4deff7d8434583ea8e5c3ef9b4c64674dfb165b1720ddf63b5abdd8ed6a7399c (SHA256)
sous.exe
Windows Exe (x86-64)
Created at 2018-04-13 00:34:00
Notifications (2/2)
Due to a reputation service error, no query could be made to determine the reputation status of any contacted URL.
The operating system was rebooted during the analysis.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: sous.exe
4764
9
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\5jghkoaofdp\desktop\sous.exe |
| Command Line | "C:\Users\5JgHKoaOfdp\Desktop\sous.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:34, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3d4 |
| Parent PID | 0x3f8 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
364
0x
834
0x
840
0x
880
0x
87C
0x
95C
0x
94C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000668df70000 | 0x668df70000 | 0x668df8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000668df70000 | 0x668df70000 | 0x668df7ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000668df80000 | 0x668df80000 | 0x668df86fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000668df90000 | 0x668df90000 | 0x668df9efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000668dfa0000 | 0x668dfa0000 | 0x668e39ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000668e3a0000 | 0x668e3a0000 | 0x668e3a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000668e3b0000 | 0x668e3b0000 | 0x668e3b1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000668e3c0000 | 0x668e3c0000 | 0x668e3c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000668e3d0000 | 0x668e3d0000 | 0x668e3dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000668e3e0000 | 0x668e3e0000 | 0x668e3e6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000668e3f0000 | 0x668e3f0000 | 0x668e3f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000668e400000 | 0x668e400000 | 0x668e400fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000668e410000 | 0x668e410000 | 0x668e80ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x668e810000 | 0x668e88dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000668e890000 | 0x668e890000 | 0x668ea17fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000668ea20000 | 0x668ea20000 | 0x668eba0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000668ebb0000 | 0x668ebb0000 | 0x668ffaffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000668ffb0000 | 0x668ffb0000 | 0x668ffb0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000668ffb0000 | 0x668ffb0000 | 0x668ffb3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000668ffc0000 | 0x668ffc0000 | 0x668ffc1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| rpcss.dll | 0x668ffd0000 | 0x6690087fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000668ffd0000 | 0x668ffd0000 | 0x66900c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000066900d0000 | 0x66900d0000 | 0x66900d6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000066900e0000 | 0x66900e0000 | 0x66900e0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000066900f0000 | 0x66900f0000 | 0x66900f0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000006690100000 | 0x6690100000 | 0x6690100fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000006690110000 | 0x6690110000 | 0x6690110fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000006690120000 | 0x6690120000 | 0x6690122fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000006690130000 | 0x6690130000 | 0x6690130fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| cversions.1.db | 0x6690140000 | 0x6690143fff | Memory Mapped File | Readable |
|
|
|
- |
| counters.dat | 0x6690140000 | 0x6690140fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000006690150000 | 0x6690150000 | 0x669015ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000006690160000 | 0x6690160000 | 0x669025ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x6690260000 | 0x6690534fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000006690540000 | 0x6690540000 | 0x669063ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000006690640000 | 0x6690640000 | 0x6690a3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000006690a40000 | 0x6690a40000 | 0x6690e3bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000006690e40000 | 0x6690e40000 | 0x669123ffff | Private Memory | Readable, Writable |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000028.db | 0x6691240000 | 0x6691259fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000006691260000 | 0x6691260000 | 0x6691260fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000006691270000 | 0x6691270000 | 0x6691370fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000006691270000 | 0x6691270000 | 0x669136ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000006691370000 | 0x6691370000 | 0x669176ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000006691770000 | 0x6691770000 | 0x6691b6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000006691b70000 | 0x6691b70000 | 0x6691f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000006691f70000 | 0x6691f70000 | 0x669236ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000006692370000 | 0x6692370000 | 0x669237ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000006692380000 | 0x6692380000 | 0x6692380fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000006692390000 | 0x6692390000 | 0x6692391fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000066923a0000 | 0x66923a0000 | 0x66923a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000066923b0000 | 0x66923b0000 | 0x66923b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff756f4c000 | 0x7ff756f4c000 | 0x7ff756f4dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff756f4e000 | 0x7ff756f4e000 | 0x7ff756f4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff756f50000 | 0x7ff756f50000 | 0x7ff75704ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff757050000 | 0x7ff757050000 | 0x7ff757072fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff757074000 | 0x7ff757074000 | 0x7ff757075fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff757076000 | 0x7ff757076000 | 0x7ff757076fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff757078000 | 0x7ff757078000 | 0x7ff757079fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff75707a000 | 0x7ff75707a000 | 0x7ff75707bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff75707c000 | 0x7ff75707c000 | 0x7ff75707dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff75707e000 | 0x7ff75707e000 | 0x7ff75707ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sous.exe | 0x7ff757f40000 | 0x7ff758041fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ondemandconnroutehelper.dll | 0x7ffb0e420000 | 0x7ffb0e42bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x7ffb117b0000 | 0x7ffb117b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winhttp.dll | 0x7ffb12970000 | 0x7ffb12a34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x7ffb12aa0000 | 0x7ffb12bfffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmmbase.dll | 0x7ffb133a0000 | 0x7ffb133c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmm.dll | 0x7ffb13500000 | 0x7ffb1351efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x7ffb13950000 | 0x7ffb1395afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ncryptsslp.dll | 0x7ffb14280000 | 0x7ffb1429afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wsock32.dll | 0x7ffb142a0000 | 0x7ffb142a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x7ffb15750000 | 0x7ffb1576afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x7ffb15770000 | 0x7ffb15a18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x7ffb15a20000 | 0x7ffb15c4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fwpuclnt.dll | 0x7ffb16050000 | 0x7ffb160b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x7ffb16750000 | 0x7ffb16759fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x7ffb16760000 | 0x7ffb16788fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x7ffb170e0000 | 0x7ffb170f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x7ffb17120000 | 0x7ffb17134fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntmarta.dll | 0x7ffb17380000 | 0x7ffb173affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| propsys.dll | 0x7ffb17d30000 | 0x7ffb17e94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasadhlp.dll | 0x7ffb18930000 | 0x7ffb18938fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7ffb18f20000 | 0x7ffb19179fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x7ffb19210000 | 0x7ffb1922ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x7ffb193e0000 | 0x7ffb1947efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7ffb197a0000 | 0x7ffb198c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7ffb198d0000 | 0x7ffb198f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ffb19920000 | 0x7ffb19929fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gpapi.dll | 0x7ffb19c50000 | 0x7ffb19c72fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x7ffb19d00000 | 0x7ffb19d0bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| schannel.dll | 0x7ffb19ea0000 | 0x7ffb19f0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ffb19f50000 | 0x7ffb19f84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7ffb1a060000 | 0x7ffb1a07efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x7ffb1a0c0000 | 0x7ffb1a162fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x7ffb1a2b0000 | 0x7ffb1a307fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ffb1a310000 | 0x7ffb1a32dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntasn1.dll | 0x7ffb1a4d0000 | 0x7ffb1a509fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ncrypt.dll | 0x7ffb1a510000 | 0x7ffb1a533fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ffb1a540000 | 0x7ffb1a565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x7ffb1a7d0000 | 0x7ffb1a7f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7ffb1a830000 | 0x7ffb1a85afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffb1a860000 | 0x7ffb1a8bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffb1a9c0000 | 0x7ffb1a9c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ffb1aa50000 | 0x7ffb1aa63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x7ffb1ab00000 | 0x7ffb1ab11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x7ffb1ab20000 | 0x7ffb1acf6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wintrust.dll | 0x7ffb1ad00000 | 0x7ffb1ad4bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7ffb1ad50000 | 0x7ffb1ad99fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffb1af60000 | 0x7ffb1b006fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ffb1b010000 | 0x7ffb1b067fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ffb1b070000 | 0x7ffb1b126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ffb1b280000 | 0x7ffb1b288fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ffb1b290000 | 0x7ffb1b407fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffb1b410000 | 0x7ffb1b580fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7ffb1b590000 | 0x7ffb1b6c8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ffb1b870000 | 0x7ffb1ba45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffb1ba50000 | 0x7ffb1baa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7ffb1bac0000 | 0x7ffb1ced6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x7ffb1cee0000 | 0x7ffb1cee6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffb1cef0000 | 0x7ffb1cf94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7ffb1cfa0000 | 0x7ffb1d043fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x7ffb1d050000 | 0x7ffb1d223fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7ffb1d230000 | 0x7ffb1d280fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ffb1d2f0000 | 0x7ffb1d323fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comdlg32.dll | 0x7ffb1d3b0000 | 0x7ffb1d449fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffb1d450000 | 0x7ffb1d594fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffb1d5a0000 | 0x7ffb1d6d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\progra~1\common~1\sous.exe | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\5jghkoaofdp\appdata\local\microsoft\windows\inetcookies\l7fpzpa3.txt | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\progra~1\common~1\sous.exe | 997.00 KB |
MD5:
f6d01e72a58a8bdf14f9a103250f779e
SHA1: 3b97bac22a04282ebbaef60beb168a41e4449239 SHA256: 4deff7d8434583ea8e5c3ef9b4c64674dfb165b1720ddf63b5abdd8ed6a7399c |
|
|
| c:\progra~1\common~1\log.txt | 0.06 KB |
MD5:
7c832c33dff92f1b0275e375f9f2ffc7
SHA1: 10ec053210837a4a9d6eb5c97be8090636c06fa5 SHA256: cfd79999b41cde3535101dcc2c7c71005b5c9a685cc8f93ebc5654303baa3ef4 |
|
|
| c:\progra~1\common~1\log.txt | 0.12 KB |
MD5:
d3474ae78906f9c8ac13628183db6b77
SHA1: b850847a1dabac20d7adf6a382b118161949b598 SHA256: c215876eecfce1d91bec5f208250774ea93f5cfa2b377e87c0a3b5896f43b1f9 |
|
|
| c:\progra~1\common~1\log.txt | 0.19 KB |
MD5:
15a177ecd046d93f0cf77289e4d38d00
SHA1: 45d5d61a1cd26db0338a53abf149d84ade0c390d SHA256: 8ebe57f2d5430c76d359aa4ae8ac501f527ada688f12d0e41f572ba68fbde724 |
|
|
| c:\users\5jghkoaofdp\contacts\lulcit amkdfe.encrypted.contact | 1.16 KB |
MD5:
1683b0f875057bbaa9a5bc56fbd63a4f
SHA1: ec5927f5dc1d5345abddd7ff85f1c759c5aa7a5f SHA256: 3f6434f412498a55cbc2878a3d97a9b6c762e298c2bf8440e01864b9c5a10b81 |
|
|
| c:\progra~1\common~1\log.txt | 0.25 KB |
MD5:
f4e03c76b9f67568df0edeae1b2032f0
SHA1: 7ff717b4f2d5b1d6864bd475bc72843383ae27b2 SHA256: 400c016d1367fa4454c2fe7835af7316433f73a001629ee3ac834a478ca636de |
|
|
| c:\progra~1\common~1\log.txt | 0.31 KB |
MD5:
b8d0abf824818a14d5750371abb8b8f9
SHA1: cb22e7b10eb7ccea5788f301b80fe7aa7eed6a93 SHA256: 02d262caf20a35da81b3bcf02d84284769c9d6fe8730e2cd21ea2479229a229c |
|
|
| c:\progra~1\common~1\log.txt | 0.36 KB |
MD5:
208310bf2faf6f4adf593b98f2663eff
SHA1: 38e6f80e9150a3456c566c5a4d23a33cb636de62 SHA256: 16c04bbe6c24805137896dd90d8112fa4848408416b53b117f9f76462decbe5d |
|
|
| c:\progra~1\common~1\log.txt | 0.42 KB |
MD5:
edaa013a0d22ede4ed393d7e2d355a76
SHA1: 832f87edeb98baf6519f69db534dfbeeaa93668e SHA256: f0378410d65f98cdec3a43c1ef9040aa6cc5fb25720ed3b66393007e42eb3567 |
|
|
| c:\progra~1\common~1\log.txt | 0.48 KB |
MD5:
c160a9c3abed4cc069de75b3f5513c3d
SHA1: 804b1a296c865366841b60e26d41f62f7ff5f81b SHA256: da1f6567878a174287c7a96011d84902010d554b464ee8474da9e08bce37925f |
|
|
| c:\progra~1\common~1\log.txt | 0.53 KB |
MD5:
45ddc325aeae84172675be2cf5ad2184
SHA1: 72270bdb5863d2fb7f9891e9c77c10ff816cf413 SHA256: e6869bece3c348abdccbdb164e3889fdccfd03c9b4da07144fcab06502c7751e |
|
|
| c:\progra~1\common~1\log.txt | 0.59 KB |
MD5:
66c14fc87a62f3f57a7f0f160a22fb0b
SHA1: 6da047dfd96578dbc0c4cc430eb0572278fbc3b6 SHA256: 4247ce99889f920c1b9479f282d0bd8a48076afa643e6f51f198ea2b4ac73745 |
|
|
| c:\progra~1\common~1\log.txt | 0.64 KB |
MD5:
46a8d5bfa1f311da53f503017d9991ed
SHA1: d092d6ca2559e9bb62f043cd171b7109d2b93283 SHA256: 02fecdb0e324bd37d2bbda1502fcaec16cce47037406be887661d5b20f3309ee |
|
|
| c:\progra~1\common~1\log.txt | 0.70 KB |
MD5:
9f5c62a8de2ba814ac5406aa5b7a58b0
SHA1: 21dcd1c3c1a633244b72d2e05d55af2d4073c16c SHA256: 928213053401f314d200ea9903d94e8dd561aada5e82c84a1819bb15ff2cdee6 |
|
|
| c:\progra~1\common~1\log.txt | 0.75 KB |
MD5:
eb72e7fc34d26b131040bcae50ff3cf1
SHA1: dad34d3eb69e94ac9ae85a264519b46054cfbd92 SHA256: 06edd750590482cca4c6fbd3abf3871b69e389957066e221a73167687a7ba7e8 |
|
|
| c:\progra~1\common~1\log.txt | 0.81 KB |
MD5:
22683e0dc1fc647f3406b952665f5457
SHA1: d1dbf2e506b3f1cabca4ad558cc0e9b5b3aba26a SHA256: b85e5b1238280a990a85dfe55f0d029f00e4ab830c769b85801fda3aa044829b |
|
|
| c:\progra~1\common~1\log.txt | 0.86 KB |
MD5:
798aae4e7b28ea1cf389ea76f99783e5
SHA1: fc485e317bf3495598dc24d0af0af0e00ad0b1f0 SHA256: 4255e3ed5d29741ad4437883601913b37ef6c8cb0eadd4b5ef4348dac471d570 |
|
|
| c:\progra~1\common~1\log.txt | 0.91 KB |
MD5:
d981928807f2cea94b962805954435e2
SHA1: 7c68e4cb42b8da1203b70cfe33c471cf95b43971 SHA256: af8e9bc0ab8d54e3e4cc9c16c21142f89a3a82a6ed476e492030fea443d7364f |
|
|
| c:\progra~1\common~1\log.txt | 0.97 KB |
MD5:
a282c39bb011a748b65b7663d38e4c7c
SHA1: 0cc1c2c3556579eff3cc64a9faef038c832c5c2c SHA256: 9f7eb8ba6e34f238af6ed2bf201215ddcce9afe2667901597e5f7da578c79e17 |
|
|
| c:\progra~1\common~1\log.txt | 1.04 KB |
MD5:
226035d3d5fd4e30ffed3e3d7c47eff6
SHA1: f3d5628c446719aecbdb8e05cd3d15505d623b15 SHA256: 47f26f2e82a69ad1a818efa3c8333c4e56acede2ea663a76d98383b57984d19d |
|
|
| c:\progra~1\common~1\log.txt | 1.10 KB |
MD5:
593f816f144626f1f92b65263551696f
SHA1: 0ffea2b02200de4a8e5dc4576e6edf83dc785c8d SHA256: dfb8f9390cb555a0883aa8e5dd6e75c2b726c891598544f071ca6edd393f7e60 |
|
|
| c:\progra~1\common~1\log.txt | 1.17 KB |
MD5:
19ad2b23e13ad9db0020dfbe4be722fb
SHA1: bb6a8fad44da3c35e397e73af5a8b54631b48c86 SHA256: e25e33c0dde2f861370818c1fa53a150e7cabbe228876a049fb85924991b78b6 |
|
|
| c:\progra~1\common~1\log.txt | 1.22 KB |
MD5:
3a14e967f543bcc02ee79b58f029c528
SHA1: 407352215a3e57ea36128211e7abbf6d7d586cce SHA256: c45844365b8824acc7054dbc3ed96ea14eb7fe2a90ccdb218759a37a6c10e4db |
|
|
| c:\progra~1\common~1\log.txt | 1.30 KB |
MD5:
ace2928270f5396c157bb20bf6383321
SHA1: 54a0761e94bb1554d915072af1537a01bdc9d5e2 SHA256: 0ea564870583207d4fa3961695f64eacec83cb0b5720474a05f5f979c7fc5a0f |
|
|
| c:\progra~1\common~1\log.txt | 1.37 KB |
MD5:
fe3c2a42f3802e8c733abce21b62144b
SHA1: a096cc80550153ea9e5613b144478825556ca08b SHA256: 2934af8f125d850311712adc44d0780060adb07b1d06bd3a322fddcd8fb3873b |
|
|
| c:\progra~1\common~1\log.txt | 1.45 KB |
MD5:
6622f81569d3057612fbeffc827ea796
SHA1: c4954ecbe21f9f60e6d96b0760a826acfe3e3899 SHA256: b5536a69f072a8ed3959f113a3be1ef398cc6a091c589e623c1386097afa68e7 |
|
|
| c:\progra~1\common~1\log.txt | 1.52 KB |
MD5:
dd362db085744d176a963bd7b8673a7b
SHA1: bac85b000577bfb66dff2a8a6d4f04cdc02e0500 SHA256: 0c8165e574dc4e9397ea7243bf76243b76d4811706438244fe5e6fa440c84473 |
|
|
| c:\progra~1\common~1\log.txt | 1.59 KB |
MD5:
dd344a97e61528d28bdf265e585a01aa
SHA1: 9c1b4cbb7e01888977ef3dc0408d26fa9f38586f SHA256: e5a7ee15659c4cb60a088a21eaf48789aa375bfa749e08d1db4c5430ff2d65b5 |
|
|
| c:\progra~1\common~1\log.txt | 1.65 KB |
MD5:
ddafb38070fdd0b2e16c3aeac0630473
SHA1: e30a989fa28b2af25a88d10dcc18252dd78e9364 SHA256: f96fe0895f33d618d4e7335c83d85f81f1bb4d579ecea69671964548f98e655c |
|
|
| c:\progra~1\common~1\log.txt | 1.73 KB |
MD5:
7f06a1aac70b767219b1a48a28f0106f
SHA1: 5b80020f3a708a7a3e7db7ac66316a37aae13353 SHA256: 42fef1c416e1517b056bf447088f40031fa47db4c9f93148bf912034aa2c57c9 |
|
|
| c:\progra~1\common~1\log.txt | 1.79 KB |
MD5:
7026b18a0e052b79b83d50f344857013
SHA1: 3947e553acf6308b221b4f27216775ab0fabc28a SHA256: 15d548689b1b5ab7a88ec3e9c01ce02d713673269e1bcbcbfed0f88cf12b8197 |
|
|
| c:\progra~1\common~1\log.txt | 1.86 KB |
MD5:
0bd38574b3e2687763a11208e1c80f57
SHA1: baf5bf329ba256db4f3ff7e71240bddac25a101c SHA256: e30d3c17dd8645e9485c32b593601ee15a52e12407ded3fb4edc46aad8a41d14 |
|
|
| c:\progra~1\common~1\log.txt | 1.91 KB |
MD5:
577de7a3158fac7dbd0d8632d8d8f778
SHA1: d42dc60410ecef4e18af4caba49759a9613aaa15 SHA256: 4e0501bf1b13f70deef6ef5714f146a6b4a32b24be093786cc17270d77c1fc89 |
|
|
| c:\progra~1\common~1\log.txt | 1.97 KB |
MD5:
01a0c19729047cb1dba712cde32a1fdb
SHA1: 2ab0831dcb522e798ed31e4989bf1321f0c202ef SHA256: 0dd67d63e6ff2fa1cf068e05314bf70fae3063824667a80cc59156ba847b848b |
|
|
| c:\users\5jghkoaofdp\desktop\pcbhpe.encrypted.swf | 43.75 KB |
MD5:
fa3661ed89a7e56de20f69d097e2fff0
SHA1: 74c92563774dbaa2919f354ddc37d79b6646d69f SHA256: bbc6159828e05c9709f8aaffcdbccbe0f8c8357fffd8280618a368f39006b6aa |
|
|
| c:\progra~1\common~1\log.txt | 2.02 KB |
MD5:
47770238509833f05ad9247d87f5988b
SHA1: f09d1d24dbf8302c75e09e73ec05729825a5f996 SHA256: 27ebb14e38855204e34e613d31d7e83cdddf74fd9d0395617394fb7202e6b71f |
|
|
| c:\progra~1\common~1\log.txt | 2.07 KB |
MD5:
cb294761b94d7e07056701292e64af66
SHA1: a45c86f6c6c0173d816bb3c74ebc794c0b29171a SHA256: a97796df1500f8d2488b2b480f847ecb3abca479bcf852d59fd68c0a1263dc84 |
|
|
| c:\users\5jghkoaofdp\desktop\s5cbub-rhdetht7wyi.encrypted.avi | 59.52 KB |
MD5:
b99891b84ed4ca99a315233c8a7d8aa4
SHA1: d64256d46017cede5bc047ebc8d7aa439f849b76 SHA256: 75a0bb762e841f4b69f395484cf262ba96dfeda1b13a7737af0e6f01a1158e1e |
|
|
| c:\progra~1\common~1\log.txt | 2.14 KB |
MD5:
c7ce1ea1b89a333d1206d4102ea203a6
SHA1: 0bc473eac76f1741d879ded82e3d43a4c9c36c80 SHA256: 552904b0251cfe8d8071aa3fed56217e0dc15c1063d8f824b83b503754848722 |
|
|
| c:\progra~1\common~1\log.txt | 2.19 KB |
MD5:
64d606266305b1f183b963883a651289
SHA1: 5ba84f1e20c6937d5fb634d7f32651bbb2fda93c SHA256: 20131e7ec9332d0a4780a401d40f3e686f011b8b22fae718930e9ec896d37fc4 |
|
|
| c:\users\5jghkoaofdp\desktop\sy1211x.encrypted.ods | 83.05 KB |
MD5:
3fff1188d60577bedd91569aaf5df2b3
SHA1: 3c160a2235b03330107244704eeaf6db5c6bc530 SHA256: 5cf8792e8ffceaffb4b92e3b7e4fb131da16d7a9d4f4aea9446ec0ffe1078df0 |
|
|
| c:\progra~1\common~1\log.txt | 2.24 KB |
MD5:
752e45aba37292c196948579103ab791
SHA1: d6ba42637db089158e9039b876a755b44424d674 SHA256: 1c7606dc8759ff4e16b851cbc5d1e2b7c580bb1a46a71af9d33da6b4a3993550 |
|
|
| c:\progra~1\common~1\log.txt | 2.29 KB |
MD5:
9df3bebba0d9f57da99b8c4bc51b8fee
SHA1: 3f914dcd2faa85cb281d458b3c2d8604e3f20ea9 SHA256: a08eb0fcac9805662ec6c255e77dd66464ae4993eefddeea4ba890d1e9f585cb |
|
|
| c:\progra~1\common~1\log.txt | 2.35 KB |
MD5:
37b4ba7e38aa13d099b63ac91c034e70
SHA1: 52909eec39e84d4f8e807532b760e93a7178e810 SHA256: 44f547d013aabf6acb198d6a1169a9e274a89b05b0eb451d97a94f1207d90edf |
|
|
| c:\users\5jghkoaofdp\desktop\w4ypscyd_vipa.encrypted.odp | 57.80 KB |
MD5:
9494850eae868a79ed5bd40c9ec57e3d
SHA1: 01d7511089caaae0ff0493410aea280b5d07d06a SHA256: 6962090684a1ef3e07598f72befd9e305d9e19f8ea0ddf1c7520c73adc9054cf |
|
|
| c:\progra~1\common~1\log.txt | 2.40 KB |
MD5:
b79e0a0bb10c0344eb105ebf2d577487
SHA1: 7e25d957439e5c98fbe73ba510b2b75871ba36fe SHA256: 3ee3a216cbf1c6aa20c50cdeb8f3d243952a9e25004212dd3fa2b00453622be6 |
|
|
| c:\users\5jghkoaofdp\desktop\xobzgp-nq nymn\hf0m-qqalglo0.encrypted.mp3 | 97.06 KB |
MD5:
99c3c201d2426fb493434eac7cc60ae6
SHA1: abda8f53f7bbdc5d5700af2ae0706818fe0cdfa1 SHA256: f1ab537404a9f392127fe78e71e8afc6ed3ad28ddf6986534611cb3a05938b9f |
|
|
| c:\progra~1\common~1\log.txt | 2.48 KB |
MD5:
1c3fb07ca06e452f1fc1af21e6d4c1c2
SHA1: 1bc76c8c03bcfacff1216dccee92a38633b98f82 SHA256: b8416afa1d757aaf44e3feffaf9014d3726586120bd039a078ca0ebd5baa2cb8 |
|
|
| c:\progra~1\common~1\log.txt | 2.55 KB |
MD5:
6c91d4c91c269485bcada99f0a4f0a3a
SHA1: 4d6931c1e95cec9ccad37e1b92f3150099c2c473 SHA256: e6b9d3f08d6355bf71cdfe8609b4724a8fec4bd0f4d8dd0e3785a250ba3eac6f |
|
|
| c:\progra~1\common~1\log.txt | 2.62 KB |
MD5:
b1b0d5a1a9540627f4a73db4c4a75503
SHA1: 88fe18119a4d97ab64f02d133da6565ab6bcee66 SHA256: 424d139e0a1a33ad1beb759194b3ea90f5f0cf7f8cd0bc40022293d7a9176faa |
|
|
| c:\progra~1\common~1\log.txt | 2.69 KB |
MD5:
4c20ebe5a5709e72cb0aecefc8f31896
SHA1: 88945b51a032a2c02e64cb7205a8e9d30e2bdf42 SHA256: 7cc891f280b9bbb5f74ea03c4cd947250b9f6a79726656a26fe20c82fe782355 |
|
|
| c:\progra~1\common~1\log.txt | 2.76 KB |
MD5:
1163bd86de0e75be8fe34f15525d3579
SHA1: 4a95d714df9931ecb219b1e7369008f7d127543b SHA256: 8dadda7e9dcd269e0ec006075a33238ef573dff19d1d96a60000e9e0c6642388 |
|
|
| c:\progra~1\common~1\log.txt | 2.82 KB |
MD5:
288905f559f5fa5abecd1773f7203692
SHA1: 4d8817fa1b481cfc31677ba6aa4c7535e29c4c5c SHA256: 628b132bcc1e23caaaf2b5a3939fbfae7427ac0580d7fd881e7bcc9157fdbd63 |
|
|
| c:\progra~1\common~1\log.txt | 2.87 KB |
MD5:
961adeff51cb57832cbdcb1ad42c653d
SHA1: ff032e339a4b4c95ebadbff178d22671ac726fcb SHA256: 19d7da937aaab3493f57e85a86efcb7f8dde79bd8db4671d65c1a2298e7ee1be |
|
|
| c:\progra~1\common~1\log.txt | 2.92 KB |
MD5:
d4ae9d8fa70728419175aadf0adc7594
SHA1: af6aca80b1372cc546d79ce1487497d7505d5496 SHA256: 2babd8f7b83dadf126b3ced4381b56d265c8b52d0b6eaf64f83cd0ca9a097caa |
|
|
| c:\progra~1\common~1\log.txt | 2.97 KB |
MD5:
23fd9eea214a4c4b9759cf3d91abc43d
SHA1: 22fe2a9b2d1e0c7fd8d936148d551d01f7e44622 SHA256: 6b28aef358d76b2546bfac5ebb256588f6f103fbf45012d3fdaa35d73a7ad805 |
|
|
| c:\progra~1\common~1\log.txt | 3.03 KB |
MD5:
bea1a134c59e282fbd521ad5f7d9ce2f
SHA1: b629f7fae3d4f54dd3865562801a9b0dfa5d1a18 SHA256: 1dfdaa883ce9565d9b9f73eccf9f7d12169adee49c06ce52a95aaa80424b4434 |
|
|
| c:\progra~1\common~1\log.txt | 3.09 KB |
MD5:
de4180fac5bd4fc441d7f08994ab962e
SHA1: 977a8a7e893896858f58d99e36293ed97ece9afd SHA256: 965d220b8b3bac94877abb40a12954a74bcdfc3bc04a594b4e7f5d40d1ad9d5a |
|
|
| c:\progra~1\common~1\log.txt | 3.16 KB |
MD5:
7cca429f9eeadc363730148d4926e800
SHA1: 505a5699a2b3f975bcfe08561dd491344e9c7e09 SHA256: 6f44890150e0e831c49f509d8d7afafa3584675605976058486cf3beaca022b7 |
|
|
| c:\progra~1\common~1\log.txt | 3.21 KB |
MD5:
a594fa59bdd9ee96d95808e6698f2d78
SHA1: d9de00f8ae06b76878262b6b484759ec42995a8a SHA256: e3cabfe23c772b4f21bad2ecc9e1b1754df65c268639d4770b709bc3953b1b83 |
|
|
| c:\progra~1\common~1\log.txt | 3.26 KB |
MD5:
a5dc0414f0fc18c60b9a1d91c28fec9b
SHA1: ff0adc813e16ec5348d83fbee581856a3974b07c SHA256: a4637875a2e332dcd8ca1d664eeec4290eaec8d29daaefc8750b2cb56a8d6308 |
|
|
| c:\progra~1\common~1\log.txt | 3.32 KB |
MD5:
86609138c1d15f14fc0bccd9940f4a62
SHA1: aa7073f74341e1cd713137e7ce352706e8e6e9d4 SHA256: 61eb4e981ca985a47752dab9bacb9b3d22e341574e807cd29f57ade5289120ec |
|
|
| c:\users\5jghkoaofdp\documents\8zjzu_i3yhk3gy6-wl.encrypted.xlsx | 10.89 KB |
MD5:
c9be97af9e7a419ae84979e6a09d66b0
SHA1: 73f71e579b9dd7196f37ab43d5217f39f2db6feb SHA256: 32c8c544fae0b8dcb8372675e2041f351272125d69eb31e3aa450b1c07151fd3 |
|
|
| c:\progra~1\common~1\log.txt | 3.38 KB |
MD5:
377b9176f05987ae4951095ceaeafdbc
SHA1: 4ef7301feebb9c9b77cce072a70dbf103a50b337 SHA256: 0b66e0ea61db83d005cfb1c0d84218d12a421d36eee2f1ba3e6a953a5982851b |
|
|
| c:\progra~1\common~1\log.txt | 3.44 KB |
MD5:
26f952dd92b114953b8798305e49169f
SHA1: 20a0cdbd53a9b4fb4858f03c70a183b486dd2cce SHA256: 827ffe2e10310571de174a80433f1145f2433801ec96ed95b93778be2ebeb471 |
|
|
| c:\progra~1\common~1\log.txt | 3.51 KB |
MD5:
3ddf9fa1eaf9ab216e31ef91d8027e2b
SHA1: 225138dec236e762e03f2556663ff628c843f58f SHA256: 71c8b1ae109f6d1c5a64ac9e166ee1d45c2262a7f508af85db90008e3a127e3d |
|
|
| c:\progra~1\common~1\log.txt | 3.56 KB |
MD5:
d8fe16f601eca3c058fb8e0cf85b31ec
SHA1: 8f901b6160ec3432bcdc42c06e0d793098b3f1df SHA256: ce30effaa3512e20f06e9998a51c6f5551ec835628dac1e42c39d0baeba680ff |
|
|
| c:\progra~1\common~1\log.txt | 3.61 KB |
MD5:
3e949f13519799d28352364c30469ba7
SHA1: af3f0b4b3cdacea737b8767b95b2d48943540eae SHA256: 9b1dce703effa5f386848a08e25774e3ed6fcd6d60609dbd4a16a310970dec33 |
|
|
| c:\progra~1\common~1\log.txt | 3.67 KB |
MD5:
ef1f193123ce0f5be2966e60be209216
SHA1: 2fb4a5ff5d2fb6a037c3353aab4786619ee8b50a SHA256: 78066f06b0a50e6d162331fd1dedcd519b622ce3b454b10ee8b618e3aa507096 |
|
|
| c:\progra~1\common~1\log.txt | 3.73 KB |
MD5:
c76cfcf77b8c60d4e0985f05c543d1b3
SHA1: bf0042d1a0c18ef0a8f06b66fd5efbe417dfd8c6 SHA256: 2b01d634dadfd45a9796b6a8812a13bf2706260733eb7d155362d9ef2d13f8c6 |
|
|
| c:\progra~1\common~1\log.txt | 3.79 KB |
MD5:
8594e992f56ca3047d255acf27973948
SHA1: a94444260a4c2247ba2a0d18eb0d87abc590527c SHA256: 73a2e73b5283cf3e2867336ca13eaf2cfabdca5c22b8dcd264d05e4d015347fc |
|
|
| c:\progra~1\common~1\log.txt | 3.85 KB |
MD5:
68b132550c6d9bdd1898a1e2d7d1c6b4
SHA1: d090756aec626a1b3fbbd03a761af568bd1420e9 SHA256: c3ae9c5eb2026738e0cf7f2165c3e4a6fe78766cf49651e6b8864f6ff7f31d0b |
|
|
| c:\progra~1\common~1\log.txt | 3.90 KB |
MD5:
1fe3c687a1b55e40c252fe483b0a591c
SHA1: 45e03d2b7e954dfbf98453c338c35a987633b860 SHA256: 9fbeed50b10d044d2c35d604bb5e1c61ef0b68eedf4d87d8ba06ccc64491edb7 |
|
|
| c:\progra~1\common~1\log.txt | 3.97 KB |
MD5:
8cdef177d4e4c3f0622577ee7f6cd932
SHA1: 3f046ab216ef54949fee9142461b4f812428c5d7 SHA256: 8814b0886f2c30f362157bcbc91011c0d822e8cb507ef432de7927417dcd0d07 |
|
|
| c:\progra~1\common~1\log.txt | 4.03 KB |
MD5:
ac28124517d9377a3072e409551650e4
SHA1: 12654ccbd90433c7fbff0948b384d9f67f272534 SHA256: 4a9eef4f66f2fb8f2df23e12e90d95d5d7c22206c3c72c4f2ab8ed68cfe7c4c6 |
|
|
| c:\progra~1\common~1\log.txt | 4.09 KB |
MD5:
8e4c4c9dded8f54314dd6549948d5002
SHA1: 5e5c7fa122ed281e2696ffc1c4ad6c665d48683d SHA256: 508a6a8d9e3a2cbc263a37e177405e7ec0f2cd75763faa83a057600c20729176 |
|
|
| c:\progra~1\common~1\log.txt | 4.14 KB |
MD5:
de545222f316fcefebd949cc234c4ae6
SHA1: 9e78e083de13eadf25e4c31ec5bf326ae8b51c67 SHA256: acea3c0c67b031428a52e540510948ff88a2f0e3207b38df1656f546e859034e |
|
|
| c:\progra~1\common~1\log.txt | 4.20 KB |
MD5:
c36be73c85b9b2d1cf280094513d4a0c
SHA1: c7dcfa8ca2f296481a6792cea14e527d93dfba8e SHA256: e59fd14979ba6e9442bd095477f6eb5c321c99aa0d5f4850cf5f97c6f660eb5b |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\8y9zk 2bwq.encrypted.ots | 43.44 KB |
MD5:
e0b818f7815b83108ef981cdc03d04ce
SHA1: f484a011c667172c0af637f4daa054c6f32ef905 SHA256: 05ac9c7ad1e6a45f2438a9dd1399598706a82819c2b13870b8253f85371274cd |
|
|
| c:\progra~1\common~1\log.txt | 4.27 KB |
MD5:
10e72e9e170437cffa7f60a266d07b9f
SHA1: 8a1741204ef273480f430a2ebba9e29893cec6da SHA256: 7d9893a8785a5a8d2c2dd8dee7fd2872dfbfc0ba630af49b39577f72fec06835 |
|
|
| c:\progra~1\common~1\log.txt | 4.35 KB |
MD5:
1381a86c9536d138c17501d7f7fbd426
SHA1: 19aafa570316a65c130cfeed39495a958ab5be00 SHA256: d8fc788c5b0c03e8aa5efbd8149409630518b3bc67a1da71465b8df9a5e21c6d |
|
|
| c:\progra~1\common~1\log.txt | 4.46 KB |
MD5:
eddf3185dbce2ae741a452c51cb74b6a
SHA1: 3adf0de76ccae1f706b371d3a87ea1124e7ad6e3 SHA256: 3987f33baeca5c9cd0dd39f8081e50d35677711b54e705f0bf9e6fbf4ffd257c |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\j2q6rpjqlwrnko9k1e\p4g4qgo\bfini9.encrypted.ppt | 53.25 KB |
MD5:
78a05c452e965f3779d05aba89b8dbdd
SHA1: ac3120c61953bc680904fdba29a0c029e93391d2 SHA256: 7160f8242a7b8277f4e83d83c8bf3d8d8e41b8bbad30de00d4f6215b76a8a083 |
|
|
| c:\progra~1\common~1\log.txt | 4.55 KB |
MD5:
b3d9bf308ae2979517282b8602765f49
SHA1: 1df1f10f78e6910b4fe8060c27cf2431df553ebd SHA256: e6c613e9ef4056889b33cd9d74a4c4a3ae0e60b9f1959d6631de39145b17de1b |
|
|
| c:\progra~1\common~1\log.txt | 4.64 KB |
MD5:
94a096903309dc0155308aadfc5aa924
SHA1: 4c1145e711127fea0239416d144c7b6ca7030c14 SHA256: e3885db58876c1fd3fcee27ad2ff1033424dfa4da41cf7f922a693a3a8542424 |
|
|
| c:\progra~1\common~1\log.txt | 4.74 KB |
MD5:
00a8c2cddd07ff3ad4aedb922361c802
SHA1: 81bf1dcbfc2da354181af8533e9d4165c215c513 SHA256: 422dd27636e8f53d7ed9ce5a22ba367738137a163fa17d43fec4c310a0269dcf |
|
|
| c:\progra~1\common~1\log.txt | 4.84 KB |
MD5:
61b36cc7bb6a1200811cc0c220b8a7bf
SHA1: 709c0690f44cdfb29a6e03fc72f835ce4e9f5bf6 SHA256: 7e25087309f1c19ebbbc28170bf62c0b97cfd24d6a6eb9c6e0854e2cbfc3f430 |
|
|
| c:\progra~1\common~1\log.txt | 4.95 KB |
MD5:
e6b6ffb9d925ca1e3d040a6e80ea827b
SHA1: 6291d3cc4b8771ad34b18a1beb1193fe5c65c7d8 SHA256: 6af059cc20704767d98922649146e9fb12820a7c093d14aebe7f21a73bd3dc3f |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\j2q6rpjqlwrnko9k1e\p4g4qgo\xm0y.encrypted.csv | 50.69 KB |
MD5:
060de04731e601886b9e9a8e6a5f8882
SHA1: 97ca9aa11eedb7e3a72651ecd32bde82c759b27b SHA256: 8a4ab654793b4935a3b10cdafa1fd29ff25ad27e5229c76e9802677006731fd1 |
|
|
| c:\progra~1\common~1\log.txt | 5.04 KB |
MD5:
9afa568a6f95bd872d345bcd37b559c7
SHA1: a31f278f9f60ea2d9bfe46920de12472e4a543a0 SHA256: 6e75c16a337bda308945da86c3e67674c7483bbf246835fb85ca017b9726fcc9 |
|
|
| c:\progra~1\common~1\log.txt | 5.14 KB |
MD5:
c22f29cffa4f96287065b23eddad9df0
SHA1: 5121afb30c3123d29650d985229aa9912ae437b3 SHA256: 43cd08deca37a170dcfebf6f43e7aa738b67c8d493f1daa463149222f18ca30d |
|
|
| c:\progra~1\common~1\log.txt | 5.22 KB |
MD5:
060247fca4f32b2b3baee26bd85a7e38
SHA1: cd30b36fdc7c815ec77330e76dbb9a1b2b311c66 SHA256: b54ba1b7671615ba0734ab5041e3a66262d51578b9ab24e366de94ca316c9c80 |
|
|
| c:\progra~1\common~1\log.txt | 5.30 KB |
MD5:
343972c85c6ec8a5bdd4dacced43270b
SHA1: f45ae9726691a0ea5c509b1af629f95adbd43d99 SHA256: 712c9d3ad285b1912e5e8f9316581164089cdc03e3cbf51cc40cdf3b64ba4435 |
|
|
| c:\progra~1\common~1\log.txt | 5.37 KB |
MD5:
e7d7e95f2aa032b2625f2d799b0f3bdb
SHA1: ac5ede9bd50ce1e52e7332d682cb35c2f22508c5 SHA256: 80a1d641e790cbe26ef95f4ef0fa02f24f35f561248cf804ad419e7f150075f9 |
|
|
| c:\progra~1\common~1\log.txt | 5.46 KB |
MD5:
981feede97cf42bb6b7e442bbb496a88
SHA1: 5f7cd5e237a1bb8d34734a8cacf2705290a66719 SHA256: 3b99028b04dc678e3dd8a71af68a6e5ed886580084ad6da996e79fe6374668f6 |
|
|
| c:\progra~1\common~1\log.txt | 5.55 KB |
MD5:
b6646fbadf69d9ba083a3f09de933714
SHA1: 3e576dd29c60543dd281824f8038173898df6b8f SHA256: bdf4855042a39e856c62bf721acfee9e4effdcec1a504d0b968369bf73299d4d |
|
|
| c:\progra~1\common~1\log.txt | 5.64 KB |
MD5:
c18a3d028375a3afc9ceaba792363cb9
SHA1: 7a15da93f08c6861fd3b31b4526cfd1247eb527d SHA256: 163d548546cd47da42068d3a934cf1830554cc8ffff4e1f7cda98ee8b8579096 |
|
|
| c:\progra~1\common~1\log.txt | 5.73 KB |
MD5:
dc1f084a5ed35a04947b6e4b758c6b51
SHA1: ad55aafab9bcde146625db3634338459ae9e4be7 SHA256: 8b38c5a50b01db85eac503d8708b3337ede6836e02131b16f24af162bb0c78d0 |
|
|
| c:\progra~1\common~1\log.txt | 5.81 KB |
MD5:
0ef4af66d05ff1e80839be3832ccef34
SHA1: d9cee36249f8bb2a9ef89de872fd789a632862f1 SHA256: 7b3de2192e3aca5f767b778d4fd3903d27e6c8e8959fc218d7288ed2b2b6c4c8 |
|
|
| c:\progra~1\common~1\log.txt | 5.91 KB |
MD5:
83b199b4214e4544680d87a9f4b0da17
SHA1: ac4096f410ef9546f6d35750584bcc0f001ac1e1 SHA256: f719b74c4c4bea0608b07f2715bde491eb8be5c2000975cda58bf90ef507c3fb |
|
|
| c:\progra~1\common~1\log.txt | 6.01 KB |
MD5:
1b02f7d0fb561f29e17d9c0d8214088d
SHA1: 8957cc229f96f56089f72ceb986a69ec2daf4fb1 SHA256: 37a8fb44f485e25a4d674d2b9eafb152b818c4832ca6bdfa586f11289205a6f6 |
|
|
| c:\progra~1\common~1\log.txt | 6.12 KB |
MD5:
27cc65ea7624aa67d571766062cfe317
SHA1: 71d4dfb30500f5dd9ef18aaff5406641fb1b9e22 SHA256: 43cb9519889ef2a19b48b3242f1516b40b57df68df0fb4aa99ddb9ff9bd19079 |
|
|
| c:\progra~1\common~1\log.txt | 6.23 KB |
MD5:
134e97cc4ff7e1a467fa8103000afe62
SHA1: 7321dcacf65b3ae450200f078addbf51cb4ee71e SHA256: 137fe5dbfc5b14a88feeda78eb953fe4bac8075b08c0c4f43bad328cf3320a6d |
|
|
| c:\progra~1\common~1\log.txt | 6.33 KB |
MD5:
a89187016a34f68d00ef64d935d38925
SHA1: 83d4b81f14c5b4511eae8967b954e95f4f8175a0 SHA256: 949dbfa59678dcb6935474cc76f7a5af0563a4e6e9661cb4c6860751f5ce6054 |
|
|
| c:\progra~1\common~1\log.txt | 6.43 KB |
MD5:
8d442f067d01d7223ce3bda7df79ab76
SHA1: 0bc8edcf61a3af6d6ed8e94a7701f719a78f406c SHA256: f7509fc584177a677b6556683fe05f464526e20c463fc85f1e2feabb5539a6fe |
|
|
| c:\progra~1\common~1\log.txt | 6.54 KB |
MD5:
4bffd9f61fe8e240f127a3f03009ee13
SHA1: a03ba3d27d0676438a19abe87f2010f191c3298f SHA256: 290682e4b09698e40c0576bea9a308f8b61bfade9fe0a79ff34760c3e768353d |
|
|
| c:\progra~1\common~1\log.txt | 6.64 KB |
MD5:
c46ca75d2e35eb309b56c52cdb88a47c
SHA1: c30ef854fee8b278e7e722b2f4afd5a0b03914c7 SHA256: d73fbdf21a37beb387bbadb6fb5bc4813b9a5af9afe3c4f4a73477d055a5dc34 |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\slbooivzw6bdt1j4\xqmfdxwpjox9nmvq.encrypted.rtf | 29.00 KB |
MD5:
56d96fc12021d0855595b1b0f1911992
SHA1: a33b0cb5ead205094bbc92e1294d9f5a18ed5c91 SHA256: 8f396a06dc8de96ee5bc5aff82884086548b564816d92f830ca193b848c4b4e8 |
|
|
| c:\progra~1\common~1\log.txt | 6.73 KB |
MD5:
bdceb675f12ce3558af4ac627febf830
SHA1: c81a0ec22f672dd38e74b1034bb28d0003708a67 SHA256: f8dd7e48d70bc15366b95acab5539cf001f762b53ef6f02cc78245c5306ed8d8 |
|
|
| c:\progra~1\common~1\log.txt | 6.82 KB |
MD5:
3f6688ea729e6f78fb54f3a199a3cb89
SHA1: 4a37d72837a67d47c4fc16598951ee66b5d985f6 SHA256: 5c3ed4abe51787c050ac28c6ad9da593090e932ddd0316cf4e53a8a409881a9b |
|
|
| c:\progra~1\common~1\log.txt | 6.89 KB |
MD5:
b0ab84ecaf859dbf1ea63010880b2dca
SHA1: 6ac52eea004d3771c6c7ac25627e43e8be8429b4 SHA256: cdaffce22342f70424f690a4fac0b840294780d160a4a35b9f4f36a329090df8 |
|
|
| c:\progra~1\common~1\log.txt | 6.98 KB |
MD5:
d1bb716fd7b5e67c6618346f14196ed0
SHA1: 3184290bc54ba62a4f647c112105240d2f24300e SHA256: 977f7983ccabd6777f565cf4e2eb093465db4e8a0134596087793c8e5e785387 |
|
|
| c:\progra~1\common~1\log.txt | 7.05 KB |
MD5:
b7f9647394bdb367b8309c9bf61350d1
SHA1: fc5d80a4d6220f49b65dc03487e6106695f333cc SHA256: 0e48e7ead4f31904e7396d2a55a2f8d59998f1a9ca1637b1d020020c72f67ff3 |
|
|
| c:\progra~1\common~1\log.txt | 7.11 KB |
MD5:
1c03edf86b39cc4a477ead9679825df5
SHA1: c18bc1d0417a01b1798a17f5b00f8a98cfcb76aa SHA256: 8ca2befb5f0ed0a7d635255c5067003620a176e46ed037741d31777f1a498c18 |
|
|
| c:\progra~1\common~1\log.txt | 7.20 KB |
MD5:
5af15fe5f970a684c84e9b5efee3c66a
SHA1: 329139583fa9912245bc6a13c01ad5d2ff75f44e SHA256: 8b6d09da4bfb6567dce93de4803345d1d876589c24e2d2e3ad10835c90ea8002 |
|
|
| c:\progra~1\common~1\log.txt | 7.29 KB |
MD5:
1ba496f09816c385f773f517a67016e0
SHA1: 40d69400ceafc5f0a0303e992f42f7c4d9b70d5f SHA256: 7370bc03fde6ee64f79a47c24d0008b768ed72d4132462bee4487eaf18adcf7a |
|
|
| c:\users\5jghkoaofdp\documents\outlook files\cjeijc.diuv@div.com.encrypted.pst | 265.02 KB |
MD5:
ac92965e5ab77a002cc506cf26c1fa24
SHA1: 6b792f9c2ce59f15ee1d94310aa8d80f9533fd1a SHA256: 2ffd749b68c985d7930c2d0a268e4694b94acf2b46caff9858c09d7b74a98858 |
|
|
| c:\progra~1\common~1\log.txt | 7.37 KB |
MD5:
da903ae7608c0a75e344d8945dc8e8a8
SHA1: 12bd09d80daf206a28dd91754af44a049fc043c4 SHA256: 9360409fb95ea5ed8a4ecd4f965ed009d4a160b188c3e750d22d343ddcfdb78a |
|
|
| c:\progra~1\common~1\log.txt | 7.43 KB |
MD5:
b23f5a8034be76c6b4c9f846f42dfe76
SHA1: 1ea754db59a111bab3f8f732c888018e7fbafa00 SHA256: 680f1fafbc5d156bd10b0923c9ba477e02ea304c333090f50862efd1f95a120c |
|
|
| c:\progra~1\common~1\log.txt | 7.48 KB |
MD5:
f5d70b0b0712706554a9b75a815181f4
SHA1: d98d302b4d78c934adb0683c361a033d3f423f97 SHA256: 9dd5b640d3281add9944f3ebe805d480ec89a00a7d71093687843f6621e289a5 |
|
|
| c:\progra~1\common~1\log.txt | 7.54 KB |
MD5:
2d44cf4e066010292f1228beddd67fd4
SHA1: 7637672f4a43d1f29eadfb03698e71847ee40efd SHA256: 29889a8218c8307a3bb9496701bb49a65bd4bbe72d938d3d5ff0503f716fa1d0 |
|
|
| c:\progra~1\common~1\log.txt | 7.60 KB |
MD5:
2284afc3ccdb99f1880a2eec7d95084e
SHA1: 62bd1bda256bc971e266390ff61d184f20684972 SHA256: 3d4624a45df8b13bc4839dc1aee01a1d832405713796f8b08f89f7e4c4a790e9 |
|
|
| c:\progra~1\common~1\log.txt | 7.67 KB |
MD5:
fdf15ee00cd4e261c3aa2beff0c9d035
SHA1: d4d154cdafea0fe426b31d77d7b8cd2771136b69 SHA256: b2c275b82a77c85048cb9c65d4ece5d85c01be50d793d7ea3ddcc8238992607c |
|
|
| c:\progra~1\common~1\log.txt | 7.73 KB |
MD5:
5c303531ab46b7f22cd42fdb188690f1
SHA1: 7299b116bb66cb9f1fab1eef895fc4f81371c2db SHA256: 37a690842ab0294121333e5d03dda051af2dd707950e9326cd5251668230dfe5 |
|
|
| c:\progra~1\common~1\log.txt | 7.80 KB |
MD5:
a4b5845af749efa7dab85413dd5046db
SHA1: a9a860b6ddc8a58ebbd2a075ee288d520275a0ac SHA256: 68189a9c081fee7883acf0f50b49db2fe5f75e68bef946b291b74e8639f7843f |
|
|
| c:\progra~1\common~1\log.txt | 7.87 KB |
MD5:
6e810605bbe3d45878f0833fe229d36e
SHA1: e6a9351726d0b26e23037f47056c74ba46df602b SHA256: 20f0e59633bdcd4a96c1ec0dc00a2859ec68729b0802039f215d043055baf644 |
|
|
| c:\users\5jghkoaofdp\music\9cdgt6fjqes8j\tzm3m2.encrypted.wav | 6.91 KB |
MD5:
284b860941f548fab01f3a8e139bb583
SHA1: 60967ac7d5d169833bfa505f7c19c628ee58fe37 SHA256: d8bba4332a9ee45f967d463ac6e68e0d80ac3ac2819a99097c75be5fc07acebd |
|
|
| c:\progra~1\common~1\log.txt | 7.93 KB |
MD5:
37bb883bb9e7fb948b0ccb4f53bcb933
SHA1: f5a6ad6f273577319add9369eedeab9148d9bb9c SHA256: 3398ea767c520e877106f7e91f4fc49717f6bf22ab39a3c2b6ff475190f8cd08 |
|
|
| c:\progra~1\common~1\log.txt | 8.00 KB |
MD5:
5f0cca6019de63c1d5a3abd8cca5dc32
SHA1: 8ab6fe8dda883e755e85951ebe218a2dd1729356 SHA256: 06a5d5b873053ab56768edd5bbc95491b2ae8ee66f9f293ce45217b0a69f0fa8 |
|
|
| c:\progra~1\common~1\log.txt | 8.06 KB |
MD5:
4bc4eb521388046af66281fea78aa358
SHA1: bd13ca63e8c038af70ec137f62ca014bd1751b46 SHA256: b2e8568017e0329f5c5102e9b5efda4a434273c9e126bbf909b25ae384db9a50 |
|
|
| c:\progra~1\common~1\log.txt | 8.12 KB |
MD5:
33ecdd1056bcdb8ec363426895e797ac
SHA1: fbf1cb5170fb2504eac03c3d3a2ad7ce05115691 SHA256: 381bcf709c1ccb8eb01bb352b3105eed8165ecdc7177a3d8a06eb093a3c742cd |
|
|
| c:\progra~1\common~1\log.txt | 8.18 KB |
MD5:
b0254a8b283ab468b77bfb81cac53662
SHA1: 001a44274b8fe2b712f90184d681fb075af7aaec SHA256: 6459a35b68effb5bdaf63e36fa8d83efe880dc163bad3872c4d83ac07a84ccf5 |
|
|
| c:\progra~1\common~1\log.txt | 8.25 KB |
MD5:
5d7d7a170995a091af7761ad22c51c18
SHA1: 70064f8433b9cb84e0f83846f12a90bf8f4ffcfa SHA256: 7d613e42e48dc33a11338655cc53b8eb396b6e2ddfe117f804c0dd88448df696 |
|
|
| c:\progra~1\common~1\log.txt | 8.34 KB |
MD5:
f36e456548f3e26089b97c5144ab1264
SHA1: c682e4b8a771e794c1be6e9cf7a7d0da44cd1852 SHA256: 801d3e80b277430e52cdc38933172c20021ff164c9ef28f178d37d652dd9d9a1 |
|
|
| c:\progra~1\common~1\log.txt | 8.42 KB |
MD5:
659605dc9c840b4920cdbe5ff1a384ab
SHA1: a860ab88217555c80161e3c7c520ccc618966dc2 SHA256: 54c92e6b739e13681082982b88cb36b31029e504d2389363b7afb5803a11ce9a |
|
|
| c:\progra~1\common~1\log.txt | 8.48 KB |
MD5:
a2df69d26881cdd0881205964a54f753
SHA1: 8832beef2d75802d8c457040e69a8d731ccdeb4c SHA256: 108cd455905d95cc2f5e4285c7a7d08059938004bd7022f0ed62abc0b81e8a94 |
|
|
| c:\progra~1\common~1\log.txt | 8.57 KB |
MD5:
c76df08b87fa1f62a93b626414cb97d7
SHA1: 53b97107c9b3a2eb6100019371c13b2119d92756 SHA256: d757a8e9efa759095e83ba4bf67e5d823b073fd0ef5ea13b3fa3c94349071332 |
|
|
| c:\progra~1\common~1\log.txt | 8.65 KB |
MD5:
655ce7d269e89b77d6a0fd4dec4ad92f
SHA1: 6bd241eb989b2627cc1473d6cfa3d42ef5d71492 SHA256: 9c78d551405273309351e9e2cf28733f2c47fc9f974343ee834e578cc9dad53d |
|
|
| c:\users\5jghkoaofdp\music\giwnvgbpa1ur\mjyhk4k\hxmo\i pap4u q1s wukv.encrypted.mp3 | 64.16 KB |
MD5:
fbf504b8c43d79bf12710aa384c79569
SHA1: 1007a31fdc468a1d1e41e2fe80116169cb41b754 SHA256: 7480b2a72af746e58950f7e29bd6c0a937f7b313577a277ed54bdb4ff8f44ac6 |
|
|
| c:\progra~1\common~1\log.txt | 8.73 KB |
MD5:
477a67305b895eab8ec5ff15a486a84e
SHA1: 5bd47a4af78410d536c46c1986192730f9de0f23 SHA256: a26e8ad3c9e3de89fc51793e99ee5a6576538008a01583ffb46d718380937784 |
|
|
| c:\progra~1\common~1\log.txt | 8.81 KB |
MD5:
841c3d724c5b78dba0905ff270ce647c
SHA1: 738d4018a060d4ead367ed02267210707237be6f SHA256: 051dc739cc739ccbb2f632aff661c911e00af3542f85aa186860ede8752c0e4f |
|
|
| c:\progra~1\common~1\log.txt | 8.88 KB |
MD5:
6e54ba874095704b17091fbcc629aa99
SHA1: ffaf4d85895bf56d8eef9a4f5fdc42f2e70386e6 SHA256: 024d7305b4c4dab4b1b1518026bca6caf2c85d3afcac5c46da01eba2501d7b2a |
|
|
| c:\progra~1\common~1\log.txt | 8.95 KB |
MD5:
0b3904ac428be265740b2a31f501dc6c
SHA1: fdf0461fc4c002b90ea95bf6295f56c9b425e1db SHA256: bc2c85644234d1cc30d1055dae6ca5c0d3621b1d6bb4f4500c9a199dc7cc9b93 |
|
|
| c:\progra~1\common~1\log.txt | 9.03 KB |
MD5:
9d4912c6563325aa065b877a54b5f8f1
SHA1: 8484097dc071d56d6524b8c602be71673c195e37 SHA256: 332323a3949dc817b2d7f3cc8cf0634d0a56e5fe1fcce3df9d818ac0224adf0e |
|
|
| c:\progra~1\common~1\log.txt | 9.11 KB |
MD5:
f6a939cec03374c29e8981bff0d8249c
SHA1: 9113f8ac89732c9767030a6090295232ef08ad0a SHA256: 5195971d50f6261dc316f94e4aa3010801beb3750356b66e185ea7b5bef42486 |
|
|
| c:\progra~1\common~1\log.txt | 9.18 KB |
MD5:
bf809c795ebc6c494249e1a06844d5ff
SHA1: bd5ad94d5aac73b51584947af59112d0e32f4c8a SHA256: 77b295c762896b0efccb6c33202b6424ae616ac38999c759cc70949b79e8be5d |
|
|
| c:\progra~1\common~1\log.txt | 9.25 KB |
MD5:
46535bde93514825740804e1eb713065
SHA1: ccc4919cf50b1e37d259bc0d0b7184263061944c SHA256: 78caf7007ac87822c29745a5308ecbd31e130ca0c359f852a4ff3788f348b8d5 |
|
|
| c:\progra~1\common~1\log.txt | 9.32 KB |
MD5:
56924a5ec7ad7205ae4673f2f7faa75b
SHA1: b1365f5b383fd6d6bfbd8c9ec3c95e42f074364f SHA256: aa2824d3d3109f5c5c4512b03e2e0beddae0f99d21f1105f261fac721022387e |
|
|
| c:\progra~1\common~1\log.txt | 9.38 KB |
MD5:
75c456c9d5218df26c160bb53e39d85d
SHA1: 869a2c08b561477f7e530e43de1d1899829dd8ac SHA256: d3ee32e4116c7ff0b864f5df5c0a5716150540ea9909fb24cb636daa43fe37ba |
|
|
| c:\progra~1\common~1\log.txt | 9.44 KB |
MD5:
7093d0fbf58989eb81d4c0ce6ec1e75c
SHA1: aae81217871a40494c6a4bf905a93f7706c0f65d SHA256: 9dc464f133f1b4685084e3ccd49b7c2ee689aee627a4c0be91fb34fc0eef9645 |
|
|
| c:\progra~1\common~1\log.txt | 9.50 KB |
MD5:
9e86da142495a98e706194a6ca666a29
SHA1: 445f12342cacf501bd548634c8c6ca1327b6dc3c SHA256: 63b0e6ae2c02e4aac96efe927352e87a672e71af34501fcec7b997fc5846adc5 |
|
|
| c:\progra~1\common~1\log.txt | 9.55 KB |
MD5:
8d1e807eba7a96e0468e0a940c414b5f
SHA1: 015e3623920f2c02b30d4e1b34fd8c10f9055532 SHA256: 15d450a4f0b5f08ba98341ea76cb8c525e4132b7c10ebcb0bbe3fb47216f64ed |
|
|
| c:\progra~1\common~1\log.txt | 9.61 KB |
MD5:
f4f7fd2873cd61bad61eaf45ad6b2e5f
SHA1: a16873e007b1b3a510dd1625e1dd93597a23292c SHA256: 9e97949d5546a54ed8108e0b22ee99f9621cb3e3424080dfd7d3b2a9638a7a39 |
|
|
| c:\progra~1\common~1\log.txt | 9.66 KB |
MD5:
4bd98c8628a8c5d3bbae031b6e1b14c5
SHA1: 6f126da84f97f0b6e2a9fe21c9878582ab501112 SHA256: b33286068f8dd78df2c31deae824442ec08c120b621bc1c54d466240526d246e |
|
|
| c:\progra~1\common~1\log.txt | 9.72 KB |
MD5:
61550a06b717e3d4d42468d716391bf8
SHA1: 7a760e866edaba814e742065819347b34f8bccf6 SHA256: 59ee3eea66ee7161c713b68350e5a995f7518b2df61b9b237c7a993d45ce2f0e |
|
|
| c:\progra~1\common~1\log.txt | 9.78 KB |
MD5:
00496c196013bab55ae9719d93476c09
SHA1: 72a3064eafd6f2204d92caa570deb2e16f2120e9 SHA256: 1f3ca248164b596dfc88010ac10bf159062ae4178405b0cdaeca8b4fb58958f7 |
|
|
| c:\progra~1\common~1\log.txt | 9.84 KB |
MD5:
fabe4b9e02d873a6ced2eb252dbe2f45
SHA1: 0aabf1abf4b26b44a675cceb40abdcf90b292066 SHA256: 3adc501f238d8f379367c5b32575abc92dc9639c71b112cfb66c81707a342f18 |
|
|
| c:\progra~1\common~1\log.txt | 9.90 KB |
MD5:
5910a70c71ed21b6958fc6e89c6be5c3
SHA1: 24e149991cf3d774218f3fde0cf04d1097d2bc8a SHA256: c0ee8e00603c2c48fc7630d0304652e6fac08c7d2702942d721bc7071856a33c |
|
|
| c:\progra~1\common~1\log.txt | 10.05 KB |
MD5:
649b34b1e7690776149d07833af261fc
SHA1: 1a47bd60f9bf8b829ba1df31bc29a56981765c84 SHA256: 2fcf144cf63e4639490e2df020f027f02881cf2626fdefa0e0a1bf8692a46ed2 |
|
|
| c:\progra~1\common~1\log.txt | 10.13 KB |
MD5:
c3962e39ec875be51009c1db27899f4a
SHA1: 67db9b154d01f96db61435e1d2fbbeccefcf5c93 SHA256: eea8dd46eaa175431d8ddb0d857cf162160c93b362f218233c68b2a180ea513f |
|
|
| c:\progra~1\common~1\log.txt | 10.21 KB |
MD5:
4d9f003d300c0b5acf11538952f8a647
SHA1: 9bc7c84d35a1655a578c21eedcd4a783841e0e0b SHA256: a4de8a48f912e9d5dfd4b36b734b3e173f264c33de693b5f0d266d76b3c2177a |
|
|
| c:\users\5jghkoaofdp\pictures\eokirfg2ostb_n\dwey5ysxf8zdvlgtk-7\6oagzbr.encrypted.png | 56.30 KB |
MD5:
8f2795c1c847b7d984c9a309ecd97fe8
SHA1: f8cafcd5e205d145f9d102d0cccb179b7e4c4f5d SHA256: 0ccd5c783c9502062e2fb85db1007048e500a7c9629fd13781b96a3e0375233d |
|
|
| c:\progra~1\common~1\log.txt | 10.29 KB |
MD5:
76880b66027cf8fcc4a09ea05a38cba9
SHA1: 77c65ffe595c33b2c8d7782d29bf4ccc9568a976 SHA256: 7c91fdb52232364c1d530a2a3ccf0229346b355a0255393dabf9b9a13f04267a |
|
|
| c:\progra~1\common~1\log.txt | 10.38 KB |
MD5:
17841a79582f38f8cf69e5f5576559c8
SHA1: 7c0bf9987d1147e987ab1baada6a3e9d2187a859 SHA256: ca51ef601d8261eab0b1181877ba44b6d196ef0f44c8e56270579cd8dee5d48f |
|
|
| c:\users\5jghkoaofdp\pictures\eokirfg2ostb_n\dwey5ysxf8zdvlgtk-7\ysnbzv2wpszu7yvhi.encrypted.png | 21.56 KB |
MD5:
fa234010dfb117d308c514a95dcefc0a
SHA1: 6c0828e2ca18a4345daaa8886351f38c3b16e280 SHA256: 7ff963d02c9505e00e51c209fada4867b23c9d4a1028dfd226b5e04ed25a0658 |
|
|
| c:\progra~1\common~1\log.txt | 10.48 KB |
MD5:
46cadae9f86a710059270a62062d85ed
SHA1: d908944775f3963f9e6533f926e1a609ac9d3e33 SHA256: 156c08a0e5ed5038c067c873eeab52b11dbef55b89368fca65832a6d5d7a1fa7 |
|
|
| c:\progra~1\common~1\log.txt | 10.57 KB |
MD5:
8b8cdbad2a40771a1d7cefde28c35cb9
SHA1: 38572c8a505c3f71e8df02b671ad365e82c4aab2 SHA256: f5770fb2e1218fdda54d5483f40242515dbec6382035baec73ab9bfd3bda35a4 |
|
|
| c:\progra~1\common~1\log.txt | 10.66 KB |
MD5:
7ec312c2c2ab3de7b3ebe95e357108b8
SHA1: d34b0ff7351c27e76a65ef107bfacfe4c0b0c2b4 SHA256: a1ac9ca0dee76cb830a09f0bc02774bd29d2a694cdf12b0b3968235a682b1595 |
|
|
| c:\progra~1\common~1\log.txt | 10.76 KB |
MD5:
f1626036f2856e7f1b0f17939b4806c6
SHA1: 32eb0a7f9f134cb94b2843e15bc5a8d0aaf8b96e SHA256: 20dccfd9672180eac05f350b7fc5079937c668795a8bc06c4115699ac9933701 |
|
|
| c:\progra~1\common~1\log.txt | 10.85 KB |
MD5:
dc6f4b812d212decdfae0d0e4ac685ab
SHA1: 43a3047787c4f2b0dc5a853992f61000a27d750a SHA256: 207856b64aa132ac1a0382ef5fbe2a0393c70e2e2171e45476a0eadc6f254e41 |
|
|
| c:\users\5jghkoaofdp\pictures\eokirfg2ostb_n\k2gr3uxs6xidwvxov5og\roxu_ohrqz3alul1vav.encrypted.jpg | 2.05 KB |
MD5:
edf3c1dd2e41ce0583b6ec25c939f4c7
SHA1: f5b00ca418bd577ffee761028a962aff4b659cdf SHA256: 7eae1c00a9219bf4ce8516deff8b0e86f2ffbabcfe9cb7452c6285321a2c8b67 |
|
|
| c:\progra~1\common~1\log.txt | 10.95 KB |
MD5:
a2f8c794784121b83db70f5e380d43d9
SHA1: 397108b565026191c2bd82930a68677fc8a85c63 SHA256: 48538978fec988acd7850482b880511d30be3f255b097e12e32c238a0235cbd8 |
|
|
| c:\progra~1\common~1\log.txt | 11.04 KB |
MD5:
0ae9d50187251bee1f5ad87bc99b05b6
SHA1: 6b8a1ffb4f5f55f79273461b15ec3f7ea40b08f2 SHA256: 86d89c93781dcb45ca68ac034df40e1d3f0d84ff6dd267e6b29dd3bab5ea9e06 |
|
|
| c:\progra~1\common~1\log.txt | 11.14 KB |
MD5:
20614b3dc9904ccd2597f7d2885a5f2d
SHA1: 16eaa4b9f091496814ef5c9ce5bb23ebada90ba6 SHA256: 3bd09049841efc08259b58e84dfbc88c3021c7c9c0c53c8a67627a16bfe44629 |
|
|
| c:\progra~1\common~1\log.txt | 11.22 KB |
MD5:
3cc9399b066ec3da59498518bb0f59dd
SHA1: 638e892b8f8bc9402da48ad51a86fa5020aa6d38 SHA256: a35029aa707b60198cc8ca752ad2b4b2a93d5e096e5b5d878743f03545165202 |
|
|
| c:\progra~1\common~1\log.txt | 11.31 KB |
MD5:
c98368bf6a1173fc951bc2ef1848a500
SHA1: f6fc626bea1dcad8eab4e30c4f2453562b1e3f06 SHA256: e9b3eef78066aabfb65a32f704c4797532a0d308d80eadfec80871abe86a44bc |
|
|
| c:\progra~1\common~1\log.txt | 11.38 KB |
MD5:
c68be4d691a5b277aa5a7943480d0d83
SHA1: 17cb4d27531015e8085368cd9f4c41c089641984 SHA256: 5a402b1a3cd47ed06fe3799666bb82bbace58885d42432309d5c19fbe8c327ec |
|
|
| c:\progra~1\common~1\log.txt | 11.44 KB |
MD5:
ecfee9f1909a95b50a17510d9a3d52c1
SHA1: 0a522b928d55e37c3f8335bf6195cc2772c9cdea SHA256: 4d327f56f7e1e9d861bb26ae4c0d90e8d96aa6011924e46c0bde1b209e0f24a3 |
|
|
| c:\progra~1\common~1\log.txt | 11.49 KB |
MD5:
e499bea931a8c100721c15b7d95fd503
SHA1: a16efec030d29e0f642e4fc94bee14ec118f6f24 SHA256: d53251f1cc0c9f5a807432e195bae5ef2d91b6d43502cfa8cc4b3e31ca6dc806 |
|
|
| c:\progra~1\common~1\log.txt | 11.54 KB |
MD5:
8cd4b9684f6acf0cca696656c65b19b1
SHA1: 38e62d1b28a0b8d19b650f6078e3e6145f4fce8c SHA256: 51091fe7fdd53eeaa089985cdb70fff90f0357694f5ab907d87eb8d93a23f590 |
|
|
| c:\progra~1\common~1\log.txt | 11.60 KB |
MD5:
5e7d17fad19ac5cce3d9171e91f2463c
SHA1: 645816e5f70bdf57b30599423a40d3f90c6d0378 SHA256: 9c11242fad37af9d8cfaf17c3a2dedbccbd268a8fa1f517ec067d25140d9dea5 |
|
|
| c:\progra~1\common~1\log.txt | 11.68 KB |
MD5:
27f0f9e99f213c21b98a03ea7eeac627
SHA1: c0cdb57fa7928b37456a0e752d4f5590be52e59a SHA256: 24e6425acbac316d0d1ce1af453e9973adefff27810e076cb713728e7d1e3a5b |
|
|
| c:\progra~1\common~1\log.txt | 11.74 KB |
MD5:
392dd136b6a925746c8c75af851bcb4b
SHA1: 31a3934ea0761d824c3647d9d8f77ec2beabe166 SHA256: 7119882fd9871bc95fd066d52df8648eddbf6a213a064d16a84cffba58a170d1 |
|
|
| c:\progra~1\common~1\log.txt | 11.80 KB |
MD5:
ea32f2653f2f885f5d999ea7bd668752
SHA1: 3f5c702c16c318e3d95c19528c760f486061fd72 SHA256: e9bb50781cac913715aeb8334f839d3ffc42fc006d0ea8e33cdf872bfd0bc752 |
|
|
| c:\users\5jghkoaofdp\pictures\_lrt-tcrik9qqhk2-\yg wf7 j.encrypted.bmp | 71.19 KB |
MD5:
63a496be7a74a2cb702b8723670289a4
SHA1: 2e1a6577e595afb690f5f7417d64a0a0fe686fbe SHA256: 6ab2e4748ebffd3ca38f75369ec874a617f0d4ccf257bd2a602a3bd3afaccaae |
|
|
| c:\progra~1\common~1\log.txt | 11.87 KB |
MD5:
3ba07e62078a0a5988fb5a39022345a0
SHA1: 3f3007afbe06a95d113e4aa723f036cb81bede4c SHA256: 8c0775e4f6c1d7a4438e3d20ca6231cd59503ef4e9a3f9cda103bae4305fbc1a |
|
|
| c:\progra~1\common~1\log.txt | 11.92 KB |
MD5:
977685382fa76ca6cc7a9555d8f0a8d9
SHA1: ff0b5376c5cba4d53e803346b0906ade37d1a1ad SHA256: 1d0399a37211ad3f6ec7baca6bf4208c55f76ebf4f326a88895280c80b4dc0af |
|
|
| c:\progra~1\common~1\log.txt | 11.98 KB |
MD5:
cdbeef58d741aea8b64be002b23acc1d
SHA1: e6dd739ad04e9f4da0a8832b150b4463c4d6fe38 SHA256: c788d874fc2f2200a86283f06dfbb1496b5ee03aa62a11e8fda1c86d73be882f |
|
|
| c:\progra~1\common~1\log.txt | 12.06 KB |
MD5:
60acd51876b75d62960ce347c7f9bda6
SHA1: a7d09a6cbd5cb55b4c4b5c5a140e15af3d4c4d66 SHA256: ef638f1b45f049af6f8098e7f5a81dd3eeb9e78bfddf32e0360622d4bc70ba1a |
|
|
| c:\progra~1\common~1\log.txt | 12.15 KB |
MD5:
3ffad35e9c16c1d7d867f629d6ecd117
SHA1: 2e43127959ed4cf0f8c7edfa383ad5dc9ff54851 SHA256: e49f28f98050600adf8b79ccb51b2c423c167efc17fa84b9859b88259aee2f53 |
|
|
| c:\progra~1\common~1\log.txt | 12.24 KB |
MD5:
19b6c7055b7e75222ebbfe7e975e101e
SHA1: a860cb25a8d59afc18992e838ae06d230864dd79 SHA256: 8912b16b8eeee63ee3eef0f12ffbe33185ca713579a9acc7def5be24797c790d |
|
|
| c:\progra~1\common~1\log.txt | 12.32 KB |
MD5:
c7519e7cbdb9fddd646a164d2676039a
SHA1: bcf0d7706f5e0c7a8b0330532bd1a557371f37e8 SHA256: f1e2d841f19c4debaf0507fd56be151c3edf70d4d827a021235bccbbab566f94 |
|
|
| c:\progra~1\common~1\log.txt | 12.40 KB |
MD5:
1a030ae4bafee0e5c37d1eb8da50aaea
SHA1: 97d4465834a60f061fea03e6de5fa2de1965137a SHA256: 8b031346f41e6b72be998801b78e3bc2e9b7e2177413d961fc9ac876afb6a3b7 |
|
|
| c:\progra~1\common~1\log.txt | 12.48 KB |
MD5:
9048de1065eeecd05c04febb2e042d85
SHA1: 34ec43ea31c910fe141e5d6b5f664174961fc381 SHA256: b4faf3a495f4f88d728cb7c6bfaa1bf90bd9886b453ab9eb59983b6f0f093f6a |
|
|
| c:\progra~1\common~1\log.txt | 12.60 KB |
MD5:
52fa6c5477ef52fe36623613c992517f
SHA1: bbd88ea01d05a028ea8a962e6b69531b3158b892 SHA256: f4b4f655461261a7a2fdaefd06da2411adc16ed040600e9ec218813def44268e |
|
|
| c:\progra~1\common~1\log.txt | 12.72 KB |
MD5:
e8a8e6aa2c5e5d7edac8455d6c65b699
SHA1: 1b1e8b34174314d418302a857c6f7d9bbfb65f8f SHA256: bde1b3b5ba1513c30611e7305fd305b4630a6aa5bf283a5eb1e2eacf8c2818dc |
|
|
| c:\progra~1\common~1\log.txt | 12.83 KB |
MD5:
08886a7f49b2f37dd294849ad22c5baf
SHA1: f7b65f5d4c841062cf7427522fb895cc27f6d316 SHA256: d122c78536a2765b71a54fb583f7604598318e952bb8c9146338d8e14db91b82 |
|
|
| c:\users\5jghkoaofdp\videos\w7mj2euig4vnsi\i34vb8v\ly9pykmqm52kjo\74ljzjj6v\9n8-jbx3bqwx\kg1tsubk.encrypted.mp4 | 33.44 KB |
MD5:
a7603c90abded5a21735590c91550907
SHA1: 4016a33febcc98f1df9723f2d5d4fa99c082949e SHA256: 877c54e981228ba7bee20135dbd310960169400bc651e6deb66717dfb3b05288 |
|
|
| c:\progra~1\common~1\log.txt | 12.95 KB |
MD5:
7c647eb7c30535b89eb83519fccba079
SHA1: ba739418f3c8f4b3d0195567ba4d385a4616b6f8 SHA256: 10526c4ccba16ef143abfcbfdfe7a861a37eaee328465f1e0e0d49dd3bd80fbd |
|
|
| c:\progra~1\common~1\log.txt | 13.06 KB |
MD5:
dec53fe6810bb8d6b3cccc0cc3b611fe
SHA1: 531f988183bc54017cf5c473fdd519441bd62a8f SHA256: 822a7a8d9b8e559e9d22a3e086c4d21a7c063c9f465f4c82bc86ac051c12e37f |
|
|
| c:\progra~1\common~1\log.txt | 13.16 KB |
MD5:
648df55acc105e9ce332b5776af72675
SHA1: 2f6c2443761920da7de78259fcf377dad5e8f747 SHA256: 87a79f7d0e2320c732510239b47582c8373fe7278508a654a54c172facc63be1 |
|
|
| c:\progra~1\common~1\log.txt | 13.26 KB |
MD5:
66cc2d8cdf3d525d0d05b702feaf67be
SHA1: 1f76af5bad116219f5cf6e8a29a28b16b47c01da SHA256: cc91bc4e66e62833b415c6068d4f9037b9e795cff1b831b77317dd4da86d860e |
|
|
| c:\progra~1\common~1\log.txt | 13.36 KB |
MD5:
6a4259d013b78d7a92dcaca11408e12a
SHA1: 27a07f4ed60e49f486fe5ca4358992a12a511ab6 SHA256: 45eecada46cc99d53530c2dcae123e34483f46ca4b755fdc7be565aff13e0301 |
|
|
| c:\users\5jghkoaofdp\videos\w7mj2euig4vnsi\i34vb8v\ly9pykmqm52kjo\oy8pi.encrypted.mkv | 94.47 KB |
MD5:
a5e8c7dc8bae9496f8a6d8153e07293a
SHA1: 0a8258d2b400088ca3c716f5eaa3969aa68b73e6 SHA256: 2e35c7ad842452bfa211685333e2531343b63c851859bfd4d39d862c8be8e406 |
|
|
| c:\progra~1\common~1\log.txt | 13.44 KB |
MD5:
87b38ec3706e01efb6f91385284d3024
SHA1: fc6836bf48c0f74e7f9d20bcee07f73bb7bd2c1a SHA256: 0b77a534068ee2583f3d7ba3be1742543eb267845aa9ba8fc40b08f1c48ecf6d |
|
|
| c:\progra~1\common~1\log.txt | 13.54 KB |
MD5:
ff0ed29088e0edaecf9dd902e8236342
SHA1: 9196e790c2dda3742ed7e4fa42cdde6fcd316927 SHA256: d56ba18faa44bbe51002b93ac8380eec1b0d174c8be8bc5a4b307d23c711cc19 |
|
|
| c:\progra~1\common~1\log.txt | 13.62 KB |
MD5:
4924bd526d2b559053d1a1cd46c86c50
SHA1: 164ffedc504d243e92da226bc0c0cb9d01b8de69 SHA256: bea8a3b108813705d0eb903e9cbc2a8e8881b3293857a590650063d95d823725 |
|
|
| c:\progra~1\common~1\log.txt | 13.69 KB |
MD5:
506560b0c2df57a0e7d6904890ea7b68
SHA1: ae3c3ec2c361fa01977e814f7f20b8fb4b3170df SHA256: 39271b1d5d56e412468824f7c3f8c445f9e9b3bf7a62c495ec2b044e8d29bfae |
|
|
| c:\progra~1\common~1\log.txt | 13.75 KB |
MD5:
2ecae0c38c5ca5c9a5758e2ffe84163d
SHA1: d3d59a6832a4bf610c5baa5f3a348eafde69b3f4 SHA256: 32a9200839e8cff8e1d433106a5ad0ff83761228f51a164cf51ecefd4b85249b |
|
|
| c:\progra~1\common~1\log.txt | 13.81 KB |
MD5:
5a5eaa20e485e91921f6195ae5344ab0
SHA1: bc371cb76a7b1861b756e6e68946ef1124eb22b5 SHA256: a10e6e70b5349741a49fbec2bfb1a71c3b01ddafb4c43ba695999f7258191c06 |
|
|
| c:\progra~1\common~1\log.txt | 13.89 KB |
MD5:
2f824bf96ebe741ccc90083257a6fb35
SHA1: 8757189799e38d0e7db7422a2c80e9eaf91921b4 SHA256: 7723eb7604181acec5c4b48d93f6e8f14ad9a54c87dd8db789b40e801baf1020 |
|
|
| c:\progra~1\common~1\log.txt | 13.96 KB |
MD5:
c1506e05a8aa27b77e059716022c6612
SHA1: 8dac960840e90c3170cffba4d4a1c0dfdd9b268a SHA256: a2e14d3915111e3ef4cee5c9c85bf53ac1b8d2c4e52bc214ec181a1c7a8c7391 |
|
|
| c:\progra~1\common~1\log.txt | 14.02 KB |
MD5:
880264dd6260c475813a67e91c08bda7
SHA1: ba3316ec538b3223c2ed02d9c044df049f281a1f SHA256: 4747d4d4e093ad2d0dfa078ef23a1862c54f535b157154fc59a3765c84a06c09 |
|
|
| c:\$recycle.bin\s-1-5-21-3643094112-4209292109-138530109-1001\desktop.ini | 0.06 KB |
MD5:
ad0b0b4416f06af436328a3c12dc491b
SHA1: 743c7ad130780de78ccbf75aa6f84298720ad3fa SHA256: 23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416 |
|
|
| c:\$recycle.bin\s-1-5-21-3643094112-4209292109-138530109-1001\desktop.ini | 0.13 KB |
MD5:
a526b9e7c716b3489d8cc062fbce4005
SHA1: 2df502a944ff721241be20a9e449d2acd07e0312 SHA256: e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066 |
|
|
| c:\progra~1\common~1\31236356313123635631 | 0.02 KB |
MD5:
534ba7f58d2383df110e324ce7877164
SHA1: 4ebb3d39f3ff3bac77305c960088269c5b20341d SHA256: bbc1a1f0ab880d8bd0f6777ef3f6c4cd636625298476f8e0e0cf25fb939760d2 |
|
|
| c:\users\5jghkoaofdp\appdata\local\microsoft\windows\inetcookies\l7fpzpa3.txt | 0.11 KB |
MD5:
fe7a5661d33d1a8b2add093182a145fb
SHA1: 001bb8aa2128e494078e50029da90f1fa34bbf3f SHA256: cfab67a609e80a615c40317b623150f43e8c64cc150b2eb85a3e5edb226406e4 |
