83870dd4...d947 | Grouped Behavior
VTI SCORE: 90/100
Dynamic Analysis Report
Classification: Riskware, Wiper, Trojan, Ransomware

83870dd4c1c44775e9c3aa5d5bd4abce782cb07f3454de4a82bf24f26381d947 (SHA256)

WscParent.exe

Windows Exe (x86-32)

Created at 2018-10-03 03:10:00

Notifications (2/2)

Some extracted files may be missing in the report since the total file extraction size limit was reached during the analysis. You can increase the limit in the configuration settings.

The operating system was rebooted during the analysis.

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0xa5c Analysis Target High (Elevated) wscparent.exe "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\WscParent.exe" -
#2 0xa6c Child Process High (Elevated) wscparent.exe "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\WscParent.exe" #1
#3 0xa78 Child Process High (Elevated) cmd.exe "C:\Windows\system32\cmd.exe" #2
#4 0xab8 Child Process High (Elevated) mode.com mode con cp select=1251 #3
#5 0xae0 Child Process High (Elevated) vssadmin.exe vssadmin delete shadows /all /quiet #3

Behavior Information - Grouped by Category

Process #1: wscparent.exe
214 0
Information Value
ID #1
File Name c:\users\5p5nrgjn0js halpmcxz\desktop\wscparent.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\WscParent.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:37, Reason: Analysis Target
Unmonitor End Time: 00:01:56, Reason: Self Terminated
Monitor Duration 00:00:19
OS Process Information
Information Value
PID 0xa5c
Parent PID 0x568 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory rw True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File rwx False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory r True False False -
locale.nls 0x001a0000 0x00206fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0021ffff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0029ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0035ffff Private Memory rw True False False -
rsaenh.dll 0x002a0000 0x002dbfff Memory Mapped File r False False False -
~dfc7797a38c36d9797.tmp 0x002a0000 0x0031ffff Memory Mapped File rw True True False
pagefile_0x0000000000320000 0x00320000 0x00326fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000330000 0x00330000 0x00331fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000340000 0x00340000 0x00340fff Pagefile Backed Memory r True False False -
private_0x0000000000350000 0x00350000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x003dffff Private Memory rw True False False -
pagefile_0x00000000003e0000 0x003e0000 0x003e0fff Pagefile Backed Memory r True False False -
private_0x00000000003f0000 0x003f0000 0x003f0fff Private Memory rwx True False False -
wscparent.exe 0x00400000 0x00445fff Memory Mapped File rwx True True False
pagefile_0x0000000000450000 0x00450000 0x004cffff Pagefile Backed Memory rw True False False -
private_0x00000000004d0000 0x004d0000 0x005cffff Private Memory rw True False False -
pagefile_0x00000000005d0000 0x005d0000 0x00757fff Pagefile Backed Memory r True False False -
private_0x00000000007b0000 0x007b0000 0x007bffff Private Memory rw True False False -
pagefile_0x00000000007c0000 0x007c0000