|
|
| c:\users\5jghkoaofdp\appdata\local\microsoft\windows\inetcache\ie\vzk262qe\tobtc[1].txt | 0.01 KB |
MD5:
2d5ff58f4ffc20518b8e3cded84421bf
SHA1: 36e98d5ad8e2b5de42ae82c25549c02c63f02a1e SHA256: 1d9b13f4761424ad004ed56985c8dc3ad69e6996f74547f464f1ad4349fe00d6 |
|
|
| c:\progra~1\common~1\1365363213 | 0.03 KB |
MD5:
1374a1c91dbf1c77c604a580e37d454a
SHA1: 7dc2c0c7d31ddb0ccce95e82b9d2bf27635f3ea1 SHA256: 98ddcf3bbfb487a6539da554b3d1651c246f9344ce279e7b5cff04af5dd0d551 |
|
|
| c:\users\5jghkoaofdp\contacts\asdlfk poopvy.encrypted.contact | 1.16 KB |
MD5:
f0e180c4dfc9297901d6c60e05bb69b1
SHA1: 97a05ac2303a70c2047b8fd73f44e1948d78472f SHA256: 5e90928653df10fd6296a38bb8bb2ae07bd0a46fa749344b94c935e905f1bb16 |
|
|
| c:\users\5jghkoaofdp\contacts\chucu jadnvk.encrypted.contact | 1.16 KB |
MD5:
401dac3b53b085df0bbc9c7bee1b1160
SHA1: 21ac7942832b5e67178d76cf9059f3bf8768c5ae SHA256: 1e9d5c3f56abd0278799eb1db5eefd5d9229375b7d0e12fd37111b64925c75ae |
|
|
| c:\users\5jghkoaofdp\contacts\sikvnb huvuib.encrypted.contact | 1.16 KB |
MD5:
9de2ae09951055163059ab62148a41fa
SHA1: b2aaf542244b104988a4d556de976c0f7ffc1481 SHA256: 63d711583de37f2418cc857fc21c7e318433481b6782a50e866fd1aa91ff2e4a |
|
|
| c:\users\5jghkoaofdp\desktop\1tb75wbo1.encrypted.mkv | 86.17 KB |
MD5:
99a001ee5a636290d0072c82dd7f4328
SHA1: 6d5410d338ced61899572e0505b6bfea14ebc098 SHA256: 990c68c96bd3fc6324890a03213f2fd2c9d9ea7c22dacdc38f11bcd1c62ed4aa |
|
|
| c:\users\5jghkoaofdp\desktop\3ezx86sahxtw8_.encrypted.m4a | 71.56 KB |
MD5:
b1ac4577a3d33a2d15833f4dee811d22
SHA1: b14bbc2566544f0dd612163dfe1c9ffdafc95804 SHA256: 25b42f922f9ca7bba55f58c94f6ae45a49e827b78d26bc1a7be05d7224fcb8cb |
|
|
| c:\users\5jghkoaofdp\desktop\3jfxkhsyxeb-izzig.encrypted.jpg | 68.11 KB |
MD5:
0a504129cab7defe6c712687b9bf68f6
SHA1: dbac2d59a9e18069531b1abc809a21513d50dcd8 SHA256: 8a290a9e3c410c409cbcb73a3161009d86dda59ac9d4f930a9c63b64eed91e9e |
|
|
| c:\users\5jghkoaofdp\desktop\4rd-.encrypted.mkv | 9.05 KB |
MD5:
605ddf7053c6403cb5d1418aaa8f54e6
SHA1: 01106b1381bd2f2631b5ea07b6ff6aef9c126de4 SHA256: c1b2ee8d2345b57b5795c55980744a0060347032b3d3b98a7a22e96eadecf701 |
|
|
| c:\users\5jghkoaofdp\desktop\5bxmcpnoungldmora7z.encrypted.png | 96.42 KB |
MD5:
0efd1705d03f89e7ecd32cde3d153b53
SHA1: c1c94c0bd406607c381f4fb5c45b29390edb6832 SHA256: 4304b2bd29be0b15a7dafb82831f146ef05b5b23727b193c11a15de822193380 |
|
|
| c:\users\5jghkoaofdp\desktop\5y0kuhp.encrypted.mp4 | 36.70 KB |
MD5:
84d60144cda55673a9ae89596905ee7d
SHA1: a7ee019e98a59c4d5b1234bd912e4ed5f3128219 SHA256: 722762d45da17ffc825e1bd3dc3e1a903b40de5dc2d2af6884695767d91d39d2 |
|
|
| c:\users\5jghkoaofdp\desktop\6ejm6ng0-2a.encrypted.mkv | 15.72 KB |
MD5:
ef3b1ce037a7608c977fb8d4201c2411
SHA1: c3c9fbe6d21e1187e4ce70e113ebf6637f9bbbdf SHA256: fb59e7adc88a5a2b932f5303c3950f8b378bf78c85f61f36f97301efa665ba96 |
|
|
| c:\users\5jghkoaofdp\desktop\7ovr2-ym3wc.encrypted.docx | 36.98 KB |
MD5:
a4ea4ad74696586b8fc0d6e2129b4ebd
SHA1: 33f41c770bc542b75c2195fdb149859f0c86c53b SHA256: 25920e46619b83fb5c9a0c2cb96f7da5379f45e544b8de264e6ee5adfe7dac8f |
|
|
| c:\users\5jghkoaofdp\desktop\8hc8iqmy0zp.encrypted.bmp | 75.67 KB |
MD5:
281e34b7a6bd5cac76831f6c5f3cfca4
SHA1: b5d52514f52c399feb48b95f1d60bacebc0be2d1 SHA256: 1eb619affc86a31fad4e6f46370023194e2aa0b68f2812d1cb2d1062177061ac |
|
|
| c:\users\5jghkoaofdp\desktop\du_jqkduq.encrypted.avi | 86.34 KB |
MD5:
e50c80d624403d8c5462d22ce503b6a4
SHA1: 5f2616f7a220d5dad4e8a9471d9558e55b3664c9 SHA256: 6ef6f9dcdbe94472a81ce962c69011be7e3cd14e511cd67cbadd57d5d85cd98a |
|
|
| c:\users\5jghkoaofdp\desktop\en3ltfi-_w.encrypted.m4a | 85.89 KB |
MD5:
a6e885b265777891629c86322087ca37
SHA1: e3bf2876df603cc62000cd580d709a36fdfdfdf1 SHA256: b38a69db08651e174b06baf0eb5ae9c5071942cd640a3fda044b16f261623dd8 |
|
|
| c:\users\5jghkoaofdp\desktop\fuic g1t3bfvb.encrypted.m4a | 94.89 KB |
MD5:
a2f4c9240b4a055fadb7c7b41aa63977
SHA1: 4a206bde2e6d74b9fe4f0f3f69ebe58aefe71f5c SHA256: ba31b471ef1c3263d6319be697a07570d7a047618dced435c8b3bc28123fd3f4 |
|
|
| c:\users\5jghkoaofdp\desktop\hu jzpl4k\7o8asytjbz0p_imc9ins.encrypted.mp4 | 24.84 KB |
MD5:
be5431d09b39e681c1ebd5b4866fe507
SHA1: 50876f281861ac1ee73ee4b9608bf0ff1aae8af4 SHA256: 331ea59b8138ed4486a8499621a28fb7d8757f8cf366a2597c5b0b18d16a59f4 |
|
|
| c:\users\5jghkoaofdp\desktop\hu jzpl4k\7r1-ym.encrypted.mp4 | 17.34 KB |
MD5:
f1a0797a312ef2865e7518069278b75d
SHA1: f8ad6a96f9f46a629f6ae85b77f4e4c79144fce1 SHA256: 29e5ff28a1652689100d47ca57f4de13d61b73c4e334d7ea710ca844283e014b |
|
|
| c:\users\5jghkoaofdp\desktop\hu jzpl4k\n_djibbbqt.encrypted.swf | 80.17 KB |
MD5:
728e4cae734a0f0473a85f1acb5542ea
SHA1: c9f36650004d58c61c56e39d305e93e7dea2f838 SHA256: 2689fa83c5e3f287cdad8fce774e87208c2ea9cf0ba9e4fefc5ec16f6ff4d7a6 |
|
|
| c:\users\5jghkoaofdp\desktop\hu jzpl4k\tvm0d.encrypted.m4a | 86.94 KB |
MD5:
12b9cdd108b820c0b6b7e5162970ab35
SHA1: 971836bdc401f5c2df370bc7a4ddaf3a0bb2ec56 SHA256: 9d450089b68f35d3e9d32c2052812e78ecf8fe10d8dd383e1e23e6000f736ca7 |
|
|
| c:\users\5jghkoaofdp\desktop\hu jzpl4k\w8bv jh\dex2qsw8ygpwbqs_.encrypted.ods | 58.97 KB |
MD5:
4407dcc2ee93968117a09e2bf7d2b11f
SHA1: e1de73ef600cdd18c1f9c058ed9600e3a4dea543 SHA256: 5a927b0d172e22571d0159aeebc665423b571b25c3ed7416f23b737f43b1a93c |
|
|
| c:\users\5jghkoaofdp\desktop\hu jzpl4k\w8bv jh\ejdtg4n_t.encrypted.doc | 41.30 KB |
MD5:
e81fe0d88506b529ad4e8fad99c075dc
SHA1: 5263cea58289747006c72c3c3c4134f0a2b88a2e SHA256: 1a9f63bfd59a3de5aa9037f94f6bb518036a8f8651057991fe43a3ea3a1fca6e |
|
|
| c:\users\5jghkoaofdp\desktop\hu jzpl4k\w8bv jh\foc_mfqo1nsfns.encrypted.jpg | 67.31 KB |
MD5:
c9a3323377e36ea16b1f568d75987f95
SHA1: af0806bc2892816813f2a540f81738877d9a8393 SHA256: c69b0eae037fbce474385fe4f0e353c372a9596d61e1c3db0136234a5b934e0a |
|
|
| c:\users\5jghkoaofdp\desktop\hu jzpl4k\w8bv jh\iqi3hzwu_m.encrypted.bmp | 2.30 KB |
MD5:
25117edbb7c410aa9c71840b51bda897
SHA1: 05433737e213074dd7012213e5f0cf2eb7975952 SHA256: 5594475dca1a2d511495feb482d6b4f8a04ce69aa93470d1b131f2e109d33d92 |
|
|
| c:\users\5jghkoaofdp\desktop\hu jzpl4k\w8bv jh\mmkedf5rp.encrypted.avi | 7.97 KB |
MD5:
f390e47d07cfc542a65218151c840be9
SHA1: 2f7c977f8b34d2e3e4d81884f2fd825003aa0de6 SHA256: 225447fed46068e4aa1cde22528adb68427109fa54909c1905a48abdebe5412a |
|
|
| c:\users\5jghkoaofdp\desktop\hu jzpl4k\w8bv jh\weizf.encrypted.odp | 57.39 KB |
MD5:
d2f21d46411dd7d6e9b5308261db46ac
SHA1: 58458fecf771156dd39c826ea5aecc6825926aba SHA256: 45925d9363450d900c84ab875bc57f0b00256fd0bf9f078c485602fc0a598172 |
|
|
| c:\users\5jghkoaofdp\desktop\hu jzpl4k\w8bv jh\zkq9sxhvto.encrypted.wav | 24.48 KB |
MD5:
3cba6fbf60b52fc4e6b4a26ab8f78763
SHA1: e1d76798f79a3629998066369b1357c08408d77f SHA256: d3649d1b43c47a649f23551a082917722a4c14a381b52286a2b16c74b2b431b8 |
|
|
| c:\users\5jghkoaofdp\desktop\hu jzpl4k\zw2fdo8sme.encrypted.jpg | 38.44 KB |
MD5:
0bb7947c4194a0cf9e01ee9ab423cf62
SHA1: 15461335cd76cad4146b941891903e1a9c6ef535 SHA256: a1e409e0ce74aa6f1740c960148d250046c15c51fb70173120cc0b853bbed1c2 |
|
|
| c:\users\5jghkoaofdp\desktop\jk2_gj ztujc3mt6f\0hjckm1rfpkx.encrypted.m4a | 4.27 KB |
MD5:
69413ceb84c5d076dfe72e607d100498
SHA1: 81c4cb88812190c27fa50f9cfa5296fd15eee443 SHA256: 7a0e14e2e08a28d15f9cc9b9f38f3f98160d241c592ceca14ecc1905bb2f07fe |
|
|
| c:\users\5jghkoaofdp\desktop\kjoyg5.encrypted.avi | 2.17 KB |
MD5:
39a9f3928b913ace6fa94994570099af
SHA1: e6f938f483e81708fc46816b50029699f9d2d413 SHA256: 5f5200422fceac69c8487bd5f13aa381a60775a220ed8137a0db213d01a9a1e0 |
|
|
| c:\users\5jghkoaofdp\desktop\lsm4takhswwyuuylx3j.encrypted.bmp | 98.97 KB |
MD5:
5db45673f8b944533b75157334454b9d
SHA1: 74bbf97ec262ecb267dfe00441008da5e10f6557 SHA256: 73aee3bd03a20644361dfad4f9bd88b5a0428ed6dd81c376f2a738e5ae1a3188 |
|
|
| c:\users\5jghkoaofdp\desktop\pokcza.encrypted.png | 33.44 KB |
MD5:
fc9c8a5d83a5f65c43521bf7fffd87bb
SHA1: 5432438399a6ac3c374b61ac524d7e71be039e76 SHA256: e2825314ba3d66c1dcf557b2021fdc18e5cd5c1c61070293adeb7f827eb15872 |
|
|
| c:\users\5jghkoaofdp\desktop\sf29dhov5.encrypted.swf | 34.20 KB |
MD5:
2c2a24afa2a9b4b1a456869387c4670d
SHA1: 80736ce3d860a10184f2ea5fc9c23b5ccab2b3b2 SHA256: aa1663c7b6379d90cf21c3fb416751da271b8193003311d59399bac09e8fd70e |
|
|
| c:\users\5jghkoaofdp\desktop\vrbefmij3.encrypted.mp3 | 32.16 KB |
MD5:
fb2317b11639fd6f2f1a7f145a2e6dbe
SHA1: 7fe8fb8ca07d281cf56b36e430792e33914c64d6 SHA256: c094b333afd5a9a84318321a2bd142b039e08d91660ce8f5ced44b96a3b92fbd |
|
|
| c:\users\5jghkoaofdp\desktop\v_mff9fkwkwn.encrypted.gif | 85.69 KB |
MD5:
cde01367283726ce034db3d9c01db0d9
SHA1: 2a6a3b20b240d0c6adb314bd885b9a672d0d128d SHA256: 5be03442ccc9c4e419c92ecb2e1b8a4d50a5b9f540e6901b9462256128c914ba |
|
|
| c:\users\5jghkoaofdp\desktop\xobzgp-nq nymn\kaf1 oga4cxdi0az3.encrypted.avi | 68.06 KB |
MD5:
cedce463cf28afe729ca854cf1144cb4
SHA1: c02cbde4d6f3894de47c8dc56d631201e433e02d SHA256: 8a5d9a484c80b667fb2c369408991db0c02b66b73fdbc67da861141d13c2d5e8 |
|
|
| c:\users\5jghkoaofdp\desktop\xobzgp-nq nymn\msfbqyvew1.encrypted.m4a | 68.39 KB |
MD5:
aa46e02c7d788b20079e3fc51eb8f28a
SHA1: 47d86ed30690a91fbdc52cf5652771e0bde3cef2 SHA256: 14a5c1e6d572e165eaf188e4f57164c94452a03d1e7ed662f0a19fac78326adb |
|
|
| c:\users\5jghkoaofdp\desktop\xobzgp-nq nymn\oqs yhnhnvjjl.encrypted.gif | 18.42 KB |
MD5:
12d6dbffe28f6eb51b294ced6d4c3290
SHA1: 5d1d828d215ac4fda53f54d48b2ce8d30bbfeb77 SHA256: 632cf59c3bf13c90ec76884968ea76be25e064a191e3e710131b16d3e434f971 |
|
|
| c:\users\5jghkoaofdp\desktop\xobzgp-nq nymn\sprnsnxzlcmi9cfw.encrypted.csv | 15.88 KB |
MD5:
da95f4540491ad4c7fdd1b57217bf91c
SHA1: f5fda83880c7513898fff89e908eecc1fa014d5e SHA256: 6f4cc963c7edc5ceb1906c9bdf02cb3311e44e87b338e7e96929a77dac2dfed1 |
|
|
| c:\users\5jghkoaofdp\desktop\y5aahqbx.encrypted.xls | 4.59 KB |
MD5:
85ecaf3430dc29dfe5eb2a1be8753ef9
SHA1: 312f37dd17b4ba8fd7afce6242d075cb76cb1066 SHA256: ce68db56629200d6d8835e9ee042821e9388e097ea329e6e39a34a998408e740 |
|
|
| c:\users\5jghkoaofdp\desktop\z1_9k e9-s6.encrypted.flv | 52.00 KB |
MD5:
a8538231e89e459c472bb69fba45b18a
SHA1: 2d4041dd1d4757740100b1c92d84c6dc9d233938 SHA256: e37360aff1de1b933ce98ef3781eb8db585e6599f20dc284e740eccecb6d744b |
|
|
| c:\users\5jghkoaofdp\desktop\zmmw.encrypted.mp3 | 71.25 KB |
MD5:
ccc9db1c756950809077884809b333f5
SHA1: e87e3009a638cd57a48a1bc1feb170c4a7c9ae6b SHA256: e29e590ba0692ca6766634659b996a604913214c399efe2452a971db2c8042a5 |
|
|
| c:\users\5jghkoaofdp\desktop\_wcwnxx.encrypted.jpg | 71.80 KB |
MD5:
cf2a5fe4857ada44154bffea856b6c9a
SHA1: 1e86f6c1e4e5799e9293f505c0042c8069e3c5de SHA256: 48d8fd88e82d123067fdaeb4aaa898e3cb0157b17e7e867c4d416f4108633e5c |
|
|
| c:\users\5jghkoaofdp\documents\0brr10c_vf.encrypted.docx | 65.75 KB |
MD5:
924cc46689d2cdbc775cb481a8636d10
SHA1: f0c15f1a56fe5baa2ed3b3320ff8716396254e31 SHA256: 2e8f02d9b70afaa1a4520009699595c30b983cb3cc70afeeab8036f9a9283eed |
|
|
| c:\users\5jghkoaofdp\documents\4xmn-tklhnexkn-3h-1.encrypted.docx | 97.08 KB |
MD5:
b93df7520340c580a64be929941fa012
SHA1: 3a349f404a9d71a76099738838d3dd015c00864b SHA256: 136ad00b98dc27ece4858f70f8cf95971388a15077653f9782566387787c131c |
|
|
| c:\users\5jghkoaofdp\documents\6dahhtfpbawiamgph0.encrypted.doc | 74.61 KB |
MD5:
6724d8cac2df9b484c445400999dc00c
SHA1: 0241095591a9d8ccc06293ba6c1ad673b170ab43 SHA256: 3fe96e7d7507c2c5c5f05c91d54a9f740cdf403af3bf5de43ed0056c203f1cea |
|
|
| c:\users\5jghkoaofdp\documents\6izpquy.encrypted.ppt | 94.77 KB |
MD5:
ee6e6bbcd4ea848836127c6d363bc206
SHA1: 64eb03f5653d94525e58c78c2e086096d45cd868 SHA256: e75b338e6c51c0cc942fc07aed49f5fed710c3309c2221685448db0a1a2a81ea |
|
|
| c:\users\5jghkoaofdp\documents\7 ge5dw.encrypted.pptx | 11.73 KB |
MD5:
6a7342cba58265ade89ad5040e202353
SHA1: 2b91441c3748a97396eb909426249ee74741983b SHA256: c2e2edc946247fd9fb3994c0769bd05c9c8276104145f56ce31fc1d6ab3e927f |
|
|
| c:\users\5jghkoaofdp\documents\7_higqquih9.encrypted.pptx | 50.22 KB |
MD5:
51aa083214e4e06b420aaa40b1b968c0
SHA1: b1722f4d92af8196a6a0199af045e557fe1e3598 SHA256: d63e12b2fd8a08487abcedaa1c34172ce6bac427e9be0dac4b497e3abddd309b |
|
|
| c:\users\5jghkoaofdp\documents\a6fplipjcquc.encrypted.xlsx | 81.78 KB |
MD5:
af251bcfcc8df8cf7e8f13ffe8ca7baf
SHA1: 76395a4d60f6951dc9eb78d75956753e016153ef SHA256: b496cceef7e27d5c5fab8707520f4ab5af2512653bec45566479ba6871a7c108 |
|
|
| c:\users\5jghkoaofdp\documents\av_qfrzat4bcsr2r2.encrypted.pptx | 88.55 KB |
MD5:
2eab3437761204a99125d3c346867b89
SHA1: 4416fc07a735c7cabea65e5d8a846351b7b3d035 SHA256: e0e26120b593c84c3699a2b69b77e1f3ba4954b2b8a106642c40e986bcd4fcf1 |
|
|
| c:\users\5jghkoaofdp\documents\enn8byb.encrypted.pptx | 91.42 KB |
MD5:
711f35013cdabfe582a8c1ac6e65429f
SHA1: f15837c3127345385736638ce0b2b9e369aa7777 SHA256: bd10933717e5f9eba8b1e91588360cc0b4adc50750188c3cbe8019c7ed959902 |
|
|
| c:\users\5jghkoaofdp\documents\fzya1g8.encrypted.docx | 93.25 KB |
MD5:
2bee2274e41f55d4dd18cc6c04809cca
SHA1: 7d2b2820ed3b7dbc2c5ba97b1c8430c4159384e5 SHA256: 7d7eea03a2191bc357594cfd9925bdd0640185c00cb63b50d48a586127ed6ae7 |
|
|
| c:\users\5jghkoaofdp\documents\gaf9c9wmaoc64y.encrypted.docx | 41.97 KB |
MD5:
e9617d287cd423ef505cc780f0876912
SHA1: e11afc27ccaea715737d7cc9bee9b0f4f0f17b81 SHA256: fb07fbdc072b71603c2eb6c543eaee3440f7f09ed0ca4fcd8a2ed1ea0231d038 |
|
|
| c:\users\5jghkoaofdp\documents\jx5vwqk00yn.encrypted.xlsx | 88.11 KB |
MD5:
33bfb861f6bb670e2fd9e6214428d54f
SHA1: 822bf6173fd522c605bd8f33ca2539a9ea505f68 SHA256: 43c9dab35c6ccf939516cf02798565808911ad34114ead33b183b343febceac2 |
|
|
| c:\users\5jghkoaofdp\documents\kl1isbov3 vuszg.encrypted.ods | 52.19 KB |
MD5:
60584f1b8b121123790e64a1b1f7684f
SHA1: 704aa45dbb01d1185147e92e66d640cc44b48031 SHA256: 46ca6bc7864086bda07410dc28ced2954b2ac04d7b74157805e666dceeafd6f8 |
|
|
| c:\users\5jghkoaofdp\documents\krhdnmv.encrypted.xlsx | 67.34 KB |
MD5:
7890a800f8c3c3116bc70e4b46a51760
SHA1: 4287f5d7cc3d1b10dc0aa1ffea25d47b8155e0ea SHA256: 5569b7247a1638c7f638a798249450c3eb301c863bef38226cbdbda1f03dca6d |
|
|
| c:\users\5jghkoaofdp\documents\my new app.encrypted.accdb | 340.02 KB |
MD5:
536fd6aaeb7ad670a46e7a62ff91e011
SHA1: cb39c2df8651eeec983cc019608cbf4c85a073a9 SHA256: b72762a97aaf66f3b0f78fdf1f3724799a137ea5f1ac3d26756498abe6fd7bd9 |
|
|
| c:\users\5jghkoaofdp\documents\my shapes\_private\folder.encrypted.ico | 29.23 KB |
MD5:
c8ba6b8948e3d53076c3de02a556ead9
SHA1: 6e93e5a001edb90482233468dd3c38e7a31f0551 SHA256: 1c5c6e7800851828ebb0238dc3cf2f9a50389c84ad3615044e384f6327c9ba46 |
|
|
| c:\users\5jghkoaofdp\documents\ndqrnmx.encrypted.pptx | 68.98 KB |
MD5:
e6a61316aa90fa4b5c7a59b4c54bfaa6
SHA1: b12d6981e052b999460bd5a77a2cc5d56d3e52e3 SHA256: 31af8ca3480d3439a088d98febdd051c9ed1828afc9fe9559df918a99c98e593 |
|
|
| c:\users\5jghkoaofdp\documents\ntzysno8sclmaq9dt.encrypted.xlsx | 2.59 KB |
MD5:
b64a74a3e31a45062014d3528b5e158d
SHA1: 89da7d2fa92fdb72dae4db66092601ee2999a5b3 SHA256: 0d2aedcc684eaeddc3c6b0097b726462f8db47a56694cd4641e50ab1d8f712c0 |
|
|
| c:\users\5jghkoaofdp\documents\nu0r5.encrypted.pptx | 22.83 KB |
MD5:
41536196998c6edf606d6db0d0572917
SHA1: 216f73e8fca24e9be29439ce736b8b4479d68360 SHA256: 1edf83b603287e7cd8e646fd8a353a23e3344fc8852b75859c05b898a64d328e |
|
|
| c:\users\5jghkoaofdp\documents\oapmgoy.encrypted.docx | 96.88 KB |
MD5:
32c293b66afccc2f3fe2ec28f6a4fdcb
SHA1: 6b1d9a29765a7e5a3564a61effdf5ea5068efc31 SHA256: f891676e6f56c8b150b85687943128f46aff3f9fb6b1a77142504195002772e7 |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\j2q6rpjqlwrnko9k1e\owfns9w.encrypted.ppt | 71.81 KB |
MD5:
75d2cccc8ec3abafa898fda53c56a3af
SHA1: dd674b0976305e6a543a2baed8e2019a3107fb0e SHA256: 218dad9113e3f5bde45de24ec43f1c9a8c244249f3909670fcac97dd8178fff5 |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\j2q6rpjqlwrnko9k1e\p4g4qgo\-zq55batzud1r.encrypted.doc | 65.22 KB |
MD5:
4ae5f02a811cbbdfaf6a0830e131effd
SHA1: 1102aa420c2969cd933d6446e1c5967b52a0358f SHA256: dd8ef151b71e566853c3a98c72502915367a70e5743a51c570fc4c4283bccd15 |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\j2q6rpjqlwrnko9k1e\p4g4qgo\mwzg.encrypted.ods | 79.56 KB |
MD5:
65a47b06178d07572d3425e6614afb10
SHA1: 797d9b431b0588622cb0e2beb8c418da91a5484a SHA256: aad90eb53224d36f085310847e7aabaf4c7c0faaf12e56413ab39efee94be9dc |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\j2q6rpjqlwrnko9k1e\p4g4qgo\r2iboaou.encrypted.ots | 24.28 KB |
MD5:
939d92e099d161e4b4bdac43aec2ec2c
SHA1: 1d0557f926756adc4ee66f1f7d6cce49ff9935ae SHA256: 935e4932d7e785e9a4483465b2b54bf4750321d4d6a55a0323faece96e4e13c1 |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\j2q6rpjqlwrnko9k1e\p4g4qgo\ufigfwih4-sodvwyj1u.encrypted.xlsx | 29.16 KB |
MD5:
66d4f70c9db15e89458e6c71579d0ae2
SHA1: 0211e0f3c37fce225b1bdeaaa8c50dbc6db945ba SHA256: d7bf64cb853b21a4b184d7f5a0558dac8796bd5e553526da34e3d2995797063d |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\j2q6rpjqlwrnko9k1e\p4g4qgo\vvh1qnl8xvopwhbf.encrypted.pdf | 59.23 KB |
MD5:
042dac8c73cffd7e4ef9db18a9ad94e1
SHA1: fbdbacf58c5ed66972d4ab84fe8f25c76fcdea51 SHA256: b65d57ba7ac09a528844e36e410bb1abfb53e8766b45fbf2fdaaaf84ce93d7be |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\j2q6rpjqlwrnko9k1e\xtkr4wd0emenal0vgl.encrypted.ods | 72.02 KB |
MD5:
d3ae3d83d6ff2c8fee12642b35b60ee3
SHA1: 4fe7ab8b3739e963eb5c2583860057c7d5b11b12 SHA256: fb3ddd9825838c768f19e71cd304ec1e006c371281422f5cc01461f472b0c84b |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\peik\5bkr6puka0cjq4uq.encrypted.csv | 76.59 KB |
MD5:
27a0863f1522084e5f1df63fa224b578
SHA1: a98d27dfbc7bf17d0d3c441447a90166eb1592a7 SHA256: 84fb88cbcbf49b7eaad33c4e52380ba7417ec181b8f73ccbf389db787ce8a365 |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\peik\qfup_fukykew.encrypted.csv | 45.20 KB |
MD5:
9cf0aa3134d2f9fcfbd88c04644e9add
SHA1: 7a1407fb2b70602747de6f0435248f093ea7d762 SHA256: a6c5a95bc279228fb977217f68e1442593767921f360fd91dc7f7a78c58676cd |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\rahjwfipaxftnudk.encrypted.ods | 48.95 KB |
MD5:
a62a467daa6df2ca71c175063386bf3f
SHA1: 016389f86055e959e0c84f39c3bbc3d882ee37db SHA256: f8ca4b934b0a2dc14f79486d5fbdb75b437a8b1a44165b0f068da009f33c7dbb |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\slbooivzw6bdt1j4\a20ehj.encrypted.xlsx | 90.02 KB |
MD5:
1229d4091ba51698b5e46bd75c2f1d60
SHA1: 281af6d6fb0eb161caf8423e280246483c0f2edc SHA256: c107d454d906713bae7a6c7cd45bf2eb3989474a51ede98d4893ed94aea73e2e |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\slbooivzw6bdt1j4\jjibi4zhzah8ee.encrypted.pptx | 28.81 KB |
MD5:
c662973c0ae489aa1cdd0dec674c1864
SHA1: 31c6ef8aad323022ce95a8b400a6dce812e76833 SHA256: bb3959104c667ca22e4dd3eb76e08bfcdd81b6bac8c26c3a093b7d65b4004b7f |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\slbooivzw6bdt1j4\kcnxxdoo39.encrypted.odp | 34.98 KB |
MD5:
dfb1f5f7359fd8111953191bea16d255
SHA1: 9bc52a1acb37c87c5bebf8ffa95f263eaad02b90 SHA256: 2367db7ff7eae372ef27ab1095d225b28ef77bc84fe64d79f302b998c8a409d6 |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\slbooivzw6bdt1j4\s8llodq9a.encrypted.doc | 66.06 KB |
MD5:
1fc3d3acba524d1494c40bc7dd83e0d0
SHA1: 1155149153cb4e494ff13e73a558163d8ec0f793 SHA256: 56f5f92f600b4f21beb19b2c1df45c1c5520170c760c52ac42a79019041c4f47 |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\slbooivzw6bdt1j4\txwhp2.encrypted.rtf | 13.58 KB |
MD5:
174845ed6b437fa69d55bfa438e702c5
SHA1: fe2a361a6f488c81ffe6ffbda00f089ff0ae7af7 SHA256: 6591b262a829232add94fab8a741d5f5e6bde19a0a6aebe25f7c0c6d2214cd60 |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\slbooivzw6bdt1j4\ugdlfiwdd20-er\b6ipptj.encrypted.pps | 86.66 KB |
MD5:
9247bbbf5bda1815bd4b9dbb8e81320b
SHA1: 895640922fb124faeb9c4bf8344e8e9660c19237 SHA256: 04f57283b251369b0243a324a7a876503ba9e08ecf5fcf714cc39967011bb78b |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\slbooivzw6bdt1j4\ugdlfiwdd20-er\evbfa7b.encrypted.ots | 68.92 KB |
MD5:
4e2acc0473aa48b6f8b3cc5a6f35d560
SHA1: 73a61b77e56c2ee7898744f2b7887ed02d8b315c SHA256: 07a67c91deb2ac8a02732ff9c23e6e5a9582f59f6ac9c7089a1e00269a0aeb8b |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\slbooivzw6bdt1j4\ugdlfiwdd20-er\hy8eycmmejjfu_b1e al.encrypted.odt | 45.08 KB |
MD5:
797b69d38b45b422bfa66359d562284b
SHA1: 707382fa567353e0f32deb90cbec92b57fdbd1a7 SHA256: 06b5e7b0e8509f7779f739d364d7124cebd86897cc3e20f3bec27276e323662f |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\slbooivzw6bdt1j4\ugdlfiwdd20-er\j39qnvz0zpe.encrypted.odt | 91.48 KB |
MD5:
8ef9fb2219915840cb47a2d2a569a87c
SHA1: a6e9596ecdeafb2f7b0ac646d6b09b5e36029386 SHA256: 6888ff3c28bbe99aaa016fddd913a85c02d11375dcf1a88dbb4a3ad475304113 |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\slbooivzw6bdt1j4\ugdlfiwdd20-er\kts_uf3r.encrypted.xlsx | 7.45 KB |
MD5:
c8bf1f15f7a13e6efe14e8b7e7f829f7
SHA1: 205e0a915529764e6a817dab513fd44beedecd13 SHA256: 0b116431b3e80fdd9cde60d46939451fc3146bb4df705c14668afd72297d6950 |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\slbooivzw6bdt1j4\ugdlfiwdd20-er\pxixonj u3pyiiw.encrypted.ppt | 23.97 KB |
MD5:
47c303ef1eb503a39615ffd594285f83
SHA1: 9ba15af5c633e553c731a24590b20b5a4d03c691 SHA256: c8996302964f01cb88bbc6c5777225e3d4e744bfd3f6d5ff3e09f3bc4a9c3739 |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\slbooivzw6bdt1j4\ugdlfiwdd20-er\q4qgx9j.encrypted.xlsx | 42.69 KB |
MD5:
968ff57cf79e99722bbc2ab33389488b
SHA1: 3ede22ca9ad94f881d4549dbf14d36f7516b3d31 SHA256: db2ed3186a1ddfdc289ee38f272c37a953b78b59beaa25914754579f4888d914 |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\slbooivzw6bdt1j4\ugdlfiwdd20-er\yfvotm2ql.encrypted.pdf | 83.14 KB |
MD5:
af0f0f10fbfa6042523bcb397da9660a
SHA1: 7022bf1b33758a87f3e75e45e56463072828ccaa SHA256: 7a1ddac3f9ec97b5a9c0690866fd8c8b6dc95e640c3a67c53e05e72d42c3f66c |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\v_7eriztl\hviakqsti8a0qv5h.encrypted.pptx | 10.69 KB |
MD5:
f88ac20a2d9bf86e9982c85c9f5569c1
SHA1: 0d0d3af3192f1d85841df5fc73d60942cd99b98d SHA256: a73308522d7de6d88bd7132e20f7f1949295c53c872a580918b9f03cbaa42340 |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\v_7eriztl\kbud.encrypted.odt | 12.78 KB |
MD5:
a512205a334bd4e1f393ecb5b1e97124
SHA1: b1328c23b907bbc42adbd7b5e3f68cf81a4ca6c0 SHA256: 073ae6e7c4ded9df0b0babc384972568763bdb5fbcd7ee7986b839105fb22bd8 |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\v_7eriztl\pqmwnjumi 8yaf.encrypted.odt | 93.98 KB |
MD5:
9fb79f8acef6f8102c08d6f87821a529
SHA1: 943b080b20c5ff8757140866541157c014be031f SHA256: 3946742e2396de1774135400ae46970a1d72ed4c0fe5c881b281e1b678d43341 |
|
|
| c:\users\5jghkoaofdp\documents\oefjisv2iruyidt\ytawm8diyw_.encrypted.docx | 77.89 KB |
MD5:
e06b658aaa9ca54f7ab9f8dacf02379e
SHA1: bd18ca34a6a5d6a4bcb6dab76977c9a7cbbe08d1 SHA256: 19892187db04a0ec86cb71a876431663b11131ff92f81ec2e1d7bc3ea9137ed4 |
|
|
| c:\users\5jghkoaofdp\documents\oeg42d1n-pct.encrypted.docx | 67.92 KB |
MD5:
47e66c03b8fdd4c0d364f9a2704cff65
SHA1: 0fe1be2689b4e20e4396307332ab1517fab9dd8b SHA256: 9ce4f02ddc8c8f3c72b3ef9e3ffd88de9378056a30353469f5bc4eecf64bfe36 |
|
|
| c:\users\5jghkoaofdp\documents\onenote notebooks\my notebook\open notebook.encrypted.onetoc2 | 6.05 KB |
MD5:
f2cc173d174e704e9aebf65845965458
SHA1: 49f27679ce25d94c0b7c8df2de3203209fa3104f SHA256: 3d3e0e5e399b68be72490c57d67e857310213b9c83fabd475f8debaff7cbc767 |
|
|
| c:\users\5jghkoaofdp\documents\onenote notebooks\my notebook\quick notes.encrypted.one | 353.55 KB |
MD5:
a69f2ca9a86ff65a20fe15da3b209015
SHA1: 7379613257232439e793963e032a39240488b87f SHA256: ba7699e2f03605b8f0a9c998c12c4352fef30141ce8b26c730bf5bd82c813ab3 |
|
|
| c:\users\5jghkoaofdp\documents\sepdrd5izptpbil3jo.encrypted.xlsx | 9.12 KB |
MD5:
21869b5a2ac9c2b671add5661d56dc32
SHA1: b18615339bd4018ebfdef2dd7b9cb10b0cea14e5 SHA256: 26aa72d5d050dd815eb496905d061cd7da2b4d1852a54c875e9a7b40e1e8ade5 |
|
|
| c:\users\5jghkoaofdp\documents\yq6ijn.encrypted.pptx | 67.48 KB |
MD5:
a1fd27ca130caa3d27e8a11751238d57
SHA1: a7b6163f8f422df55f71de32f76e4aa90db699f8 SHA256: 7fda164fbf8f3ac93eb3c564cb06011e2a1b7122bb15dd752c24f75483de7f44 |
|
|
| c:\users\5jghkoaofdp\music\0bqxkirc2ra02v.encrypted.mp3 | 15.56 KB |
MD5:
0df09e732d1e51a1efef9932dfe3f162
SHA1: ae1d6c6330e397b417b8dfdbdba7a2124beecda8 SHA256: 8de00ae6dde7aace5c4f42404b75c2463302c7f1f449432babf2bc25a9aafa46 |
|
|
| c:\users\5jghkoaofdp\music\2cxf6yezu\ww4k87_yj.encrypted.mp3 | 51.36 KB |
MD5:
9af5734f9949a48eccd258de4a00f1e9
SHA1: e36ad6a1882b5ee02215d6fce29fc1e5d07767d1 SHA256: ce9c601e3ce00ee2eaa8b3467f1bb3ce9d0b2f296a28c9659997d544a4caa0b4 |
|
|
| c:\users\5jghkoaofdp\music\9cdgt6fjqes8j\--flhg8yvkdq.encrypted.m4a | 39.88 KB |
MD5:
685ebad647f6abf8d544d31f3cbd211c
SHA1: aec0f312a3d748f0f0066ad87f25a6f1f7e6d865 SHA256: 38085e4e3ef11617cff09007d96a259a3c29bd5b4b6ae6ad82774d6bcfa58c17 |
|
|
| c:\users\5jghkoaofdp\music\9cdgt6fjqes8j\gmrufipoj.encrypted.mp3 | 30.47 KB |
MD5:
4e75d125f02bebd63eb9470ffdfbd754
SHA1: 495177ad9529beeae0c772e811b6cd1838a14630 SHA256: 73fb82a0b7ad5d8ec44d6e8dcb03499b9b74fe675274754b6756ecae0ea6d25f |
|
|
| c:\users\5jghkoaofdp\music\9cdgt6fjqes8j\okmtwedlc_j2plgt5f.encrypted.m4a | 32.55 KB |
MD5:
b599b80cc0dbd20fafd75e4a1c9e35a9
SHA1: 7a68095a52b41872b1ad7f47912ab6367d7aea0f SHA256: a257de454ee112eacac10cdaee03cbd9f28140ebaa1810572139281a79044dee |
|
|
| c:\users\5jghkoaofdp\music\9cdgt6fjqes8j\q6pnwp.encrypted.wav | 54.44 KB |
MD5:
9d478fab2811262d51ebf2253c505382
SHA1: 77a6fb4ba875e5c2492ffbe6792ae6f50203f768 SHA256: 7c8ab344af9579841a870de15740d3ba2d49692f742454836305c298df85007f |
|
|
| c:\users\5jghkoaofdp\music\9cdgt6fjqes8j\wmogcj psg3npzq94log.encrypted.mp3 | 71.81 KB |
MD5:
40204005c73034aa78cd88b459f11a8c
SHA1: 9e747540a8f663350aac57e98fa33cc67cdb65fd SHA256: 7fac0e9660f04231556a93e69ecf362425619577f72af209a34241cd1c8bcfee |
|
|
| c:\users\5jghkoaofdp\music\am isowjkv8-3.encrypted.m4a | 34.03 KB |
MD5:
f46872fee2fe96ec76460e1c66d0c382
SHA1: 8267d032414f68413680c4df88aea549f100cd63 SHA256: 90c316282c383c60bb9de24054a3e9ed78e9e5dcfecca150dfcd5fe31f60868c |
|
|
| c:\users\5jghkoaofdp\music\bt 6ls2uix0q6d83.encrypted.mp3 | 30.03 KB |
MD5:
db7e60a5bcc165e27480f37b7dbb6944
SHA1: 039bb30fc858dda82637826e9a483f48cbd4e8fe SHA256: 19acfca987d3c290584ab14159095bd0db3afe131eb3a24c9a6f36359ab542a2 |
|
|
| c:\users\5jghkoaofdp\music\giwnvgbpa1ur\hpqmzb4delw.encrypted.wav | 22.31 KB |
MD5:
1753e87505321982fcc08c42836f73ad
SHA1: 9b2eb9d102e2e5461d90a74951d43411cb274923 SHA256: ae5ea236941014e7238045afff51c086bc79cd70cab7408c7a0b0a5fde04ac7d |
|
|
| c:\users\5jghkoaofdp\music\giwnvgbpa1ur\hti6zn-redoawq1fz dv.encrypted.m4a | 92.41 KB |
MD5:
e3e1ebc4025cc9cf0c14c4ef03aacca7
SHA1: 374037f7b3eed069b08d4f5c1b326eee545b3431 SHA256: a5d22cfe77d74a0b3e0d7b562e0432fb313deea794847ae1aa8fe3aa3b69f244 |
|
|
| c:\users\5jghkoaofdp\music\giwnvgbpa1ur\mjyhk4k\8n1cthwhwsbak_talok.encrypted.wav | 37.78 KB |
MD5:
77b28c5433a65a66c7b25c1a9c6e4b92
SHA1: c43166440935a3aee536baf3272b86e44a698a30 SHA256: 93b3e03b8177bd1d93bfa76df12e6ac56f76b74fcd14ca10b107e374f183bfbe |
|
|
| c:\users\5jghkoaofdp\music\giwnvgbpa1ur\mjyhk4k\akpy8sjhpjrfhxh2s3.encrypted.m4a | 94.27 KB |
MD5:
9f3153f75364a82b81abc021888f563c
SHA1: 12d80011382bed8c2c8beabca5b2f09ed2558568 SHA256: 84ffce96e3bd673ae6944aa7bce22f278c5a8f896761c37a9d575a930a642fdc |
|
|
| c:\users\5jghkoaofdp\music\giwnvgbpa1ur\mjyhk4k\fy9nq.encrypted.wav | 94.20 KB |
MD5:
e5d3d907e2583f2d465ccaa4f2646dea
SHA1: b36e018416ce7b7db192bf6bb7dac81ac847e6af SHA256: 51afd09bc5859e4e50cbb33c8417505e1312da678d4d0d9cae14fbc3782a1e86 |
|
|
| c:\users\5jghkoaofdp\music\giwnvgbpa1ur\mjyhk4k\hxmo\9x43mj8vwmseyzg.encrypted.m4a | 19.91 KB |
MD5:
c7e7cf4daa4571e95bc122f5fec79aed
SHA1: 9c92abeeb2cac8f12d7556a8e7c2a2f7f16a7726 SHA256: 3fabe057d00cbb6c5407254abf209751c8d8440f0160b914651d8c1d61b600c2 |
|
|
| c:\users\5jghkoaofdp\music\giwnvgbpa1ur\mjyhk4k\hxmo\f--xxxodawz6eaqtlj.encrypted.m4a | 79.19 KB |
MD5:
7bb47191c4a071577015fd05a49e68bd
SHA1: 871ba3b3dfd8d3e24c459d9bf1ced244cf5748f2 SHA256: e6d5ea367c4745ef796df78c73574322f537943a09e879e13ed2d81a881562eb |
|
|
| c:\users\5jghkoaofdp\music\giwnvgbpa1ur\mjyhk4k\hxmo\oj01a.encrypted.m4a | 4.62 KB |
MD5:
33777cba73239a6aa12df19fbd75b3b7
SHA1: d0fd8de5c2b164e18dfdd06d2f586c5da607422e SHA256: 958c6df697b6901b607da38d6d6cd0a372aa016c215645f7f7e638515df80c70 |
|
|
| c:\users\5jghkoaofdp\music\giwnvgbpa1ur\mjyhk4k\hxmo\ry10cyt.encrypted.m4a | 28.05 KB |
MD5:
b4b3197f9f487f34eac4110d5ffed4f4
SHA1: 60a2f432a45075a1a6313a1acfe1a83ba28de883 SHA256: 666870ea9c105c53844bf3bac00165cf39f58af3af8c55af49fb88f98b2d3a30 |
|
|
| c:\users\5jghkoaofdp\music\giwnvgbpa1ur\mjyhk4k\hxmo\tbm3ubd.encrypted.m4a | 73.70 KB |
MD5:
d7d12a5e694cced6607048b39a21d0a7
SHA1: bbd8a8f2c55788c3e1d36ffe283b4e7be9c688c1 SHA256: 291df7f441b929baf062b2f56b5ec00ca16043940a588a203de4e01dc581871c |
|
|
| c:\users\5jghkoaofdp\music\giwnvgbpa1ur\mjyhk4k\myjamcbd5wikum.encrypted.wav | 53.59 KB |
MD5:
7de9f6a0d90cdecc9b1eaf43369a6093
SHA1: aeb12914874806e04d47451a6ffbe459f809f331 SHA256: 288dd38a6f88b4ba39321f6254f69d0d9e3a2d40e48e6f55750e5388926c7bf1 |
|
|
| c:\users\5jghkoaofdp\music\giwnvgbpa1ur\mjyhk4k\nh-xoowrj_swc.encrypted.m4a | 51.80 KB |
MD5:
e08f0acca36b92371decac7e426bd823
SHA1: b7042be077727a44839a4f1263d1939f1d9dde48 SHA256: 3a95240c85941f7638b8b3c22fba5fe8dc767e9a28a9ed16f4f5e3deeb49ab3a |
|
|
| c:\users\5jghkoaofdp\music\giwnvgbpa1ur\mjyhk4k\vyqwuqkuhw_t.encrypted.mp3 | 7.17 KB |
MD5:
bc688a3d5dc5caffd035a984194065c3
SHA1: 49781f71bf907c35d62a73caf2cc2b731c02f6c5 SHA256: 5620024d7231ef3fafd29ba08abd1e85c8a75b656bf3f2bc21c031923bab1248 |
|
|
| c:\users\5jghkoaofdp\music\giwnvgbpa1ur\ofdr70-sulq ezsaizv.encrypted.wav | 85.84 KB |
MD5:
beaa1245772d9bc34033a4dc0dc163b6
SHA1: 018a929344fe94f06a605f3a781942d92ae7765d SHA256: c7dc95c8723d83db5d08120022747c5c903b7b0337495a758e404f8ce086a2ca |
|
|
| c:\users\5jghkoaofdp\music\giwnvgbpa1ur\ulek7i54r.encrypted.wav | 99.73 KB |
MD5:
d7a3042c42a038b5bafb63e2c3cd9499
SHA1: 7a512ed5b26c654c827073fb8d3a54ad268f9fb4 SHA256: 32c656e6ab2e4ede8473864a50225235e00988fe42dd24e46f70025203b59bc0 |
|
|
| c:\users\5jghkoaofdp\music\hwh3je\qu-qkboki1erbhvh.encrypted.mp3 | 10.77 KB |
MD5:
02296e4e130b89ddc674efda9c9554cd
SHA1: 3279365b7bedee7caf6a89da738a1481520311a4 SHA256: c32106d2b7383949270c6ac5c49ec3002884dd9b65852977acbc11f0490af8e5 |
|
|
| c:\users\5jghkoaofdp\music\hwh3je\skvqvzgpd5maf.encrypted.wav | 18.80 KB |
MD5:
c3bfa6d8325d812bed44b1bf557537c6
SHA1: c3b65d67be19306b40f87f25384c805e8d6334b5 SHA256: 0a5d9c2e0889ae766f06a046c03f721a186917c94f01c5b022c1e33308b1a6ac |
|
|
| c:\users\5jghkoaofdp\music\hwh3je\utfu45cm-kagy.encrypted.wav | 6.27 KB |
MD5:
d0210cfcdc7565a90d080d0ad33800f4
SHA1: 725f26fb8a6508b4037d85b67de38b3c34a35743 SHA256: 125afb17efdfa6f431cb7623341b81b46e8e5877a9d37a6358113dd4b2a32db5 |
|
|
| c:\users\5jghkoaofdp\music\n9gpmf.encrypted.m4a | 31.06 KB |
MD5:
dc50883f5b7483d12eb38cf006d195ba
SHA1: 77d89a7e003731787043c0d5562f2239e0b80a8e SHA256: d20824bb4aa924c9b9631ecee649aa2b092d47e4c5431e123489090dc3a50119 |
|
|
| c:\users\5jghkoaofdp\music\nhkgcpngxlt7z.encrypted.mp3 | 71.73 KB |
MD5:
c6230c1f696aae641d58cff2c53b2508
SHA1: 0d9d99deea20f38bc431f63debcf0c0a690d575e SHA256: 915f9b96480fde5aedeb34a55356177faf967b086020213e30b24e6e2ea86ed2 |
|
|
| c:\users\5jghkoaofdp\music\qngimzhl82edg6c.encrypted.mp3 | 24.59 KB |
MD5:
dcb1602a10728b205ee3cb0881237da4
SHA1: 3c5995aa1dd97d463607c7f2093f64398726645e SHA256: b7832042255cfc7531c49c0e60d426653c776c1a709a1ac62581e4a1f7a3cae7 |
|
|
| c:\users\5jghkoaofdp\music\ta0rakczetctqy.encrypted.wav | 19.64 KB |
MD5:
329131a57e1dfaf73fb1d47ad56bd241
SHA1: 1f2bf293b6d0eeaf9f3b7f4ef0754bd95a5cf523 SHA256: 6b0091e9bcfcc1277acb4f7ce2ce77d9df3a5e654bd21f017122fb399388588e |
|
|
| c:\users\5jghkoaofdp\music\tgj_jv mns5by2rdps9.encrypted.m4a | 58.69 KB |
MD5:
62c35c31431e3eb6026c46729cad3153
SHA1: a04d07c312e6ead889d93521f33cb34c21a7c0d7 SHA256: 7c64608a2ff45958c2dfa824b6f2f0a0a0686d66a02de38146462d5ebbfe074e |
|
|
| c:\users\5jghkoaofdp\music\wm_rbsmvuonf22xbyt.encrypted.m4a | 38.31 KB |
MD5:
35422a938585aca97ea06d9dbfdf022c
SHA1: 8c1fc97fc728bdeac2ab25068090b40d5b18f37c SHA256: 040b39fd735afb05294866836579bc7a94fad834c08bac4995097c0a05c9072e |
|
|
| c:\users\5jghkoaofdp\music\wpavwzdbbq_aj5rfw.encrypted.wav | 7.77 KB |
MD5:
cb0a89b6edf6136ac531e6c03a16a2a8
SHA1: 4c5f2b772e4ee33a3ae82014b2703329565ad054 SHA256: 973ed99c7929541f557c3b1e4413a4165dac12bcfcccf9dfdfeeb0b96830eb3e |
|
|
| c:\users\5jghkoaofdp\pictures\7erxfzkxim\ja1enoib7nipk.encrypted.jpg | 7.27 KB |
MD5:
ca2528edb31f4d5f4332cbbaca17dec4
SHA1: 656aa5f94f090419655f8225737d7698dbde442f SHA256: 08b01963ac37f747d223e20b9b1f0115e4f83ad56fbab249418358d0ffe5b658 |
|
|
| c:\users\5jghkoaofdp\pictures\eokirfg2ostb_n\1l99\ggn771vx9iz45ssl.encrypted.jpg | 88.66 KB |
MD5:
d0dd1185dd87a0bff23fce394b49614c
SHA1: 454b54c72d481ae0659fa7f4a38c536162a0d0c4 SHA256: 7b4c9e7a316150e443d2c02d46167b145ffc9425732d9978901220e616ef83cb |
|
|
| c:\users\5jghkoaofdp\pictures\eokirfg2ostb_n\1l99\_j0npo8_irhc2gu1atq.encrypted.jpg | 55.61 KB |
MD5:
70ac08d24d24593f701037199ad3d6eb
SHA1: 5a18290faa62e02dfbcef952b8133779a3164148 SHA256: 80bff89607f062d4c93e29f7c5c098ba2e14cc6c3766c6b5d2bd4d356503a5a1 |
|
|
| c:\users\5jghkoaofdp\pictures\eokirfg2ostb_n\arwtqjjbyq8ixsvmfw.encrypted.bmp | 93.97 KB |
MD5:
f40c00bbe629257d3c2c350d23d09f72
SHA1: dd0c804fa4ea4930aaa5d0e8c2c3602290683120 SHA256: 3972905afbe47fad769129445bccc1639e40665890ad86da69b08fc007019766 |
|
|
| c:\users\5jghkoaofdp\pictures\eokirfg2ostb_n\dwey5ysxf8zdvlgtk-7\gtzajbx9m.encrypted.gif | 60.44 KB |
MD5:
2ded633b048b7aa9205fe3bbd830a934
SHA1: 165fdd069836e2b5963fb33fa5ffa1df04e1cada SHA256: d675ee738bd01b8bade9c658ad891a9be12afbf5c99ea604f5e8e9bba82be56f |
|
|
| c:\users\5jghkoaofdp\pictures\eokirfg2ostb_n\g-rhskxlnz91gcf3\1wvmatyncwiflqs.encrypted.gif | 28.39 KB |
MD5:
ef9cd069b3fe4fd43f48abca127e9503
SHA1: 01b1adddebaa19f3f91d30e5c6882638cb8ff560 SHA256: e25f570645bcf293221144680ddcd0d51060a5e365006caed4191e39251d0df4 |
|
|
| c:\users\5jghkoaofdp\pictures\eokirfg2ostb_n\k2gr3uxs6xidwvxov5og\gcanefppqlasbvj2mh.encrypted.gif | 92.94 KB |
MD5:
49864c18b9925a5dee53ae4da5b55b12
SHA1: b48f5a9b2899504f77a7ba44fd5034d4fbb4cb07 SHA256: 0667bdea9df079d3563f840730f0b6cc04e2bd43565e4b7ab6f43c9efd2881ac |
|
|
| c:\users\5jghkoaofdp\pictures\eokirfg2ostb_n\k2gr3uxs6xidwvxov5og\i aqfeb_gkxx4ej k.encrypted.jpg | 91.80 KB |
MD5:
dad71695bfcfbbabb9f1986473cca74a
SHA1: 8fb9f0fd2f9c5de3a715fb22467a4bc9ed86321e SHA256: 591334b6b4d25d04f6dd320d4546170b22fd3073d52055bddc80d2b581a8bafd |
|
|
| c:\users\5jghkoaofdp\pictures\eokirfg2ostb_n\k2gr3uxs6xidwvxov5og\l62bcz1rmpyf6l.encrypted.gif | 52.88 KB |
MD5:
81476c8bd4d7353d22dc8ecc1d9e81be
SHA1: 53b6ee6e2daecd37c4ac44bf0952a31db79cca1a SHA256: ce907d6bca9937c07def89107368e93ead4560490989e2b4bb5a515b0a3a2f44 |
|
|
| c:\users\5jghkoaofdp\pictures\eokirfg2ostb_n\k2gr3uxs6xidwvxov5og\ttfbkcflh.encrypted.jpg | 35.84 KB |
MD5:
6eb129802f1a07643fe75e77407a03b0
SHA1: 1a8f1c232cf428f980be8792911aa2d85aaac0ff SHA256: 8afcd07213a5a466ddde27eedf611ee9155ec583b8d5ddcf5a0c13b06a5a5bab |
|
|
| c:\users\5jghkoaofdp\pictures\eokirfg2ostb_n\k2gr3uxs6xidwvxov5og\zx lin0lmt23la.encrypted.gif | 2.59 KB |
MD5:
a5a4352e8aa678e346b2afb7acf4c15f
SHA1: 72180aa761a9ada2d9403604fb2ce602c9d09708 SHA256: 2a61c68fdba1de728ae8bbe2c24eb61deefc6bec7d08804ba5fef94aba1852d8 |
|
|
| c:\users\5jghkoaofdp\pictures\eokirfg2ostb_n\yrdrool8kl77xw3jpk\8g28bqg.encrypted.gif | 2.83 KB |
MD5:
8c32021cce3e6a39db6c89983ddb1a21
SHA1: 574a8071d788bbab18a7c515ecafa41e166608dd SHA256: 1d257fd6be8487fac4e6c58ea9f64140bc5c89b5c97a28910b3d58a160ffb601 |
|
|
| c:\users\5jghkoaofdp\pictures\eokirfg2ostb_n\yrdrool8kl77xw3jpk\tg3wrt0qxl.encrypted.png | 30.14 KB |
MD5:
0e7d70505847e79da933d0241ebd8430
SHA1: 268aa179f201044f9476fe89ca083d309c19603d SHA256: 242f5e421c03e1a89721f99dcc5e79a4b87e35da6bca7240e2827350254083de |
|
|
| c:\users\5jghkoaofdp\pictures\fzqkx6\2c0v4lcmnqrissvmnh.encrypted.png | 59.62 KB |
MD5:
3b9a99444af9e290d2c55a51ae011db3
SHA1: 727734ac9a81eeae721b4cbf10838183481eff1b SHA256: 7c131e40255e56629838eaeaf2740deee0d632d696fb0b3a7e19777fdea09930 |
|
|
| c:\users\5jghkoaofdp\pictures\fzqkx6\jyy8jykpqv-f8gh.encrypted.bmp | 70.48 KB |
MD5:
ef74cde4a23dee50f091ab47505c26b8
SHA1: e5571ec85f824bd99a62e2e68cf98dceb18d5e06 SHA256: 26abf7fdd994b546a26c372cef5e99b9561496cb9e47c9f60b855f63368eeb65 |
|
|
| c:\users\5jghkoaofdp\pictures\oci-q.encrypted.gif | 99.11 KB |
MD5:
323b0c5e6ea913316c27b2a9472e4c46
SHA1: 3f9e04146fc68890afa6b3df1c23cb724699dd58 SHA256: 3e4a98d168cab0066bf4d397352c3178f49724e11f104758a935097d4826a6ea |
|
|
| c:\users\5jghkoaofdp\pictures\p-p-gd.encrypted.gif | 81.48 KB |
MD5:
04ce919eb5945995b4559c9c8c192736
SHA1: 419f5a8b308f3aa98a729e60599a70b854e057ae SHA256: 166acf937d8cfe81d9fc5566c4ee6ba6a74c1e36f13155a6a2b4e09bb19f2886 |
|
|
| c:\users\5jghkoaofdp\pictures\rrx1n2vhruw.encrypted.jpg | 77.39 KB |
MD5:
44dd52608fe9853b6c14c297b1be5b91
SHA1: 15434d889be9342ece7177f2922d1e38ac764d7b SHA256: 4af4f6c8e13f24bfac9fcece9cca5187afdf064d754b25ac1bb826622bc8fcbf |
|
|
| c:\users\5jghkoaofdp\pictures\u3eekqdyzaxuq\u2urh7f2g_anvytgvb.encrypted.gif | 61.66 KB |
MD5:
840c0cddec05da12b8514614bb4e5506
SHA1: 35c0d7e74ad145b5918a6f8f9083ce5062495296 SHA256: e2546f3e14cb0d1fcf1bb58b9262c026cb8df8290e386b1cd60c92dd96354a0d |
|
|
| c:\users\5jghkoaofdp\pictures\u3eekqdyzaxuq\yz8dkj.encrypted.bmp | 32.50 KB |
MD5:
c1e7f30ffc73493551c9991b0e4e898c
SHA1: f44eeba22dc21faa8ee0f09567cc39a327cc9407 SHA256: d7a150317f5c33c91d6e9194f6663ae2a45c989c5afc6dd24333d243c833a6d3 |
|
|
| c:\users\5jghkoaofdp\pictures\va c aq 3jgdvwrah.encrypted.jpg | 32.41 KB |
MD5:
99137064dd5a2429e55787ccc5ba46fe
SHA1: 86488a18d97375d3a026bdace20fe488392cb2ab SHA256: 233f997947b584ad08a84d35564b09f3afdc0855e1ea09dda6f25d591b17e14b |
|
|
| c:\users\5jghkoaofdp\videos\fa6k.encrypted.avi | 62.73 KB |
MD5:
002481e01762cca63b2d920f17f7216c
SHA1: de3213e0a0ce4c770bb944698270ee64c1c153a5 SHA256: 82d3ff37e18ea7a40bd908d4a6633a25bc5ad8c941f6d3ff181ebdd75a4aa91e |
|
|
| c:\users\5jghkoaofdp\videos\j6m71gkevjvfs9iyhyrq.encrypted.mkv | 79.73 KB |
MD5:
a6be458c9632037a743fd54a25087272
SHA1: f25b4dc64e756d439e00b777dc8a275c7537bd75 SHA256: fdfad35ffcea77ecf1e951b56d3914e35c782dc546203490480aabba3b387606 |
|
|
| c:\users\5jghkoaofdp\videos\w7mj2euig4vnsi\go1watx3i5wfbnwtzae\-s51.encrypted.avi | 93.69 KB |
MD5:
918eb7e6fa1d13b1560ba21e35e92337
SHA1: b4847fbd79f62a12bc205365ba1c6d47522870fb SHA256: 424c425821abfdc6bb7becfe1a7a14be412ed8408707f89c0cff343d34844def |
|
|
| c:\users\5jghkoaofdp\videos\w7mj2euig4vnsi\go1watx3i5wfbnwtzae\jbo8crdrpf.encrypted.avi | 71.45 KB |
MD5:
c7219941be7e45218663cf09f73960b9
SHA1: c08dd73efeaa73e65b54e88037d7aebed6e7dc65 SHA256: 3db5ef1126df5105c68a7b4fbdf96fafb8474453b360e1c10536433c7a98e6c2 |
|
|
| c:\users\5jghkoaofdp\videos\w7mj2euig4vnsi\go1watx3i5wfbnwtzae\oi76t1yefvyvsdv-.encrypted.flv | 70.14 KB |
MD5:
b679eb5c4df4cabbf61c435caa7f7730
SHA1: fc4cc547dbe8e9bde8d4b5e2f14e352041344037 SHA256: fce9254e9ff9f4daf725c4b7165778b9d66d88c9551f2d9ed167fde20f5decde |
|
|
| c:\users\5jghkoaofdp\videos\w7mj2euig4vnsi\i34vb8v\faqdwk0jqtre7oy.encrypted.mp4 | 92.05 KB |
MD5:
d85a0e7c6b77a4d2cde5e57f4a15630e
SHA1: a1654c7085f8b64e5b5d78156d090fa30fbb30f1 SHA256: 7c10719e33a99482f8cb11f2b3a7795ba851532ba3e57698eff3146900b5356a |
|
|
| c:\users\5jghkoaofdp\videos\w7mj2euig4vnsi\i34vb8v\foyzb3wy.encrypted.mkv | 27.20 KB |
MD5:
4642e4cf0161e524745c7586c5c86dbf
SHA1: 1cb618f640c10f0b8aec1de6c9b264e153b21ee0 SHA256: 26f20ebcb7f3046634c3409ad42f481d245f5ac86a97ef9d08376ec33d30ff96 |
|
|
| c:\users\5jghkoaofdp\videos\w7mj2euig4vnsi\i34vb8v\ly9pykmqm52kjo\1qjab4g.encrypted.avi | 24.80 KB |
MD5:
93b7a499924094fe42688610d90825af
SHA1: ac805bccfbaca889347f14a89b4a308ecec3b5e7 SHA256: 76fc52c4f5a7b0a444851881d9a339be95e4f607f85017571981f6123d242b5b |
|
|
| c:\users\5jghkoaofdp\videos\w7mj2euig4vnsi\i34vb8v\ly9pykmqm52kjo\74ljzjj6v\9n8-jbx3bqwx\0otqer0rnnnxwob_.encrypted.swf | 24.34 KB |
MD5:
f770cfe460081f3d06d3a8a388d46f45
SHA1: a30e534b0be3ab022ca801020b82f060e911564f SHA256: 88cfd0adc9e0b025acbd5c4bdfa9126c5caa3ad65fcbf5c43910838f5e5fa944 |
|
|
| c:\users\5jghkoaofdp\videos\w7mj2euig4vnsi\i34vb8v\ly9pykmqm52kjo\74ljzjj6v\9n8-jbx3bqwx\0tepcnqkuw0n1-c.encrypted.swf | 29.53 KB |
MD5:
8f4279e5db0e9343cc8429f88349e761
SHA1: 5b596a3c047937a044f2bfaa530ba90e4b62dc91 SHA256: c57d37d7ecd412c96ff6250346b681e293e330f53067ab5bee1ebaf97035ced5 |
|
|
| c:\users\5jghkoaofdp\videos\w7mj2euig4vnsi\i34vb8v\ly9pykmqm52kjo\74ljzjj6v\9n8-jbx3bqwx\cbwthz394wcvbc.encrypted.flv | 50.50 KB |
MD5:
7cc3687c967776ca2de45f14da2df5a7
SHA1: 2968af8f7cc3f0b48397a90bae5db9ef003827a6 SHA256: 83568a645c67ac3fb7fc5fd70b121d315f81a7b49b0c64f6e261d1668103ec53 |
|
|
| c:\users\5jghkoaofdp\videos\w7mj2euig4vnsi\i34vb8v\ly9pykmqm52kjo\74ljzjj6v\9n8-jbx3bqwx\x2xtwyfgzsx9y.encrypted.swf | 53.16 KB |
MD5:
f36444a8ad94ff7982e6c9a7c02f7f17
SHA1: 32cad5590dcbe896cd4754c32c1098c230c10aba SHA256: a663d9b3df65a97783c0e471690eb79afff9745ccd2a206ac1d561c7fa7a7c72 |
|
|
| c:\users\5jghkoaofdp\videos\w7mj2euig4vnsi\i34vb8v\ly9pykmqm52kjo\74ljzjj6v\iycmvj8bx4.encrypted.avi | 24.78 KB |
MD5:
626b0b59ffb262869eb71910d7a04eba
SHA1: 6bcdf0621bdcbc0dd99f451f8054864126b79035 SHA256: 51edae44de95f0745e730881057b57ef91f02b813a881fa279b351a77a753d67 |
|
|
| c:\users\5jghkoaofdp\videos\w7mj2euig4vnsi\i34vb8v\ly9pykmqm52kjo\74ljzjj6v\ngk1gpnfdf.encrypted.avi | 38.67 KB |
MD5:
d63a3309ad10cdf8c46636e5e8af7161
SHA1: 89c89d4c18dc0f79d716d15f2d37db7ae8057c97 SHA256: a8482ca47674d0a48518d6ecc51f8d832ceafe058c1a6ed470285e926b5e77c9 |
|
|
| c:\users\5jghkoaofdp\videos\w7mj2euig4vnsi\i34vb8v\ly9pykmqm52kjo\nw67aapo0uo1m7uro.encrypted.mp4 | 5.69 KB |
MD5:
f6a014c63bc5d0afd0d1dfea1719ef93
SHA1: 3a2427a1d0a4260ee7e482cf5831f08934e14c09 SHA256: 8802cb03422f77f43c38e75f7c90db61f78061dad189a83547f1d93543afbd86 |
|
|
| c:\users\5jghkoaofdp\videos\w7mj2euig4vnsi\i34vb8v\ly9pykmqm52kjo\tdgsbvupdge9trlzn.encrypted.swf | 70.89 KB |
MD5:
a429dcf0e017dc24fa548be7a1dbb44c
SHA1: 0f80ef8a1812cc07b9fcdfb82d279c5cd2c7586e SHA256: 8e4d98535c87f8e52da014c354418017cb2a14e60f814f733da3618e58769802 |
|
|
| c:\users\5jghkoaofdp\videos\w7mj2euig4vnsi\i34vb8v\pfd6tl97hvocvx0.encrypted.flv | 92.41 KB |
MD5:
3318667f875606c5a8a8d6418cd82a2c
SHA1: 8505a2de9bdc95fc56a79e16a1f40f61057cbed1 SHA256: 600629258120e60fc000307ad6bfb3d7cc5eaf1adeace3e70bc7385ae410e653 |
|
|
| c:\users\5jghkoaofdp\videos\w7mj2euig4vnsi\qroavzbrrc4ysh.encrypted.mp4 | 89.22 KB |
MD5:
4fabe131b2e66d2772c58a045dad3f31
SHA1: 1cdfabda64d15fd7c0393ccddb45d5471a394ca2 SHA256: b34c1790bd9a2d91a4b5f6da30ed479bfe7b024cd5b90921a0fb47323fe4a433 |
|
|
| c:\users\5jghkoaofdp\videos\w7mj2euig4vnsi\u9ryi4sh.encrypted.flv | 57.55 KB |
MD5:
4c5986a2c2855a0516a54057370f503d
SHA1: 7349f41bd61031130946c3b9dcecde90c69dfd82 SHA256: e6ce8f3b3176af4794b08c44e5dc93a9c9ae24da85b36bfc635df8ba2c8cf336 |
|
|
| c:\users\5jghkoaofdp\videos\zv_si7-lwgxp9d.encrypted.mkv | 48.12 KB |
MD5:
89bc0887e0947dd49268b679dc2ec9ba
SHA1: ae396524df4e8c9aa9fea18ccd852a78ba38de08 SHA256: 5b3e3f27540ce3f8ae023ee415e3ef1412e7efda8c303c0df79d5d7cbe9fd333 |
|
|
| c:\users\5jghkoaofdp\videos\_xvl0u4alfuw\d8ymrxudc8\w-xtdkhkct-t1tdd.encrypted.mkv | 68.81 KB |
MD5:
9374d5c7878237bd06d107617786b334
SHA1: 3d7f8022cc48aec0914055bcf19bf7dac1f73369 SHA256: 1c464631821a985daf338ac1debf6520eadc51a8b07f26b0a7f79a6cf88005d9 |
|
|
| c:\users\5jghkoaofdp\videos\_xvl0u4alfuw\jriw ov.encrypted.mp4 | 12.62 KB |
MD5:
3c4b7eee3bf68ce9aa665a044248627e
SHA1: 3d62e8e4b260e107bd95d85cbad8de264ba86546 SHA256: d614041a8a0c6d4f0a7995c39b7bc63131f1207617ab462ce3d01d1a359afb90 |
|
|
| c:\users\5jghkoaofdp\videos\_xvl0u4alfuw\txlonoxv7.encrypted.mkv | 26.02 KB |
MD5:
69a669168e23b18e319f22c0dab1c127
SHA1: 8e79421e377a45d7dd2634f1c448a9653f8978b5 SHA256: 6dc2358761b95b5db50c4d59126c704fdb249a70eaa14e552671be4c972a4282 |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\5jghkoaofdp\appdata\local\microsoft\windows\inetcache\counters.dat | 0.12 KB |
MD5:
7f10c52604631a0f80b8283658f3ae11
SHA1: 6dc4a31c3264adf0cdf947bacd63d9b3cc8f416e SHA256: 5c53481b46b2ea31ae4a197451884c621f077dda319839dd16c4fbe3f5aa87c8 |
|
|
Host Behavior
File (2478)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\5JgHKoaOfdp\Contacts\Aclviho ASldjfl.contact | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Contacts\Aclviho ASldjfl.contact | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\log.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
97 | |
| Create | C:\Users\5JgHKoaOfdp\Contacts\asdlfk poopvy.contact | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Contacts\asdlfk poopvy.contact | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Contacts\asdlfk poopvy.encrypted.contact | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Contacts\asdlfk poopvy.contact | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\log.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
96 | |
| Create | C:\Users\5JgHKoaOfdp\Contacts\chucu jadnvk.contact | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Contacts\chucu jadnvk.contact | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Contacts\chucu jadnvk.encrypted.contact | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Contacts\chucu jadnvk.contact | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Contacts\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Contacts\lulcit amkdfe.contact | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Contacts\lulcit amkdfe.contact | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Contacts\lulcit amkdfe.encrypted.contact | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Contacts\lulcit amkdfe.contact | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Contacts\sikvnb huvuib.contact | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Contacts\sikvnb huvuib.contact | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Contacts\sikvnb huvuib.encrypted.contact | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Contacts\sikvnb huvuib.contact | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\1Tb75wBO1.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\1Tb75wBO1.mkv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\1Tb75wBO1.encrypted.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\1Tb75wBO1.mkv | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\3EZX86SAhXTW8_.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\3EZX86SAhXTW8_.m4a | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\3EZX86SAhXTW8_.encrypted.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\3EZX86SAhXTW8_.m4a | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\3JfxKHSyXeB-IzZIg.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\3JfxKHSyXeB-IzZIg.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\3JfxKHSyXeB-IzZIg.encrypted.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\3JfxKHSyXeB-IzZIg.jpg | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\4RD-.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\4RD-.mkv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\4RD-.encrypted.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\4RD-.mkv | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\5bxmCpnounGldMora7z.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\5bxmCpnounGldMora7z.png | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\5bxmCpnounGldMora7z.encrypted.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\5bxmCpnounGldMora7z.png | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\5y0kuHp.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\5y0kuHp.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\5y0kuHp.encrypted.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\5y0kuHp.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\6EJM6nG0-2A.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\6EJM6nG0-2A.mkv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\6EJM6nG0-2A.encrypted.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\6EJM6nG0-2A.mkv | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\7OvR2-yM3wC.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\7OvR2-yM3wC.docx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\7OvR2-yM3wC.encrypted.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\7OvR2-yM3wC.docx | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\8hC8IQMY0ZP.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\8hC8IQMY0ZP.bmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\8hC8IQMY0ZP.encrypted.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\8hC8IQMY0ZP.bmp | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Du_JQkduq.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Du_JQkduq.avi | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Du_JQkduq.encrypted.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Du_JQkduq.avi | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\En3LtfI-_W.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\En3LtfI-_W.m4a | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\En3LtfI-_W.encrypted.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\En3LtfI-_W.m4a | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\fUic g1t3BFvB.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\fUic g1t3BFvB.m4a | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\fUic g1t3BFvB.encrypted.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\fUic g1t3BFvB.m4a | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\7O8AsytJbZ0P_ImC9InS.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\7O8AsytJbZ0P_ImC9InS.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\7O8AsytJbZ0P_ImC9InS.encrypted.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\7O8AsytJbZ0P_ImC9InS.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\7R1-Ym.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\7R1-Ym.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\7R1-Ym.encrypted.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\7R1-Ym.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\N_dJiBBBqT.swf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\N_dJiBBBqT.swf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\N_dJiBBBqT.encrypted.swf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\N_dJiBBBqT.swf | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\TvM0D.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\TvM0D.m4a | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\TvM0D.encrypted.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\TvM0D.m4a | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\dEX2QsW8ygpWBqS_.ods | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\dEX2QsW8ygpWBqS_.ods | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\dEX2QsW8ygpWBqS_.encrypted.ods | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\dEX2QsW8ygpWBqS_.ods | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\EJdtg4n_T.doc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\EJdtg4n_T.doc | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\EJdtg4n_T.encrypted.doc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\EJdtg4n_T.doc | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\fOc_MFQo1nSfNS.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\fOc_MFQo1nSfNS.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\fOc_MFQo1nSfNS.encrypted.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\fOc_MFQo1nSfNS.jpg | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\IQI3hZwu_M.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\IQI3hZwu_M.bmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\IQI3hZwu_M.encrypted.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\IQI3hZwu_M.bmp | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\mmKeDF5Rp.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\mmKeDF5Rp.avi | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\mmKeDF5Rp.encrypted.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\mmKeDF5Rp.avi | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\WeIzf.odp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\WeIzf.odp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\WeIzf.encrypted.odp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\WeIzf.odp | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\Zkq9sxhvtO.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\Zkq9sxhvtO.wav | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\Zkq9sxhvtO.encrypted.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\Zkq9sxhvtO.wav | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\zW2FdO8SmE.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\zW2FdO8SmE.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\zW2FdO8SmE.encrypted.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\zW2FdO8SmE.jpg | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Jk2_gj ZTujc3MT6f\0hJckM1RfPkx.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Jk2_gj ZTujc3MT6f\0hJckM1RfPkx.m4a | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Jk2_gj ZTujc3MT6f\0hJckM1RfPkx.encrypted.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Jk2_gj ZTujc3MT6f\0hJckM1RfPkx.m4a | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\KJOyg5.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\KJOyg5.avi | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\KJOyg5.encrypted.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\KJOyg5.avi | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\lsm4taKhSWwYuuYlX3j.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\lsm4taKhSWwYuuYlX3j.bmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\lsm4taKhSWwYuuYlX3j.encrypted.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\lsm4taKhSWwYuuYlX3j.bmp | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\PCBhpE.swf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\PCBhpE.swf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\PCBhpE.encrypted.swf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\PCBhpE.swf | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\PokcZa.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\PokcZa.png | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\PokcZa.encrypted.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\PokcZa.png | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\S5cBuB-rHdetHt7WYi.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\S5cBuB-rHdetHt7WYi.avi | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\S5cBuB-rHdetHt7WYi.encrypted.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\S5cBuB-rHdetHt7WYi.avi | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\sF29dHov5.swf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\sF29dHov5.swf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\sF29dHov5.encrypted.swf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\sF29dHov5.swf | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Sy1211x.ods | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Sy1211x.ods | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Sy1211x.encrypted.ods | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Sy1211x.ods | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Vrbefmij3.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Vrbefmij3.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Vrbefmij3.encrypted.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Vrbefmij3.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\V_mfF9fKWkwn.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\V_mfF9fKWkwn.gif | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\V_mfF9fKWkwn.encrypted.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\V_mfF9fKWkwn.gif | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\w4YpSCyD_vipA.odp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\w4YpSCyD_vipA.odp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\w4YpSCyD_vipA.encrypted.odp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\w4YpSCyD_vipA.odp | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\XoBZgP-NQ nymN\hF0M-QQaLGlO0.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\XoBZgP-NQ nymN\hF0M-QQaLGlO0.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\XoBZgP-NQ nymN\hF0M-QQaLGlO0.encrypted.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\XoBZgP-NQ nymN\hF0M-QQaLGlO0.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\XoBZgP-NQ nymN\kaF1 ogA4CxDi0az3.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\XoBZgP-NQ nymN\kaF1 ogA4CxDi0az3.avi | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\XoBZgP-NQ nymN\kaF1 ogA4CxDi0az3.encrypted.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\XoBZgP-NQ nymN\kaF1 ogA4CxDi0az3.avi | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\XoBZgP-NQ nymN\msFBQYVEw1.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\XoBZgP-NQ nymN\msFBQYVEw1.m4a | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\XoBZgP-NQ nymN\msFBQYVEw1.encrypted.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\XoBZgP-NQ nymN\msFBQYVEw1.m4a | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\XoBZgP-NQ nymN\oqS YhNhNVjJl.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\XoBZgP-NQ nymN\oqS YhNhNVjJl.gif | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\XoBZgP-NQ nymN\oqS YhNhNVjJl.encrypted.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\XoBZgP-NQ nymN\oqS YhNhNVjJl.gif | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\XoBZgP-NQ nymN\SPrNsnXZLCmI9CFW.csv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\XoBZgP-NQ nymN\SPrNsnXZLCmI9CFW.csv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\XoBZgP-NQ nymN\SPrNsnXZLCmI9CFW.encrypted.csv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\XoBZgP-NQ nymN\SPrNsnXZLCmI9CFW.csv | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\y5aahqbX.xls | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\y5aahqbX.xls | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\y5aahqbX.encrypted.xls | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\y5aahqbX.xls | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Z1_9k e9-S6.flv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Z1_9k e9-S6.flv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Z1_9k e9-S6.encrypted.flv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\Z1_9k e9-S6.flv | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\ZMmw.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\ZMmw.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\ZMmw.encrypted.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\ZMmw.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\_wcwnxx.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\_wcwnxx.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\_wcwnxx.encrypted.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\_wcwnxx.jpg | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\0BRr10C_vf.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\0BRr10C_vf.docx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\0BRr10C_vf.encrypted.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\0BRr10C_vf.docx | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\4XMn-TKlhNExKN-3H-1.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\4XMn-TKlhNExKN-3H-1.docx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\4XMn-TKlhNExKN-3H-1.encrypted.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\4XMn-TKlhNExKN-3H-1.docx | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\6DAhHTfpbAWIamgph0.doc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\6DAhHTfpbAWIamgph0.doc | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\6DAhHTfpbAWIamgph0.encrypted.doc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\6DAhHTfpbAWIamgph0.doc | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\6iZPqUY.ppt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\6iZPqUY.ppt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\6iZPqUY.encrypted.ppt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\6iZPqUY.ppt | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\7 Ge5Dw.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\7 Ge5Dw.pptx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\7 Ge5Dw.encrypted.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\7 Ge5Dw.pptx | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\7_HigqquIh9.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\7_HigqquIh9.pptx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\7_HigqquIh9.encrypted.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\7_HigqquIh9.pptx | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\8zjzU_i3YhK3gy6-wl.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\8zjzU_i3YhK3gy6-wl.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\8zjzU_i3YhK3gy6-wl.encrypted.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\8zjzU_i3YhK3gy6-wl.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\A6fpLIPjcquc.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\A6fpLIPjcquc.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\A6fpLIPjcquc.encrypted.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\A6fpLIPjcquc.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\AV_QFrZAT4bCsR2r2.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\AV_QFrZAT4bCsR2r2.pptx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\AV_QFrZAT4bCsR2r2.encrypted.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\AV_QFrZAT4bCsR2r2.pptx | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\eNn8BYb.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\eNn8BYb.pptx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\eNn8BYb.encrypted.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\eNn8BYb.pptx | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\fzyA1G8.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\fzyA1G8.docx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\fzyA1G8.encrypted.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\fzyA1G8.docx | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\GAF9c9wmAoc64y.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\GAF9c9wmAoc64y.docx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\GAF9c9wmAoc64y.encrypted.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\GAF9c9wmAoc64y.docx | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\JX5vwqk00yn.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\JX5vwqk00yn.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\JX5vwqk00yn.encrypted.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\JX5vwqk00yn.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\Kl1ISboV3 VUszg.ods | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\Kl1ISboV3 VUszg.ods | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\Kl1ISboV3 VUszg.encrypted.ods | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\Kl1ISboV3 VUszg.ods | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\KrhDnmV.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\KrhDnmV.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\KrhDnmV.encrypted.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\KrhDnmV.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\My New App.accdb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\My New App.accdb | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\My New App.encrypted.accdb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\My New App.accdb | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\My Shapes\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\My Shapes\Favorites.vssx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\My Shapes\_private\folder.ico | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\My Shapes\_private\folder.ico | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\My Shapes\_private\folder.encrypted.ico | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\My Shapes\_private\folder.ico | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\NdqRnMX.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\NdqRnMX.pptx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\NdqRnMX.encrypted.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\NdqRnMX.pptx | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\NtzYsnO8sClmAQ9dt.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\NtzYsnO8sClmAQ9dt.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\NtzYsnO8sClmAQ9dt.encrypted.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\NtzYsnO8sClmAQ9dt.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\nu0r5.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\nu0r5.pptx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\nu0r5.encrypted.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\nu0r5.pptx | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\oaPMgoy.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\oaPMgoy.docx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\oaPMgoy.encrypted.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\oaPMgoy.docx | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\8Y9ZK 2Bwq.ots | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\8Y9ZK 2Bwq.ots | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\8Y9ZK 2Bwq.encrypted.ots | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\8Y9ZK 2Bwq.ots | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\owFnS9w.ppt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\owFnS9w.ppt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\owFnS9w.encrypted.ppt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\owFnS9w.ppt | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\-zQ55baTzud1r.doc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\-zQ55baTzud1r.doc | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\-zQ55baTzud1r.encrypted.doc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\-zQ55baTzud1r.doc | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\BfinI9.ppt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\BfinI9.ppt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\BfinI9.encrypted.ppt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\BfinI9.ppt | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\Mwzg.ods | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\Mwzg.ods | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\Mwzg.encrypted.ods | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\Mwzg.ods | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\r2iBoAou.ots | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\r2iBoAou.ots | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\r2iBoAou.encrypted.ots | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\r2iBoAou.ots | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\UFigFWiH4-sodVWyJ1U.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\UFigFWiH4-sodVWyJ1U.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\UFigFWiH4-sodVWyJ1U.encrypted.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\UFigFWiH4-sodVWyJ1U.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\VVH1QNL8xVoPWHBf.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\VVH1QNL8xVoPWHBf.pdf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\VVH1QNL8xVoPWHBf.encrypted.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\VVH1QNL8xVoPWHBf.pdf | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\xM0Y.csv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\xM0Y.csv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\xM0Y.encrypted.csv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\xM0Y.csv | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\xTKr4wd0EMenAL0Vgl.ods | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\xTKr4wd0EMenAL0Vgl.ods | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\xTKr4wd0EMenAL0Vgl.encrypted.ods | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\xTKr4wd0EMenAL0Vgl.ods | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\PeIk\5BkR6pukA0CJq4Uq.csv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\PeIk\5BkR6pukA0CJq4Uq.csv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\PeIk\5BkR6pukA0CJq4Uq.encrypted.csv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\PeIk\5BkR6pukA0CJq4Uq.csv | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\PeIk\QfUP_FukyKEW.csv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\PeIk\QfUP_FukyKEW.csv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\PeIk\QfUP_FukyKEW.encrypted.csv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\PeIk\QfUP_FukyKEW.csv | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\RahJwFipaXFtnUdk.ods | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\RahJwFipaXFtnUdk.ods | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\RahJwFipaXFtnUdk.encrypted.ods | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\RahJwFipaXFtnUdk.ods | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\A20ehj.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\A20ehj.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\A20ehj.encrypted.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\A20ehj.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\JJIbI4zhzAH8EE.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\JJIbI4zhzAH8EE.pptx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\JJIbI4zhzAH8EE.encrypted.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\JJIbI4zhzAH8EE.pptx | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\KCnxxDoO39.odp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\KCnxxDoO39.odp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\KCnxxDoO39.encrypted.odp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\KCnxxDoO39.odp | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\S8lLodQ9a.doc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\S8lLodQ9a.doc | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\S8lLodQ9a.encrypted.doc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\S8lLodQ9a.doc | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\tXwhp2.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\tXwhp2.rtf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\tXwhp2.encrypted.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\tXwhp2.rtf | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\b6IpPtj.pps | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\b6IpPtj.pps | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\b6IpPtj.encrypted.pps | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\b6IpPtj.pps | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\evbFa7b.ots | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\evbFa7b.ots | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\evbFa7b.encrypted.ots | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\evbFa7b.ots | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\Hy8eyCMMEjjfu_b1E al.odt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\Hy8eyCMMEjjfu_b1E al.odt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\Hy8eyCMMEjjfu_b1E al.encrypted.odt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\Hy8eyCMMEjjfu_b1E al.odt | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\J39qnvz0zpE.odt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\J39qnvz0zpE.odt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\J39qnvz0zpE.encrypted.odt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\J39qnvz0zpE.odt | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\kTS_UF3R.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\kTS_UF3R.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\kTS_UF3R.encrypted.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\kTS_UF3R.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\PXIXONj u3PYiiw.ppt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\PXIXONj u3PYiiw.ppt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\PXIXONj u3PYiiw.encrypted.ppt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\PXIXONj u3PYiiw.ppt | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\q4QGX9J.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\q4QGX9J.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\q4QGX9J.encrypted.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\q4QGX9J.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\YfvOTM2QL.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\YfvOTM2QL.pdf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\YfvOTM2QL.encrypted.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\YfvOTM2QL.pdf | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\xqMFdXWPJOX9Nmvq.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\xqMFdXWPJOX9Nmvq.rtf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\xqMFdXWPJOX9Nmvq.encrypted.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\xqMFdXWPJOX9Nmvq.rtf | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\v_7erIZtl\HviAkQsti8A0qV5H.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\v_7erIZtl\HviAkQsti8A0qV5H.pptx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\v_7erIZtl\HviAkQsti8A0qV5H.encrypted.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\v_7erIZtl\HviAkQsti8A0qV5H.pptx | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\v_7erIZtl\KBud.odt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\v_7erIZtl\KBud.odt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\v_7erIZtl\KBud.encrypted.odt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\v_7erIZtl\KBud.odt | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\v_7erIZtl\PQmwNJuMI 8yaF.odt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\v_7erIZtl\PQmwNJuMI 8yaF.odt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\v_7erIZtl\PQmwNJuMI 8yaF.encrypted.odt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\v_7erIZtl\PQmwNJuMI 8yaF.odt | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\ytAwM8DIYW_.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\ytAwM8DIYW_.docx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\ytAwM8DIYW_.encrypted.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\ytAwM8DIYW_.docx | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OeG42D1N-pCT.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OeG42D1N-pCT.docx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OeG42D1N-pCT.encrypted.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OeG42D1N-pCT.docx | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OneNote Notebooks\My Notebook\Open Notebook.encrypted.onetoc2 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OneNote Notebooks\My Notebook\Quick Notes.one | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OneNote Notebooks\My Notebook\Quick Notes.one | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OneNote Notebooks\My Notebook\Quick Notes.encrypted.one | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\OneNote Notebooks\My Notebook\Quick Notes.one | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\Outlook Files\cjeijc.diuv@div.com.pst | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\Outlook Files\cjeijc.diuv@div.com.pst | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\Outlook Files\cjeijc.diuv@div.com.encrypted.pst | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\Outlook Files\cjeijc.diuv@div.com.pst | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\SePDrD5iZptpBIl3Jo.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\SePDrD5iZptpBIl3Jo.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\SePDrD5iZptpBIl3Jo.encrypted.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\SePDrD5iZptpBIl3Jo.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\Yq6ijn.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\Yq6ijn.pptx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\Yq6ijn.encrypted.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Documents\Yq6ijn.pptx | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Downloads\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Favorites\Bing.url | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Favorites\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Favorites\Links\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Links\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Links\Desktop.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Links\Downloads.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Links\RecentPlaces.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\0bqxKIRc2rA02v.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\0bqxKIRc2rA02v.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\0bqxKIRc2rA02v.encrypted.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\0bqxKIRc2rA02v.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\2Cxf6yeZU\Ww4k87_yJ.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\2Cxf6yeZU\Ww4k87_yJ.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\2Cxf6yeZU\Ww4k87_yJ.encrypted.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\2Cxf6yeZU\Ww4k87_yJ.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\9CdGT6fjqeS8J\--flhG8yvkDQ.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\9CdGT6fjqeS8J\--flhG8yvkDQ.m4a | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\9CdGT6fjqeS8J\--flhG8yvkDQ.encrypted.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\9CdGT6fjqeS8J\--flhG8yvkDQ.m4a | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\9CdGT6fjqeS8J\GmrufiPOj.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\9CdGT6fjqeS8J\GmrufiPOj.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\9CdGT6fjqeS8J\GmrufiPOj.encrypted.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\9CdGT6fjqeS8J\GmrufiPOj.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\9CdGT6fjqeS8J\OKMTWEDLC_J2PLgT5F.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\9CdGT6fjqeS8J\OKMTWEDLC_J2PLgT5F.m4a | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\9CdGT6fjqeS8J\OKMTWEDLC_J2PLgT5F.encrypted.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\9CdGT6fjqeS8J\OKMTWEDLC_J2PLgT5F.m4a | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\9CdGT6fjqeS8J\Q6pnwP.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\9CdGT6fjqeS8J\Q6pnwP.wav | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\9CdGT6fjqeS8J\Q6pnwP.encrypted.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\9CdGT6fjqeS8J\Q6pnwP.wav | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\9CdGT6fjqeS8J\TzM3m2.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\9CdGT6fjqeS8J\TzM3m2.wav | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\9CdGT6fjqeS8J\TzM3m2.encrypted.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\9CdGT6fjqeS8J\TzM3m2.wav | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\9CdGT6fjqeS8J\WMoGcJ psg3NPZQ94LOg.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\9CdGT6fjqeS8J\WMoGcJ psg3NPZQ94LOg.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\9CdGT6fjqeS8J\WMoGcJ psg3NPZQ94LOg.encrypted.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\9CdGT6fjqeS8J\WMoGcJ psg3NPZQ94LOg.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\Am isoWjkV8-3.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\Am isoWjkV8-3.m4a | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\Am isoWjkV8-3.encrypted.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\Am isoWjkV8-3.m4a | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\BT 6Ls2Uix0Q6d83.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\BT 6Ls2Uix0Q6d83.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\BT 6Ls2Uix0Q6d83.encrypted.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\BT 6Ls2Uix0Q6d83.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\HPqmZb4DELw.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\HPqmZb4DELw.wav | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\HPqmZb4DELw.encrypted.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\HPqmZb4DELw.wav | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\htI6zn-REdOAWQ1fz DV.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\htI6zn-REdOAWQ1fz DV.m4a | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\htI6zn-REdOAWQ1fz DV.encrypted.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\htI6zn-REdOAWQ1fz DV.m4a | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\8N1CtHWHwSbAK_TALoK.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\8N1CtHWHwSbAK_TALoK.wav | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\8N1CtHWHwSbAK_TALoK.encrypted.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\8N1CtHWHwSbAK_TALoK.wav | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\akPy8sjhpJrFHXh2s3.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\akPy8sjhpJrFHXh2s3.m4a | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\akPy8sjhpJrFHXh2s3.encrypted.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\akPy8sjhpJrFHXh2s3.m4a | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\fY9NQ.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\fY9NQ.wav | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\fY9NQ.encrypted.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\fY9NQ.wav | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\HxMo\9X43Mj8VwmSEyzG.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\HxMo\9X43Mj8VwmSEyzG.m4a | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\HxMo\9X43Mj8VwmSEyzG.encrypted.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\HxMo\9X43Mj8VwmSEyzG.m4a | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\HxMo\F--xXxODAwz6EaqtLJ.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\HxMo\F--xXxODAwz6EaqtLJ.m4a | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\HxMo\F--xXxODAwz6EaqtLJ.encrypted.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\HxMo\F--xXxODAwz6EaqtLJ.m4a | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\HxMo\I Pap4u Q1S WukV.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\HxMo\I Pap4u Q1S WukV.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\HxMo\I Pap4u Q1S WukV.encrypted.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\HxMo\I Pap4u Q1S WukV.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\HxMo\Oj01a.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\HxMo\Oj01a.m4a | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\HxMo\Oj01a.encrypted.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\HxMo\Oj01a.m4a | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\HxMo\Ry10cYt.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\HxMo\Ry10cYt.m4a | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\HxMo\Ry10cYt.encrypted.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\HxMo\Ry10cYt.m4a | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\HxMo\Tbm3uBd.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\HxMo\Tbm3uBd.m4a | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\HxMo\Tbm3uBd.encrypted.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\HxMo\Tbm3uBd.m4a | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\MYjamcbD5wiKum.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\MYjamcbD5wiKum.wav | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\MYjamcbD5wiKum.encrypted.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\MYjamcbD5wiKum.wav | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\nh-XoowRj_Swc.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\nh-XoowRj_Swc.m4a | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\nh-XoowRj_Swc.encrypted.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\nh-XoowRj_Swc.m4a | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\VyQWuqkuhW_t.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\VyQWuqkuhW_t.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\VyQWuqkuhW_t.encrypted.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\VyQWuqkuhW_t.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\ofDr70-sUlq ezsAIzV.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\ofDr70-sUlq ezsAIzV.wav | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\ofDr70-sUlq ezsAIzV.encrypted.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\ofDr70-sUlq ezsAIzV.wav | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\uLEK7i54R.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\uLEK7i54R.wav | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\uLEK7i54R.encrypted.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\uLEK7i54R.wav | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\HWh3je\Qu-qkBOki1erBhvH.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\HWh3je\Qu-qkBOki1erBhvH.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\HWh3je\Qu-qkBOki1erBhvH.encrypted.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\HWh3je\Qu-qkBOki1erBhvH.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\HWh3je\Skvqvzgpd5maF.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\HWh3je\Skvqvzgpd5maF.wav | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\HWh3je\Skvqvzgpd5maF.encrypted.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\HWh3je\Skvqvzgpd5maF.wav | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\HWh3je\UtFu45CM-kagY.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\HWh3je\UtFu45CM-kagY.wav | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\HWh3je\UtFu45CM-kagY.encrypted.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\HWh3je\UtFu45CM-kagY.wav | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\N9gPmF.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\N9gPmF.m4a | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\N9gPmF.encrypted.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\N9gPmF.m4a | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\nHKgCPNGxLt7Z.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\nHKgCPNGxLt7Z.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\nHKgCPNGxLt7Z.encrypted.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\nHKgCPNGxLt7Z.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\qNgimzHL82edG6C.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\qNgimzHL82edG6C.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\qNgimzHL82edG6C.encrypted.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\qNgimzHL82edG6C.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\Ta0rAKcZeTCtqy.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\Ta0rAKcZeTCtqy.wav | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\Ta0rAKcZeTCtqy.encrypted.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\Ta0rAKcZeTCtqy.wav | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\TGj_jV mNs5by2rDPS9.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\TGj_jV mNs5by2rDPS9.m4a | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\TGj_jV mNs5by2rDPS9.encrypted.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\TGj_jV mNs5by2rDPS9.m4a | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\Wm_rBSmVuOnF22XByT.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\Wm_rBSmVuOnF22XByT.m4a | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\Wm_rBSmVuOnF22XByT.encrypted.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\Wm_rBSmVuOnF22XByT.m4a | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\WpAvWZDBbQ_aj5RFw.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\WpAvWZDBbQ_aj5RFw.wav | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\WpAvWZDBbQ_aj5RFw.encrypted.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Music\WpAvWZDBbQ_aj5RFw.wav | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\NTUSER.DAT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\ntuser.dat.LOG1 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\ntuser.dat.LOG2 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\NTUSER.DAT{bbed3e3b-0b41-11e3-8249-d6927d06400b}.TM.blf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\NTUSER.DAT{bbed3e3b-0b41-11e3-8249-d6927d06400b}.TMContainer00000000000000000001.regtrans-ms | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\NTUSER.DAT{bbed3e3b-0b41-11e3-8249-d6927d06400b}.TMContainer00000000000000000002.regtrans-ms | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\ntuser.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\7ErxFZkXIM\JA1eNOIB7NiPk.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\7ErxFZkXIM\JA1eNOIB7NiPk.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\7ErxFZkXIM\JA1eNOIB7NiPk.encrypted.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\7ErxFZkXIM\JA1eNOIB7NiPk.jpg | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\1l99\Ggn771vX9IZ45ssL.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\1l99\Ggn771vX9IZ45ssL.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\1l99\Ggn771vX9IZ45ssL.encrypted.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\1l99\Ggn771vX9IZ45ssL.jpg | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\1l99\_j0NpO8_IRhC2gu1aTq.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\1l99\_j0NpO8_IRhC2gu1aTq.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\1l99\_j0NpO8_IRhC2gu1aTq.encrypted.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\1l99\_j0NpO8_IRhC2gu1aTq.jpg | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\ARWtqJJbYq8IXSVmfW.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\ARWtqJJbYq8IXSVmfW.bmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\ARWtqJJbYq8IXSVmfW.encrypted.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\ARWtqJJbYq8IXSVmfW.bmp | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\Dwey5ysxf8zDVlgtk-7\6oAGzbr.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\Dwey5ysxf8zDVlgtk-7\6oAGzbr.png | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\Dwey5ysxf8zDVlgtk-7\6oAGzbr.encrypted.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\Dwey5ysxf8zDVlgtk-7\6oAGzbr.png | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\Dwey5ysxf8zDVlgtk-7\gtZAJbx9M.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\Dwey5ysxf8zDVlgtk-7\gtZAJbx9M.gif | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\Dwey5ysxf8zDVlgtk-7\gtZAJbx9M.encrypted.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\Dwey5ysxf8zDVlgtk-7\gtZAJbx9M.gif | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\Dwey5ysxf8zDVlgtk-7\ySNBZV2WpSZu7yVHi.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\Dwey5ysxf8zDVlgtk-7\ySNBZV2WpSZu7yVHi.png | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\Dwey5ysxf8zDVlgtk-7\ySNBZV2WpSZu7yVHi.encrypted.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\Dwey5ysxf8zDVlgtk-7\ySNBZV2WpSZu7yVHi.png | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\g-RHSKXLnZ91gcF3\1wvmAtyNCwiflQs.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\g-RHSKXLnZ91gcF3\1wvmAtyNCwiflQs.gif | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\g-RHSKXLnZ91gcF3\1wvmAtyNCwiflQs.encrypted.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\g-RHSKXLnZ91gcF3\1wvmAtyNCwiflQs.gif | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\K2Gr3uxs6xidwVxov5oG\GCANefpPqLaSBVj2MH.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\K2Gr3uxs6xidwVxov5oG\GCANefpPqLaSBVj2MH.gif | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\K2Gr3uxs6xidwVxov5oG\GCANefpPqLaSBVj2MH.encrypted.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\K2Gr3uxs6xidwVxov5oG\GCANefpPqLaSBVj2MH.gif | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\K2Gr3uxs6xidwVxov5oG\I AqFEB_gkXX4EJ K.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\K2Gr3uxs6xidwVxov5oG\I AqFEB_gkXX4EJ K.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\K2Gr3uxs6xidwVxov5oG\I AqFEB_gkXX4EJ K.encrypted.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\K2Gr3uxs6xidwVxov5oG\I AqFEB_gkXX4EJ K.jpg | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\K2Gr3uxs6xidwVxov5oG\L62BcZ1RmpYf6l.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\K2Gr3uxs6xidwVxov5oG\L62BcZ1RmpYf6l.gif | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\K2Gr3uxs6xidwVxov5oG\L62BcZ1RmpYf6l.encrypted.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\K2Gr3uxs6xidwVxov5oG\L62BcZ1RmpYf6l.gif | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\K2Gr3uxs6xidwVxov5oG\rOxU_OHrqz3AluL1VAv.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\K2Gr3uxs6xidwVxov5oG\rOxU_OHrqz3AluL1VAv.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\K2Gr3uxs6xidwVxov5oG\rOxU_OHrqz3AluL1VAv.encrypted.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\K2Gr3uxs6xidwVxov5oG\rOxU_OHrqz3AluL1VAv.jpg | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\K2Gr3uxs6xidwVxov5oG\TtfBKCFLH.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\K2Gr3uxs6xidwVxov5oG\TtfBKCFLH.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\K2Gr3uxs6xidwVxov5oG\TtfBKCFLH.encrypted.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\K2Gr3uxs6xidwVxov5oG\TtfBKCFLH.jpg | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\K2Gr3uxs6xidwVxov5oG\zX lin0LmT23lA.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\K2Gr3uxs6xidwVxov5oG\zX lin0LmT23lA.gif | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\K2Gr3uxs6xidwVxov5oG\zX lin0LmT23lA.encrypted.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\K2Gr3uxs6xidwVxov5oG\zX lin0LmT23lA.gif | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\YRDrool8Kl77XW3JPk\8G28BQg.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\YRDrool8Kl77XW3JPk\8G28BQg.gif | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\YRDrool8Kl77XW3JPk\8G28BQg.encrypted.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\YRDrool8Kl77XW3JPk\8G28BQg.gif | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\YRDrool8Kl77XW3JPk\Tg3wrt0QXL.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\YRDrool8Kl77XW3JPk\Tg3wrt0QXL.png | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\YRDrool8Kl77XW3JPk\Tg3wrt0QXL.encrypted.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\YRDrool8Kl77XW3JPk\Tg3wrt0QXL.png | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\fzqKX6\2C0v4LCMNqRisSVmNH.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\fzqKX6\2C0v4LCMNqRisSVmNH.png | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\fzqKX6\2C0v4LCMNqRisSVmNH.encrypted.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\fzqKX6\2C0v4LCMNqRisSVmNH.png | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\fzqKX6\jyy8JyKpQV-F8gh.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\fzqKX6\jyy8JyKpQV-F8gh.bmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\fzqKX6\jyy8JyKpQV-F8gh.encrypted.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\fzqKX6\jyy8JyKpQV-F8gh.bmp | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\oci-Q.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\oci-Q.gif | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\oci-Q.encrypted.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\oci-Q.gif | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\P-p-GD.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\P-p-GD.gif | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\P-p-GD.encrypted.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\P-p-GD.gif | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\rRX1N2vHruw.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\rRX1N2vHruw.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\rRX1N2vHruw.encrypted.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\rRX1N2vHruw.jpg | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\U3eEkQdYzaXUq\u2urh7f2g_AnVYtgvB.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\U3eEkQdYzaXUq\u2urh7f2g_AnVYtgvB.gif | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\U3eEkQdYzaXUq\u2urh7f2g_AnVYtgvB.encrypted.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\U3eEkQdYzaXUq\u2urh7f2g_AnVYtgvB.gif | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\U3eEkQdYzaXUq\YZ8dKJ.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\U3eEkQdYzaXUq\YZ8dKJ.bmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\U3eEkQdYzaXUq\YZ8dKJ.encrypted.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\U3eEkQdYzaXUq\YZ8dKJ.bmp | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\va C Aq 3jGDvwrAh.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\va C Aq 3jGDvwrAh.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\va C Aq 3jGDvwrAh.encrypted.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\va C Aq 3jGDvwrAh.jpg | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\_LRt-TCRiK9QqHk2-\yG wF7 j.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\_LRt-TCRiK9QqHk2-\yG wF7 j.bmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\_LRt-TCRiK9QqHk2-\yG wF7 j.encrypted.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Pictures\_LRt-TCRiK9QqHk2-\yG wF7 j.bmp | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Saved Games\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Searches\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Searches\Everywhere.search-ms | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Searches\Indexed Locations.search-ms | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Searches\winrt--{S-1-5-21-3643094112-4209292109-138530109-1001}-.searchconnector-ms | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\FA6K.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\FA6K.avi | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\FA6K.encrypted.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\FA6K.avi | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\j6M71gkeVJvfs9iyhYRq.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\j6M71gkeVJvfs9iyhYRq.mkv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\j6M71gkeVJvfs9iyhYRq.encrypted.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\j6M71gkeVJvfs9iyhYRq.mkv | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\Go1Watx3i5wfBNWTzAE\-S51.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\Go1Watx3i5wfBNWTzAE\-S51.avi | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\Go1Watx3i5wfBNWTzAE\-S51.encrypted.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\Go1Watx3i5wfBNWTzAE\-S51.avi | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\Go1Watx3i5wfBNWTzAE\jbO8CRdRPf.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\Go1Watx3i5wfBNWTzAE\jbO8CRdRPf.avi | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\Go1Watx3i5wfBNWTzAE\jbO8CRdRPf.encrypted.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\Go1Watx3i5wfBNWTzAE\jbO8CRdRPf.avi | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\Go1Watx3i5wfBNWTzAE\oI76T1YeFvYVSDV-.flv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\Go1Watx3i5wfBNWTzAE\oI76T1YeFvYVSDV-.flv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\Go1Watx3i5wfBNWTzAE\oI76T1YeFvYVSDV-.encrypted.flv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\Go1Watx3i5wfBNWTzAE\oI76T1YeFvYVSDV-.flv | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\FaQdwk0jqTrE7oy.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\FaQdwk0jqTrE7oy.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\FaQdwk0jqTrE7oy.encrypted.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\FaQdwk0jqTrE7oy.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\fOyZB3wY.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\fOyZB3wY.mkv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\fOyZB3wY.encrypted.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\fOyZB3wY.mkv | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\1QjaB4g.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\1QjaB4g.avi | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\1QjaB4g.encrypted.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\1QjaB4g.avi | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\9n8-JbX3BQwX\0oTqER0rNNNxWoB_.swf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\9n8-JbX3BQwX\0oTqER0rNNNxWoB_.swf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\9n8-JbX3BQwX\0oTqER0rNNNxWoB_.encrypted.swf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\9n8-JbX3BQwX\0oTqER0rNNNxWoB_.swf | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\9n8-JbX3BQwX\0tepcNQkuW0n1-C.swf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\9n8-JbX3BQwX\0tepcNQkuW0n1-C.swf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\9n8-JbX3BQwX\0tepcNQkuW0n1-C.encrypted.swf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\9n8-JbX3BQwX\0tepcNQkuW0n1-C.swf | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\9n8-JbX3BQwX\cBWtHz394wcvBC.flv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\9n8-JbX3BQwX\cBWtHz394wcvBC.flv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\9n8-JbX3BQwX\cBWtHz394wcvBC.encrypted.flv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\9n8-JbX3BQwX\cBWtHz394wcvBC.flv | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\9n8-JbX3BQwX\kG1TsubK.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\9n8-JbX3BQwX\kG1TsubK.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\9n8-JbX3BQwX\kG1TsubK.encrypted.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\9n8-JbX3BQwX\kG1TsubK.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\9n8-JbX3BQwX\X2XTwYfgzSX9y.swf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\9n8-JbX3BQwX\X2XTwYfgzSX9y.swf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\9n8-JbX3BQwX\X2XTwYfgzSX9y.encrypted.swf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\9n8-JbX3BQwX\X2XTwYfgzSX9y.swf | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\iYCMVJ8bX4.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\iYCMVJ8bX4.avi | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\iYCMVJ8bX4.encrypted.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\iYCMVJ8bX4.avi | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\NGK1gpNFDF.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\NGK1gpNFDF.avi | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\NGK1gpNFDF.encrypted.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\NGK1gpNFDF.avi | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\nw67aApo0uo1M7UrO.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\nw67aApo0uo1M7UrO.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\nw67aApo0uo1M7UrO.encrypted.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\nw67aApo0uo1M7UrO.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\oy8pI.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\oy8pI.mkv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\oy8pI.encrypted.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\oy8pI.mkv | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\TdGSbvUpDge9tRLZN.swf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\TdGSbvUpDge9tRLZN.swf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\TdGSbvUpDge9tRLZN.encrypted.swf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\TdGSbvUpDge9tRLZN.swf | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\PFD6Tl97HVocvx0.flv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\PFD6Tl97HVocvx0.flv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\PFD6Tl97HVocvx0.encrypted.flv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\PFD6Tl97HVocvx0.flv | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\QroavZbRRC4ySH.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\QroavZbRRC4ySH.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\QroavZbRRC4ySH.encrypted.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\QroavZbRRC4ySH.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\u9rYI4sH.flv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\u9rYI4sH.flv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\u9rYI4sH.encrypted.flv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\u9rYI4sH.flv | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\zv_SI7-lWGxP9d.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\zv_SI7-lWGxP9d.mkv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\zv_SI7-lWGxP9d.encrypted.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\zv_SI7-lWGxP9d.mkv | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\_XVl0U4aLFuw\D8ymrXuDc8\w-XTDKhkCT-t1tdd.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\_XVl0U4aLFuw\D8ymrXuDc8\w-XTDKhkCT-t1tdd.mkv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\_XVl0U4aLFuw\D8ymrXuDc8\w-XTDKhkCT-t1tdd.encrypted.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\_XVl0U4aLFuw\D8ymrXuDc8\w-XTDKhkCT-t1tdd.mkv | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\_XVl0U4aLFuw\jriw oV.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\_XVl0U4aLFuw\jriw oV.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\_XVl0U4aLFuw\jriw oV.encrypted.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\_XVl0U4aLFuw\jriw oV.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\_XVl0U4aLFuw\TXLONoXv7.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\_XVl0U4aLFuw\TXLONoXv7.mkv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\_XVl0U4aLFuw\TXLONoXv7.encrypted.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Videos\_XVl0U4aLFuw\TXLONoXv7.mkv | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\3123635631 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\31236356313123635631 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\1365363213 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | type = file_type |
|
2 | |
| Get Info | C:\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Contacts\ | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5JgHKoaOfdp\Contacts\lulcit amkdfe.contact | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\ | type = file_attributes |
|
26 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\fUic g1t3BFvB.m4a | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\ | type = file_attributes |
|
5 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\ | type = file_attributes |
|
7 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\EJdtg4n_T.doc | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\Jk2_gj ZTujc3MT6f\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\PCBhpE.swf | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\S5cBuB-rHdetHt7WYi.avi | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\Sy1211x.ods | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\w4YpSCyD_vipA.odp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\XoBZgP-NQ nymN\ | type = file_attributes |
|
5 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\XoBZgP-NQ nymN\hF0M-QQaLGlO0.mp3 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Documents\ | type = file_attributes |
|
23 | |
| Get Info | C:\Users\5JgHKoaOfdp\Documents\7 Ge5Dw.pptx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Documents\8zjzU_i3YhK3gy6-wl.xlsx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Documents\eNn8BYb.pptx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Documents\My Shapes\_private\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\ | type = file_attributes |
|
3 | |
| Get Info | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\8Y9ZK 2Bwq.ots | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\ | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\ | type = file_attributes |
|
7 | |
| Get Info | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\BfinI9.ppt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\P4g4qgo\xM0Y.csv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\j2q6rPjqlWrNko9k1E\xTKr4wd0EMenAL0Vgl.ods | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\PeIk\ | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\ | type = file_attributes |
|
6 | |
| Get Info | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\UgdLfIWdd20-er\ | type = file_attributes |
|
8 | |
| Get Info | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\sLbooIVzw6bDT1J4\xqMFdXWPJOX9Nmvq.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\v_7erIZtl\ | type = file_attributes |
|
3 | |
| Get Info | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\v_7erIZtl\KBud.odt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Documents\OEFjIsV2iRUyiDT\ytAwM8DIYW_.docx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Documents\OneNote Notebooks\My Notebook\ | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5JgHKoaOfdp\Documents\Outlook Files\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Documents\Outlook Files\cjeijc.diuv@div.com.pst | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Music\ | type = file_attributes |
|
10 | |
| Get Info | C:\Users\5JgHKoaOfdp\Music\2Cxf6yeZU\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Music\9CdGT6fjqeS8J\ | type = file_attributes |
|
6 | |
| Get Info | C:\Users\5JgHKoaOfdp\Music\9CdGT6fjqeS8J\TzM3m2.wav | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\ | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\ | type = file_attributes |
|
6 | |
| Get Info | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\HxMo\ | type = file_attributes |
|
6 | |
| Get Info | C:\Users\5JgHKoaOfdp\Music\giwNvgbPA1Ur\MJyHK4k\HxMo\I Pap4u Q1S WukV.mp3 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Music\HWh3je\ | type = file_attributes |
|
3 | |
| Get Info | C:\Users\5JgHKoaOfdp\Pictures\7ErxFZkXIM\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Pictures\7ErxFZkXIM\JA1eNOIB7NiPk.jpg | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\1l99\ | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\Dwey5ysxf8zDVlgtk-7\ | type = file_attributes |
|
3 | |
| Get Info | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\Dwey5ysxf8zDVlgtk-7\6oAGzbr.png | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\Dwey5ysxf8zDVlgtk-7\ySNBZV2WpSZu7yVHi.png | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\g-RHSKXLnZ91gcF3\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\K2Gr3uxs6xidwVxov5oG\ | type = file_attributes |
|
6 | |
| Get Info | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\K2Gr3uxs6xidwVxov5oG\rOxU_OHrqz3AluL1VAv.jpg | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Pictures\EoKiRFG2ostB_n\YRDrool8Kl77XW3JPk\ | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5JgHKoaOfdp\Pictures\fzqKX6\ | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5JgHKoaOfdp\Pictures\fzqKX6\2C0v4LCMNqRisSVmNH.png | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Pictures\ | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5JgHKoaOfdp\Pictures\U3eEkQdYzaXUq\ | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5JgHKoaOfdp\Pictures\_LRt-TCRiK9QqHk2-\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Pictures\_LRt-TCRiK9QqHk2-\yG wF7 j.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Videos\ | type = file_attributes |
|
3 | |
| Get Info | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\Go1Watx3i5wfBNWTzAE\ | type = file_attributes |
|
3 | |
| Get Info | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\ | type = file_attributes |
|
3 | |
| Get Info | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\fOyZB3wY.mkv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\ | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\9n8-JbX3BQwX\ | type = file_attributes |
|
5 | |
| Get Info | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\9n8-JbX3BQwX\0oTqER0rNNNxWoB_.swf | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\9n8-JbX3BQwX\kG1TsubK.mp4 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\74LJZjj6V\ | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\I34VB8V\Ly9PyKMqM52KJO\oy8pI.mkv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Videos\w7MJ2eUig4vNSi\ | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5JgHKoaOfdp\Videos\_XVl0U4aLFuw\D8ymrXuDc8\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Videos\_XVl0U4aLFuw\ | type = file_attributes |
|
2 | |
| Get Info | C:\PROGRA~1\COMMON~1\3123635631 | type = file_attributes |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Copy | C:\PROGRA~1\COMMON~1\sous.exe | source_filename = C:\Users\5JGHKO~1\Desktop\sous.exe, copy_flags = COPY_FILE_ALLOW_DECRYPTED_DESTINATION |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 0 |
|
97 | |
| Read | C:\Users\5JgHKoaOfdp\Contacts\asdlfk poopvy.contact | size = 65536, size_out = 1171 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Contacts\asdlfk poopvy.contact | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 65 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 0 |
|
96 | |
| Read | C:\Users\5JgHKoaOfdp\Contacts\chucu jadnvk.contact | size = 65536, size_out = 1177 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Contacts\chucu jadnvk.contact | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 128 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Contacts\lulcit amkdfe.contact | size = 65536, size_out = 1174 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Contacts\lulcit amkdfe.contact | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 190 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Contacts\sikvnb huvuib.contact | size = 65536, size_out = 1172 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Contacts\sikvnb huvuib.contact | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 253 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\1Tb75wBO1.mkv | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\1Tb75wBO1.mkv | size = 65536, size_out = 22689 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\1Tb75wBO1.mkv | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 316 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\3EZX86SAhXTW8_.m4a | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\3EZX86SAhXTW8_.m4a | size = 65536, size_out = 7734 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\3EZX86SAhXTW8_.m4a | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 370 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\3JfxKHSyXeB-IzZIg.jpg | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\3JfxKHSyXeB-IzZIg.jpg | size = 65536, size_out = 4196 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\3JfxKHSyXeB-IzZIg.jpg | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 429 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\4RD-.mkv | size = 65536, size_out = 9255 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\4RD-.mkv | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 491 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\5bxmCpnounGldMora7z.png | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\5bxmCpnounGldMora7z.png | size = 65536, size_out = 33187 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\5bxmCpnounGldMora7z.png | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 540 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\5y0kuHp.mp4 | size = 65536, size_out = 37581 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\5y0kuHp.mp4 | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 604 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\6EJM6nG0-2A.mkv | size = 65536, size_out = 16093 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\6EJM6nG0-2A.mkv | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 656 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\7OvR2-yM3wC.docx | size = 65536, size_out = 37868 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\7OvR2-yM3wC.docx | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 712 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\8hC8IQMY0ZP.bmp | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\8hC8IQMY0ZP.bmp | size = 65536, size_out = 11949 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\8hC8IQMY0ZP.bmp | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 769 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Du_JQkduq.avi | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Du_JQkduq.avi | size = 65536, size_out = 22868 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Du_JQkduq.avi | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 825 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\En3LtfI-_W.m4a | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\En3LtfI-_W.m4a | size = 65536, size_out = 22405 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\En3LtfI-_W.m4a | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 879 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\fUic g1t3BFvB.m4a | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\fUic g1t3BFvB.m4a | size = 65536, size_out = 31628 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\fUic g1t3BFvB.m4a | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 934 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\7O8AsytJbZ0P_ImC9InS.mp4 | size = 65536, size_out = 25424 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\7O8AsytJbZ0P_ImC9InS.mp4 | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 992 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\7R1-Ym.mp4 | size = 65536, size_out = 17746 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\7R1-Ym.mp4 | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 1067 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\N_dJiBBBqT.swf | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\N_dJiBBBqT.swf | size = 65536, size_out = 16547 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\N_dJiBBBqT.swf | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 1128 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\TvM0D.m4a | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\TvM0D.m4a | size = 65536, size_out = 23485 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\TvM0D.m4a | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 1193 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\dEX2QsW8ygpWBqS_.ods | size = 65536, size_out = 60369 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\dEX2QsW8ygpWBqS_.ods | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 1253 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\EJdtg4n_T.doc | size = 65536, size_out = 42273 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\EJdtg4n_T.doc | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 1332 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\fOc_MFQo1nSfNS.jpg | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\fOc_MFQo1nSfNS.jpg | size = 65536, size_out = 3389 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\fOc_MFQo1nSfNS.jpg | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 1404 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\IQI3hZwu_M.bmp | size = 65536, size_out = 2337 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\IQI3hZwu_M.bmp | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 1481 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\mmKeDF5Rp.avi | size = 65536, size_out = 8148 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\mmKeDF5Rp.avi | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 1554 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\WeIzf.odp | size = 65536, size_out = 58767 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\WeIzf.odp | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 1626 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\Zkq9sxhvtO.wav | size = 65536, size_out = 25069 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\w8BV Jh\Zkq9sxhvtO.wav | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 1694 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\zW2FdO8SmE.jpg | size = 65536, size_out = 39352 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Hu JZPl4K\zW2FdO8SmE.jpg | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 1767 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Jk2_gj ZTujc3MT6f\0hJckM1RfPkx.m4a | size = 65536, size_out = 4361 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\Jk2_gj ZTujc3MT6f\0hJckM1RfPkx.m4a | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 1832 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\KJOyg5.avi | size = 65536, size_out = 2219 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\KJOyg5.avi | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 1907 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\lsm4taKhSWwYuuYlX3j.bmp | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\lsm4taKhSWwYuuYlX3j.bmp | size = 65536, size_out = 35802 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\lsm4taKhSWwYuuYlX3j.bmp | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 1958 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\PCBhpE.swf | size = 65536, size_out = 44785 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\PCBhpE.swf | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 2022 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\PokcZa.png | size = 65536, size_out = 34224 |
|
1 | |
| Read | C:\Users\5JgHKoaOfdp\Desktop\PokcZa.png | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 2073 |
|
1 | |
| Delete | C:\Users\5JgHKoaOfdp\Desktop\Z1_9k e9-S6.flv | - |
|
1 | |
|
For performance reasons, the remaining 834 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Registry (14)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Control Panel\Mouse | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PublishingWizard\AddNetworkPlace\AddNetPlace\LocationMRU | - |
|
1 | |
| Open Key | HKEY_USERS | - |
|
4 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Mouse | value_name = SwapMouseButtons, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | value_name = EnableLinkedConnections, type = REG_NONE |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 |
Process (5)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cmd.exe /c schtasks /create /sc onlogon /tn 3123635631 /rl highest /tr C:\PROGRA~1\COMMON~1\sous.exe | os_pid = 0xa7c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /C title 7652158|vssadmin.exe Delete Shadows /All /Quiet | os_pid = 0x830, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /C title 3988795|bcdedit /set {default} recoveryenabled No | os_pid = 0x3c8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /C title 9579842|bcdedit /set {default} bootstatuspolicy ignoreallfailures | os_pid = 0x3ec, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\5JGHKO~1\Desktop\sous.exe | os_pid = 0x914, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL |
|
1 |
Module (1823)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x7ffb1b140000 |
|
979 | |
| Load | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | base_address = 0x7ff757f40000 |
|
2 | |
| Load | Netapi32.dll | base_address = 0x7ffb17120000 |
|
4 | |
| Load | netapi32.dll | base_address = 0x7ffb17120000 |
|
2 | |
| Load | msvcrt.dll | base_address = 0x7ffb1af60000 |
|
193 | |
| Load | Advapi32.dll | base_address = 0x7ffb1cef0000 |
|
5 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffb1b140000 |
|
1 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghkoaofdp\desktop\sous.exe, file_name_orig = C:\Users\5JgHKoaOfdp\Desktop\sous.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghkoaofdp\desktop\sous.exe, file_name_orig = C:\Users\5JgHKoaOfdp\Desktop\sous.exe, size = 32767 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7ffb1b1433b8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ffb1b143500 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ffb1b141704 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ffb1b1416f4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ffb1b142eb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ffb1b143010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ffb1b1f496c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ffb1b142d2c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ffb1b143560 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ffb1d732728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffb1d731198 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ffb1d733178 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ffb1b1435a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ffb1d7334d8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ffb1d7301a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ffb1d77b910 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffb1d756c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ffb1d77a7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ffb1b14dfc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ffb1b21c8c4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ffb1ae79310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ffb1b21ca44 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ffb1b142f00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ffb1b21cb20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ffb1b142ca0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ffb1b1fb6e4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ffb1b142c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ffb1b1442ac |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ffb1b142ef0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ffb1adaa7dc |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ffb1b14166c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ffb1b21d488 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffb1b21d498 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffb1b21d488 |
|
1 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetGetJoinInformation, address_out = 0x7ffb170e19a0 |
|
2 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetApiBufferSize, address_out = 0x7ffb19d05584 |
|
1 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetApiBufferFree, address_out = 0x7ffb19d01010 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptCreateHash, address_out = 0x7ffb1cef1a20 |
|
18 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptEncrypt, address_out = 0x7ffb1cf2672c |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptHashData, address_out = 0x7ffb1cef1a30 |
|
173 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptGetKeyParam, address_out = 0x7ffb1cf2675c |
|
192 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x7ffb1af61690 |
|
189 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptReleaseContext, address_out = 0x7ffb1cef1a00 |
|
3 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDestroyKey, address_out = 0x7ffb1cefeaf0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContext, address_out = 0x0 |
|
4 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContextA, address_out = 0x7ffb1cefeb50 |
|
4 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFile, address_out = 0x0 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7ffb1b141510 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7ffb1b1490f8 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDestroyHash, address_out = 0x7ffb1cef1a10 |
|
1 |
Window (2)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | AutoIt v3 | class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 |
System (45)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 750 milliseconds (0.750 seconds) |
|
29 | |
| Get Time | type = System Time, time = 2018-04-13 00:35:31 (UTC) |
|
13 | |
| Get Time | type = System Time, time = 2018-04-13 00:35:55 (UTC) |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Environment (6)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = USERPROFILE, result_out = C:\Users\5JgHKoaOfdp |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
4 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\5jghkoaofdp\desktop\sous.exe | - |
|
1 |
Network Behavior
HTTP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 194 bytes |
| Total Data Received | 14 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | blockchain.info |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | AutoIt |
| Server Name | blockchain.info |
| Server Port | 443 |
| Data Sent | 194 |
| Data Received | 14 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = AutoIt, access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = blockchain.info, server_port = 443 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /tobtc?currency=USD&value=1000, accept_types = 0, flags = INTERNET_FLAG_SECURE |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = blockchain.info/tobtc?currency=USD&value=1000 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_CONTENT_LENGTH |
|
1 | |
| Read Response | size = 10, size_out = 10 |
|
1 | |
| Read Response | size = 10, size_out = 0 |
|
1 | |
| Close Session | - |
|
1 |
Process #2: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c schtasks /create /sc onlogon /tn 3123635631 /rl highest /tr C:\PROGRA~1\COMMON~1\sous.exe |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:46, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:48 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa7c |
| Parent PID | 0x3d4 (c:\users\5jghkoaofdp\desktop\sous.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A8C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x0000006edd4b0000 | 0x6edd4b0000 | 0x6edd4cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000006edd4b0000 | 0x6edd4b0000 | 0x6edd4bffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000006edd4c0000 | 0x6edd4c0000 | 0x6edd4c6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000006edd4d0000 | 0x6edd4d0000 | 0x6edd4defff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000006edd4e0000 | 0x6edd4e0000 | 0x6edd5dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000006edd5e0000 | 0x6edd5e0000 | 0x6edd5e3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000006edd5f0000 | 0x6edd5f0000 | 0x6edd5f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000006edd600000 | 0x6edd600000 | 0x6edd601fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x6edd610000 | 0x6edd68dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000006edd6e0000 | 0x6edd6e0000 | 0x6edd7dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000006edd870000 | 0x6edd870000 | 0x6edd87ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff675d30000 | 0x7ff675d30000 | 0x7ff675e2ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff675e30000 | 0x7ff675e30000 | 0x7ff675e52fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff675e5b000 | 0x7ff675e5b000 | 0x7ff675e5bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff675e5e000 | 0x7ff675e5e000 | 0x7ff675e5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x7ff6762d0000 | 0x7ff67632afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffb1af60000 | 0x7ffb1b006fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x7ff6762d0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffb1b140000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7ffb1b149180 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x7ffb1b14493c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7ffb1b142d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7ffb1adf0750 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #4: schtasks.exe
13
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\schtasks.exe |
| Command Line | schtasks /create /sc onlogon /tn 3123635631 /rl highest /tr C:\PROGRA~1\COMMON~1\sous.exe |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:50, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:44 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xabc |
| Parent PID | 0xa7c (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AD4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x00000012970a0000 | 0x12970a0000 | 0x12970bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000012970a0000 | 0x12970a0000 | 0x12970affff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000012970b0000 | 0x12970b0000 | 0x12970b6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000012970c0000 | 0x12970c0000 | 0x12970cefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000012970d0000 | 0x12970d0000 | 0x129714ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000001297150000 | 0x1297150000 | 0x1297153fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000001297160000 | 0x1297160000 | 0x1297160fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000001297170000 | 0x1297170000 | 0x1297171fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x1297180000 | 0x12971fdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000001297200000 | 0x1297200000 | 0x1297206fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000001297210000 | 0x1297210000 | 0x1297212fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000001297220000 | 0x1297220000 | 0x1297220fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000001297230000 | 0x1297230000 | 0x1297230fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000001297240000 | 0x1297240000 | 0x1297240fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000001297250000 | 0x1297250000 | 0x1297250fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000001297250000 | 0x1297250000 | 0x1297253fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000001297260000 | 0x1297260000 | 0x1297266fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000001297270000 | 0x1297270000 | 0x1297270fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000001297280000 | 0x1297280000 | 0x129728ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000001297290000 | 0x1297290000 | 0x1297290fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000012972f0000 | 0x12972f0000 | 0x12973effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000012973f0000 | 0x12973f0000 | 0x1297577fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000001297580000 | 0x1297580000 | 0x1297700fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000001297710000 | 0x1297710000 | 0x1298b0ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000001298b10000 | 0x1298b10000 | 0x1298f0bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x1298f10000 | 0x12991e4fff | Memory Mapped File | Readable |
|
|
|
- |
| rpcss.dll | 0x12991f0000 | 0x12992a7fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000012991f0000 | 0x12991f0000 | 0x129931ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000012991f0000 | 0x12991f0000 | 0x12992e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000001299310000 | 0x1299310000 | 0x129931ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff7b2d70000 | 0x7ff7b2d70000 | 0x7ff7b2e6ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff7b2e70000 | 0x7ff7b2e70000 | 0x7ff7b2e92fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff7b2e9d000 | 0x7ff7b2e9d000 | 0x7ff7b2e9dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b2e9e000 | 0x7ff7b2e9e000 | 0x7ff7b2e9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| schtasks.exe | 0x7ff7b3080000 | 0x7ff7b30b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x7ffb117b0000 | 0x7ffb117b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ktmw32.dll | 0x7ffb15c70000 | 0x7ffb15c7afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| taskschd.dll | 0x7ffb16ec0000 | 0x7ffb1705cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| xmllite.dll | 0x7ffb173b0000 | 0x7ffb173e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7ffb197a0000 | 0x7ffb198c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ffb19920000 | 0x7ffb19929fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7ffb1a830000 | 0x7ffb1a85afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffb1a860000 | 0x7ffb1a8bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffb1a9c0000 | 0x7ffb1a9c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffb1af60000 | 0x7ffb1b006fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ffb1b070000 | 0x7ffb1b126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ffb1b290000 | 0x7ffb1b407fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffb1b410000 | 0x7ffb1b580fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7ffb1b590000 | 0x7ffb1b6c8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ffb1b870000 | 0x7ffb1ba45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffb1ba50000 | 0x7ffb1baa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffb1cef0000 | 0x7ffb1cf94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7ffb1cfa0000 | 0x7ffb1d043fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7ffb1d230000 | 0x7ffb1d280fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ffb1d2f0000 | 0x7ffb1d323fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffb1d450000 | 0x7ffb1d594fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffb1d5a0000 | 0x7ffb1d6d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Host Behavior
COM (8)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | TaskScheduler | ITaskService | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = Connect |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = GetFolder, new_interface = ITaskFolder |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = NewTask, new_interface = ITaskDefinition |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Actions, new_interface = IActionCollection |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Triggers, new_interface = ITriggerCollection |
|
1 | |
| Execute | TaskScheduler | ITriggerCollection | method_name = Create, type = TASK_TRIGGER_LOGON, new_interface = IDailyTrigger |
|
1 | |
| Execute | TaskScheduler | IDailyTrigger | method_name = put_StartBoundary, start_boundary = 2018-04-13T10:35:00 |
|
1 |
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 72 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\schtasks.exe | base_address = 0x7ff7b3080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\schtasks.exe, file_name_orig = C:\Windows\system32\schtasks.exe, size = 260 |
|
2 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = Local Time, time = 2018-04-13 10:35:37 (Local Time) |
|
2 |
Process #5: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k netsvcs |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:51, Reason: Created Scheduled Job |
| Unmonitor | End Time: 00:01:11, Reason: Self Terminated |
| Monitor Duration | 00:00:20 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x324 |
| Parent PID | 0x1fc (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
84C
0x
848
0x
38
0x
4C4
0x
510
0x
488
0x
4B0
0x
BBC
0x
BB0
0x
9FC
0x
930
0x
824
0x
640
0x
428
0x
66C
0x
3CC
0x
394
0x
2B0
0x
2D8
0x
2E4
0x
3DC
0x
688
0x
658
0x
61C
0x
5B8
0x
508
0x
7F0
0x
7E4
0x
7D0
0x
7B4
0x
788
0x
784
0x
75C
0x
74C
0x
734
0x
6D8
0x
6D4
0x
694
0x
670
0x
55C
0x
484
0x
480
0x
470
0x
45C
0x
430
0x
120
0x
100
0x
3D0
0x
3A8
0x
280
0x
27C
0x
248
0x
244
0x
224
0x
138
0x
1EC
0x
3B0
0x
3AC
0x
36C
0x
354
0x
350
0x
340
0x
328
0x
AE4
0x
AF8
0x
B08
0x
B18
0x
B28
0x
B38
0x
B48
0x
B5C
0x
B80
0x
B84
0x
B7C
0x
BA8
0x
C8
0x
9F4
0x
54C
0x
610
0x
844
0x
2F8
0x
8AC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000c61d2e0000 | 0xc61d2e0000 | 0xc61d2effff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61d2f0000 | 0xc61d2f0000 | 0xc61d2f6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c61d300000 | 0xc61d300000 | 0xc61d30efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000c61d310000 | 0xc61d310000 | 0xc61d38ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c61d390000 | 0xc61d390000 | 0xc61d393fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000c61d3a0000 | 0xc61d3a0000 | 0xc61d3a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000c61d3b0000 | 0xc61d3b0000 | 0xc61d3b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0xc61d3c0000 | 0xc61d43dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000c61d440000 | 0xc61d440000 | 0xc61d446fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c61d450000 | 0xc61d450000 | 0xc61d452fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000c61d460000 | 0xc61d460000 | 0xc61d460fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61d470000 | 0xc61d470000 | 0xc61d470fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61d480000 | 0xc61d480000 | 0xc61d480fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c61d490000 | 0xc61d490000 | 0xc61d490fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000c61d4a0000 | 0xc61d4a0000 | 0xc61d4a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000c61d4b0000 | 0xc61d4b0000 | 0xc61d4b0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c61d4c0000 | 0xc61d4c0000 | 0xc61d4c0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61d4d0000 | 0xc61d4d0000 | 0xc61d5cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c61d5d0000 | 0xc61d5d0000 | 0xc61d757fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000c61d760000 | 0xc61d760000 | 0xc61d762fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000c61d770000 | 0xc61d770000 | 0xc61d776fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61d780000 | 0xc61d780000 | 0xc61d78ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c61d790000 | 0xc61d790000 | 0xc61d910fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000c61d920000 | 0xc61d920000 | 0xc61d9dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000c61d9e0000 | 0xc61d9e0000 | 0xc61dddbfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000c61dde0000 | 0xc61dde0000 | 0xc61de5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cversions.2.db | 0xc61de60000 | 0xc61de63fff | Memory Mapped File | Readable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000006.db | 0xc61de70000 | 0xc61deaefff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0xc61deb0000 | 0xc61deb3fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000c61dec0000 | 0xc61dec0000 | 0xc61dec0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61ded0000 | 0xc61ded0000 | 0xc61ded0fff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0xc61dee0000 | 0xc61e1b4fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000c61e1c0000 | 0xc61e1c0000 | 0xc61e23ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61e240000 | 0xc61e240000 | 0xc61e2bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61e2c0000 | 0xc61e2c0000 | 0xc61e33ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61e340000 | 0xc61e340000 | 0xc61e3bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c61e3c0000 | 0xc61e3c0000 | 0xc61e3c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000c61e3d0000 | 0xc61e3d0000 | 0xc61e3dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61e3e0000 | 0xc61e3e0000 | 0xc61e45ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61e460000 | 0xc61e460000 | 0xc61e4dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61e4e0000 | 0xc61e4e0000 | 0xc61e55ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61e560000 | 0xc61e560000 | 0xc61e5dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61e5e0000 | 0xc61e5e0000 | 0xc61e6dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61e6e0000 | 0xc61e6e0000 | 0xc61e75ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61e760000 | 0xc61e760000 | 0xc61e7dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61e7e0000 | 0xc61e7e0000 | 0xc61e85ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61e860000 | 0xc61e860000 | 0xc61e8dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61e8e0000 | 0xc61e8e0000 | 0xc61e95ffff | Private Memory | Readable, Writable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0xc61e960000 | 0xc61e9e2fff | Memory Mapped File | Readable |
|
|
|
- |
| activeds.dll.mui | 0xc61e9f0000 | 0xc61e9f0fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000c61ea10000 | 0xc61ea10000 | 0xc61ea16fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61ea20000 | 0xc61ea20000 | 0xc61ea26fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c61ea30000 | 0xc61ea30000 | 0xc61ea30fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61ea40000 | 0xc61ea40000 | 0xc61ea4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61ea50000 | 0xc61ea50000 | 0xc61eacffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61ead0000 | 0xc61ead0000 | 0xc61eb4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61eb50000 | 0xc61eb50000 | 0xc61ebcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61ebd0000 | 0xc61ebd0000 | 0xc61ec4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61ec50000 | 0xc61ec50000 | 0xc61eccffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61ecd0000 | 0xc61ecd0000 | 0xc61ed4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61ed50000 | 0xc61ed50000 | 0xc61ee4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61ee50000 | 0xc61ee50000 | 0xc61eecffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61eed0000 | 0xc61eed0000 | 0xc61ef4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61ef50000 | 0xc61ef50000 | 0xc61efcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61efd0000 | 0xc61efd0000 | 0xc61f0cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61f0d0000 | 0xc61f0d0000 | 0xc61f14ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61f150000 | 0xc61f150000 | 0xc61f1cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61f1d0000 | 0xc61f1d0000 | 0xc61f24ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61f250000 | 0xc61f250000 | 0xc61f2cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61f2d0000 | 0xc61f2d0000 | 0xc61f34ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61f350000 | 0xc61f350000 | 0xc61f38efff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c61f390000 | 0xc61f390000 | 0xc61f390fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61f3a0000 | 0xc61f3a0000 | 0xc61f3a7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61f3b0000 | 0xc61f3b0000 | 0xc61f3bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61f3c0000 | 0xc61f3c0000 | 0xc61f3cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61f3d0000 | 0xc61f3d0000 | 0xc61f44ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61f450000 | 0xc61f450000 | 0xc61f4cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c61f4d0000 | 0xc61f4d0000 | 0xc61f5cffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61f5d0000 | 0xc61f5d0000 | 0xc61f64ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61f650000 | 0xc61f650000 | 0xc61f65ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61f660000 | 0xc61f660000 | 0xc61f66ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61f670000 | 0xc61f670000 | 0xc61f6effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61f6f0000 | 0xc61f6f0000 | 0xc61f76ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61f770000 | 0xc61f770000 | 0xc61f770fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61f780000 | 0xc61f780000 | 0xc61f780fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61f790000 | 0xc61f790000 | 0xc61f98ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61f990000 | 0xc61f990000 | 0xc61fa0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c61fa10000 | 0xc61fa10000 | 0xc61fa1ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c61fa20000 | 0xc61fa20000 | 0xc61fa2ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c61fa30000 | 0xc61fa30000 | 0xc61fa3ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c61fa40000 | 0xc61fa40000 | 0xc61fa4ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c61fa50000 | 0xc61fa50000 | 0xc61fa5ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c61fa60000 | 0xc61fa60000 | 0xc61fa6ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61fa70000 | 0xc61fa70000 | 0xc61fa73fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61fa80000 | 0xc61fa80000 | 0xc61fa81fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61fa90000 | 0xc61fa90000 | 0xc61fb0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61fb10000 | 0xc61fb10000 | 0xc61fb8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61fb90000 | 0xc61fb90000 | 0xc61fc0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61fc10000 | 0xc61fc10000 | 0xc61fc8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61fc90000 | 0xc61fc90000 | 0xc61fd0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c61fd10000 | 0xc61fd10000 | 0xc61fd5bfff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61fd60000 | 0xc61fd60000 | 0xc61fd60fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61fd70000 | 0xc61fd70000 | 0xc61fd7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61fd80000 | 0xc61fd80000 | 0xc61fd87fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61fd90000 | 0xc61fd90000 | 0xc61fe0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61fe10000 | 0xc61fe10000 | 0xc61fe5bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61fe60000 | 0xc61fe60000 | 0xc61fe8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61fe90000 | 0xc61fe90000 | 0xc61ff0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c61ff10000 | 0xc61ff10000 | 0xc61ff8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c61ff90000 | 0xc61ff90000 | 0xc61ff9ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c61ffa0000 | 0xc61ffa0000 | 0xc61ffaffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c61ffb0000 | 0xc61ffb0000 | 0xc61ffbffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c61ffc0000 | 0xc61ffc0000 | 0xc61ffcffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c61ffd0000 | 0xc61ffd0000 | 0xc61ffdffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c61ffe0000 | 0xc61ffe0000 | 0xc61ffeffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| datastore.edb | 0xc61fff0000 | 0xc61fffffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000c620000000 | 0xc620000000 | 0xc62000ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c620010000 | 0xc620010000 | 0xc62001ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c620020000 | 0xc620020000 | 0xc62002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c620030000 | 0xc620030000 | 0xc62003ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c620040000 | 0xc620040000 | 0xc62004ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c620050000 | 0xc620050000 | 0xc6200cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c6200d0000 | 0xc6200d0000 | 0xc62014ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c620150000 | 0xc620150000 | 0xc6201cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c6201d0000 | 0xc6201d0000 | 0xc62024ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c620250000 | 0xc620250000 | 0xc6202cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c6202d0000 | 0xc6202d0000 | 0xc62034ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c620350000 | 0xc620350000 | 0xc6203cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c6203d0000 | 0xc6203d0000 | 0xc62044ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c620450000 | 0xc620450000 | 0xc6204cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c6204d0000 | 0xc6204d0000 | 0xc6205cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c6205d0000 | 0xc6205d0000 | 0xc62064ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c620650000 | 0xc620650000 | 0xc62065ffff | Private Memory | Readable, Writable |
|
|
|
- |
| msxml6r.dll | 0xc620660000 | 0xc620660fff | Memory Mapped File | Readable |
|
|
|
- |
| datastore.edb | 0xc620670000 | 0xc62067ffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000c620680000 | 0xc620680000 | 0xc620687fff | Private Memory | Readable, Writable |
|
|
|
- |
| datastore.edb | 0xc620690000 | 0xc62069ffff | Memory Mapped File | Readable |
|
|
|
- |
| datastore.edb | 0xc6206a0000 | 0xc6206affff | Memory Mapped File | Readable |
|
|
|
- |
| datastore.edb | 0xc6206b0000 | 0xc6206bffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000c6206c0000 | 0xc6206c0000 | 0xc6206cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c6206d0000 | 0xc6206d0000 | 0xc6207cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c6207d0000 | 0xc6207d0000 | 0xc62084ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c620850000 | 0xc620850000 | 0xc6208cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c6208d0000 | 0xc6208d0000 | 0xc6208d1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c620950000 | 0xc620950000 | 0xc6209cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c6209d0000 | 0xc6209d0000 | 0xc620a4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c620a50000 | 0xc620a50000 | 0xc620a5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| datastore.edb | 0xc620a60000 | 0xc620a6ffff | Memory Mapped File | Readable |
|
|
|
- |
| datastore.edb | 0xc620a70000 | 0xc620a7ffff | Memory Mapped File | Readable |
|
|
|
- |
|
For performance reasons, the remaining 395 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #6: cmd.exe
61
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /C title 7652158|vssadmin.exe Delete Shadows /All /Quiet |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:26 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x830 |
| Parent PID | 0x3d4 (c:\users\5jghkoaofdp\desktop\sous.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
118
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000b3c6f60000 | 0xb3c6f60000 | 0xb3c6f7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000b3c6f60000 | 0xb3c6f60000 | 0xb3c6f6ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000b3c6f70000 | 0xb3c6f70000 | 0xb3c6f76fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000b3c6f80000 | 0xb3c6f80000 | 0xb3c6f8efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000b3c6f90000 | 0xb3c6f90000 | 0xb3c708ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000b3c7090000 | 0xb3c7090000 | 0xb3c7093fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000b3c70a0000 | 0xb3c70a0000 | 0xb3c70a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000b3c70b0000 | 0xb3c70b0000 | 0xb3c70b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0xb3c70c0000 | 0xb3c713dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000b3c7230000 | 0xb3c7230000 | 0xb3c732ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000b3c7440000 | 0xb3c7440000 | 0xb3c744ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0xb3c7450000 | 0xb3c7724fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00007ff675eb0000 | 0x7ff675eb0000 | 0x7ff675faffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff675fb0000 | 0x7ff675fb0000 | 0x7ff675fd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff675fd8000 | 0x7ff675fd8000 | 0x7ff675fd8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff675fde000 | 0x7ff675fde000 | 0x7ff675fdffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x7ff6762d0000 | 0x7ff67632afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffb1af60000 | 0x7ffb1b006fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Host Behavior
File (12)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Get Info | vssadmin.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x960, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\vssadmin.exe | os_pid = 0x664, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x7ff6762d0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffb1b140000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7ffb1b149180 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x7ffb1b14493c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7ffb1b142d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7ffb1adf0750 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
3 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
4 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
2 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #7: cmd.exe
60
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /C title 3988795|bcdedit /set {default} recoveryenabled No |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:26 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3c8 |
| Parent PID | 0x3d4 (c:\users\5jghkoaofdp\desktop\sous.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9A8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x0000009953f30000 | 0x9953f30000 | 0x9953f4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000009953f30000 | 0x9953f30000 | 0x9953f3ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009953f40000 | 0x9953f40000 | 0x9953f46fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000009953f50000 | 0x9953f50000 | 0x9953f5efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000009953f60000 | 0x9953f60000 | 0x995405ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000009954060000 | 0x9954060000 | 0x9954063fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000009954070000 | 0x9954070000 | 0x9954070fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000009954080000 | 0x9954080000 | 0x9954081fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x9954090000 | 0x995410dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000099541c0000 | 0x99541c0000 | 0x99541cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009954210000 | 0x9954210000 | 0x995430ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x9954310000 | 0x99545e4fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00007ff6751d0000 | 0x7ff6751d0000 | 0x7ff6752cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff6752d0000 | 0x7ff6752d0000 | 0x7ff6752f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff6752f3000 | 0x7ff6752f3000 | 0x7ff6752f3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6752fe000 | 0x7ff6752fe000 | 0x7ff6752fffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x7ff6762d0000 | 0x7ff67632afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffb1af60000 | 0x7ffb1b006fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x888, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\bcdedit.exe | os_pid = 0x81c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x7ff6762d0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffb1b140000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7ffb1b149180 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x7ffb1b14493c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7ffb1b142d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7ffb1adf0750 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
3 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
4 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
2 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #8: cmd.exe
60
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /C title 9579842|bcdedit /set {default} bootstatuspolicy ignoreallfailures |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:26 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3ec |
| Parent PID | 0x3d4 (c:\users\5jghkoaofdp\desktop\sous.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
444
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000fd8c480000 | 0xfd8c480000 | 0xfd8c49ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000fd8c480000 | 0xfd8c480000 | 0xfd8c48ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000fd8c490000 | 0xfd8c490000 | 0xfd8c496fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000fd8c4a0000 | 0xfd8c4a0000 | 0xfd8c4aefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000fd8c4b0000 | 0xfd8c4b0000 | 0xfd8c5affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000fd8c5b0000 | 0xfd8c5b0000 | 0xfd8c5b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000fd8c5c0000 | 0xfd8c5c0000 | 0xfd8c5c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000fd8c5d0000 | 0xfd8c5d0000 | 0xfd8c5d1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0xfd8c5e0000 | 0xfd8c65dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000fd8c660000 | 0xfd8c660000 | 0xfd8c666fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000fd8c6e0000 | 0xfd8c6e0000 | 0xfd8c7dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000fd8c870000 | 0xfd8c870000 | 0xfd8c87ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0xfd8c880000 | 0xfd8cb54fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00007ff675b00000 | 0x7ff675b00000 | 0x7ff675bfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff675c00000 | 0x7ff675c00000 | 0x7ff675c22fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff675c2b000 | 0x7ff675c2b000 | 0x7ff675c2bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff675c2e000 | 0x7ff675c2e000 | 0x7ff675c2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x7ff6762d0000 | 0x7ff67632afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffb1af60000 | 0x7ffb1b006fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x5f8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\bcdedit.exe | os_pid = 0x940, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x7ff6762d0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffb1b140000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7ffb1b149180 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x7ffb1b14493c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7ffb1b142d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7ffb1adf0750 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
3 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
4 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
2 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #13: cmd.exe
42
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /S /D /c" title 3988795" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:09, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:25 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x888 |
| Parent PID | 0x3c8 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
63C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x0000007fd34d0000 | 0x7fd34d0000 | 0x7fd34effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000007fd34d0000 | 0x7fd34d0000 | 0x7fd34dffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000007fd34e0000 | 0x7fd34e0000 | 0x7fd34e6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000007fd34f0000 | 0x7fd34f0000 | 0x7fd34fefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000007fd3500000 | 0x7fd3500000 | 0x7fd35fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000007fd3600000 | 0x7fd3600000 | 0x7fd3603fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000007fd3610000 | 0x7fd3610000 | 0x7fd3610fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000007fd3620000 | 0x7fd3620000 | 0x7fd3621fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x7fd3630000 | 0x7fd36adfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000007fd37b0000 | 0x7fd37b0000 | 0x7fd38affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000007fd3a70000 | 0x7fd3a70000 | 0x7fd3a7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff675e70000 | 0x7ff675e70000 | 0x7ff675f6ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff675f70000 | 0x7ff675f70000 | 0x7ff675f92fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff675f9a000 | 0x7ff675f9a000 | 0x7ff675f9afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff675f9e000 | 0x7ff675f9e000 | 0x7ff675f9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x7ff6762d0000 | 0x7ff67632afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffb1af60000 | 0x7ffb1b006fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x7ff6762d0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffb1b140000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7ffb1b149180 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x7ffb1b14493c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7ffb1b142d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7ffb1adf0750 |
|
1 |
Environment (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
3 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 |
Process #14: cmd.exe
42
0
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /S /D /c" title 7652158" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:09, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:25 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x960 |
| Parent PID | 0x830 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
950
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x0000004bceb50000 | 0x4bceb50000 | 0x4bceb6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004bceb50000 | 0x4bceb50000 | 0x4bceb5ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000004bceb60000 | 0x4bceb60000 | 0x4bceb66fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004bceb70000 | 0x4bceb70000 | 0x4bceb7efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000004bceb80000 | 0x4bceb80000 | 0x4bcec7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004bcec80000 | 0x4bcec80000 | 0x4bcec83fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000004bcec90000 | 0x4bcec90000 | 0x4bcec90fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000004bceca0000 | 0x4bceca0000 | 0x4bceca1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x4bcecb0000 | 0x4bced2dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000004bcedc0000 | 0x4bcedc0000 | 0x4bceebffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000004bcf060000 | 0x4bcf060000 | 0x4bcf06ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff6753b0000 | 0x7ff6753b0000 | 0x7ff6754affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff6754b0000 | 0x7ff6754b0000 | 0x7ff6754d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff6754dd000 | 0x7ff6754dd000 | 0x7ff6754ddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6754de000 | 0x7ff6754de000 | 0x7ff6754dffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x7ff6762d0000 | 0x7ff67632afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffb1af60000 | 0x7ffb1b006fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x7ff6762d0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffb1b140000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7ffb1b149180 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x7ffb1b14493c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7ffb1b142d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7ffb1adf0750 |
|
1 |
Environment (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
3 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 |
Process #15: cmd.exe
42
0
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /S /D /c" title 9579842" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:09, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:25 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5f8 |
| Parent PID | 0x3ec (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8E4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x00000006078f0000 | 0x6078f0000 | 0x60790ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000006078f0000 | 0x6078f0000 | 0x6078fffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000607900000 | 0x607900000 | 0x607906fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000607910000 | 0x607910000 | 0x60791efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000607920000 | 0x607920000 | 0x607a1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000607a20000 | 0x607a20000 | 0x607a23fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000607a30000 | 0x607a30000 | 0x607a30fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000607a40000 | 0x607a40000 | 0x607a41fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x607a50000 | 0x607acdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000607b80000 | 0x607b80000 | 0x607c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000607e30000 | 0x607e30000 | 0x607e3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff675870000 | 0x7ff675870000 | 0x7ff67596ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff675970000 | 0x7ff675970000 | 0x7ff675992fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff67599c000 | 0x7ff67599c000 | 0x7ff67599cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff67599e000 | 0x7ff67599e000 | 0x7ff67599ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x7ff6762d0000 | 0x7ff67632afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffb1af60000 | 0x7ffb1b006fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x7ff6762d0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffb1b140000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7ffb1b149180 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x7ffb1b14493c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7ffb1b142d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7ffb1adf0750 |
|
1 |
Environment (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
3 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 |
Process #16: bcdedit.exe
0
0
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\windows\system32\bcdedit.exe |
| Command Line | bcdedit /set {default} bootstatuspolicy ignoreallfailures |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:10, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:24 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x940 |
| Parent PID | 0x3ec (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8E0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x00000094b59a0000 | 0x94b59a0000 | 0x94b59bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000094b59a0000 | 0x94b59a0000 | 0x94b59affff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000094b59b0000 | 0x94b59b0000 | 0x94b59b6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000094b59c0000 | 0x94b59c0000 | 0x94b59cefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000094b59d0000 | 0x94b59d0000 | 0x94b5a4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000094b5a50000 | 0x94b5a50000 | 0x94b5a53fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000094b5a60000 | 0x94b5a60000 | 0x94b5a60fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000094b5a70000 | 0x94b5a70000 | 0x94b5a71fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x94b5a80000 | 0x94b5afdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000094b5b30000 | 0x94b5b30000 | 0x94b5b3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000094b5c30000 | 0x94b5c30000 | 0x94b5d2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff746370000 | 0x7ff746370000 | 0x7ff74646ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff746470000 | 0x7ff746470000 | 0x7ff746492fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff74649d000 | 0x7ff74649d000 | 0x7ff74649efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff74649f000 | 0x7ff74649f000 | 0x7ff74649ffff | Private Memory | Readable, Writable |
|
|
|
- |
| bcdedit.exe | 0x7ff746a70000 | 0x7ff746ac7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffb1af60000 | 0x7ffb1b006fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffb1ba50000 | 0x7ffb1baa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffb1cef0000 | 0x7ffb1cf94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffb1d5a0000 | 0x7ffb1d6d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #17: bcdedit.exe
0
0
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\windows\system32\bcdedit.exe |
| Command Line | bcdedit /set {default} recoveryenabled No |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:10, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:24 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x81c |
| Parent PID | 0x3c8 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
90C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000f13e640000 | 0xf13e640000 | 0xf13e65ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000f13e660000 | 0xf13e660000 | 0xf13e66efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000f13e670000 | 0xf13e670000 | 0xf13e6effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000f13e6f0000 | 0xf13e6f0000 | 0xf13e6f3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000f13e700000 | 0xf13e700000 | 0xf13e700fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000f13e710000 | 0xf13e710000 | 0xf13e711fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f13e7e0000 | 0xf13e7e0000 | 0xf13e8dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff745f60000 | 0x7ff745f60000 | 0x7ff745f82fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff745f8a000 | 0x7ff745f8a000 | 0x7ff745f8afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff745f8e000 | 0x7ff745f8e000 | 0x7ff745f8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| bcdedit.exe | 0x7ff746a70000 | 0x7ff746ac7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #18: vssadmin.exe
0
0
| Information | Value |
|---|---|
| ID | #18 |
| File Name | c:\windows\system32\vssadmin.exe |
| Command Line | vssadmin.exe Delete Shadows /All /Quiet |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:10, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:24 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x664 |
| Parent PID | 0x830 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8A4
0x
780
0x
884
0x
440
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000be18410000 | 0xbe18410000 | 0xbe1842ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000be18410000 | 0xbe18410000 | 0xbe1841ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000be18420000 | 0xbe18420000 | 0xbe18426fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000be18430000 | 0xbe18430000 | 0xbe1843efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000be18440000 | 0xbe18440000 | 0xbe184bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000be184c0000 | 0xbe184c0000 | 0xbe184c3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000be184d0000 | 0xbe184d0000 | 0xbe184d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000be184e0000 | 0xbe184e0000 | 0xbe184e1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0xbe184f0000 | 0xbe1856dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000be18570000 | 0xbe18570000 | 0xbe18576fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000be18580000 | 0xbe18580000 | 0xbe18582fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000be18590000 | 0xbe18590000 | 0xbe18590fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000be185a0000 | 0xbe185a0000 | 0xbe1869ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000be186a0000 | 0xbe186a0000 | 0xbe18827fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| vssadmin.exe.mui | 0xbe18830000 | 0xbe1883cfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000be18840000 | 0xbe18840000 | 0xbe18840fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000be18850000 | 0xbe18850000 | 0xbe18850fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000be18860000 | 0xbe18860000 | 0xbe18860fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000be18870000 | 0xbe18870000 | 0xbe18870fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000be18880000 | 0xbe18880000 | 0xbe1888ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000be18890000 | 0xbe18890000 | 0xbe18a10fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000be18a20000 | 0xbe18a20000 | 0xbe19e1ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0xbe19e20000 | 0xbe1a0f4fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000be1a100000 | 0xbe1a100000 | 0xbe1a17ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000be1a180000 | 0xbe1a180000 | 0xbe1a1fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000be1a200000 | 0xbe1a200000 | 0xbe1a27ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff7e17c0000 | 0x7ff7e17c0000 | 0x7ff7e18bffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff7e18c0000 | 0x7ff7e18c0000 | 0x7ff7e18e2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff7e18e7000 | 0x7ff7e18e7000 | 0x7ff7e18e8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7e18e9000 | 0x7ff7e18e9000 | 0x7ff7e18eafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7e18eb000 | 0x7ff7e18eb000 | 0x7ff7e18ecfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7e18ed000 | 0x7ff7e18ed000 | 0x7ff7e18eefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7e18ef000 | 0x7ff7e18ef000 | 0x7ff7e18effff | Private Memory | Readable, Writable |
|
|
|
- |
| vssadmin.exe | 0x7ff7e2670000 | 0x7ff7e2698fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| vss_ps.dll | 0x7ffb0b860000 | 0x7ffb0b874fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| vsstrace.dll | 0x7ffb130f0000 | 0x7ffb13105fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| vssapi.dll | 0x7ffb13110000 | 0x7ffb1328ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcd.dll | 0x7ffb16730000 | 0x7ffb16749fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| atl.dll | 0x7ffb17100000 | 0x7ffb1711afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x7ffb171a0000 | 0x7ffb171a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ffb19920000 | 0x7ffb19929fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ffb19f50000 | 0x7ffb19f84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ffb1a310000 | 0x7ffb1a32dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ffb1a540000 | 0x7ffb1a565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffb1a860000 | 0x7ffb1a8bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffb1a9c0000 | 0x7ffb1a9c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffb1af60000 | 0x7ffb1b006fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ffb1b010000 | 0x7ffb1b067fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ffb1b070000 | 0x7ffb1b126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ffb1b280000 | 0x7ffb1b288fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ffb1b290000 | 0x7ffb1b407fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffb1b410000 | 0x7ffb1b580fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7ffb1b590000 | 0x7ffb1b6c8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ffb1b870000 | 0x7ffb1ba45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffb1ba50000 | 0x7ffb1baa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffb1cef0000 | 0x7ffb1cf94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7ffb1cfa0000 | 0x7ffb1d043fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7ffb1d230000 | 0x7ffb1d280fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ffb1d2f0000 | 0x7ffb1d323fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffb1d450000 | 0x7ffb1d594fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffb1d5a0000 | 0x7ffb1d6d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #20: sous.exe
157
0
| Information | Value |
|---|---|
| ID | #20 |
| File Name | c:\users\5jghko~1\desktop\sous.exe |
| Command Line | C:\Users\5JGHKO~1\Desktop\sous.exe |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:11, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:23 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x914 |
| Parent PID | 0x3d4 (c:\users\5jghkoaofdp\desktop\sous.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
92C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| imageres.dll | 0xe500000000 | 0xe502e95fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000e57b130000 | 0xe57b130000 | 0xe57b14ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e57b130000 | 0xe57b130000 | 0xe57b13ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e57b140000 | 0xe57b140000 | 0xe57b146fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e57b150000 | 0xe57b150000 | 0xe57b15efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000e57b160000 | 0xe57b160000 | 0xe57b55ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e57b560000 | 0xe57b560000 | 0xe57b563fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000e57b570000 | 0xe57b570000 | 0xe57b571fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000e57b580000 | 0xe57b580000 | 0xe57b581fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e57b590000 | 0xe57b590000 | 0xe57b596fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e57b5a0000 | 0xe57b5a0000 | 0xe57b5a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e57b5b0000 | 0xe57b5b0000 | 0xe57b5b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e57b5c0000 | 0xe57b5c0000 | 0xe57b5c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000e57b5c0000 | 0xe57b5c0000 | 0xe57b5c3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000e57b5d0000 | 0xe57b5d0000 | 0xe57b5d1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000e57b5e0000 | 0xe57b5e0000 | 0xe57b5e6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e57b5f0000 | 0xe57b5f0000 | 0xe57b9effff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0xe57b9f0000 | 0xe57ba6dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000e57ba70000 | 0xe57ba70000 | 0xe57ba70fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e57ba80000 | 0xe57ba80000 | 0xe57ba80fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e57ba90000 | 0xe57ba90000 | 0xe57ba90fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e57baa0000 | 0xe57baa0000 | 0xe57baaffff | Private Memory | Readable, Writable |
|
|
|
- |
| rpcss.dll | 0xe57bab0000 | 0xe57bb67fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000e57bab0000 | 0xe57bab0000 | 0xe57bab0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000e57bab0000 | 0xe57bab0000 | 0xe57bab2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000e57bac0000 | 0xe57bac0000 | 0xe57bac0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| user32.dll.mui | 0xe57bad0000 | 0xe57bad4fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000e57bae0000 | 0xe57bae0000 | 0xe57bb23fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e57bb30000 | 0xe57bb30000 | 0xe57bb54fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e57bb90000 | 0xe57bb90000 | 0xe57bb9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e57bba0000 | 0xe57bba0000 | 0xe57bd27fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000e57bd30000 | 0xe57bd30000 | 0xe57beb0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000e57bec0000 | 0xe57bec0000 | 0xe57d2bffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000e57d2c0000 | 0xe57d2c0000 | 0xe57d3b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000e57d3c0000 | 0xe57d3c0000 | 0xe57d4bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e57d4c0000 | 0xe57d4c0000 | 0xe57d5b9fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0xe57d4c0000 | 0xe57d794fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000e57d7a0000 | 0xe57d7a0000 | 0xe57dc91fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| staticcache.dat | 0xe57dca0000 | 0xe57eb0ffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000e57eb10000 | 0xe57eb10000 | 0xe57ed27fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e57ed30000 | 0xe57ed30000 | 0xe57f12bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff757940000 | 0x7ff757940000 | 0x7ff757a3ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff757a40000 | 0x7ff757a40000 | 0x7ff757a62fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff757a69000 | 0x7ff757a69000 | 0x7ff757a69fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff757a6e000 | 0x7ff757a6e000 | 0x7ff757a6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sous.exe | 0x7ff757f40000 | 0x7ff758041fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffb117b0000 | 0x7ffb117b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmmbase.dll | 0x7ffb133a0000 | 0x7ffb133c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmm.dll | 0x7ffb13500000 | 0x7ffb1351efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wsock32.dll | 0x7ffb142a0000 | 0x7ffb142a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x7ffb15750000 | 0x7ffb1576afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x7ffb15770000 | 0x7ffb15a18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x7ffb15a20000 | 0x7ffb15c4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x7ffb16750000 | 0x7ffb16759fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x7ffb16760000 | 0x7ffb16788fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x7ffb170e0000 | 0x7ffb170f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x7ffb17120000 | 0x7ffb17134fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7ffb18f20000 | 0x7ffb19179fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x7ffb19210000 | 0x7ffb1922ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x7ffb193e0000 | 0x7ffb1947efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7ffb197a0000 | 0x7ffb198c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7ffb198d0000 | 0x7ffb198f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ffb19920000 | 0x7ffb19929fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x7ffb19d00000 | 0x7ffb19d0bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ffb19f50000 | 0x7ffb19f84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7ffb1a060000 | 0x7ffb1a07efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ffb1a310000 | 0x7ffb1a32dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ffb1a540000 | 0x7ffb1a565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x7ffb1a7d0000 | 0x7ffb1a7f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffb1a860000 | 0x7ffb1a8bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffb1a9c0000 | 0x7ffb1a9c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ffb1aa50000 | 0x7ffb1aa63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7ffb1ad50000 | 0x7ffb1ad99fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffb1af60000 | 0x7ffb1b006fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ffb1b010000 | 0x7ffb1b067fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ffb1b070000 | 0x7ffb1b126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ffb1b280000 | 0x7ffb1b288fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ffb1b290000 | 0x7ffb1b407fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffb1b410000 | 0x7ffb1b580fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7ffb1b590000 | 0x7ffb1b6c8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ffb1b870000 | 0x7ffb1ba45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffb1ba50000 | 0x7ffb1baa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7ffb1bac0000 | 0x7ffb1ced6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x7ffb1cee0000 | 0x7ffb1cee6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffb1cef0000 | 0x7ffb1cf94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7ffb1d230000 | 0x7ffb1d280fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ffb1d2f0000 | 0x7ffb1d323fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comdlg32.dll | 0x7ffb1d3b0000 | 0x7ffb1d449fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffb1d450000 | 0x7ffb1d594fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffb1d5a0000 | 0x7ffb1d6d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\progra~1\common~1\3123635631 | 0.00 KB |
MD5:
a54f0041a9e15b050f25c463f1db7449
SHA1: d9be6524a5f5047db5866813acf3277892a7a30a SHA256: ad95131bc0b799c0b1af477fb14fcf26a6a9f76079e48bf090acb7e8367bfd0e |
|
|
Host Behavior
File (28)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\Desktop\sous.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\log.txt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
2 | |
| Create | C:\PROGRA~1\COMMON~1\1365363213 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\31236356313123635631 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\3123635631 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Get Info | C:\Users\5JGHKO~1\Desktop\sous.exe | type = file_type |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | type = file_type |
|
1 | |
| Get Info | C:\ | type = file_attributes |
|
1 | |
| Get Info | C:\PROGRA~1\COMMON~1\ | type = file_attributes |
|
1 | |
| Get Info | C:\PROGRA~1\COMMON~1\3123635631 | type = file_attributes |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 14357 |
|
4 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 0 |
|
2 | |
| Read | C:\PROGRA~1\COMMON~1\1365363213 | size = 65536, size_out = 27 |
|
2 | |
| Read | C:\PROGRA~1\COMMON~1\1365363213 | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\31236356313123635631 | size = 65536, size_out = 16 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\31236356313123635631 | size = 65536, size_out = 0 |
|
1 | |
| Delete | C:\PROGRA~1\COMMON~1\3123635631 | - |
|
1 |
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Control Panel\Mouse | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Mouse | value_name = SwapMouseButtons, data = 48 |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\Desktop\sous.exe | os_pid = 0xab8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL |
|
1 |
Module (68)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x7ffb1b140000 |
|
6 | |
| Load | C:\Users\5JGHKO~1\Desktop\sous.exe | base_address = 0x7ff757f40000 |
|
1 | |
| Load | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | base_address = 0x7ff757f40000 |
|
1 | |
| Load | user32.dll | base_address = 0x7ffb1b410000 |
|
1 | |
| Load | Netapi32.dll | base_address = 0x7ffb17120000 |
|
4 | |
| Load | netapi32.dll | base_address = 0x7ffb17120000 |
|
2 | |
| Load | Advapi32.dll | base_address = 0x7ffb1cef0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffb1b140000 |
|
1 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghko~1\desktop\sous.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\sous.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghko~1\desktop\sous.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\sous.exe, size = 32767 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7ffb1b1433b8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ffb1b143500 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ffb1b141704 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ffb1b1416f4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ffb1b142eb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ffb1b143010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ffb1b1f496c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ffb1b142d2c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ffb1b143560 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ffb1d732728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffb1d731198 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ffb1d733178 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ffb1b1435a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ffb1d7334d8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ffb1d7301a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ffb1d77b910 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffb1d756c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ffb1d77a7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ffb1b14dfc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ffb1b21c8c4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ffb1ae79310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ffb1b21ca44 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ffb1b142f00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ffb1b21cb20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ffb1b142ca0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ffb1b1fb6e4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ffb1b142c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ffb1b1442ac |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ffb1b142ef0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ffb1adaa7dc |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ffb1b14166c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ffb1b21d488 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffb1b21d498 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffb1b21d488 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = SendMessageW, address_out = 0x7ffb1b415080 |
|
1 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetGetJoinInformation, address_out = 0x7ffb170e19a0 |
|
2 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetApiBufferSize, address_out = 0x7ffb19d05584 |
|
2 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetApiBufferFree, address_out = 0x7ffb19d01010 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContext, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContextA, address_out = 0x7ffb1cefeb50 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptGetKeyParam, address_out = 0x7ffb1cf2675c |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDecrypt, address_out = 0x7ffb1cf1fc48 |
|
1 |
Window (11)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | AutoIt v3 | class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | CryptoWire | class_name = AutoIt v3 GUI, wndproc_parameter = 0 |
|
1 | |
| Create | Decrypt Files | class_name = button, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | Your files has been safely encrypted | class_name = static, wndproc_parameter = 0 |
|
1 | |
| Create | Decryptionkey | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | Buy Bitcoins | class_name = button, wndproc_parameter = 0 |
|
1 | |
| Create | The only way you can recover your files is to buy a decryption key The payment method is: Bitcoins. The price is: $1000 = 0.12587388 Bitcoins When you are ready, send a message by email to wlojul@secmail.pro We will send you our BTC wallet for the transfer After confirmation we will send you the decryption key Click on the 'Buy decryption key' button. | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | - | - |
|
1 | |
| Create | - | - |
|
1 |
Keyboard (10)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
2 | |
| Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
5 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
3 |
System (30)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 506, y_out = 681 |
|
1 | |
| Get Cursor | x_out = 577, y_out = 530 |
|
2 | |
| Get Cursor | x_out = 882, y_out = 513 |
|
4 | |
| Get Cursor | x_out = 798, y_out = 503 |
|
2 | |
| Sleep | duration = 750 milliseconds (0.750 seconds) |
|
5 | |
| Sleep | duration = 40 milliseconds (0.040 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2018-04-13 00:35:58 (UTC) |
|
13 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Environment (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = USERPROFILE, result_out = C:\Users\5JgHKoaOfdp |
|
1 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\5jghko~1\desktop\sous.exe | - |
|
1 |
Process #22: sous.exe
277
0
| Information | Value |
|---|---|
| ID | #22 |
| File Name | c:\users\5jghko~1\desktop\sous.exe |
| Command Line | C:\Users\5JGHKO~1\Desktop\sous.exe |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:17, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:17 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xab8 |
| Parent PID | 0x914 (c:\users\5jghko~1\desktop\sous.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AD0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x0000004b0f070000 | 0x4b0f070000 | 0x4b0f08ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004b0f070000 | 0x4b0f070000 | 0x4b0f07ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000004b0f080000 | 0x4b0f080000 | 0x4b0f086fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004b0f090000 | 0x4b0f090000 | 0x4b0f09efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000004b0f0a0000 | 0x4b0f0a0000 | 0x4b0f49ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004b0f4a0000 | 0x4b0f4a0000 | 0x4b0f4a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000004b0f4b0000 | 0x4b0f4b0000 | 0x4b0f4b1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000004b0f4c0000 | 0x4b0f4c0000 | 0x4b0f4c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x4b0f4d0000 | 0x4b0f54dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000004b0f550000 | 0x4b0f550000 | 0x4b0f556fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000004b0f560000 | 0x4b0f560000 | 0x4b0f560fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000004b0f570000 | 0x4b0f570000 | 0x4b0f570fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004b0f580000 | 0x4b0f580000 | 0x4b0f580fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000004b0f580000 | 0x4b0f580000 | 0x4b0f583fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000004b0f590000 | 0x4b0f590000 | 0x4b0f591fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| rpcss.dll | 0x4b0f5a0000 | 0x4b0f657fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000004b0f5a0000 | 0x4b0f5a0000 | 0x4b0f5a6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000004b0f5b0000 | 0x4b0f5b0000 | 0x4b0f5b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004b0f5c0000 | 0x4b0f5c0000 | 0x4b0f5c0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000004b0f5d0000 | 0x4b0f5d0000 | 0x4b0f5d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004b0f5e0000 | 0x4b0f5e0000 | 0x4b0f5e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000004b0f5e0000 | 0x4b0f5e0000 | 0x4b0f5e2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000004b0f5f0000 | 0x4b0f5f0000 | 0x4b0f5f0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004b0f600000 | 0x4b0f600000 | 0x4b0f643fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000004b0f660000 | 0x4b0f660000 | 0x4b0fa5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004b0fa60000 | 0x4b0fa60000 | 0x4b0fbe7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000004b0fc10000 | 0x4b0fc10000 | 0x4b0fc1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004b0fc20000 | 0x4b0fc20000 | 0x4b0fda0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000004b0fdb0000 | 0x4b0fdb0000 | 0x4b111affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000004b111b0000 | 0x4b111b0000 | 0x4b112a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000004b112b0000 | 0x4b112b0000 | 0x4b112d4fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000004b11300000 | 0x4b11300000 | 0x4b1130ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000004b11310000 | 0x4b11310000 | 0x4b1140ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004b11410000 | 0x4b11410000 | 0x4b11509fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x4b11410000 | 0x4b116e4fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000004b116f0000 | 0x4b116f0000 | 0x4b11be1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| staticcache.dat | 0x4b11bf0000 | 0x4b12a5ffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000004b12a60000 | 0x4b12a60000 | 0x4b12c77fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| imageres.dll | 0x4b12c80000 | 0x4b15b15fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000004b15b20000 | 0x4b15b20000 | 0x4b15f1bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff756ed0000 | 0x7ff756ed0000 | 0x7ff756fcffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff756fd0000 | 0x7ff756fd0000 | 0x7ff756ff2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff756ff6000 | 0x7ff756ff6000 | 0x7ff756ff6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff756ffe000 | 0x7ff756ffe000 | 0x7ff756ffffff | Private Memory | Readable, Writable |
|
|
|
- |
| sous.exe | 0x7ff757f40000 | 0x7ff758041fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffb117b0000 | 0x7ffb117b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmmbase.dll | 0x7ffb133a0000 | 0x7ffb133c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmm.dll | 0x7ffb13500000 | 0x7ffb1351efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wsock32.dll | 0x7ffb142a0000 | 0x7ffb142a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x7ffb15750000 | 0x7ffb1576afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x7ffb15770000 | 0x7ffb15a18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x7ffb15a20000 | 0x7ffb15c4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x7ffb16750000 | 0x7ffb16759fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x7ffb16760000 | 0x7ffb16788fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x7ffb170e0000 | 0x7ffb170f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x7ffb17120000 | 0x7ffb17134fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7ffb18f20000 | 0x7ffb19179fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x7ffb19210000 | 0x7ffb1922ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x7ffb193e0000 | 0x7ffb1947efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7ffb197a0000 | 0x7ffb198c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7ffb198d0000 | 0x7ffb198f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ffb19920000 | 0x7ffb19929fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x7ffb19d00000 | 0x7ffb19d0bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ffb19f50000 | 0x7ffb19f84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7ffb1a060000 | 0x7ffb1a07efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ffb1a310000 | 0x7ffb1a32dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ffb1a540000 | 0x7ffb1a565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x7ffb1a7d0000 | 0x7ffb1a7f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffb1a860000 | 0x7ffb1a8bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffb1a9c0000 | 0x7ffb1a9c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ffb1aa50000 | 0x7ffb1aa63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7ffb1ad50000 | 0x7ffb1ad99fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffb1af60000 | 0x7ffb1b006fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ffb1b010000 | 0x7ffb1b067fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ffb1b070000 | 0x7ffb1b126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ffb1b280000 | 0x7ffb1b288fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ffb1b290000 | 0x7ffb1b407fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffb1b410000 | 0x7ffb1b580fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7ffb1b590000 | 0x7ffb1b6c8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ffb1b870000 | 0x7ffb1ba45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffb1ba50000 | 0x7ffb1baa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7ffb1bac0000 | 0x7ffb1ced6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x7ffb1cee0000 | 0x7ffb1cee6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffb1cef0000 | 0x7ffb1cf94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7ffb1d230000 | 0x7ffb1d280fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ffb1d2f0000 | 0x7ffb1d323fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comdlg32.dll | 0x7ffb1d3b0000 | 0x7ffb1d449fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffb1d450000 | 0x7ffb1d594fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffb1d5a0000 | 0x7ffb1d6d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Host Behavior
File (27)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\Desktop\sous.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\log.txt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
2 | |
| Create | C:\PROGRA~1\COMMON~1\1365363213 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\31236356313123635631 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\3123635631 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Get Info | C:\Users\5JGHKO~1\Desktop\sous.exe | type = file_type |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | type = file_type |
|
1 | |
| Get Info | C:\ | type = file_attributes |
|
1 | |
| Get Info | C:\PROGRA~1\COMMON~1\3123635631 | type = file_attributes |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 14357 |
|
4 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 0 |
|
2 | |
| Read | C:\PROGRA~1\COMMON~1\1365363213 | size = 65536, size_out = 27 |
|
2 | |
| Read | C:\PROGRA~1\COMMON~1\1365363213 | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\31236356313123635631 | size = 65536, size_out = 16 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\31236356313123635631 | size = 65536, size_out = 0 |
|
1 | |
| Delete | C:\PROGRA~1\COMMON~1\3123635631 | - |
|
1 |
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Control Panel\Mouse | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Mouse | value_name = SwapMouseButtons, data = 48 |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\Desktop\sous.exe | os_pid = 0xb68, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL |
|
1 |
Module (69)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x7ffb1b140000 |
|
6 | |
| Load | C:\Users\5JGHKO~1\Desktop\sous.exe | base_address = 0x7ff757f40000 |
|
1 | |
| Load | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | base_address = 0x7ff757f40000 |
|
1 | |
| Load | user32.dll | base_address = 0x7ffb1b410000 |
|
1 | |
| Load | Netapi32.dll | base_address = 0x7ffb17120000 |
|
4 | |
| Load | netapi32.dll | base_address = 0x7ffb17120000 |
|
2 | |
| Load | Advapi32.dll | base_address = 0x7ffb1cef0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffb1b140000 |
|
1 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghko~1\desktop\sous.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\sous.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghko~1\desktop\sous.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\sous.exe, size = 32767 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7ffb1b1433b8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ffb1b143500 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ffb1b141704 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ffb1b1416f4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ffb1b142eb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ffb1b143010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ffb1b1f496c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ffb1b142d2c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ffb1b143560 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ffb1d732728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffb1d731198 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ffb1d733178 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ffb1b1435a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ffb1d7334d8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ffb1d7301a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ffb1d77b910 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffb1d756c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ffb1d77a7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ffb1b14dfc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ffb1b21c8c4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ffb1ae79310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ffb1b21ca44 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ffb1b142f00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ffb1b21cb20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ffb1b142ca0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ffb1b1fb6e4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ffb1b142c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ffb1b1442ac |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ffb1b142ef0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ffb1adaa7dc |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ffb1b14166c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ffb1b21d488 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffb1b21d498 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffb1b21d488 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = SendMessageW, address_out = 0x7ffb1b415080 |
|
1 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetGetJoinInformation, address_out = 0x7ffb170e19a0 |
|
2 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetApiBufferSize, address_out = 0x7ffb19d05584 |
|
2 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetApiBufferFree, address_out = 0x7ffb19d01010 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContext, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContextA, address_out = 0x7ffb1cefeb50 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptHashData, address_out = 0x7ffb1cef1a30 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDeriveKey, address_out = 0x7ffb1cf4d0a4 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptGetKeyParam, address_out = 0x7ffb1cf2675c |
|
1 |
Window (11)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | AutoIt v3 | class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | CryptoWire | class_name = AutoIt v3 GUI, wndproc_parameter = 0 |
|
1 | |
| Create | Decrypt Files | class_name = button, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | Your files has been safely encrypted | class_name = static, wndproc_parameter = 0 |
|
1 | |
| Create | Decryptionkey | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | Buy Bitcoins | class_name = button, wndproc_parameter = 0 |
|
1 | |
| Create | The only way you can recover your files is to buy a decryption key The payment method is: Bitcoins. The price is: $1000 = 0.12587388 Bitcoins When you are ready, send a message by email to wlojul@secmail.pro We will send you our BTC wallet for the transfer After confirmation we will send you the decryption key Click on the 'Buy decryption key' button. | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | - | - |
|
1 | |
| Create | - | - |
|
1 |
Keyboard (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
8 | |
| Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
10 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
2 |
System (140)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 798, y_out = 503 |
|
4 | |
| Get Cursor | x_out = 555, y_out = 531 |
|
5 | |
| Get Cursor | x_out = 876, y_out = 510 |
|
5 | |
| Get Cursor | x_out = 767, y_out = 505 |
|
1 | |
| Sleep | duration = 750 milliseconds (0.750 seconds) |
|
4 | |
| Sleep | duration = 40 milliseconds (0.040 seconds) |
|
1 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
105 | |
| Get Time | type = System Time, time = 2018-04-13 00:36:04 (UTC) |
|
13 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Environment (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = USERPROFILE, result_out = C:\Users\5JgHKoaOfdp |
|
1 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\5jghko~1\desktop\sous.exe | - |
|
1 |
Process #23: sous.exe
230
0
| Information | Value |
|---|---|
| ID | #23 |
| File Name | c:\users\5jghko~1\desktop\sous.exe |
| Command Line | C:\Users\5JGHKO~1\Desktop\sous.exe |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:14 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb68 |
| Parent PID | 0xab8 (c:\users\5jghko~1\desktop\sous.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B78
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x00000065ca760000 | 0x65ca760000 | 0x65ca77ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000065ca760000 | 0x65ca760000 | 0x65ca76ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000065ca770000 | 0x65ca770000 | 0x65ca776fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000065ca780000 | 0x65ca780000 | 0x65ca78efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000065ca790000 | 0x65ca790000 | 0x65cab8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000065cab90000 | 0x65cab90000 | 0x65cab93fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000065caba0000 | 0x65caba0000 | 0x65caba1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000065cabb0000 | 0x65cabb0000 | 0x65cabb1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000065cabc0000 | 0x65cabc0000 | 0x65cabc6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000065cabd0000 | 0x65cabd0000 | 0x65cabd0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000065cabe0000 | 0x65cabe0000 | 0x65cabe0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000065cabf0000 | 0x65cabf0000 | 0x65cafeffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x65caff0000 | 0x65cb06dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000065cb070000 | 0x65cb070000 | 0x65cb1f7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000065cb200000 | 0x65cb200000 | 0x65cb20ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000065cb210000 | 0x65cb210000 | 0x65cb390fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000065cb3a0000 | 0x65cb3a0000 | 0x65cc79ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000065cc7a0000 | 0x65cc7a0000 | 0x65cc7a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000065cc7a0000 | 0x65cc7a0000 | 0x65cc7a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000065cc7b0000 | 0x65cc7b0000 | 0x65cc7b1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| rpcss.dll | 0x65cc7c0000 | 0x65cc877fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000065cc7c0000 | 0x65cc7c0000 | 0x65cc8b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000065cc8c0000 | 0x65cc8c0000 | 0x65cc8c6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000065cc8d0000 | 0x65cc8d0000 | 0x65cc8d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000065cc8e0000 | 0x65cc8e0000 | 0x65cc8e0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000065cc8f0000 | 0x65cc8f0000 | 0x65cc8f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000065cc900000 | 0x65cc900000 | 0x65cc90ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000065cc910000 | 0x65cc910000 | 0x65cca0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000065cca10000 | 0x65cca10000 | 0x65ccb09fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x65cca10000 | 0x65ccce4fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000065cccf0000 | 0x65cccf0000 | 0x65cd1e1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| staticcache.dat | 0x65cd1f0000 | 0x65ce05ffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000065ce060000 | 0x65ce060000 | 0x65ce277fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000065ce280000 | 0x65ce280000 | 0x65ce280fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| imageres.dll | 0x65ce280000 | 0x65d1115fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000065d1120000 | 0x65d1120000 | 0x65d1122fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000065d1130000 | 0x65d1130000 | 0x65d1130fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000065d1140000 | 0x65d1140000 | 0x65d153bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000065d1540000 | 0x65d1540000 | 0x65d1583fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000065d1590000 | 0x65d1590000 | 0x65d15b4fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff7570d0000 | 0x7ff7570d0000 | 0x7ff7571cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff7571d0000 | 0x7ff7571d0000 | 0x7ff7571f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff7571fd000 | 0x7ff7571fd000 | 0x7ff7571fdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7571fe000 | 0x7ff7571fe000 | 0x7ff7571fffff | Private Memory | Readable, Writable |
|
|
|
- |
| sous.exe | 0x7ff757f40000 | 0x7ff758041fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffb117b0000 | 0x7ffb117b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmmbase.dll | 0x7ffb133a0000 | 0x7ffb133c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmm.dll | 0x7ffb13500000 | 0x7ffb1351efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wsock32.dll | 0x7ffb142a0000 | 0x7ffb142a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x7ffb15750000 | 0x7ffb1576afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x7ffb15770000 | 0x7ffb15a18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x7ffb15a20000 | 0x7ffb15c4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x7ffb16750000 | 0x7ffb16759fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x7ffb16760000 | 0x7ffb16788fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x7ffb170e0000 | 0x7ffb170f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x7ffb17120000 | 0x7ffb17134fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7ffb18f20000 | 0x7ffb19179fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x7ffb19210000 | 0x7ffb1922ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x7ffb193e0000 | 0x7ffb1947efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7ffb197a0000 | 0x7ffb198c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7ffb198d0000 | 0x7ffb198f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ffb19920000 | 0x7ffb19929fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x7ffb19d00000 | 0x7ffb19d0bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ffb19f50000 | 0x7ffb19f84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7ffb1a060000 | 0x7ffb1a07efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ffb1a310000 | 0x7ffb1a32dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ffb1a540000 | 0x7ffb1a565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x7ffb1a7d0000 | 0x7ffb1a7f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffb1a860000 | 0x7ffb1a8bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffb1a9c0000 | 0x7ffb1a9c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ffb1aa50000 | 0x7ffb1aa63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7ffb1ad50000 | 0x7ffb1ad99fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffb1af60000 | 0x7ffb1b006fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ffb1b010000 | 0x7ffb1b067fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ffb1b070000 | 0x7ffb1b126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ffb1b280000 | 0x7ffb1b288fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ffb1b290000 | 0x7ffb1b407fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffb1b410000 | 0x7ffb1b580fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7ffb1b590000 | 0x7ffb1b6c8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ffb1b870000 | 0x7ffb1ba45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffb1ba50000 | 0x7ffb1baa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7ffb1bac0000 | 0x7ffb1ced6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x7ffb1cee0000 | 0x7ffb1cee6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffb1cef0000 | 0x7ffb1cf94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7ffb1d230000 | 0x7ffb1d280fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ffb1d2f0000 | 0x7ffb1d323fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comdlg32.dll | 0x7ffb1d3b0000 | 0x7ffb1d449fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffb1d450000 | 0x7ffb1d594fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffb1d5a0000 | 0x7ffb1d6d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Host Behavior
File (28)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\Desktop\sous.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\log.txt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
2 | |
| Create | C:\PROGRA~1\COMMON~1\1365363213 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\31236356313123635631 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\3123635631 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Get Info | C:\Users\5JGHKO~1\Desktop\sous.exe | type = file_type |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | type = file_type |
|
1 | |
| Get Info | C:\ | type = file_attributes |
|
1 | |
| Get Info | C:\PROGRA~1\COMMON~1\ | type = file_attributes |
|
1 | |
| Get Info | C:\PROGRA~1\COMMON~1\3123635631 | type = file_attributes |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 14357 |
|
4 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 0 |
|
2 | |
| Read | C:\PROGRA~1\COMMON~1\1365363213 | size = 65536, size_out = 27 |
|
2 | |
| Read | C:\PROGRA~1\COMMON~1\1365363213 | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\31236356313123635631 | size = 65536, size_out = 16 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\31236356313123635631 | size = 65536, size_out = 0 |
|
1 | |
| Delete | C:\PROGRA~1\COMMON~1\3123635631 | - |
|
1 |
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Control Panel\Mouse | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Mouse | value_name = SwapMouseButtons, data = 48 |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\Desktop\sous.exe | os_pid = 0x8a8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL |
|
1 |
Module (68)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x7ffb1b140000 |
|
6 | |
| Load | C:\Users\5JGHKO~1\Desktop\sous.exe | base_address = 0x7ff757f40000 |
|
1 | |
| Load | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | base_address = 0x7ff757f40000 |
|
1 | |
| Load | user32.dll | base_address = 0x7ffb1b410000 |
|
1 | |
| Load | Netapi32.dll | base_address = 0x7ffb17120000 |
|
4 | |
| Load | netapi32.dll | base_address = 0x7ffb17120000 |
|
2 | |
| Load | Advapi32.dll | base_address = 0x7ffb1cef0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffb1b140000 |
|
1 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghko~1\desktop\sous.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\sous.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghko~1\desktop\sous.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\sous.exe, size = 32767 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7ffb1b1433b8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ffb1b143500 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ffb1b141704 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ffb1b1416f4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ffb1b142eb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ffb1b143010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ffb1b1f496c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ffb1b142d2c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ffb1b143560 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ffb1d732728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffb1d731198 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ffb1d733178 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ffb1b1435a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ffb1d7334d8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ffb1d7301a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ffb1d77b910 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffb1d756c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ffb1d77a7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ffb1b14dfc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ffb1b21c8c4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ffb1ae79310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ffb1b21ca44 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ffb1b142f00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ffb1b21cb20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ffb1b142ca0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ffb1b1fb6e4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ffb1b142c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ffb1b1442ac |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ffb1b142ef0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ffb1adaa7dc |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ffb1b14166c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ffb1b21d488 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffb1b21d498 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffb1b21d488 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = SendMessageW, address_out = 0x7ffb1b415080 |
|
1 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetGetJoinInformation, address_out = 0x7ffb170e19a0 |
|
2 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetApiBufferSize, address_out = 0x7ffb19d05584 |
|
2 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetApiBufferFree, address_out = 0x7ffb19d01010 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContext, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContextA, address_out = 0x7ffb1cefeb50 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptGetKeyParam, address_out = 0x7ffb1cf2675c |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDecrypt, address_out = 0x7ffb1cf1fc48 |
|
1 |
Window (11)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | AutoIt v3 | class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | CryptoWire | class_name = AutoIt v3 GUI, wndproc_parameter = 0 |
|
1 | |
| Create | Decrypt Files | class_name = button, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | Your files has been safely encrypted | class_name = static, wndproc_parameter = 0 |
|
1 | |
| Create | Decryptionkey | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | Buy Bitcoins | class_name = button, wndproc_parameter = 0 |
|
1 | |
| Create | The only way you can recover your files is to buy a decryption key The payment method is: Bitcoins. The price is: $1000 = 0.12587388 Bitcoins When you are ready, send a message by email to wlojul@secmail.pro We will send you our BTC wallet for the transfer After confirmation we will send you the decryption key Click on the 'Buy decryption key' button. | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | - | - |
|
1 | |
| Create | - | - |
|
1 |
Keyboard (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
7 | |
| Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
9 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
2 |
System (95)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 767, y_out = 505 |
|
3 | |
| Get Cursor | x_out = 549, y_out = 533 |
|
5 | |
| Get Cursor | x_out = 864, y_out = 510 |
|
5 | |
| Get Cursor | x_out = 794, y_out = 507 |
|
1 | |
| Sleep | duration = 750 milliseconds (0.750 seconds) |
|
3 | |
| Sleep | duration = 40 milliseconds (0.040 seconds) |
|
1 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
62 | |
| Get Time | type = System Time, time = 2018-04-13 00:36:07 (UTC) |
|
13 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Environment (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = USERPROFILE, result_out = C:\Users\5JgHKoaOfdp |
|
1 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\5jghko~1\desktop\sous.exe | - |
|
1 |
Process #24: sous.exe
231
0
| Information | Value |
|---|---|
| ID | #24 |
| File Name | c:\users\5jghko~1\desktop\sous.exe |
| Command Line | C:\Users\5JGHKO~1\Desktop\sous.exe |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:23, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8a8 |
| Parent PID | 0xb68 (c:\users\5jghko~1\desktop\sous.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9AC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000de22b40000 | 0xde22b40000 | 0xde22b5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000de22b40000 | 0xde22b40000 | 0xde22b4ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de22b50000 | 0xde22b50000 | 0xde22b56fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000de22b60000 | 0xde22b60000 | 0xde22b6efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000de22b70000 | 0xde22b70000 | 0xde22f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000de22f70000 | 0xde22f70000 | 0xde22f73fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000de22f80000 | 0xde22f80000 | 0xde22f81fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000de22f90000 | 0xde22f90000 | 0xde22f91fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de22fa0000 | 0xde22fa0000 | 0xde22fa6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de22fb0000 | 0xde22fb0000 | 0xde22fb0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de22fc0000 | 0xde22fc0000 | 0xde22fc0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000de22fd0000 | 0xde22fd0000 | 0xde22fd0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000de22fd0000 | 0xde22fd0000 | 0xde22fd3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000de22fe0000 | 0xde22fe0000 | 0xde22fe1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000de22ff0000 | 0xde22ff0000 | 0xde22ff6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de23000000 | 0xde23000000 | 0xde23000fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de23010000 | 0xde23010000 | 0xde2340ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0xde23410000 | 0xde2348dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000de23490000 | 0xde23490000 | 0xde23617fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000de23620000 | 0xde23620000 | 0xde23620fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de23630000 | 0xde23630000 | 0xde23630fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de23640000 | 0xde23640000 | 0xde2364ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000de23650000 | 0xde23650000 | 0xde237d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000de237e0000 | 0xde237e0000 | 0xde24bdffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| rpcss.dll | 0xde24be0000 | 0xde24c97fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000de24be0000 | 0xde24be0000 | 0xde24cd0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000de24ce0000 | 0xde24ce0000 | 0xde24ceffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de24cf0000 | 0xde24cf0000 | 0xde24deffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000de24df0000 | 0xde24df0000 | 0xde24ee9fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0xde24df0000 | 0xde250c4fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000de250d0000 | 0xde250d0000 | 0xde255c1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| staticcache.dat | 0xde255d0000 | 0xde2643ffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000de26440000 | 0xde26440000 | 0xde26657fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000de26660000 | 0xde26660000 | 0xde26660fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| imageres.dll | 0xde26660000 | 0xde294f5fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000de29500000 | 0xde29500000 | 0xde29502fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000de29510000 | 0xde29510000 | 0xde29510fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000de29520000 | 0xde29520000 | 0xde2991bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000de29920000 | 0xde29920000 | 0xde29963fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000de29970000 | 0xde29970000 | 0xde29994fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff7571c0000 | 0x7ff7571c0000 | 0x7ff7572bffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff7572c0000 | 0x7ff7572c0000 | 0x7ff7572e2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff7572e4000 | 0x7ff7572e4000 | 0x7ff7572e4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7572ee000 | 0x7ff7572ee000 | 0x7ff7572effff | Private Memory | Readable, Writable |
|
|
|
- |
| sous.exe | 0x7ff757f40000 | 0x7ff758041fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffb117b0000 | 0x7ffb117b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmmbase.dll | 0x7ffb133a0000 | 0x7ffb133c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmm.dll | 0x7ffb13500000 | 0x7ffb1351efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wsock32.dll | 0x7ffb142a0000 | 0x7ffb142a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x7ffb15750000 | 0x7ffb1576afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x7ffb15770000 | 0x7ffb15a18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x7ffb15a20000 | 0x7ffb15c4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x7ffb16750000 | 0x7ffb16759fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x7ffb16760000 | 0x7ffb16788fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x7ffb170e0000 | 0x7ffb170f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x7ffb17120000 | 0x7ffb17134fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7ffb18f20000 | 0x7ffb19179fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x7ffb19210000 | 0x7ffb1922ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x7ffb193e0000 | 0x7ffb1947efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7ffb197a0000 | 0x7ffb198c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7ffb198d0000 | 0x7ffb198f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ffb19920000 | 0x7ffb19929fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x7ffb19d00000 | 0x7ffb19d0bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ffb19f50000 | 0x7ffb19f84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7ffb1a060000 | 0x7ffb1a07efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ffb1a310000 | 0x7ffb1a32dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ffb1a540000 | 0x7ffb1a565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x7ffb1a7d0000 | 0x7ffb1a7f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffb1a860000 | 0x7ffb1a8bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffb1a9c0000 | 0x7ffb1a9c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ffb1aa50000 | 0x7ffb1aa63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7ffb1ad50000 | 0x7ffb1ad99fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffb1af60000 | 0x7ffb1b006fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ffb1b010000 | 0x7ffb1b067fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ffb1b070000 | 0x7ffb1b126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ffb1b280000 | 0x7ffb1b288fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ffb1b290000 | 0x7ffb1b407fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffb1b410000 | 0x7ffb1b580fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7ffb1b590000 | 0x7ffb1b6c8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ffb1b870000 | 0x7ffb1ba45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffb1ba50000 | 0x7ffb1baa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7ffb1bac0000 | 0x7ffb1ced6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x7ffb1cee0000 | 0x7ffb1cee6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffb1cef0000 | 0x7ffb1cf94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7ffb1d230000 | 0x7ffb1d280fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ffb1d2f0000 | 0x7ffb1d323fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comdlg32.dll | 0x7ffb1d3b0000 | 0x7ffb1d449fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffb1d450000 | 0x7ffb1d594fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffb1d5a0000 | 0x7ffb1d6d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Host Behavior
File (28)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\Desktop\sous.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\log.txt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
2 | |
| Create | C:\PROGRA~1\COMMON~1\1365363213 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\31236356313123635631 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\3123635631 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Get Info | C:\Users\5JGHKO~1\Desktop\sous.exe | type = file_type |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | type = file_type |
|
1 | |
| Get Info | C:\ | type = file_attributes |
|
1 | |
| Get Info | C:\PROGRA~1\COMMON~1\ | type = file_attributes |
|
1 | |
| Get Info | C:\PROGRA~1\COMMON~1\3123635631 | type = file_attributes |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 14357 |
|
4 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 0 |
|
2 | |
| Read | C:\PROGRA~1\COMMON~1\1365363213 | size = 65536, size_out = 27 |
|
2 | |
| Read | C:\PROGRA~1\COMMON~1\1365363213 | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\31236356313123635631 | size = 65536, size_out = 16 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\31236356313123635631 | size = 65536, size_out = 0 |
|
1 | |
| Delete | C:\PROGRA~1\COMMON~1\3123635631 | - |
|
1 |
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Control Panel\Mouse | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Mouse | value_name = SwapMouseButtons, data = 48 |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\Desktop\sous.exe | os_pid = 0x4ec, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL |
|
1 |
Module (68)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x7ffb1b140000 |
|
6 | |
| Load | C:\Users\5JGHKO~1\Desktop\sous.exe | base_address = 0x7ff757f40000 |
|
1 | |
| Load | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | base_address = 0x7ff757f40000 |
|
1 | |
| Load | user32.dll | base_address = 0x7ffb1b410000 |
|
1 | |
| Load | Netapi32.dll | base_address = 0x7ffb17120000 |
|
4 | |
| Load | netapi32.dll | base_address = 0x7ffb17120000 |
|
2 | |
| Load | Advapi32.dll | base_address = 0x7ffb1cef0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffb1b140000 |
|
1 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghko~1\desktop\sous.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\sous.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghko~1\desktop\sous.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\sous.exe, size = 32767 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7ffb1b1433b8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ffb1b143500 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ffb1b141704 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ffb1b1416f4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ffb1b142eb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ffb1b143010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ffb1b1f496c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ffb1b142d2c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ffb1b143560 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ffb1d732728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffb1d731198 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ffb1d733178 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ffb1b1435a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ffb1d7334d8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ffb1d7301a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ffb1d77b910 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffb1d756c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ffb1d77a7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ffb1b14dfc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ffb1b21c8c4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ffb1ae79310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ffb1b21ca44 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ffb1b142f00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ffb1b21cb20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ffb1b142ca0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ffb1b1fb6e4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ffb1b142c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ffb1b1442ac |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ffb1b142ef0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ffb1adaa7dc |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ffb1b14166c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ffb1b21d488 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffb1b21d498 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffb1b21d488 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = SendMessageW, address_out = 0x7ffb1b415080 |
|
1 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetGetJoinInformation, address_out = 0x7ffb170e19a0 |
|
2 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetApiBufferSize, address_out = 0x7ffb19d05584 |
|
2 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetApiBufferFree, address_out = 0x7ffb19d01010 |
|
2 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContext, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContextA, address_out = 0x7ffb1cefeb50 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptGetKeyParam, address_out = 0x7ffb1cf2675c |
|
1 |
Window (11)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | AutoIt v3 | class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | CryptoWire | class_name = AutoIt v3 GUI, wndproc_parameter = 0 |
|
1 | |
| Create | Decrypt Files | class_name = button, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | Your files has been safely encrypted | class_name = static, wndproc_parameter = 0 |
|
1 | |
| Create | Decryptionkey | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | Buy Bitcoins | class_name = button, wndproc_parameter = 0 |
|
1 | |
| Create | The only way you can recover your files is to buy a decryption key The payment method is: Bitcoins. The price is: $1000 = 0.12587388 Bitcoins When you are ready, send a message by email to wlojul@secmail.pro We will send you our BTC wallet for the transfer After confirmation we will send you the decryption key Click on the 'Buy decryption key' button. | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | - | - |
|
1 | |
| Create | - | - |
|
1 |
Keyboard (16)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
6 | |
| Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
8 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
2 |
System (98)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 794, y_out = 507 |
|
2 | |
| Get Cursor | x_out = 525, y_out = 543 |
|
6 | |
| Get Cursor | x_out = 877, y_out = 512 |
|
4 | |
| Get Cursor | x_out = 769, y_out = 507 |
|
1 | |
| Sleep | duration = 750 milliseconds (0.750 seconds) |
|
4 | |
| Sleep | duration = 40 milliseconds (0.040 seconds) |
|
1 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
65 | |
| Get Time | type = System Time, time = 2018-04-13 00:36:10 (UTC) |
|
13 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Environment (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = USERPROFILE, result_out = C:\Users\5JgHKoaOfdp |
|
1 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\5jghko~1\desktop\sous.exe | - |
|
1 |
Process #25: sous.exe
236
0
| Information | Value |
|---|---|
| ID | #25 |
| File Name | c:\users\5jghko~1\desktop\sous.exe |
| Command Line | C:\Users\5JGHKO~1\Desktop\sous.exe |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:26, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4ec |
| Parent PID | 0x8a8 (c:\users\5jghko~1\desktop\sous.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4E4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x00000033d4ff0000 | 0x33d4ff0000 | 0x33d500ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000033d4ff0000 | 0x33d4ff0000 | 0x33d4ffffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000033d5000000 | 0x33d5000000 | 0x33d5006fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000033d5010000 | 0x33d5010000 | 0x33d501efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000033d5020000 | 0x33d5020000 | 0x33d541ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000033d5420000 | 0x33d5420000 | 0x33d5423fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000033d5430000 | 0x33d5430000 | 0x33d5431fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000033d5440000 | 0x33d5440000 | 0x33d5441fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000033d5450000 | 0x33d5450000 | 0x33d5456fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000033d5460000 | 0x33d5460000 | 0x33d5460fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000033d5470000 | 0x33d5470000 | 0x33d5470fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000033d5480000 | 0x33d5480000 | 0x33d5480fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000033d5480000 | 0x33d5480000 | 0x33d5483fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000033d5490000 | 0x33d5490000 | 0x33d588ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x33d5890000 | 0x33d590dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000033d5910000 | 0x33d5910000 | 0x33d5a97fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000033d5aa0000 | 0x33d5aa0000 | 0x33d5aa1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000033d5ab0000 | 0x33d5ab0000 | 0x33d5ab6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000033d5ac0000 | 0x33d5ac0000 | 0x33d5ac0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000033d5ad0000 | 0x33d5ad0000 | 0x33d5ad0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000033d5ae0000 | 0x33d5ae0000 | 0x33d5aeffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000033d5af0000 | 0x33d5af0000 | 0x33d5c70fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000033d5c80000 | 0x33d5c80000 | 0x33d707ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| rpcss.dll | 0x33d7080000 | 0x33d7137fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000033d7080000 | 0x33d7080000 | 0x33d7080fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000033d7090000 | 0x33d7090000 | 0x33d7090fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000033d7090000 | 0x33d7090000 | 0x33d7092fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000033d70a0000 | 0x33d70a0000 | 0x33d70a0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000033d70b0000 | 0x33d70b0000 | 0x33d70f3fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000033d7100000 | 0x33d7100000 | 0x33d7124fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000033d7150000 | 0x33d7150000 | 0x33d715ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000033d7160000 | 0x33d7160000 | 0x33d7250fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000033d7260000 | 0x33d7260000 | 0x33d735ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000033d7360000 | 0x33d7360000 | 0x33d7459fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x33d7360000 | 0x33d7634fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000033d7640000 | 0x33d7640000 | 0x33d7b31fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| staticcache.dat | 0x33d7b40000 | 0x33d89affff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000033d89b0000 | 0x33d89b0000 | 0x33d8bc7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| imageres.dll | 0x33d8bd0000 | 0x33dba65fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000033dba70000 | 0x33dba70000 | 0x33dbe6bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff757680000 | 0x7ff757680000 | 0x7ff75777ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff757780000 | 0x7ff757780000 | 0x7ff7577a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff7577ac000 | 0x7ff7577ac000 | 0x7ff7577acfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7577ae000 | 0x7ff7577ae000 | 0x7ff7577affff | Private Memory | Readable, Writable |
|
|
|
- |
| sous.exe | 0x7ff757f40000 | 0x7ff758041fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffb117b0000 | 0x7ffb117b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmmbase.dll | 0x7ffb133a0000 | 0x7ffb133c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmm.dll | 0x7ffb13500000 | 0x7ffb1351efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wsock32.dll | 0x7ffb142a0000 | 0x7ffb142a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x7ffb15750000 | 0x7ffb1576afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x7ffb15770000 | 0x7ffb15a18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x7ffb15a20000 | 0x7ffb15c4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x7ffb16750000 | 0x7ffb16759fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x7ffb16760000 | 0x7ffb16788fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x7ffb170e0000 | 0x7ffb170f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x7ffb17120000 | 0x7ffb17134fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7ffb18f20000 | 0x7ffb19179fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x7ffb19210000 | 0x7ffb1922ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x7ffb193e0000 | 0x7ffb1947efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7ffb197a0000 | 0x7ffb198c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7ffb198d0000 | 0x7ffb198f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ffb19920000 | 0x7ffb19929fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x7ffb19d00000 | 0x7ffb19d0bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ffb19f50000 | 0x7ffb19f84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7ffb1a060000 | 0x7ffb1a07efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ffb1a310000 | 0x7ffb1a32dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ffb1a540000 | 0x7ffb1a565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x7ffb1a7d0000 | 0x7ffb1a7f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffb1a860000 | 0x7ffb1a8bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffb1a9c0000 | 0x7ffb1a9c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ffb1aa50000 | 0x7ffb1aa63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7ffb1ad50000 | 0x7ffb1ad99fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffb1af60000 | 0x7ffb1b006fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ffb1b010000 | 0x7ffb1b067fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ffb1b070000 | 0x7ffb1b126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ffb1b280000 | 0x7ffb1b288fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ffb1b290000 | 0x7ffb1b407fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffb1b410000 | 0x7ffb1b580fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7ffb1b590000 | 0x7ffb1b6c8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ffb1b870000 | 0x7ffb1ba45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffb1ba50000 | 0x7ffb1baa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7ffb1bac0000 | 0x7ffb1ced6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x7ffb1cee0000 | 0x7ffb1cee6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffb1cef0000 | 0x7ffb1cf94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7ffb1d230000 | 0x7ffb1d280fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ffb1d2f0000 | 0x7ffb1d323fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comdlg32.dll | 0x7ffb1d3b0000 | 0x7ffb1d449fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffb1d450000 | 0x7ffb1d594fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffb1d5a0000 | 0x7ffb1d6d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Host Behavior
File (28)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\Desktop\sous.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\log.txt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
2 | |
| Create | C:\PROGRA~1\COMMON~1\1365363213 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\31236356313123635631 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\3123635631 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Get Info | C:\Users\5JGHKO~1\Desktop\sous.exe | type = file_type |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | type = file_type |
|
1 | |
| Get Info | C:\ | type = file_attributes |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 14357 |
|
4 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 0 |
|
2 | |
| Read | C:\PROGRA~1\COMMON~1\1365363213 | size = 65536, size_out = 27 |
|
2 | |
| Read | C:\PROGRA~1\COMMON~1\1365363213 | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\31236356313123635631 | size = 65536, size_out = 16 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\31236356313123635631 | size = 65536, size_out = 0 |
|
1 | |
| Write | - | size = 34 |
|
1 | |
| Write | C:\PROGRA~1\COMMON~1\3123635631 | size = 4 |
|
1 | |
| Delete | C:\PROGRA~1\COMMON~1\3123635631 | - |
|
1 |
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Control Panel\Mouse | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Mouse | value_name = SwapMouseButtons, data = 48 |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\Desktop\sous.exe | os_pid = 0x7d8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL |
|
1 |
Module (70)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x7ffb1b140000 |
|
6 | |
| Load | C:\Users\5JGHKO~1\Desktop\sous.exe | base_address = 0x7ff757f40000 |
|
1 | |
| Load | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | base_address = 0x7ff757f40000 |
|
1 | |
| Load | user32.dll | base_address = 0x7ffb1b410000 |
|
1 | |
| Load | Netapi32.dll | base_address = 0x7ffb17120000 |
|
4 | |
| Load | netapi32.dll | base_address = 0x7ffb17120000 |
|
2 | |
| Load | Advapi32.dll | base_address = 0x7ffb1cef0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffb1b140000 |
|
1 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghko~1\desktop\sous.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\sous.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghko~1\desktop\sous.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\sous.exe, size = 32767 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7ffb1b1433b8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ffb1b143500 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ffb1b141704 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ffb1b1416f4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ffb1b142eb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ffb1b143010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ffb1b1f496c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ffb1b142d2c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ffb1b143560 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ffb1d732728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffb1d731198 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ffb1d733178 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ffb1b1435a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ffb1d7334d8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ffb1d7301a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ffb1d77b910 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffb1d756c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ffb1d77a7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ffb1b14dfc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ffb1b21c8c4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ffb1ae79310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ffb1b21ca44 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ffb1b142f00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ffb1b21cb20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ffb1b142ca0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ffb1b1fb6e4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ffb1b142c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ffb1b1442ac |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ffb1b142ef0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ffb1adaa7dc |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ffb1b14166c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ffb1b21d488 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffb1b21d498 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffb1b21d488 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = SendMessageW, address_out = 0x7ffb1b415080 |
|
1 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetGetJoinInformation, address_out = 0x7ffb170e19a0 |
|
2 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetApiBufferSize, address_out = 0x7ffb19d05584 |
|
2 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetApiBufferFree, address_out = 0x7ffb19d01010 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContext, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContextA, address_out = 0x7ffb1cefeb50 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptHashData, address_out = 0x7ffb1cef1a30 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDeriveKey, address_out = 0x7ffb1cf4d0a4 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptGetKeyParam, address_out = 0x7ffb1cf2675c |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDestroyKey, address_out = 0x7ffb1cefeaf0 |
|
1 |
Window (11)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | AutoIt v3 | class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | CryptoWire | class_name = AutoIt v3 GUI, wndproc_parameter = 0 |
|
1 | |
| Create | Decrypt Files | class_name = button, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | Your files has been safely encrypted | class_name = static, wndproc_parameter = 0 |
|
1 | |
| Create | Decryptionkey | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | Buy Bitcoins | class_name = button, wndproc_parameter = 0 |
|
1 | |
| Create | The only way you can recover your files is to buy a decryption key The payment method is: Bitcoins. The price is: $1000 = 0.12587388 Bitcoins When you are ready, send a message by email to wlojul@secmail.pro We will send you our BTC wallet for the transfer After confirmation we will send you the decryption key Click on the 'Buy decryption key' button. | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | - | - |
|
1 | |
| Create | - | - |
|
1 |
Keyboard (32)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
14 | |
| Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
16 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
2 |
System (85)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 769, y_out = 507 |
|
2 | |
| Get Cursor | x_out = 542, y_out = 529 |
|
13 | |
| Get Cursor | x_out = 896, y_out = 514 |
|
5 | |
| Get Cursor | x_out = 768, y_out = 514 |
|
1 | |
| Sleep | duration = 750 milliseconds (0.750 seconds) |
|
4 | |
| Sleep | duration = 40 milliseconds (0.040 seconds) |
|
1 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
44 | |
| Get Time | type = System Time, time = 2018-04-13 00:36:13 (UTC) |
|
13 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Environment (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = USERPROFILE, result_out = C:\Users\5JgHKoaOfdp |
|
1 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\5jghko~1\desktop\sous.exe | - |
|
1 |
Process #26: sous.exe
180
0
| Information | Value |
|---|---|
| ID | #26 |
| File Name | c:\users\5jghko~1\desktop\sous.exe |
| Command Line | C:\Users\5JGHKO~1\Desktop\sous.exe |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:30, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7d8 |
| Parent PID | 0x4ec (c:\users\5jghko~1\desktop\sous.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8B4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x0000008a54010000 | 0x8a54010000 | 0x8a5402ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008a54010000 | 0x8a54010000 | 0x8a5401ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008a54020000 | 0x8a54020000 | 0x8a54026fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008a54030000 | 0x8a54030000 | 0x8a5403efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000008a54040000 | 0x8a54040000 | 0x8a5443ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008a54440000 | 0x8a54440000 | 0x8a54443fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000008a54450000 | 0x8a54450000 | 0x8a54451fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000008a54460000 | 0x8a54460000 | 0x8a54461fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x8a54470000 | 0x8a544edfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000008a544f0000 | 0x8a544f0000 | 0x8a544f6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008a54500000 | 0x8a54500000 | 0x8a54500fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008a54510000 | 0x8a54510000 | 0x8a54510fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008a54520000 | 0x8a54520000 | 0x8a54520fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000008a54520000 | 0x8a54520000 | 0x8a54523fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000008a54530000 | 0x8a54530000 | 0x8a54531fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000008a54540000 | 0x8a54540000 | 0x8a5493ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008a54940000 | 0x8a54940000 | 0x8a54ac7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000008a54ad0000 | 0x8a54ad0000 | 0x8a54ad6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008a54ae0000 | 0x8a54ae0000 | 0x8a54ae0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008a54af0000 | 0x8a54af0000 | 0x8a54af0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008a54b00000 | 0x8a54b00000 | 0x8a54b00fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008a54b10000 | 0x8a54b10000 | 0x8a54b10fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000008a54b10000 | 0x8a54b10000 | 0x8a54b12fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000008a54b20000 | 0x8a54b20000 | 0x8a54b20fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008a54b30000 | 0x8a54b30000 | 0x8a54b3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008a54b40000 | 0x8a54b40000 | 0x8a54cc0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000008a54cd0000 | 0x8a54cd0000 | 0x8a560cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| rpcss.dll | 0x8a560d0000 | 0x8a56187fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000008a560d0000 | 0x8a560d0000 | 0x8a561c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000008a561e0000 | 0x8a561e0000 | 0x8a561effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008a561f0000 | 0x8a561f0000 | 0x8a562effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008a562f0000 | 0x8a562f0000 | 0x8a563e9fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x8a562f0000 | 0x8a565c4fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000008a565d0000 | 0x8a565d0000 | 0x8a56ac1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| staticcache.dat | 0x8a56ad0000 | 0x8a5793ffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000008a57940000 | 0x8a57940000 | 0x8a57b57fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| imageres.dll | 0x8a57b60000 | 0x8a5a9f5fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000008a5aa00000 | 0x8a5aa00000 | 0x8a5adfbfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000008a5ae00000 | 0x8a5ae00000 | 0x8a5ae43fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008a5ae50000 | 0x8a5ae50000 | 0x8a5ae74fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff757a30000 | 0x7ff757a30000 | 0x7ff757b2ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff757b30000 | 0x7ff757b30000 | 0x7ff757b52fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff757b5c000 | 0x7ff757b5c000 | 0x7ff757b5dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff757b5e000 | 0x7ff757b5e000 | 0x7ff757b5efff | Private Memory | Readable, Writable |
|
|
|
- |
| sous.exe | 0x7ff757f40000 | 0x7ff758041fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffb117b0000 | 0x7ffb117b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmmbase.dll | 0x7ffb133a0000 | 0x7ffb133c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmm.dll | 0x7ffb13500000 | 0x7ffb1351efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wsock32.dll | 0x7ffb142a0000 | 0x7ffb142a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x7ffb15750000 | 0x7ffb1576afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x7ffb15770000 | 0x7ffb15a18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x7ffb15a20000 | 0x7ffb15c4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x7ffb16750000 | 0x7ffb16759fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x7ffb16760000 | 0x7ffb16788fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x7ffb170e0000 | 0x7ffb170f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x7ffb17120000 | 0x7ffb17134fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7ffb18f20000 | 0x7ffb19179fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x7ffb19210000 | 0x7ffb1922ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x7ffb193e0000 | 0x7ffb1947efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7ffb197a0000 | 0x7ffb198c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7ffb198d0000 | 0x7ffb198f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ffb19920000 | 0x7ffb19929fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x7ffb19d00000 | 0x7ffb19d0bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ffb19f50000 | 0x7ffb19f84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7ffb1a060000 | 0x7ffb1a07efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ffb1a310000 | 0x7ffb1a32dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ffb1a540000 | 0x7ffb1a565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x7ffb1a7d0000 | 0x7ffb1a7f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffb1a860000 | 0x7ffb1a8bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffb1a9c0000 | 0x7ffb1a9c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ffb1aa50000 | 0x7ffb1aa63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7ffb1ad50000 | 0x7ffb1ad99fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffb1af60000 | 0x7ffb1b006fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ffb1b010000 | 0x7ffb1b067fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ffb1b070000 | 0x7ffb1b126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ffb1b280000 | 0x7ffb1b288fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ffb1b290000 | 0x7ffb1b407fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffb1b410000 | 0x7ffb1b580fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7ffb1b590000 | 0x7ffb1b6c8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ffb1b870000 | 0x7ffb1ba45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffb1ba50000 | 0x7ffb1baa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7ffb1bac0000 | 0x7ffb1ced6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x7ffb1cee0000 | 0x7ffb1cee6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffb1cef0000 | 0x7ffb1cf94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7ffb1d230000 | 0x7ffb1d280fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ffb1d2f0000 | 0x7ffb1d323fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comdlg32.dll | 0x7ffb1d3b0000 | 0x7ffb1d449fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffb1d450000 | 0x7ffb1d594fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffb1d5a0000 | 0x7ffb1d6d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Host Behavior
File (28)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\Desktop\sous.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\log.txt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
2 | |
| Create | C:\PROGRA~1\COMMON~1\1365363213 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\31236356313123635631 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\3123635631 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Get Info | C:\Users\5JGHKO~1\Desktop\sous.exe | type = file_type |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | type = file_type |
|
1 | |
| Get Info | C:\ | type = file_attributes |
|
1 | |
| Get Info | C:\PROGRA~1\COMMON~1\ | type = file_attributes |
|
1 | |
| Get Info | C:\PROGRA~1\COMMON~1\3123635631 | type = file_attributes |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 14357 |
|
4 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 0 |
|
2 | |
| Read | C:\PROGRA~1\COMMON~1\1365363213 | size = 65536, size_out = 27 |
|
2 | |
| Read | C:\PROGRA~1\COMMON~1\1365363213 | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\31236356313123635631 | size = 65536, size_out = 16 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\31236356313123635631 | size = 65536, size_out = 0 |
|
1 | |
| Delete | C:\PROGRA~1\COMMON~1\3123635631 | - |
|
1 |
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Control Panel\Mouse | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Mouse | value_name = SwapMouseButtons, data = 48 |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\Desktop\sous.exe | os_pid = 0x768, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL |
|
1 |
Module (68)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x7ffb1b140000 |
|
6 | |
| Load | C:\Users\5JGHKO~1\Desktop\sous.exe | base_address = 0x7ff757f40000 |
|
1 | |
| Load | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | base_address = 0x7ff757f40000 |
|
1 | |
| Load | user32.dll | base_address = 0x7ffb1b410000 |
|
1 | |
| Load | Netapi32.dll | base_address = 0x7ffb17120000 |
|
4 | |
| Load | netapi32.dll | base_address = 0x7ffb17120000 |
|
2 | |
| Load | Advapi32.dll | base_address = 0x7ffb1cef0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffb1b140000 |
|
1 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghko~1\desktop\sous.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\sous.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghko~1\desktop\sous.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\sous.exe, size = 32767 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7ffb1b1433b8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ffb1b143500 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ffb1b141704 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ffb1b1416f4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ffb1b142eb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ffb1b143010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ffb1b1f496c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ffb1b142d2c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ffb1b143560 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ffb1d732728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffb1d731198 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ffb1d733178 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ffb1b1435a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ffb1d7334d8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ffb1d7301a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ffb1d77b910 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffb1d756c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ffb1d77a7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ffb1b14dfc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ffb1b21c8c4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ffb1ae79310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ffb1b21ca44 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ffb1b142f00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ffb1b21cb20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ffb1b142ca0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ffb1b1fb6e4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ffb1b142c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ffb1b1442ac |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ffb1b142ef0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ffb1adaa7dc |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ffb1b14166c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ffb1b21d488 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffb1b21d498 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffb1b21d488 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = SendMessageW, address_out = 0x7ffb1b415080 |
|
1 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetGetJoinInformation, address_out = 0x7ffb170e19a0 |
|
2 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetApiBufferSize, address_out = 0x7ffb19d05584 |
|
2 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetApiBufferFree, address_out = 0x7ffb19d01010 |
|
2 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContext, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContextA, address_out = 0x7ffb1cefeb50 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptGetKeyParam, address_out = 0x7ffb1cf2675c |
|
1 |
Window (11)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | AutoIt v3 | class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | CryptoWire | class_name = AutoIt v3 GUI, wndproc_parameter = 0 |
|
1 | |
| Create | Decrypt Files | class_name = button, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | Your files has been safely encrypted | class_name = static, wndproc_parameter = 0 |
|
1 | |
| Create | Decryptionkey | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | Buy Bitcoins | class_name = button, wndproc_parameter = 0 |
|
1 | |
| Create | The only way you can recover your files is to buy a decryption key The payment method is: Bitcoins. The price is: $1000 = 0.12587388 Bitcoins When you are ready, send a message by email to wlojul@secmail.pro We will send you our BTC wallet for the transfer After confirmation we will send you the decryption key Click on the 'Buy decryption key' button. | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | - | - |
|
1 | |
| Create | - | - |
|
1 |
Keyboard (14)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
4 | |
| Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
7 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
3 |
System (49)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 768, y_out = 514 |
|
2 | |
| Get Cursor | x_out = 554, y_out = 536 |
|
4 | |
| Get Cursor | x_out = 888, y_out = 512 |
|
4 | |
| Get Cursor | x_out = 782, y_out = 503 |
|
2 | |
| Sleep | duration = 750 milliseconds (0.750 seconds) |
|
4 | |
| Sleep | duration = 40 milliseconds (0.040 seconds) |
|
1 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
17 | |
| Get Time | type = System Time, time = 2018-04-13 00:36:17 (UTC) |
|
13 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Environment (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = USERPROFILE, result_out = C:\Users\5JgHKoaOfdp |
|
1 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\5jghko~1\desktop\sous.exe | - |
|
1 |
Process #27: sous.exe
204
0
| Information | Value |
|---|---|
| ID | #27 |
| File Name | c:\users\5jghko~1\desktop\sous.exe |
| Command Line | C:\Users\5JGHKO~1\Desktop\sous.exe |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:33, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x768 |
| Parent PID | 0x7d8 (c:\users\5jghko~1\desktop\sous.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9F0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000d8a6d00000 | 0xd8a6d00000 | 0xd8a6d1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000d8a6d00000 | 0xd8a6d00000 | 0xd8a6d0ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000d8a6d10000 | 0xd8a6d10000 | 0xd8a6d16fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000d8a6d20000 | 0xd8a6d20000 | 0xd8a6d2efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000d8a6d30000 | 0xd8a6d30000 | 0xd8a712ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000d8a7130000 | 0xd8a7130000 | 0xd8a7133fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000d8a7140000 | 0xd8a7140000 | 0xd8a7141fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000d8a7150000 | 0xd8a7150000 | 0xd8a7151fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000d8a7160000 | 0xd8a7160000 | 0xd8a716ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000d8a7170000 | 0xd8a7170000 | 0xd8a7176fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000d8a7180000 | 0xd8a7180000 | 0xd8a7180fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000d8a7190000 | 0xd8a7190000 | 0xd8a7190fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000d8a71a0000 | 0xd8a71a0000 | 0xd8a71affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000d8a71b0000 | 0xd8a71b0000 | 0xd8a71b1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000d8a71c0000 | 0xd8a71c0000 | 0xd8a75bffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0xd8a75c0000 | 0xd8a763dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000d8a7640000 | 0xd8a7640000 | 0xd8a77c7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000d8a77d0000 | 0xd8a77d0000 | 0xd8a7950fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000d8a7960000 | 0xd8a7960000 | 0xd8a8d5ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| rpcss.dll | 0xd8a8d60000 | 0xd8a8e17fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000d8a8d60000 | 0xd8a8d60000 | 0xd8a8d60fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000d8a8d60000 | 0xd8a8d60000 | 0xd8a8e50fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000d8a8e60000 | 0xd8a8e60000 | 0xd8a8e63fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000d8a8e70000 | 0xd8a8e70000 | 0xd8a8e76fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000d8a8e80000 | 0xd8a8e80000 | 0xd8a8f7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000d8a8f80000 | 0xd8a8f80000 | 0xd8a9079fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000d8a8f80000 | 0xd8a8f80000 | 0xd8a8f80fff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0xd8a8f90000 | 0xd8a9264fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000d8a9270000 | 0xd8a9270000 | 0xd8a9270fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000d8a9280000 | 0xd8a9280000 | 0xd8a9280fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000d8a9290000 | 0xd8a9290000 | 0xd8a9781fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| staticcache.dat | 0xd8a9790000 | 0xd8aa5fffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000d8aa600000 | 0xd8aa600000 | 0xd8aa817fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000d8aa820000 | 0xd8aa820000 | 0xd8aa820fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| imageres.dll | 0xd8aa820000 | 0xd8ad6b5fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000d8ad6c0000 | 0xd8ad6c0000 | 0xd8ad6c2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000d8ad6d0000 | 0xd8ad6d0000 | 0xd8ad6d0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000d8ad6e0000 | 0xd8ad6e0000 | 0xd8adadbfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000d8adae0000 | 0xd8adae0000 | 0xd8adb23fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000d8adb30000 | 0xd8adb30000 | 0xd8adb54fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff757750000 | 0x7ff757750000 | 0x7ff75784ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff757850000 | 0x7ff757850000 | 0x7ff757872fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff757874000 | 0x7ff757874000 | 0x7ff757874fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff75787e000 | 0x7ff75787e000 | 0x7ff75787ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sous.exe | 0x7ff757f40000 | 0x7ff758041fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffb117b0000 | 0x7ffb117b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmmbase.dll | 0x7ffb133a0000 | 0x7ffb133c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmm.dll | 0x7ffb13500000 | 0x7ffb1351efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wsock32.dll | 0x7ffb142a0000 | 0x7ffb142a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x7ffb15750000 | 0x7ffb1576afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x7ffb15770000 | 0x7ffb15a18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x7ffb15a20000 | 0x7ffb15c4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x7ffb16750000 | 0x7ffb16759fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x7ffb16760000 | 0x7ffb16788fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x7ffb170e0000 | 0x7ffb170f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x7ffb17120000 | 0x7ffb17134fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7ffb18f20000 | 0x7ffb19179fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x7ffb19210000 | 0x7ffb1922ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x7ffb193e0000 | 0x7ffb1947efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7ffb197a0000 | 0x7ffb198c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7ffb198d0000 | 0x7ffb198f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ffb19920000 | 0x7ffb19929fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x7ffb19d00000 | 0x7ffb19d0bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ffb19f50000 | 0x7ffb19f84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7ffb1a060000 | 0x7ffb1a07efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ffb1a310000 | 0x7ffb1a32dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ffb1a540000 | 0x7ffb1a565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x7ffb1a7d0000 | 0x7ffb1a7f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffb1a860000 | 0x7ffb1a8bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffb1a9c0000 | 0x7ffb1a9c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ffb1aa50000 | 0x7ffb1aa63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7ffb1ad50000 | 0x7ffb1ad99fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffb1af60000 | 0x7ffb1b006fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ffb1b010000 | 0x7ffb1b067fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ffb1b070000 | 0x7ffb1b126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ffb1b280000 | 0x7ffb1b288fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ffb1b290000 | 0x7ffb1b407fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffb1b410000 | 0x7ffb1b580fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7ffb1b590000 | 0x7ffb1b6c8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ffb1b870000 | 0x7ffb1ba45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffb1ba50000 | 0x7ffb1baa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7ffb1bac0000 | 0x7ffb1ced6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x7ffb1cee0000 | 0x7ffb1cee6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffb1cef0000 | 0x7ffb1cf94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7ffb1d230000 | 0x7ffb1d280fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ffb1d2f0000 | 0x7ffb1d323fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comdlg32.dll | 0x7ffb1d3b0000 | 0x7ffb1d449fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffb1d450000 | 0x7ffb1d594fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffb1d5a0000 | 0x7ffb1d6d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Host Behavior
File (28)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\Desktop\sous.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\log.txt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
2 | |
| Create | C:\PROGRA~1\COMMON~1\1365363213 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\31236356313123635631 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\3123635631 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Get Info | C:\Users\5JGHKO~1\Desktop\sous.exe | type = file_type |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | type = file_type |
|
1 | |
| Get Info | C:\ | type = file_attributes |
|
1 | |
| Get Info | C:\PROGRA~1\COMMON~1\ | type = file_attributes |
|
1 | |
| Get Info | C:\PROGRA~1\COMMON~1\3123635631 | type = file_attributes |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 14357 |
|
4 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 0 |
|
2 | |
| Read | C:\PROGRA~1\COMMON~1\1365363213 | size = 65536, size_out = 27 |
|
2 | |
| Read | C:\PROGRA~1\COMMON~1\1365363213 | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\31236356313123635631 | size = 65536, size_out = 16 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\31236356313123635631 | size = 65536, size_out = 0 |
|
1 | |
| Delete | C:\PROGRA~1\COMMON~1\3123635631 | - |
|
1 |
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Control Panel\Mouse | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Mouse | value_name = SwapMouseButtons, data = 48 |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\Desktop\sous.exe | os_pid = 0xa5c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL |
|
1 |
Module (68)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x7ffb1b140000 |
|
6 | |
| Load | C:\Users\5JGHKO~1\Desktop\sous.exe | base_address = 0x7ff757f40000 |
|
1 | |
| Load | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | base_address = 0x7ff757f40000 |
|
1 | |
| Load | user32.dll | base_address = 0x7ffb1b410000 |
|
1 | |
| Load | Netapi32.dll | base_address = 0x7ffb17120000 |
|
4 | |
| Load | netapi32.dll | base_address = 0x7ffb17120000 |
|
2 | |
| Load | Advapi32.dll | base_address = 0x7ffb1cef0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffb1b140000 |
|
1 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghko~1\desktop\sous.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\sous.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghko~1\desktop\sous.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\sous.exe, size = 32767 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7ffb1b1433b8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ffb1b143500 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ffb1b141704 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ffb1b1416f4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ffb1b142eb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ffb1b143010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ffb1b1f496c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ffb1b142d2c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ffb1b143560 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ffb1d732728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffb1d731198 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ffb1d733178 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ffb1b1435a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ffb1d7334d8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ffb1d7301a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ffb1d77b910 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffb1d756c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ffb1d77a7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ffb1b14dfc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ffb1b21c8c4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ffb1ae79310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ffb1b21ca44 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ffb1b142f00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ffb1b21cb20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ffb1b142ca0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ffb1b1fb6e4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ffb1b142c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ffb1b1442ac |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ffb1b142ef0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ffb1adaa7dc |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ffb1b14166c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ffb1b21d488 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffb1b21d498 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffb1b21d488 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = SendMessageW, address_out = 0x7ffb1b415080 |
|
1 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetGetJoinInformation, address_out = 0x7ffb170e19a0 |
|
2 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetApiBufferSize, address_out = 0x7ffb19d05584 |
|
2 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetApiBufferFree, address_out = 0x7ffb19d01010 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContext, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContextA, address_out = 0x7ffb1cefeb50 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptCreateHash, address_out = 0x7ffb1cef1a20 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptGetKeyParam, address_out = 0x7ffb1cf2675c |
|
1 |
Window (11)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | AutoIt v3 | class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | CryptoWire | class_name = AutoIt v3 GUI, wndproc_parameter = 0 |
|
1 | |
| Create | Decrypt Files | class_name = button, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | Your files has been safely encrypted | class_name = static, wndproc_parameter = 0 |
|
1 | |
| Create | Decryptionkey | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | Buy Bitcoins | class_name = button, wndproc_parameter = 0 |
|
1 | |
| Create | The only way you can recover your files is to buy a decryption key The payment method is: Bitcoins. The price is: $1000 = 0.12587388 Bitcoins When you are ready, send a message by email to wlojul@secmail.pro We will send you our BTC wallet for the transfer After confirmation we will send you the decryption key Click on the 'Buy decryption key' button. | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | - | - |
|
1 | |
| Create | - | - |
|
1 |
Keyboard (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
7 | |
| Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
10 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
3 |
System (67)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 782, y_out = 503 |
|
3 | |
| Get Cursor | x_out = 560, y_out = 532 |
|
5 | |
| Get Cursor | x_out = 886, y_out = 514 |
|
5 | |
| Get Cursor | x_out = 794, y_out = 515 |
|
2 | |
| Sleep | duration = 750 milliseconds (0.750 seconds) |
|
4 | |
| Sleep | duration = 40 milliseconds (0.040 seconds) |
|
1 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
32 | |
| Get Time | type = System Time, time = 2018-04-13 00:36:20 (UTC) |
|
13 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Environment (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = USERPROFILE, result_out = C:\Users\5JgHKoaOfdp |
|
1 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\5jghko~1\desktop\sous.exe | - |
|
1 |
Process #28: sous.exe
187
0
| Information | Value |
|---|---|
| ID | #28 |
| File Name | c:\users\5jghko~1\desktop\sous.exe |
| Command Line | C:\Users\5JGHKO~1\Desktop\sous.exe |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:36, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:58 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa5c |
| Parent PID | 0x768 (c:\users\5jghko~1\desktop\sous.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9E4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000d854430000 | 0xd854430000 | 0xd85444ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000d854430000 | 0xd854430000 | 0xd85443ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000d854440000 | 0xd854440000 | 0xd854446fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000d854450000 | 0xd854450000 | 0xd85445efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000d854460000 | 0xd854460000 | 0xd85485ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000d854860000 | 0xd854860000 | 0xd854863fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000d854870000 | 0xd854870000 | 0xd854871fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000d854880000 | 0xd854880000 | 0xd854881fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000d854890000 | 0xd854890000 | 0xd854896fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000d8548a0000 | 0xd8548a0000 | 0xd8548a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000d8548b0000 | 0xd8548b0000 | 0xd854caffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0xd854cb0000 | 0xd854d2dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000d854d30000 | 0xd854d30000 | 0xd854eb7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000d854ec0000 | 0xd854ec0000 | 0xd854ec0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000d854ed0000 | 0xd854ed0000 | 0xd854edffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000d854ee0000 | 0xd854ee0000 | 0xd855060fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000d855070000 | 0xd855070000 | 0xd85646ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000d856470000 | 0xd856470000 | 0xd856470fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000d856470000 | 0xd856470000 | 0xd856473fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000d856480000 | 0xd856480000 | 0xd856481fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| rpcss.dll | 0xd856490000 | 0xd856547fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000d856490000 | 0xd856490000 | 0xd856580fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000d856590000 | 0xd856590000 | 0xd856596fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000d8565a0000 | 0xd8565a0000 | 0xd8565a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000d8565b0000 | 0xd8565b0000 | 0xd8565b0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000d8565c0000 | 0xd8565c0000 | 0xd8565c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000d8565d0000 | 0xd8565d0000 | 0xd8565d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000d8565d0000 | 0xd8565d0000 | 0xd8565d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000d8565e0000 | 0xd8565e0000 | 0xd8565e0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000d8565f0000 | 0xd8565f0000 | 0xd856633fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000d856640000 | 0xd856640000 | 0xd856664fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000d856680000 | 0xd856680000 | 0xd85668ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000d856690000 | 0xd856690000 | 0xd85678ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000d856790000 | 0xd856790000 | 0xd856889fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0xd856790000 | 0xd856a64fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000d856a70000 | 0xd856a70000 | 0xd856f61fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| staticcache.dat | 0xd856f70000 | 0xd857ddffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000d857de0000 | 0xd857de0000 | 0xd857ff7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| imageres.dll | 0xd858000000 | 0xd85ae95fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000d85aea0000 | 0xd85aea0000 | 0xd85b29bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff7579c0000 | 0x7ff7579c0000 | 0x7ff757abffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff757ac0000 | 0x7ff757ac0000 | 0x7ff757ae2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff757aec000 | 0x7ff757aec000 | 0x7ff757aecfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff757aee000 | 0x7ff757aee000 | 0x7ff757aeffff | Private Memory | Readable, Writable |
|
|
|
- |
| sous.exe | 0x7ff757f40000 | 0x7ff758041fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffb117b0000 | 0x7ffb117b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmmbase.dll | 0x7ffb133a0000 | 0x7ffb133c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmm.dll | 0x7ffb13500000 | 0x7ffb1351efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wsock32.dll | 0x7ffb142a0000 | 0x7ffb142a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x7ffb15750000 | 0x7ffb1576afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x7ffb15770000 | 0x7ffb15a18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x7ffb15a20000 | 0x7ffb15c4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x7ffb16750000 | 0x7ffb16759fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x7ffb16760000 | 0x7ffb16788fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x7ffb170e0000 | 0x7ffb170f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x7ffb17120000 | 0x7ffb17134fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7ffb18f20000 | 0x7ffb19179fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x7ffb19210000 | 0x7ffb1922ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x7ffb193e0000 | 0x7ffb1947efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7ffb197a0000 | 0x7ffb198c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7ffb198d0000 | 0x7ffb198f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ffb19920000 | 0x7ffb19929fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x7ffb19d00000 | 0x7ffb19d0bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ffb19f50000 | 0x7ffb19f84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7ffb1a060000 | 0x7ffb1a07efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ffb1a310000 | 0x7ffb1a32dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ffb1a540000 | 0x7ffb1a565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x7ffb1a7d0000 | 0x7ffb1a7f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffb1a860000 | 0x7ffb1a8bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffb1a9c0000 | 0x7ffb1a9c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ffb1aa50000 | 0x7ffb1aa63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7ffb1ad50000 | 0x7ffb1ad99fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffb1af60000 | 0x7ffb1b006fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ffb1b010000 | 0x7ffb1b067fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ffb1b070000 | 0x7ffb1b126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ffb1b280000 | 0x7ffb1b288fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ffb1b290000 | 0x7ffb1b407fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffb1b410000 | 0x7ffb1b580fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7ffb1b590000 | 0x7ffb1b6c8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ffb1b870000 | 0x7ffb1ba45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffb1ba50000 | 0x7ffb1baa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7ffb1bac0000 | 0x7ffb1ced6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x7ffb1cee0000 | 0x7ffb1cee6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffb1cef0000 | 0x7ffb1cf94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7ffb1d230000 | 0x7ffb1d280fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ffb1d2f0000 | 0x7ffb1d323fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comdlg32.dll | 0x7ffb1d3b0000 | 0x7ffb1d449fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffb1d450000 | 0x7ffb1d594fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffb1d5a0000 | 0x7ffb1d6d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Host Behavior
File (28)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\Desktop\sous.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\log.txt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
2 | |
| Create | C:\PROGRA~1\COMMON~1\1365363213 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\31236356313123635631 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\3123635631 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Get Info | C:\Users\5JGHKO~1\Desktop\sous.exe | type = file_type |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | type = file_type |
|
1 | |
| Get Info | C:\ | type = file_attributes |
|
1 | |
| Get Info | C:\PROGRA~1\COMMON~1\ | type = file_attributes |
|
1 | |
| Get Info | C:\PROGRA~1\COMMON~1\3123635631 | type = file_attributes |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 14357 |
|
4 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 0 |
|
2 | |
| Read | C:\PROGRA~1\COMMON~1\1365363213 | size = 65536, size_out = 27 |
|
2 | |
| Read | C:\PROGRA~1\COMMON~1\1365363213 | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\31236356313123635631 | size = 65536, size_out = 16 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\31236356313123635631 | size = 65536, size_out = 0 |
|
1 | |
| Delete | C:\PROGRA~1\COMMON~1\3123635631 | - |
|
1 |
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Control Panel\Mouse | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Mouse | value_name = SwapMouseButtons, data = 48 |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\Desktop\sous.exe | os_pid = 0xa2c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL |
|
1 |
Module (66)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x7ffb1b140000 |
|
6 | |
| Load | C:\Users\5JGHKO~1\Desktop\sous.exe | base_address = 0x7ff757f40000 |
|
1 | |
| Load | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | base_address = 0x7ff757f40000 |
|
1 | |
| Load | user32.dll | base_address = 0x7ffb1b410000 |
|
1 | |
| Load | Netapi32.dll | base_address = 0x7ffb17120000 |
|
4 | |
| Load | netapi32.dll | base_address = 0x7ffb17120000 |
|
2 | |
| Load | Advapi32.dll | base_address = 0x7ffb1cef0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffb1b140000 |
|
1 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghko~1\desktop\sous.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\sous.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghko~1\desktop\sous.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\sous.exe, size = 32767 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7ffb1b1433b8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ffb1b143500 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ffb1b141704 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ffb1b1416f4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ffb1b142eb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ffb1b143010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ffb1b1f496c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ffb1b142d2c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ffb1b143560 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ffb1d732728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffb1d731198 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ffb1d733178 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ffb1b1435a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ffb1d7334d8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ffb1d7301a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ffb1d77b910 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffb1d756c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ffb1d77a7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ffb1b14dfc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ffb1b21c8c4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ffb1ae79310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ffb1b21ca44 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ffb1b142f00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ffb1b21cb20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ffb1b142ca0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ffb1b1fb6e4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ffb1b142c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ffb1b1442ac |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ffb1b142ef0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ffb1adaa7dc |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ffb1b14166c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ffb1b21d488 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffb1b21d498 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffb1b21d488 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = SendMessageW, address_out = 0x7ffb1b415080 |
|
1 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetGetJoinInformation, address_out = 0x7ffb170e19a0 |
|
2 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetApiBufferSize, address_out = 0x7ffb19d05584 |
|
2 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetApiBufferFree, address_out = 0x7ffb19d01010 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContext, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContextA, address_out = 0x7ffb1cefeb50 |
|
1 |
Window (11)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | AutoIt v3 | class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | CryptoWire | class_name = AutoIt v3 GUI, wndproc_parameter = 0 |
|
1 | |
| Create | Decrypt Files | class_name = button, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | Your files has been safely encrypted | class_name = static, wndproc_parameter = 0 |
|
1 | |
| Create | Decryptionkey | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | Buy Bitcoins | class_name = button, wndproc_parameter = 0 |
|
1 | |
| Create | The only way you can recover your files is to buy a decryption key The payment method is: Bitcoins. The price is: $1000 = 0.12587388 Bitcoins When you are ready, send a message by email to wlojul@secmail.pro We will send you our BTC wallet for the transfer After confirmation we will send you the decryption key Click on the 'Buy decryption key' button. | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | - | - |
|
1 | |
| Create | - | - |
|
1 |
Keyboard (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
7 | |
| Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
10 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
3 |
System (52)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 794, y_out = 515 |
|
3 | |
| Get Cursor | x_out = 532, y_out = 529 |
|
5 | |
| Get Cursor | x_out = 876, y_out = 505 |
|
5 | |
| Get Cursor | x_out = 784, y_out = 513 |
|
2 | |
| Sleep | duration = 750 milliseconds (0.750 seconds) |
|
4 | |
| Sleep | duration = 40 milliseconds (0.040 seconds) |
|
1 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
17 | |
| Get Time | type = System Time, time = 2018-04-13 00:36:23 (UTC) |
|
13 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Environment (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = USERPROFILE, result_out = C:\Users\5JgHKoaOfdp |
|
1 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\5jghko~1\desktop\sous.exe | - |
|
1 |
Process #29: sous.exe
195
0
| Information | Value |
|---|---|
| ID | #29 |
| File Name | c:\users\5jghko~1\desktop\sous.exe |
| Command Line | C:\Users\5JGHKO~1\Desktop\sous.exe |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:39, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa2c |
| Parent PID | 0xa5c (c:\users\5jghko~1\desktop\sous.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A54
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x0000001776470000 | 0x1776470000 | 0x177648ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000001776470000 | 0x1776470000 | 0x177647ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000001776480000 | 0x1776480000 | 0x1776486fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000001776490000 | 0x1776490000 | 0x177649efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000017764a0000 | 0x17764a0000 | 0x177689ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000017768a0000 | 0x17768a0000 | 0x17768a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000017768b0000 | 0x17768b0000 | 0x17768b1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000017768c0000 | 0x17768c0000 | 0x17768c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x17768d0000 | 0x177694dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000001776950000 | 0x1776950000 | 0x1776956fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000001776960000 | 0x1776960000 | 0x1776960fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000001776970000 | 0x1776970000 | 0x1776970fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000001776980000 | 0x1776980000 | 0x1776980fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000001776980000 | 0x1776980000 | 0x1776983fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000001776990000 | 0x1776990000 | 0x1776991fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000017769a0000 | 0x17769a0000 | 0x17769a6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000017769b0000 | 0x17769b0000 | 0x17769b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000017769c0000 | 0x17769c0000 | 0x17769c0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000017769d0000 | 0x17769d0000 | 0x17769d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000017769e0000 | 0x17769e0000 | 0x17769e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000017769e0000 | 0x17769e0000 | 0x17769e2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000017769f0000 | 0x17769f0000 | 0x17769f0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000001776a00000 | 0x1776a00000 | 0x1776a24fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000001776a40000 | 0x1776a40000 | 0x1776a4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000001776a60000 | 0x1776a60000 | 0x1776e5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| rpcss.dll | 0x1776e60000 | 0x1776f17fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000001776e60000 | 0x1776e60000 | 0x1776f50fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000001776fa0000 | 0x1776fa0000 | 0x1776faffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000001776fb0000 | 0x1776fb0000 | 0x1777137fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000001777140000 | 0x1777140000 | 0x17772c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000017772d0000 | 0x17772d0000 | 0x17786cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000017786d0000 | 0x17786d0000 | 0x17787cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000017787d0000 | 0x17787d0000 | 0x17788c9fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x17787d0000 | 0x1778aa4fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000001778ab0000 | 0x1778ab0000 | 0x1778fa1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| staticcache.dat | 0x1778fb0000 | 0x1779e1ffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000001779e20000 | 0x1779e20000 | 0x177a037fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| imageres.dll | 0x177a040000 | 0x177ced5fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000177cee0000 | 0x177cee0000 | 0x177d2dbfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000177d2e0000 | 0x177d2e0000 | 0x177d323fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff7570b0000 | 0x7ff7570b0000 | 0x7ff7571affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff7571b0000 | 0x7ff7571b0000 | 0x7ff7571d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff7571dd000 | 0x7ff7571dd000 | 0x7ff7571ddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7571de000 | 0x7ff7571de000 | 0x7ff7571dffff | Private Memory | Readable, Writable |
|
|
|
- |
| sous.exe | 0x7ff757f40000 | 0x7ff758041fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffb117b0000 | 0x7ffb117b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmmbase.dll | 0x7ffb133a0000 | 0x7ffb133c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmm.dll | 0x7ffb13500000 | 0x7ffb1351efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wsock32.dll | 0x7ffb142a0000 | 0x7ffb142a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x7ffb15750000 | 0x7ffb1576afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x7ffb15770000 | 0x7ffb15a18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x7ffb15a20000 | 0x7ffb15c4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x7ffb16750000 | 0x7ffb16759fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x7ffb16760000 | 0x7ffb16788fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x7ffb170e0000 | 0x7ffb170f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x7ffb17120000 | 0x7ffb17134fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7ffb18f20000 | 0x7ffb19179fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x7ffb19210000 | 0x7ffb1922ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x7ffb193e0000 | 0x7ffb1947efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7ffb197a0000 | 0x7ffb198c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7ffb198d0000 | 0x7ffb198f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ffb19920000 | 0x7ffb19929fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x7ffb19d00000 | 0x7ffb19d0bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ffb19f50000 | 0x7ffb19f84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7ffb1a060000 | 0x7ffb1a07efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ffb1a310000 | 0x7ffb1a32dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ffb1a540000 | 0x7ffb1a565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x7ffb1a7d0000 | 0x7ffb1a7f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffb1a860000 | 0x7ffb1a8bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffb1a9c0000 | 0x7ffb1a9c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ffb1aa50000 | 0x7ffb1aa63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7ffb1ad50000 | 0x7ffb1ad99fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffb1af60000 | 0x7ffb1b006fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ffb1b010000 | 0x7ffb1b067fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ffb1b070000 | 0x7ffb1b126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ffb1b280000 | 0x7ffb1b288fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ffb1b290000 | 0x7ffb1b407fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffb1b410000 | 0x7ffb1b580fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7ffb1b590000 | 0x7ffb1b6c8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ffb1b870000 | 0x7ffb1ba45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffb1ba50000 | 0x7ffb1baa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7ffb1bac0000 | 0x7ffb1ced6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x7ffb1cee0000 | 0x7ffb1cee6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffb1cef0000 | 0x7ffb1cf94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7ffb1d230000 | 0x7ffb1d280fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ffb1d2f0000 | 0x7ffb1d323fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comdlg32.dll | 0x7ffb1d3b0000 | 0x7ffb1d449fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffb1d450000 | 0x7ffb1d594fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffb1d5a0000 | 0x7ffb1d6d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Host Behavior
File (28)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\Desktop\sous.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\log.txt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
2 | |
| Create | C:\PROGRA~1\COMMON~1\1365363213 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\31236356313123635631 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\3123635631 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Get Info | C:\Users\5JGHKO~1\Desktop\sous.exe | type = file_type |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | type = file_type |
|
1 | |
| Get Info | C:\ | type = file_attributes |
|
1 | |
| Get Info | C:\PROGRA~1\COMMON~1\ | type = file_attributes |
|
1 | |
| Get Info | C:\PROGRA~1\COMMON~1\3123635631 | type = file_attributes |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 14357 |
|
4 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 0 |
|
2 | |
| Read | C:\PROGRA~1\COMMON~1\1365363213 | size = 65536, size_out = 27 |
|
2 | |
| Read | C:\PROGRA~1\COMMON~1\1365363213 | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\31236356313123635631 | size = 65536, size_out = 16 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\31236356313123635631 | size = 65536, size_out = 0 |
|
1 | |
| Delete | C:\PROGRA~1\COMMON~1\3123635631 | - |
|
1 |
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Control Panel\Mouse | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Mouse | value_name = SwapMouseButtons, data = 48 |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\Desktop\sous.exe | os_pid = 0xa3c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL |
|
1 |
Module (68)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x7ffb1b140000 |
|
6 | |
| Load | C:\Users\5JGHKO~1\Desktop\sous.exe | base_address = 0x7ff757f40000 |
|
1 | |
| Load | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | base_address = 0x7ff757f40000 |
|
1 | |
| Load | user32.dll | base_address = 0x7ffb1b410000 |
|
1 | |
| Load | Netapi32.dll | base_address = 0x7ffb17120000 |
|
4 | |
| Load | netapi32.dll | base_address = 0x7ffb17120000 |
|
2 | |
| Load | Advapi32.dll | base_address = 0x7ffb1cef0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffb1b140000 |
|
1 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghko~1\desktop\sous.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\sous.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghko~1\desktop\sous.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\sous.exe, size = 32767 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7ffb1b1433b8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ffb1b143500 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ffb1b141704 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ffb1b1416f4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ffb1b142eb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ffb1b143010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ffb1b1f496c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ffb1b142d2c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ffb1b143560 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ffb1d732728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffb1d731198 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ffb1d733178 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ffb1b1435a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ffb1d7334d8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ffb1d7301a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ffb1d77b910 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffb1d756c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ffb1d77a7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ffb1b14dfc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ffb1b21c8c4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ffb1ae79310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ffb1b21ca44 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ffb1b142f00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ffb1b21cb20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ffb1b142ca0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ffb1b1fb6e4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ffb1b142c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ffb1b1442ac |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ffb1b142ef0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ffb1adaa7dc |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ffb1b14166c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ffb1b21d488 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffb1b21d498 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffb1b21d488 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = SendMessageW, address_out = 0x7ffb1b415080 |
|
1 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetGetJoinInformation, address_out = 0x7ffb170e19a0 |
|
2 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetApiBufferSize, address_out = 0x7ffb19d05584 |
|
2 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetApiBufferFree, address_out = 0x7ffb19d01010 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContext, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContextA, address_out = 0x7ffb1cefeb50 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptCreateHash, address_out = 0x7ffb1cef1a20 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptGetKeyParam, address_out = 0x7ffb1cf2675c |
|
1 |
Window (11)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | AutoIt v3 | class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | CryptoWire | class_name = AutoIt v3 GUI, wndproc_parameter = 0 |
|
1 | |
| Create | Decrypt Files | class_name = button, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | Your files has been safely encrypted | class_name = static, wndproc_parameter = 0 |
|
1 | |
| Create | Decryptionkey | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | Buy Bitcoins | class_name = button, wndproc_parameter = 0 |
|
1 | |
| Create | The only way you can recover your files is to buy a decryption key The payment method is: Bitcoins. The price is: $1000 = 0.12587388 Bitcoins When you are ready, send a message by email to wlojul@secmail.pro We will send you our BTC wallet for the transfer After confirmation we will send you the decryption key Click on the 'Buy decryption key' button. | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | - | - |
|
1 | |
| Create | - | - |
|
1 |
Keyboard (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
6 | |
| Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
9 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
3 |
System (60)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 784, y_out = 513 |
|
4 | |
| Get Cursor | x_out = 555, y_out = 540 |
|
4 | |
| Get Cursor | x_out = 889, y_out = 515 |
|
4 | |
| Get Cursor | x_out = 792, y_out = 508 |
|
2 | |
| Sleep | duration = 750 milliseconds (0.750 seconds) |
|
4 | |
| Sleep | duration = 40 milliseconds (0.040 seconds) |
|
1 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
26 | |
| Get Time | type = System Time, time = 2018-04-13 00:36:26 (UTC) |
|
13 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Environment (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = USERPROFILE, result_out = C:\Users\5JgHKoaOfdp |
|
1 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\5jghko~1\desktop\sous.exe | - |
|
1 |
Process #30: sous.exe
305
0
| Information | Value |
|---|---|
| ID | #30 |
| File Name | c:\users\5jghko~1\desktop\sous.exe |
| Command Line | C:\Users\5JGHKO~1\Desktop\sous.exe |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:42, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:52 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa3c |
| Parent PID | 0xa2c (c:\users\5jghko~1\desktop\sous.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x00000009861b0000 | 0x9861b0000 | 0x9861cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000009861b0000 | 0x9861b0000 | 0x9861bffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000009861c0000 | 0x9861c0000 | 0x9861c6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000009861d0000 | 0x9861d0000 | 0x9861defff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000009861e0000 | 0x9861e0000 | 0x9865dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000009865e0000 | 0x9865e0000 | 0x9865e3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000009865f0000 | 0x9865f0000 | 0x9865f1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000986600000 | 0x986600000 | 0x986601fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x986610000 | 0x98668dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000986690000 | 0x986690000 | 0x986a8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000986a90000 | 0x986a90000 | 0x986a96fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000986aa0000 | 0x986aa0000 | 0x986aa0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000986ab0000 | 0x986ab0000 | 0x986ab0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000986ac0000 | 0x986ac0000 | 0x986ac0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000986ac0000 | 0x986ac0000 | 0x986ac3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000986ad0000 | 0x986ad0000 | 0x986ad1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| rpcss.dll | 0x986ae0000 | 0x986b97fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000986ae0000 | 0x986ae0000 | 0x986ae6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000986af0000 | 0x986af0000 | 0x986af0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000986b00000 | 0x986b00000 | 0x986b00fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000986b10000 | 0x986b10000 | 0x986b10fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000986b20000 | 0x986b20000 | 0x986b20fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000986b20000 | 0x986b20000 | 0x986b22fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000986b30000 | 0x986b30000 | 0x986b30fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000986b40000 | 0x986b40000 | 0x986b83fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000986b90000 | 0x986b90000 | 0x986bb4fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000986bc0000 | 0x986bc0000 | 0x986bcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000986c10000 | 0x986c10000 | 0x986c1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000986c20000 | 0x986c20000 | 0x986da7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000986db0000 | 0x986db0000 | 0x986f30fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000986f40000 | 0x986f40000 | 0x98833ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000988340000 | 0x988340000 | 0x988430fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000988440000 | 0x988440000 | 0x98853ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000988540000 | 0x988540000 | 0x988639fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x988540000 | 0x988814fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000988820000 | 0x988820000 | 0x988d11fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| staticcache.dat | 0x988d20000 | 0x989b8ffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000989b90000 | 0x989b90000 | 0x989da7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| imageres.dll | 0x989db0000 | 0x98cc45fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000098cc50000 | 0x98cc50000 | 0x98d04bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff757110000 | 0x7ff757110000 | 0x7ff75720ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff757210000 | 0x7ff757210000 | 0x7ff757232fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff757235000 | 0x7ff757235000 | 0x7ff757235fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff75723e000 | 0x7ff75723e000 | 0x7ff75723ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sous.exe | 0x7ff757f40000 | 0x7ff758041fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffb117b0000 | 0x7ffb117b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmmbase.dll | 0x7ffb133a0000 | 0x7ffb133c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmm.dll | 0x7ffb13500000 | 0x7ffb1351efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wsock32.dll | 0x7ffb142a0000 | 0x7ffb142a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x7ffb15750000 | 0x7ffb1576afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x7ffb15770000 | 0x7ffb15a18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x7ffb15a20000 | 0x7ffb15c4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x7ffb16750000 | 0x7ffb16759fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x7ffb16760000 | 0x7ffb16788fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x7ffb170e0000 | 0x7ffb170f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x7ffb17120000 | 0x7ffb17134fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7ffb18f20000 | 0x7ffb19179fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x7ffb19210000 | 0x7ffb1922ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x7ffb193e0000 | 0x7ffb1947efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7ffb197a0000 | 0x7ffb198c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7ffb198d0000 | 0x7ffb198f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ffb19920000 | 0x7ffb19929fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x7ffb19d00000 | 0x7ffb19d0bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ffb19f50000 | 0x7ffb19f84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7ffb1a060000 | 0x7ffb1a07efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ffb1a310000 | 0x7ffb1a32dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ffb1a540000 | 0x7ffb1a565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x7ffb1a7d0000 | 0x7ffb1a7f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffb1a860000 | 0x7ffb1a8bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffb1a9c0000 | 0x7ffb1a9c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ffb1aa50000 | 0x7ffb1aa63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7ffb1ad50000 | 0x7ffb1ad99fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffb1af60000 | 0x7ffb1b006fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ffb1b010000 | 0x7ffb1b067fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ffb1b070000 | 0x7ffb1b126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ffb1b280000 | 0x7ffb1b288fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ffb1b290000 | 0x7ffb1b407fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffb1b410000 | 0x7ffb1b580fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7ffb1b590000 | 0x7ffb1b6c8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ffb1b870000 | 0x7ffb1ba45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffb1ba50000 | 0x7ffb1baa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7ffb1bac0000 | 0x7ffb1ced6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x7ffb1cee0000 | 0x7ffb1cee6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffb1cef0000 | 0x7ffb1cf94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7ffb1d230000 | 0x7ffb1d280fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ffb1d2f0000 | 0x7ffb1d323fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comdlg32.dll | 0x7ffb1d3b0000 | 0x7ffb1d449fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffb1d450000 | 0x7ffb1d594fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffb1d5a0000 | 0x7ffb1d6d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Host Behavior
File (26)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\Desktop\sous.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\log.txt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
2 | |
| Create | C:\PROGRA~1\COMMON~1\1365363213 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\31236356313123635631 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\3123635631 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Get Info | C:\Users\5JGHKO~1\Desktop\sous.exe | type = file_type |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | type = file_type |
|
1 | |
| Get Info | C:\ | type = file_attributes |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 14357 |
|
4 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 0 |
|
2 | |
| Read | C:\PROGRA~1\COMMON~1\1365363213 | size = 65536, size_out = 27 |
|
2 | |
| Read | C:\PROGRA~1\COMMON~1\1365363213 | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\31236356313123635631 | size = 65536, size_out = 16 |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\31236356313123635631 | size = 65536, size_out = 0 |
|
1 | |
| Delete | C:\PROGRA~1\COMMON~1\3123635631 | - |
|
1 |
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Control Panel\Mouse | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Mouse | value_name = SwapMouseButtons, data = 48 |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\Desktop\sous.exe | os_pid = 0x8d0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL |
|
1 |
Module (64)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x7ffb1b140000 |
|
6 | |
| Load | C:\Users\5JGHKO~1\Desktop\sous.exe | base_address = 0x7ff757f40000 |
|
1 | |
| Load | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | base_address = 0x7ff757f40000 |
|
1 | |
| Load | user32.dll | base_address = 0x7ffb1b410000 |
|
1 | |
| Load | Netapi32.dll | base_address = 0x7ffb17120000 |
|
4 | |
| Load | netapi32.dll | base_address = 0x7ffb17120000 |
|
2 | |
| Load | Advapi32.dll | base_address = 0x7ffb1cef0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffb1b140000 |
|
1 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghko~1\desktop\sous.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\sous.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghko~1\desktop\sous.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\sous.exe, size = 32767 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7ffb1b1433b8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ffb1b143500 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ffb1b141704 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ffb1b1416f4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ffb1b142eb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ffb1b143010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ffb1b1f496c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ffb1b142d2c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ffb1b143560 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ffb1d732728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffb1d731198 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ffb1d733178 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ffb1b1435a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ffb1d7334d8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ffb1d7301a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ffb1d77b910 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffb1d756c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ffb1d77a7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ffb1b14dfc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ffb1b21c8c4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ffb1ae79310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ffb1b21ca44 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ffb1b142f00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ffb1b21cb20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ffb1b142ca0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ffb1b1fb6e4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ffb1b142c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ffb1b1442ac |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ffb1b142ef0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ffb1adaa7dc |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ffb1b14166c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ffb1b21d488 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffb1b21d498 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffb1b21d488 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = SendMessageW, address_out = 0x7ffb1b415080 |
|
1 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetGetJoinInformation, address_out = 0x7ffb170e19a0 |
|
2 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetApiBufferSize, address_out = 0x7ffb19d05584 |
|
2 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetApiBufferFree, address_out = 0x7ffb19d01010 |
|
1 |
Window (11)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | AutoIt v3 | class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | CryptoWire | class_name = AutoIt v3 GUI, wndproc_parameter = 0 |
|
1 | |
| Create | Decrypt Files | class_name = button, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | Your files has been safely encrypted | class_name = static, wndproc_parameter = 0 |
|
1 | |
| Create | Decryptionkey | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | Buy Bitcoins | class_name = button, wndproc_parameter = 0 |
|
1 | |
| Create | The only way you can recover your files is to buy a decryption key The payment method is: Bitcoins. The price is: $1000 = 0.12587388 Bitcoins When you are ready, send a message by email to wlojul@secmail.pro We will send you our BTC wallet for the transfer After confirmation we will send you the decryption key Click on the 'Buy decryption key' button. | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | - | - |
|
1 | |
| Create | - | - |
|
1 |
Keyboard (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
8 | |
| Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
10 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
2 |
System (174)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 792, y_out = 508 |
|
2 | |
| Get Cursor | x_out = 526, y_out = 536 |
|
9 | |
| Get Cursor | x_out = 874, y_out = 512 |
|
4 | |
| Get Cursor | x_out = 766, y_out = 506 |
|
2 | |
| Sleep | duration = 750 milliseconds (0.750 seconds) |
|
4 | |
| Sleep | duration = 40 milliseconds (0.040 seconds) |
|
1 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
134 | |
| Sleep | duration = 10 milliseconds (0.010 seconds) |
|
3 | |
| Get Time | type = System Time, time = 2018-04-13 00:36:29 (UTC) |
|
13 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Environment (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = USERPROFILE, result_out = C:\Users\5JgHKoaOfdp |
|
1 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\5jghko~1\desktop\sous.exe | - |
|
1 |
Process #31: sous.exe
115
0
| Information | Value |
|---|---|
| ID | #31 |
| File Name | c:\users\5jghko~1\desktop\sous.exe |
| Command Line | C:\Users\5JGHKO~1\Desktop\sous.exe |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:45, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:49 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8d0 |
| Parent PID | 0xa3c (c:\users\5jghko~1\desktop\sous.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
97C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000a8c3af0000 | 0xa8c3af0000 | 0xa8c3b0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000a8c3af0000 | 0xa8c3af0000 | 0xa8c3afffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a8c3b00000 | 0xa8c3b00000 | 0xa8c3b06fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000a8c3b10000 | 0xa8c3b10000 | 0xa8c3b1efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000a8c3b20000 | 0xa8c3b20000 | 0xa8c3f1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000a8c3f20000 | 0xa8c3f20000 | 0xa8c3f23fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a8c3f30000 | 0xa8c3f30000 | 0xa8c3f31fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000a8c3f40000 | 0xa8c3f40000 | 0xa8c3f41fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0xa8c3f50000 | 0xa8c3fcdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000a8c3fd0000 | 0xa8c3fd0000 | 0xa8c3fd6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a8c3fe0000 | 0xa8c3fe0000 | 0xa8c3fe0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a8c3ff0000 | 0xa8c3ff0000 | 0xa8c3ff0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000a8c4000000 | 0xa8c4000000 | 0xa8c4000fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a8c4000000 | 0xa8c4000000 | 0xa8c4003fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000a8c4010000 | 0xa8c4010000 | 0xa8c401ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000a8c4020000 | 0xa8c4020000 | 0xa8c4021fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000a8c4030000 | 0xa8c4030000 | 0xa8c4036fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a8c4040000 | 0xa8c4040000 | 0xa8c4040fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a8c4050000 | 0xa8c4050000 | 0xa8c444ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000a8c4450000 | 0xa8c4450000 | 0xa8c45d7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a8c45e0000 | 0xa8c45e0000 | 0xa8c4760fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a8c4770000 | 0xa8c4770000 | 0xa8c5b6ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| rpcss.dll | 0xa8c5b70000 | 0xa8c5c27fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000a8c5b70000 | 0xa8c5b70000 | 0xa8c5c60fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a8c5c70000 | 0xa8c5c70000 | 0xa8c5c70fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a8c5c80000 | 0xa8c5c80000 | 0xa8c5c80fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000a8c5c90000 | 0xa8c5c90000 | 0xa8c5c92fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a8c5ca0000 | 0xa8c5ca0000 | 0xa8c5ca0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000a8c5cb0000 | 0xa8c5cb0000 | 0xa8c5cd4fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a8c5ce0000 | 0xa8c5ce0000 | 0xa8c5ceffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a8c5cf0000 | 0xa8c5cf0000 | 0xa8c5deffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000a8c5df0000 | 0xa8c5df0000 | 0xa8c5ee9fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0xa8c5df0000 | 0xa8c60c4fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000a8c60d0000 | 0xa8c60d0000 | 0xa8c65c1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| staticcache.dat | 0xa8c65d0000 | 0xa8c743ffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000a8c7440000 | 0xa8c7440000 | 0xa8c7657fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| imageres.dll | 0xa8c7660000 | 0xa8ca4f5fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000a8ca500000 | 0xa8ca500000 | 0xa8ca8fbfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a8ca900000 | 0xa8ca900000 | 0xa8ca943fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff7578f0000 | 0x7ff7578f0000 | 0x7ff7579effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff7579f0000 | 0x7ff7579f0000 | 0x7ff757a12fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff757a1c000 | 0x7ff757a1c000 | 0x7ff757a1dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff757a1e000 | 0x7ff757a1e000 | 0x7ff757a1efff | Private Memory | Readable, Writable |
|
|
|
- |
| sous.exe | 0x7ff757f40000 | 0x7ff758041fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffb117b0000 | 0x7ffb117b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmmbase.dll | 0x7ffb133a0000 | 0x7ffb133c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmm.dll | 0x7ffb13500000 | 0x7ffb1351efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wsock32.dll | 0x7ffb142a0000 | 0x7ffb142a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x7ffb15750000 | 0x7ffb1576afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x7ffb15770000 | 0x7ffb15a18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x7ffb15a20000 | 0x7ffb15c4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x7ffb16750000 | 0x7ffb16759fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x7ffb16760000 | 0x7ffb16788fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x7ffb170e0000 | 0x7ffb170f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x7ffb17120000 | 0x7ffb17134fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7ffb18f20000 | 0x7ffb19179fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x7ffb19210000 | 0x7ffb1922ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x7ffb193e0000 | 0x7ffb1947efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7ffb197a0000 | 0x7ffb198c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7ffb198d0000 | 0x7ffb198f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ffb19920000 | 0x7ffb19929fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x7ffb19d00000 | 0x7ffb19d0bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ffb19f50000 | 0x7ffb19f84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7ffb1a060000 | 0x7ffb1a07efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ffb1a310000 | 0x7ffb1a32dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ffb1a540000 | 0x7ffb1a565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x7ffb1a7d0000 | 0x7ffb1a7f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffb1a860000 | 0x7ffb1a8bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffb1a9c0000 | 0x7ffb1a9c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ffb1aa50000 | 0x7ffb1aa63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7ffb1ad50000 | 0x7ffb1ad99fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffb1af60000 | 0x7ffb1b006fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ffb1b010000 | 0x7ffb1b067fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ffb1b070000 | 0x7ffb1b126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ffb1b280000 | 0x7ffb1b288fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ffb1b290000 | 0x7ffb1b407fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffb1b410000 | 0x7ffb1b580fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7ffb1b590000 | 0x7ffb1b6c8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ffb1b870000 | 0x7ffb1ba45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffb1ba50000 | 0x7ffb1baa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7ffb1bac0000 | 0x7ffb1ced6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x7ffb1cee0000 | 0x7ffb1cee6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffb1cef0000 | 0x7ffb1cf94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7ffb1d230000 | 0x7ffb1d280fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ffb1d2f0000 | 0x7ffb1d323fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comdlg32.dll | 0x7ffb1d3b0000 | 0x7ffb1d449fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffb1d450000 | 0x7ffb1d594fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffb1d5a0000 | 0x7ffb1d6d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Host Behavior
File (16)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\Desktop\sous.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\PROGRA~1\COMMON~1\log.txt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
2 | |
| Get Info | C:\Users\5JGHKO~1\Desktop\sous.exe | type = file_type |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 14357 |
|
4 | |
| Read | C:\PROGRA~1\COMMON~1\log.txt | size = 65536, size_out = 0 |
|
2 |
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Control Panel\Mouse | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Mouse | value_name = SwapMouseButtons, data = 48 |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\Desktop\sous.exe | os_pid = 0x820, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL |
|
1 |
Module (50)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x7ffb1b140000 |
|
6 | |
| Load | C:\Users\5JGHKO~1\Desktop\sous.exe | base_address = 0x7ff757f40000 |
|
1 | |
| Load | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | base_address = 0x7ff757f40000 |
|
1 | |
| Load | user32.dll | base_address = 0x7ffb1b410000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffb1b140000 |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghko~1\desktop\sous.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\sous.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghko~1\desktop\sous.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\sous.exe, size = 32767 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7ffb1b1433b8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ffb1b143500 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ffb1b141704 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ffb1b1416f4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ffb1b142eb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ffb1b143010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ffb1b1f496c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ffb1b142d2c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ffb1b143560 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ffb1d732728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffb1d731198 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ffb1d733178 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ffb1b1435a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ffb1d7334d8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ffb1d7301a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ffb1d77b910 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffb1d756c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ffb1d77a7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ffb1b14dfc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ffb1b21c8c4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ffb1ae79310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ffb1b21ca44 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ffb1b142f00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ffb1b21cb20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ffb1b142ca0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ffb1b1fb6e4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ffb1b142c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ffb1b1442ac |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ffb1b142ef0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ffb1adaa7dc |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ffb1b14166c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ffb1b21d488 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffb1b21d498 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffb1b21d488 |
|
1 |
Window (11)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | AutoIt v3 | class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | CryptoWire | class_name = AutoIt v3 GUI, wndproc_parameter = 0 |
|
1 | |
| Create | Decrypt Files | class_name = button, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | Your files has been safely encrypted | class_name = static, wndproc_parameter = 0 |
|
1 | |
| Create | Decryptionkey | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | Buy Bitcoins | class_name = button, wndproc_parameter = 0 |
|
1 | |
| Create | The only way you can recover your files is to buy a decryption key The payment method is: Bitcoins. The price is: $1000 = 0.12587388 Bitcoins When you are ready, send a message by email to wlojul@secmail.pro We will send you our BTC wallet for the transfer After confirmation we will send you the decryption key Click on the 'Buy decryption key' button. | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | - | - |
|
1 | |
| Create | - | - |
|
1 |
Keyboard (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
2 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 |
System (25)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 766, y_out = 506 |
|
1 | |
| Get Cursor | x_out = 570, y_out = 532 |
|
2 | |
| Get Cursor | x_out = 892, y_out = 503 |
|
3 | |
| Get Cursor | x_out = 777, y_out = 510 |
|
1 | |
| Sleep | duration = 750 milliseconds (0.750 seconds) |
|
2 | |
| Sleep | duration = 40 milliseconds (0.040 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2018-04-13 00:36:32 (UTC) |
|
13 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Environment (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = USERPROFILE, result_out = C:\Users\5JgHKoaOfdp |
|
1 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\5jghko~1\desktop\sous.exe | - |
|
1 |
Process #32: sous.exe
89
0
| Information | Value |
|---|---|
| ID | #32 |
| File Name | c:\users\5jghko~1\desktop\sous.exe |
| Command Line | C:\Users\5JGHKO~1\Desktop\sous.exe |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:48, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:46 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x820 |
| Parent PID | 0x8d0 (c:\users\5jghko~1\desktop\sous.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
85C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000c6a4150000 | 0xc6a4150000 | 0xc6a416ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c6a4150000 | 0xc6a4150000 | 0xc6a415ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c6a4160000 | 0xc6a4160000 | 0xc6a4166fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c6a4170000 | 0xc6a4170000 | 0xc6a417efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000c6a4180000 | 0xc6a4180000 | 0xc6a457ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c6a4580000 | 0xc6a4580000 | 0xc6a4583fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000c6a4590000 | 0xc6a4590000 | 0xc6a4591fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000c6a45a0000 | 0xc6a45a0000 | 0xc6a45a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0xc6a45b0000 | 0xc6a462dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000c6a4630000 | 0xc6a4630000 | 0xc6a4636fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c6a4640000 | 0xc6a4640000 | 0xc6a4640fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c6a4650000 | 0xc6a4650000 | 0xc6a4650fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c6a4660000 | 0xc6a4660000 | 0xc6a4660fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000c6a4660000 | 0xc6a4660000 | 0xc6a4663fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000c6a4670000 | 0xc6a4670000 | 0xc6a4671fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000c6a4680000 | 0xc6a4680000 | 0xc6a4686fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c6a4690000 | 0xc6a4690000 | 0xc6a4690fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c6a46a0000 | 0xc6a46a0000 | 0xc6a46a0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c6a46b0000 | 0xc6a46b0000 | 0xc6a46b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c6a46c0000 | 0xc6a46c0000 | 0xc6a46cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c6a46d0000 | 0xc6a46d0000 | 0xc6a4acffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c6a4ad0000 | 0xc6a4ad0000 | 0xc6a4c57fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000c6a4c60000 | 0xc6a4c60000 | 0xc6a4c62fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000c6a4c70000 | 0xc6a4c70000 | 0xc6a4c70fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000c6a4ca0000 | 0xc6a4ca0000 | 0xc6a4caffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c6a4cb0000 | 0xc6a4cb0000 | 0xc6a4e30fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000c6a4e40000 | 0xc6a4e40000 | 0xc6a623ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| rpcss.dll | 0xc6a6240000 | 0xc6a62f7fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000c6a6240000 | 0xc6a6240000 | 0xc6a6330fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000c6a6340000 | 0xc6a6340000 | 0xc6a643ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000c6a6440000 | 0xc6a6440000 | 0xc6a6539fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0xc6a6440000 | 0xc6a6714fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000c6a6720000 | 0xc6a6720000 | 0xc6a6c11fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| staticcache.dat | 0xc6a6c20000 | 0xc6a7a8ffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000c6a7a90000 | 0xc6a7a90000 | 0xc6a7ca7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| imageres.dll | 0xc6a7cb0000 | 0xc6aab45fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000c6aab50000 | 0xc6aab50000 | 0xc6aaf4bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000c6aaf50000 | 0xc6aaf50000 | 0xc6aaf93fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff7578e0000 | 0x7ff7578e0000 | 0x7ff7579dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff7579e0000 | 0x7ff7579e0000 | 0x7ff757a02fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff757a0d000 | 0x7ff757a0d000 | 0x7ff757a0dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff757a0e000 | 0x7ff757a0e000 | 0x7ff757a0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sous.exe | 0x7ff757f40000 | 0x7ff758041fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffb117b0000 | 0x7ffb117b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmmbase.dll | 0x7ffb133a0000 | 0x7ffb133c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmm.dll | 0x7ffb13500000 | 0x7ffb1351efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wsock32.dll | 0x7ffb142a0000 | 0x7ffb142a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x7ffb15750000 | 0x7ffb1576afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x7ffb15770000 | 0x7ffb15a18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x7ffb15a20000 | 0x7ffb15c4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x7ffb16750000 | 0x7ffb16759fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x7ffb16760000 | 0x7ffb16788fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x7ffb170e0000 | 0x7ffb170f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x7ffb17120000 | 0x7ffb17134fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7ffb18f20000 | 0x7ffb19179fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x7ffb19210000 | 0x7ffb1922ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x7ffb193e0000 | 0x7ffb1947efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7ffb197a0000 | 0x7ffb198c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7ffb198d0000 | 0x7ffb198f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ffb19920000 | 0x7ffb19929fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x7ffb19d00000 | 0x7ffb19d0bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ffb19f50000 | 0x7ffb19f84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7ffb1a060000 | 0x7ffb1a07efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ffb1a310000 | 0x7ffb1a32dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ffb1a540000 | 0x7ffb1a565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x7ffb1a7d0000 | 0x7ffb1a7f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffb1a860000 | 0x7ffb1a8bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffb1a9c0000 | 0x7ffb1a9c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ffb1aa50000 | 0x7ffb1aa63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7ffb1ad50000 | 0x7ffb1ad99fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffb1af60000 | 0x7ffb1b006fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ffb1b010000 | 0x7ffb1b067fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ffb1b070000 | 0x7ffb1b126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ffb1b280000 | 0x7ffb1b288fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ffb1b290000 | 0x7ffb1b407fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffb1b410000 | 0x7ffb1b580fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7ffb1b590000 | 0x7ffb1b6c8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ffb1b870000 | 0x7ffb1ba45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffb1ba50000 | 0x7ffb1baa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7ffb1bac0000 | 0x7ffb1ced6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x7ffb1cee0000 | 0x7ffb1cee6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffb1cef0000 | 0x7ffb1cf94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7ffb1d230000 | 0x7ffb1d280fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ffb1d2f0000 | 0x7ffb1d323fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comdlg32.dll | 0x7ffb1d3b0000 | 0x7ffb1d449fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffb1d450000 | 0x7ffb1d594fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffb1d5a0000 | 0x7ffb1d6d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\Desktop\sous.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Users\5JGHKO~1\Desktop\sous.exe | type = file_type |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Control Panel\Mouse | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Mouse | value_name = SwapMouseButtons, data = 48 |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\Desktop\sous.exe | os_pid = 0xabc, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL |
|
1 |
Module (47)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x7ffb1b140000 |
|
4 | |
| Load | C:\Users\5JGHKO~1\Desktop\sous.exe | base_address = 0x7ff757f40000 |
|
1 | |
| Load | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | base_address = 0x7ff757f40000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffb1b140000 |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghko~1\desktop\sous.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\sous.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghko~1\desktop\sous.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\sous.exe, size = 32767 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7ffb1b1433b8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ffb1b143500 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ffb1b141704 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ffb1b1416f4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ffb1b142eb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ffb1b143010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ffb1b1f496c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ffb1b142d2c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ffb1b143560 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ffb1d732728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffb1d731198 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ffb1d733178 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ffb1b1435a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ffb1d7334d8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ffb1d7301a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ffb1d77b910 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffb1d756c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ffb1d77a7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ffb1b14dfc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ffb1b21c8c4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ffb1ae79310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ffb1b21ca44 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ffb1b142f00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ffb1b21cb20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ffb1b142ca0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ffb1b1fb6e4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ffb1b142c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ffb1b1442ac |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ffb1b142ef0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ffb1adaa7dc |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ffb1b14166c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ffb1b21d488 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffb1b21d498 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffb1b21d488 |
|
1 |
Window (4)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | AutoIt v3 | class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Create | - | - |
|
1 | |
| Create | - | - |
|
1 |
System (22)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 542, y_out = 547 |
|
1 | |
| Get Cursor | x_out = 860, y_out = 508 |
|
3 | |
| Get Cursor | x_out = 793, y_out = 511 |
|
1 | |
| Sleep | duration = 750 milliseconds (0.750 seconds) |
|
2 | |
| Get Time | type = System Time, time = 2018-04-13 00:36:34 (UTC) |
|
13 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\5jghko~1\desktop\sous.exe | - |
|
1 |
Process #33: sous.exe
80
0
| Information | Value |
|---|---|
| ID | #33 |
| File Name | c:\users\5jghko~1\desktop\sous.exe |
| Command Line | C:\Users\5JGHKO~1\Desktop\sous.exe |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:50, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:44 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xabc |
| Parent PID | 0x820 (c:\users\5jghko~1\desktop\sous.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AA8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x00000047801e0000 | 0x47801e0000 | 0x47801fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000047801e0000 | 0x47801e0000 | 0x47801effff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000047801f0000 | 0x47801f0000 | 0x47801f6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004780200000 | 0x4780200000 | 0x478020efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000004780210000 | 0x4780210000 | 0x478060ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004780610000 | 0x4780610000 | 0x4780613fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000004780620000 | 0x4780620000 | 0x4780621fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000004780630000 | 0x4780630000 | 0x4780631fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x4780640000 | 0x47806bdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000047806c0000 | 0x47806c0000 | 0x47806c6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000047806d0000 | 0x47806d0000 | 0x47806d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000047806e0000 | 0x47806e0000 | 0x4780adffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004780ae0000 | 0x4780ae0000 | 0x4780c67fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000004780c70000 | 0x4780c70000 | 0x4780c70fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004780c80000 | 0x4780c80000 | 0x4780c80fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000004780c80000 | 0x4780c80000 | 0x4780c83fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000004780c90000 | 0x4780c90000 | 0x4780c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004780ca0000 | 0x4780ca0000 | 0x4780e20fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000004780e30000 | 0x4780e30000 | 0x478222ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000004782230000 | 0x4782230000 | 0x4782231fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000004782240000 | 0x4782240000 | 0x4782246fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000004782250000 | 0x4782250000 | 0x4782250fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000047822d0000 | 0x47822d0000 | 0x47822dffff | Private Memory | Readable, Writable |
|
|
|
- |
| rpcss.dll | 0x47822e0000 | 0x4782397fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000047822e0000 | 0x47822e0000 | 0x47823d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000047823e0000 | 0x47823e0000 | 0x47824dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000047824e0000 | 0x47824e0000 | 0x47825d9fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x47824e0000 | 0x47827b4fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00007ff7576e0000 | 0x7ff7576e0000 | 0x7ff7577dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff7577e0000 | 0x7ff7577e0000 | 0x7ff757802fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff75780c000 | 0x7ff75780c000 | 0x7ff75780cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff75780e000 | 0x7ff75780e000 | 0x7ff75780ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sous.exe | 0x7ff757f40000 | 0x7ff758041fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffb117b0000 | 0x7ffb117b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmmbase.dll | 0x7ffb133a0000 | 0x7ffb133c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmm.dll | 0x7ffb13500000 | 0x7ffb1351efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wsock32.dll | 0x7ffb142a0000 | 0x7ffb142a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x7ffb15750000 | 0x7ffb1576afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x7ffb15770000 | 0x7ffb15a18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x7ffb15a20000 | 0x7ffb15c4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x7ffb16750000 | 0x7ffb16759fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x7ffb16760000 | 0x7ffb16788fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7ffb18f20000 | 0x7ffb19179fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x7ffb19210000 | 0x7ffb1922ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x7ffb193e0000 | 0x7ffb1947efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7ffb197a0000 | 0x7ffb198c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7ffb198d0000 | 0x7ffb198f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ffb19920000 | 0x7ffb19929fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7ffb1a060000 | 0x7ffb1a07efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffb1a860000 | 0x7ffb1a8bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffb1a9c0000 | 0x7ffb1a9c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ffb1aa50000 | 0x7ffb1aa63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7ffb1ad50000 | 0x7ffb1ad99fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffb1af60000 | 0x7ffb1b006fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ffb1b010000 | 0x7ffb1b067fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ffb1b070000 | 0x7ffb1b126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ffb1b280000 | 0x7ffb1b288fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ffb1b290000 | 0x7ffb1b407fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffb1b410000 | 0x7ffb1b580fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7ffb1b590000 | 0x7ffb1b6c8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ffb1b870000 | 0x7ffb1ba45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffb1ba50000 | 0x7ffb1baa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7ffb1bac0000 | 0x7ffb1ced6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x7ffb1cee0000 | 0x7ffb1cee6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffb1cef0000 | 0x7ffb1cf94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7ffb1d230000 | 0x7ffb1d280fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ffb1d2f0000 | 0x7ffb1d323fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comdlg32.dll | 0x7ffb1d3b0000 | 0x7ffb1d449fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffb1d450000 | 0x7ffb1d594fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffb1d5a0000 | 0x7ffb1d6d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\Desktop\sous.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Users\5JGHKO~1\Desktop\sous.exe | type = file_type |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Control Panel\Mouse | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Mouse | value_name = SwapMouseButtons, data = 48 |
|
1 |
Module (47)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x7ffb1b140000 |
|
4 | |
| Load | C:\Users\5JGHKO~1\Desktop\sous.exe | base_address = 0x7ff757f40000 |
|
1 | |
| Load | C:\Users\5JgHKoaOfdp\Desktop\sous.exe | base_address = 0x7ff757f40000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffb1b140000 |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghko~1\desktop\sous.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\sous.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghko~1\desktop\sous.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\sous.exe, size = 32767 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7ffb1b1433b8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ffb1b143500 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ffb1b141704 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ffb1b1416f4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ffb1b142eb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ffb1b143010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ffb1b1f496c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ffb1b142d2c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ffb1b143560 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ffb1d732728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffb1d731198 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ffb1d733178 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ffb1b1435a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ffb1d7334d8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ffb1d7301a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ffb1d77b910 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffb1d756c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ffb1d77a7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ffb1b14dfc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ffb1b21c8c4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ffb1ae79310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ffb1b21ca44 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ffb1b142f00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ffb1b21cb20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ffb1b142ca0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ffb1b1fb6e4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ffb1b142c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ffb1b1442ac |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ffb1b142ef0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ffb1adaa7dc |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ffb1b14166c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ffb1b21d488 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffb1b21d498 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffb1b21d488 |
|
1 |
Window (2)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | AutoIt v3 | class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 |
System (16)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2018-04-13 00:36:37 (UTC) |
|
13 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\5jghko~1\desktop\sous.exe | - |
|
1 |
Process #34: System
0
0
| Information | Value |
|---|---|
| ID | #34 |
| File Name | System |
| Command Line | - |
| Initial Working Directory | - |
| Monitor | Start Time: 00:01:54, Reason: Kernel Analysis |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:40 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4 |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
8
0x
18
0x
14
0x
1C
0x
4C
0x
24
0x
28
0x
2C
0x
30
0x
48
0x
90
0x
94
0x
98
0x
A0
0x
9C
0x
78
0x
38
0x
CC
0x
D8
0x
A4
0x
E0
0x
E4
0x
100
0x
104
0x
108
0x
10C
0x
110
0x
7C
0x
114
0x
A8
0x
AC
0x
6C
0x
3C
0x
120
0x
34
0x
138
0x
13C
0x
140
0x
144
0x
148
0x
14C
0x
150
0x
154
0x
20
0x
1A4
0x
10
0x
68
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000ac0ae10000 | 0xac0ae10000 | 0xac0ae32fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
Process #35: smss.exe
0
0
| Information | Value |
|---|---|
| ID | #35 |
| File Name | c:\windows\system32\smss.exe |
| Command Line | \SystemRoot\System32\smss.exe |
| Initial Working Directory | C:\Windows |
| Monitor | Start Time: 00:01:57, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:37 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xec |
| Parent PID | 0x4 (System) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
F0
0x
F4
0x
0
0x
1CC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x00000024442b0000 | 0x24442b0000 | 0x24442cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000024442d0000 | 0x24442d0000 | 0x24442defff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000024442e0000 | 0x24442e0000 | 0x244435ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff7353b0000 | 0x7ff7353b0000 | 0x7ff7353d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff7353da000 | 0x7ff7353da000 | 0x7ff7353dafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7353de000 | 0x7ff7353de000 | 0x7ff7353dffff | Private Memory | Readable, Writable |
|
|
|
- |
| smss.exe | 0x7ff7359e0000 | 0x7ff735a04fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffaa3390000 | 0x7ffaa3539fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #36: autochk.exe
0
0
| Information | Value |
|---|---|
| ID | #36 |
| File Name | c:\windows\system32\autochk.exe |
| Command Line | \??\C:\Windows\system32\autochk.exe * |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:57, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:37 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf8 |
| Parent PID | 0xec (c:\windows\system32\smss.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
FC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000aa75f50000 | 0xaa75f50000 | 0xaa75f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000aa75f70000 | 0xaa75f70000 | 0xaa75f7efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000aa75f80000 | 0xaa75f80000 | 0xaa75ffffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000aa761e0000 | 0xaa761e0000 | 0xaa762dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff623b90000 | 0x7ff623b90000 | 0x7ff623bb2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff623bbd000 | 0x7ff623bbd000 | 0x7ff623bbefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff623bbf000 | 0x7ff623bbf000 | 0x7ff623bbffff | Private Memory | Readable, Writable |
|
|
|
- |
| autochk.exe | 0x7ff6245b0000 | 0x7ff62468dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffaa3390000 | 0x7ffaa3539fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #37: smss.exe
0
0
| Information | Value |
|---|---|
| ID | #37 |
| File Name | c:\windows\system32\smss.exe |
| Command Line | \SystemRoot\System32\smss.exe 00000000 00000050 |
| Initial Working Directory | C:\Windows\ |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:30 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x128 |
| Parent PID | 0xec (c:\windows\system32\smss.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
12C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000bf095f0000 | 0xbf095f0000 | 0xbf0960ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000bf09610000 | 0xbf09610000 | 0xbf0961efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000bf09620000 | 0xbf09620000 | 0xbf0969ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff734a90000 | 0x7ff734a90000 | 0x7ff734ab2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff734abd000 | 0x7ff734abd000 | 0x7ff734abefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff734abf000 | 0x7ff734abf000 | 0x7ff734abffff | Private Memory | Readable, Writable |
|
|
|
- |
| smss.exe | 0x7ff7359e0000 | 0x7ff735a04fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffaa3390000 | 0x7ffaa3539fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #38: csrss.exe
0
0
| Information | Value |
|---|---|
| ID | #38 |
| File Name | c:\windows\system32\csrss.exe |
| Command Line | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:30 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x130 |
| Parent PID | 0x128 (c:\windows\system32\smss.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
134
0x
0
0x
158
0x
15C
0x
160
0x
164
0x
19C
0x
1BC
0x
1C4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x00000068e9180000 | 0x68e9180000 | 0x68e919ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000068e9180000 | 0x68e9180000 | 0x68e9180fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000068e9180000 | 0x68e9180000 | 0x68e9186fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000068e9190000 | 0x68e9190000 | 0x68e9192fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000068e91a0000 | 0x68e91a0000 | 0x68e91aefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000068e91b0000 | 0x68e91b0000 | 0x68e91effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000068e91b0000 | 0x68e91b0000 | 0x68e91bffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| marlett.ttf | 0x68e91c0000 | 0x68e91c6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000068e91d0000 | 0x68e91d0000 | 0x68e91e7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x68e91f0000 | 0x68e926dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000068e9270000 | 0x68e9270000 | 0x68e9270fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000068e9280000 | 0x68e9280000 | 0x68e9280fff | Private Memory | Readable, Writable |
|
|
|
- |
| vgasys.fon | 0x68e9290000 | 0x68e9291fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000068e92a0000 | 0x68e92a0000 | 0x68e939ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000068e93a0000 | 0x68e93a0000 | 0x68e9520fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000068e9530000 | 0x68e9530000 | 0x68e992bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000068e9930000 | 0x68e9930000 | 0x68e996ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000068e9970000 | 0x68e9970000 | 0x68e99affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000068e99b0000 | 0x68e99b0000 | 0x68e99effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000068e99f0000 | 0x68e99f0000 | 0x68e9a2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000068e9a30000 | 0x68e9a30000 | 0x68e9bb7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000068e9bc0000 | 0x68e9bc0000 | 0x68e9bc0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000068e9bd0000 | 0x68e9bd0000 | 0x68e9c0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000068e9c10000 | 0x68e9c10000 | 0x68e9c4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000068e9c50000 | 0x68e9c50000 | 0x68e9c8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| segoeui.ttf | 0x68e9c90000 | 0x68e9d5dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000068e9d60000 | 0x68e9d60000 | 0x68e9d8ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000068e9d90000 | 0x68e9d90000 | 0x68eb18ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000068eb190000 | 0x68eb190000 | 0x68eb190fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000068eb1a0000 | 0x68eb1a0000 | 0x68eb1a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000068eb1b0000 | 0x68eb1b0000 | 0x68eb1b3fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000068eb1b0000 | 0x68eb1b0000 | 0x68eb1b0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000068eb1b0000 | 0x68eb1b0000 | 0x68eb1bffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000068eb1c0000 | 0x68eb1c0000 | 0x68eb1c0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6726bc000 | 0x7ff6726bc000 | 0x7ff6726bdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6726be000 | 0x7ff6726be000 | 0x7ff6726bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff6726c0000 | 0x7ff6726c0000 | 0x7ff6727bffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff6727c0000 | 0x7ff6727c0000 | 0x7ff6727e2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff6727e4000 | 0x7ff6727e4000 | 0x7ff6727e5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6727e6000 | 0x7ff6727e6000 | 0x7ff6727e6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6727e8000 | 0x7ff6727e8000 | 0x7ff6727e9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6727ea000 | 0x7ff6727ea000 | 0x7ff6727ebfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6727ec000 | 0x7ff6727ec000 | 0x7ff6727edfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6727ee000 | 0x7ff6727ee000 | 0x7ff6727effff | Private Memory | Readable, Writable |
|
|
|
- |
| csrss.exe | 0x7ff6728a0000 | 0x7ff6728a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffaa0510000 | 0x7ffaa056ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffaa0570000 | 0x7ffaa0579fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sxs.dll | 0x7ffaa0580000 | 0x7ffaa0616fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sxssrv.dll | 0x7ffaa0720000 | 0x7ffaa072cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsrv.dll | 0x7ffaa0730000 | 0x7ffaa0761fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| basesrv.dll | 0x7ffaa0770000 | 0x7ffaa0782fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| csrsrv.dll | 0x7ffaa0790000 | 0x7ffaa07a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffaa0b00000 | 0x7ffaa0c0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffaa0c10000 | 0x7ffaa0d45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffaa0d50000 | 0x7ffaa0ec0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffaa14f0000 | 0x7ffaa1629fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffaa2ca0000 | 0x7ffaa2de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffaa3390000 | 0x7ffaa3539fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #39: smss.exe
0
0
| Information | Value |
|---|---|
| ID | #39 |
| File Name | c:\windows\system32\smss.exe |
| Command Line | \SystemRoot\System32\smss.exe 00000001 00000050 |
| Initial Working Directory | C:\Windows\ |
| Monitor | Start Time: 00:02:05, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:29 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x168 |
| Parent PID | 0xec (c:\windows\system32\smss.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
16C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000ce750c0000 | 0xce750c0000 | 0xce750dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000ce750e0000 | 0xce750e0000 | 0xce750eefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000ce750f0000 | 0xce750f0000 | 0xce7516ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff734a30000 | 0x7ff734a30000 | 0x7ff734a52fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff734a5d000 | 0x7ff734a5d000 | 0x7ff734a5efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff734a5f000 | 0x7ff734a5f000 | 0x7ff734a5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| smss.exe | 0x7ff7359e0000 | 0x7ff735a04fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffaa3390000 | 0x7ffaa3539fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #40: csrss.exe
0
0
| Information | Value |
|---|---|
| ID | #40 |
| File Name | c:\windows\system32\csrss.exe |
| Command Line | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:05, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:29 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x170 |
| Parent PID | 0x168 (c:\windows\system32\smss.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
174
0x
180
0x
184
0x
188
0x
18C
0x
190
0x
1A8
0x
1B8
0x
1C0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x0000006882ce0000 | 0x6882ce0000 | 0x6882cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000006882ce0000 | 0x6882ce0000 | 0x6882ce0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000006882ce0000 | 0x6882ce0000 | 0x6882ce6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000006882cf0000 | 0x6882cf0000 | 0x6882cf2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000006882d00000 | 0x6882d00000 | 0x6882d0efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000006882d10000 | 0x6882d10000 | 0x6882d4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x6882d50000 | 0x6882dcdfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000006882dd0000 | 0x6882dd0000 | 0x6882dd0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000006882de0000 | 0x6882de0000 | 0x6882de0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000006882df0000 | 0x6882df0000 | 0x6882df0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000006882e00000 | 0x6882e00000 | 0x6882e00fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000006882e10000 | 0x6882e10000 | 0x6882e10fff | Private Memory | Readable, Writable |
|
|
|
- |
| vgasys.fon | 0x6882e20000 | 0x6882e21fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000006882e30000 | 0x6882e30000 | 0x6882e6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000006882e70000 | 0x6882e70000 | 0x6882eaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000006882f10000 | 0x6882f10000 | 0x688300ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000006883010000 | 0x6883010000 | 0x6883190fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000068831a0000 | 0x68831a0000 | 0x688359bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000068835a0000 | 0x68835a0000 | 0x6883a91fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff672090000 | 0x7ff672090000 | 0x7ff67218ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff672190000 | 0x7ff672190000 | 0x7ff6721b2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff6721b8000 | 0x7ff6721b8000 | 0x7ff6721b9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6721ba000 | 0x7ff6721ba000 | 0x7ff6721bafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6721bc000 | 0x7ff6721bc000 | 0x7ff6721bdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6721be000 | 0x7ff6721be000 | 0x7ff6721bffff | Private Memory | Readable, Writable |
|
|
|
- |
| csrss.exe | 0x7ff6728a0000 | 0x7ff6728a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sxssrv.dll | 0x7ffaa0720000 | 0x7ffaa072cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsrv.dll | 0x7ffaa0730000 | 0x7ffaa0761fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| basesrv.dll | 0x7ffaa0770000 | 0x7ffaa0782fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| csrsrv.dll | 0x7ffaa0790000 | 0x7ffaa07a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffaa0b00000 | 0x7ffaa0c0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffaa0d50000 | 0x7ffaa0ec0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffaa14f0000 | 0x7ffaa1629fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffaa2ca0000 | 0x7ffaa2de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffaa3390000 | 0x7ffaa3539fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #41: wininit.exe
0
0
| Information | Value |
|---|---|
| ID | #41 |
| File Name | c:\windows\system32\wininit.exe |
| Command Line | wininit.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:05, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:29 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x178 |
| Parent PID | 0x128 (c:\windows\system32\smss.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
17C
0x
0
0x
1A0
0x
1AC
0x
1C8
0x
1F0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000141fa90000 | 0x141fa90000 | 0x141faaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000141fa90000 | 0x141fa90000 | 0x141fa9ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000141faa0000 | 0x141faa0000 | 0x141faa6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000141fab0000 | 0x141fab0000 | 0x141fabefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000141fac0000 | 0x141fac0000 | 0x141fb3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x141fb40000 | 0x141fbbdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000141fbc0000 | 0x141fbc0000 | 0x141fc6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000141fbc0000 | 0x141fbc0000 | 0x141fbc6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000141fbd0000 | 0x141fbd0000 | 0x141fbd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000141fbe0000 | 0x141fbe0000 | 0x141fbe0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000141fbf0000 | 0x141fbf0000 | 0x141fbf0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000141fc00000 | 0x141fc00000 | 0x141fc00fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000141fc10000 | 0x141fc10000 | 0x141fc10fff | Private Memory | Readable, Writable |
|
|
|
- |
| user32.dll.mui | 0x141fc10000 | 0x141fc14fff | Memory Mapped File | Readable |
|
|
|
- |
| user32.dll.mui | 0x141fc20000 | 0x141fc24fff | Memory Mapped File | Readable |
|
|
|
- |
| aero_arrow.cur | 0x141fc20000 | 0x141fc27fff | Memory Mapped File | Readable |
|
|
|
- |
| aero_up.cur | 0x141fc20000 | 0x141fc27fff | Memory Mapped File | Readable |
|
|
|
- |
| aero_helpsel.cur | 0x141fc20000 | 0x141fc27fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000141fc30000 | 0x141fc30000 | 0x141fc5ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000141fc60000 | 0x141fc60000 | 0x141fc6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000141fc70000 | 0x141fc70000 | 0x141fd6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000141fd70000 | 0x141fd70000 | 0x141fe7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000141fd70000 | 0x141fd70000 | 0x141fdeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000141fdf0000 | 0x141fdf0000 | 0x141fe6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000141fe70000 | 0x141fe70000 | 0x141fe7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000141fe80000 | 0x141fe80000 | 0x1420007fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000001420010000 | 0x1420010000 | 0x1420190fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000014201a0000 | 0x14201a0000 | 0x142059bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| aero_busy.ani | 0x14201a0000 | 0x1420227fff | Memory Mapped File | Readable |
|
|
|
- |
| aero_working.ani | 0x14201a0000 | 0x1420227fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000014201a0000 | 0x14201a0000 | 0x142159ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| malgun.ttf | 0x14205a0000 | 0x1420ec6fff | Memory Mapped File | Readable |
|
|
|
- |
| msyh.ttc | 0x14205a0000 | 0x1421a41fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000014215a0000 | 0x14215a0000 | 0x142161ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x1421620000 | 0x14218f4fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00007ff7ad4b0000 | 0x7ff7ad4b0000 | 0x7ff7ad5affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff7ad5b0000 | 0x7ff7ad5b0000 | 0x7ff7ad5d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff7ad5d3000 | 0x7ff7ad5d3000 | 0x7ff7ad5d3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7ad5d8000 | 0x7ff7ad5d8000 | 0x7ff7ad5d9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7ad5da000 | 0x7ff7ad5da000 | 0x7ff7ad5dbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7ad5dc000 | 0x7ff7ad5dc000 | 0x7ff7ad5ddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7ad5de000 | 0x7ff7ad5de000 | 0x7ff7ad5dffff | Private Memory | Readable, Writable |
|
|
|
- |
| wininit.exe | 0x7ff7ade60000 | 0x7ff7ade85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wls0wndh.dll | 0x7ffaa0610000 | 0x7ffaa0617fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kbdus.dll | 0x7ffaa0670000 | 0x7ffaa0673fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininitext.dll | 0x7ffaa06a0000 | 0x7ffaa06a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ffaa0700000 | 0x7ffaa0713fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffaa0b00000 | 0x7ffaa0c0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffaa0c10000 | 0x7ffaa0d45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffaa0d50000 | 0x7ffaa0ec0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffaa1340000 | 0x7ffaa13e6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffaa14f0000 | 0x7ffaa1629fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffaa1650000 | 0x7ffaa16a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffaa2ca0000 | 0x7ffaa2de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffaa3390000 | 0x7ffaa3539fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #42: winlogon.exe
0
0
| Information | Value |
|---|---|
| ID | #42 |
| File Name | c:\windows\system32\winlogon.exe |
| Command Line | winlogon.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:06, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:28 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x194 |
| Parent PID | 0x168 (c:\windows\system32\smss.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
198
0x
1B0
0x
1B4
0x
0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000ff0f930000 | 0xff0f930000 | 0xff0f94ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000ff0f930000 | 0xff0f930000 | 0xff0f93ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000ff0f940000 | 0xff0f940000 | 0xff0f946fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000ff0f950000 | 0xff0f950000 | 0xff0f95efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000ff0f960000 | 0xff0f960000 | 0xff0f9dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000ff0f9e0000 | 0xff0f9e0000 | 0xff0f9e6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000ff0f9f0000 | 0xff0f9f0000 | 0xff0f9f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000ff0fa00000 | 0xff0fa00000 | 0xff0fa00fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000ff0fa10000 | 0xff0fa10000 | 0xff0fb0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0xff0fb10000 | 0xff0fb8dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000ff0fb90000 | 0xff0fb90000 | 0xff0fb90fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000ff0fba0000 | 0xff0fba0000 | 0xff0fba0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000ff0fbb0000 | 0xff0fbb0000 | 0xff0fc2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000ff0fc30000 | 0xff0fc30000 | 0xff0fc30fff | Private Memory | Readable, Writable |
|
|
|
- |
| user32.dll.mui | 0xff0fc30000 | 0xff0fc34fff | Memory Mapped File | Readable |
|
|
|
- |
| user32.dll.mui | 0xff0fc40000 | 0xff0fc44fff | Memory Mapped File | Readable |
|
|
|
- |
| aero_arrow.cur | 0xff0fc40000 | 0xff0fc47fff | Memory Mapped File | Readable |
|
|
|
- |
| aero_up.cur | 0xff0fc40000 | 0xff0fc47fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000ff0fc60000 | 0xff0fc60000 | 0xff0fc6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000ff0fc70000 | 0xff0fc70000 | 0xff0fdf7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000ff0fe00000 | 0xff0fe00000 | 0xff0ff80fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000ff0ff90000 | 0xff0ff90000 | 0xff1038bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| aero_busy.ani | 0xff0ff90000 | 0xff10017fff | Memory Mapped File | Readable |
|
|
|
- |
| aero_working.ani | 0xff0ff90000 | 0xff10017fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000ff10390000 | 0xff10390000 | 0xff1040ffff | Private Memory | Readable, Writable |
|
|
|
- |
| malgun.ttf | 0xff10410000 | 0xff10d36fff | Memory Mapped File | Readable |
|
|
|
- |
| msyh.ttc | 0xff10410000 | 0xff118b1fff | Memory Mapped File | Readable |
|
|
|
- |
| batang.ttc | 0xff10410000 | 0xff11392fff | Memory Mapped File | Readable |
|
|
|
- |
| malgunbd.ttf | 0xff10410000 | 0xff10c91fff | Memory Mapped File | Readable |
|
|
|
- |
| segoeuib.ttf | 0xff10410000 | 0xff104dbfff | Memory Mapped File | Readable |
|
|
|
- |
| msmincho.ttc | 0xff10410000 | 0xff10dadfff | Memory Mapped File | Readable |
|
|
|
- |
| segoeui.ttf | 0xff10410000 | 0xff104ddfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000ff10410000 | 0xff10410000 | 0xff1043ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff7a4c30000 | 0x7ff7a4c30000 | 0x7ff7a4d2ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff7a4d30000 | 0x7ff7a4d30000 | 0x7ff7a4d52fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff7a4d59000 | 0x7ff7a4d59000 | 0x7ff7a4d5afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7a4d5b000 | 0x7ff7a4d5b000 | 0x7ff7a4d5cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7a4d5d000 | 0x7ff7a4d5d000 | 0x7ff7a4d5dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7a4d5e000 | 0x7ff7a4d5e000 | 0x7ff7a4d5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| winlogon.exe | 0x7ff7a55e0000 | 0x7ff7a566efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x7ffaa0620000 | 0x7ffaa0676fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kbdus.dll | 0x7ffaa0670000 | 0x7ffaa0673fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winlogonext.dll | 0x7ffaa0680000 | 0x7ffaa0697fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| powrprof.dll | 0x7ffaa06b0000 | 0x7ffaa06f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ffaa0700000 | 0x7ffaa0713fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffaa0b00000 | 0x7ffaa0c0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffaa0c10000 | 0x7ffaa0d45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffaa0d50000 | 0x7ffaa0ec0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffaa1340000 | 0x7ffaa13e6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffaa14f0000 | 0x7ffaa1629fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffaa1650000 | 0x7ffaa16a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffaa16b0000 | 0x7ffaa1754fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffaa2ca0000 | 0x7ffaa2de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7ffaa3010000 | 0x7ffaa3148fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ffaa3340000 | 0x7ffaa3373fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffaa3390000 | 0x7ffaa3539fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #43: services.exe
0
0
| Information | Value |
|---|---|
| ID | #43 |
| File Name | c:\windows\system32\services.exe |
| Command Line | C:\Windows\system32\services.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:26 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1d0 |
| Parent PID | 0x178 (c:\windows\system32\wininit.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
1D4
0x
0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x00000040075b0000 | 0x40075b0000 | 0x40075cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000040075b0000 | 0x40075b0000 | 0x40075bffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000040075c0000 | 0x40075c0000 | 0x40075c6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000040075d0000 | 0x40075d0000 | 0x40075defff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000040075e0000 | 0x40075e0000 | 0x400765ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004007660000 | 0x4007660000 | 0x4007663fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000004007670000 | 0x4007670000 | 0x4007670fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x4007680000 | 0x40076fdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000004007700000 | 0x4007700000 | 0x40077affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000004007700000 | 0x4007700000 | 0x4007706fff | Private Memory | Readable, Writable |
|
|
|
- |
| 1394.pnf | 0x4007710000 | 0x4007714fff | Memory Mapped File | Readable |
|
|
|
- |
| acpi.pnf | 0x4007710000 | 0x4007712fff | Memory Mapped File | Readable |
|
|
|
- |
| acpipagr.pnf | 0x4007710000 | 0x4007711fff | Memory Mapped File | Readable |
|
|
|
- |
| acpipmi.pnf | 0x4007710000 | 0x4007711fff | Memory Mapped File | Readable |
|
|
|
- |
| cpu.pnf | 0x4007710000 | 0x4007716fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000040077a0000 | 0x40077a0000 | 0x40077affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000004007800000 | 0x4007800000 | 0x40078fffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x4007900000 | 0x4007bd4fff | Memory Mapped File | Readable |
|
|
|
- |
| machine.pnf | 0x4007be0000 | 0x4007cbffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00007ff6f6080000 | 0x7ff6f6080000 | 0x7ff6f617ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff6f6180000 | 0x7ff6f6180000 | 0x7ff6f61a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff6f61ad000 | 0x7ff6f61ad000 | 0x7ff6f61aefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6f61af000 | 0x7ff6f61af000 | 0x7ff6f61affff | Private Memory | Readable, Writable |
|
|
|
- |
| services.exe | 0x7ff6f6710000 | 0x7ff6f6774fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| spinf.dll | 0x7ffaa02f0000 | 0x7ffaa030cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x7ffaa0310000 | 0x7ffaa0334fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| eventaggregation.dll | 0x7ffaa0340000 | 0x7ffaa034afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dabapi.dll | 0x7ffaa0350000 | 0x7ffaa0357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| scext.dll | 0x7ffaa0360000 | 0x7ffaa036ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7ffaa04e0000 | 0x7ffaa050afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffaa0510000 | 0x7ffaa056ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffaa0570000 | 0x7ffaa0579fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ffaa0700000 | 0x7ffaa0713fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffaa0b00000 | 0x7ffaa0c0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffaa0c10000 | 0x7ffaa0d45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffaa1340000 | 0x7ffaa13e6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffaa14f0000 | 0x7ffaa1629fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffaa1650000 | 0x7ffaa16a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffaa3390000 | 0x7ffaa3539fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #44: lsass.exe
0
0
| Information | Value |
|---|---|
| ID | #44 |
| File Name | c:\windows\system32\lsass.exe |
| Command Line | C:\Windows\system32\lsass.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:09, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:25 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1d8 |
| Parent PID | 0x178 (c:\windows\system32\wininit.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
1DC
0x
0
0x
1E0
0x
1E4
0x
1E8
0x
1EC
0x
1F4
0x
1F8
0x
1FC
0x
200
0x
204
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x0000008565760000 | 0x8565760000 | 0x856577ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008565760000 | 0x8565760000 | 0x856576ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008565770000 | 0x8565770000 | 0x8565770fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008565780000 | 0x8565780000 | 0x856578efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000008565790000 | 0x8565790000 | 0x856580ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008565810000 | 0x8565810000 | 0x8565813fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000008565820000 | 0x8565820000 | 0x8565820fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000008565830000 | 0x8565830000 | 0x8565831fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x8565840000 | 0x85658bdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000085658c0000 | 0x85658c0000 | 0x856593ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008565940000 | 0x8565940000 | 0x8565946fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008565950000 | 0x8565950000 | 0x8565956fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008565960000 | 0x8565960000 | 0x856596ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008565970000 | 0x8565970000 | 0x856597ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008565980000 | 0x8565980000 | 0x8565a7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008565a80000 | 0x8565a80000 | 0x8565afffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008565b00000 | 0x8565b00000 | 0x8565b7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008565b80000 | 0x8565b80000 | 0x8565b82fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000008565b90000 | 0x8565b90000 | 0x8565b90fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008565ba0000 | 0x8565ba0000 | 0x8565baffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008565bb0000 | 0x8565bb0000 | 0x8565bbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008565bc0000 | 0x8565bc0000 | 0x8565c3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008565c40000 | 0x8565c40000 | 0x856603bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000008566040000 | 0x8566040000 | 0x8566040fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008566040000 | 0x8566040000 | 0x8566040fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008566040000 | 0x8566040000 | 0x8566140fff | Private Memory | Readable, Writable |
|
|
|
- |
| c_28591.nls | 0x8566040000 | 0x8566050fff | Memory Mapped File | Readable |
|
|
|
- |
| sortdefault.nls | 0x8566060000 | 0x8566334fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000008566340000 | 0x8566340000 | 0x856634ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008566340000 | 0x8566340000 | 0x8566340fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008566350000 | 0x8566350000 | 0x85663cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000085663d0000 | 0x85663d0000 | 0x85663d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000085663e0000 | 0x85663e0000 | 0x85663e0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000085663f0000 | 0x85663f0000 | 0x85663f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008566400000 | 0x8566400000 | 0x8566400fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008566410000 | 0x8566410000 | 0x8566410fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008566420000 | 0x8566420000 | 0x8566420fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008566430000 | 0x8566430000 | 0x8566430fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008566440000 | 0x8566440000 | 0x8566440fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008566450000 | 0x8566450000 | 0x85664cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000085664d0000 | 0x85664d0000 | 0x856654ffff | Private Memory | Readable, Writable |
|
|
|
- |
| b2178b99-f9f6-47ad-b0eb-4e709bc8dfda | 0x8566550000 | 0x8566550fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000008566550000 | 0x8566550000 | 0x8566550fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008566550000 | 0x8566550000 | 0x85665cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000085665d0000 | 0x85665d0000 | 0x85665d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff67b63a000 | 0x7ff67b63a000 | 0x7ff67b63bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff67b63c000 | 0x7ff67b63c000 | 0x7ff67b63dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff67b63e000 | 0x7ff67b63e000 | 0x7ff67b63ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff67b640000 | 0x7ff67b640000 | 0x7ff67b73ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff67b740000 | 0x7ff67b740000 | 0x7ff67b762fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff67b763000 | 0x7ff67b763000 | 0x7ff67b764fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff67b765000 | 0x7ff67b765000 | 0x7ff67b766fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff67b767000 | 0x7ff67b767000 | 0x7ff67b768fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff67b769000 | 0x7ff67b769000 | 0x7ff67b76afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff67b76b000 | 0x7ff67b76b000 | 0x7ff67b76cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff67b76d000 | 0x7ff67b76d000 | 0x7ff67b76efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff67b76f000 | 0x7ff67b76f000 | 0x7ff67b76ffff | Private Memory | Readable, Writable |
|
|
|
- |
| lsass.exe | 0x7ff67c3c0000 | 0x7ff67c3cdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| scecli.dll | 0x7ffa9faa0000 | 0x7ffa9fae6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| credssp.dll | 0x7ffa9fae0000 | 0x7ffa9fae9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dpapisrv.dll | 0x7ffa9faf0000 | 0x7ffa9fb22fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| efslsaext.dll | 0x7ffa9fb30000 | 0x7ffa9fb41fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| schannel.dll | 0x7ffa9fb50000 | 0x7ffa9fbbafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wdigest.dll | 0x7ffa9fbc0000 | 0x7ffa9fbf9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ffa9fc00000 | 0x7ffa9fc34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| livessp.dll | 0x7ffa9fc40000 | 0x7ffa9fc9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pku2u.dll | 0x7ffa9fca0000 | 0x7ffa9fce6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| tspkg.dll | 0x7ffa9fcf0000 | 0x7ffa9fd0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7ffa9fd10000 | 0x7ffa9fd2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x7ffa9fd30000 | 0x7ffa9fd6cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x7ffa9fd70000 | 0x7ffa9fe12fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netlogon.dll | 0x7ffa9fe20000 | 0x7ffa9feeefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msv1_0.dll | 0x7ffa9fef0000 | 0x7ffa9ff57fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x7ffa9ff60000 | 0x7ffa9ffb7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ffa9ffc0000 | 0x7ffa9ffddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kerberos.dll | 0x7ffa9ffe0000 | 0x7ffaa00cafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptdll.dll | 0x7ffaa00d0000 | 0x7ffaa00e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| negoexts.dll | 0x7ffaa00f0000 | 0x7ffaa0115fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netjoin.dll | 0x7ffaa0120000 | 0x7ffaa016ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msprivs.dll | 0x7ffaa0170000 | 0x7ffaa0171fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntasn1.dll | 0x7ffaa0180000 | 0x7ffaa01b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ncrypt.dll | 0x7ffaa01c0000 | 0x7ffaa01e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ffaa01f0000 | 0x7ffaa0215fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samsrv.dll | 0x7ffaa0220000 | 0x7ffaa02edfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lsasrv.dll | 0x7ffaa0370000 | 0x7ffaa04ccfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspisrv.dll | 0x7ffaa04d0000 | 0x7ffaa04dafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7ffaa04e0000 | 0x7ffaa050afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffaa0510000 | 0x7ffaa056ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffaa0570000 | 0x7ffaa0579fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| powrprof.dll | 0x7ffaa06b0000 | 0x7ffaa06f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ffaa0700000 | 0x7ffaa0713fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x7ffaa07b0000 | 0x7ffaa07c1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x7ffaa07d0000 | 0x7ffaa09a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7ffaa0a60000 | 0x7ffaa0aa9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffaa0b00000 | 0x7ffaa0c0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffaa0c10000 | 0x7ffaa0d45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffaa1340000 | 0x7ffaa13e6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ffaa1490000 | 0x7ffaa14e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffaa14f0000 | 0x7ffaa1629fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ffaa1630000 | 0x7ffaa1638fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffaa1650000 | 0x7ffaa16a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffaa16b0000 | 0x7ffaa1754fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffaa3390000 | 0x7ffaa3539fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
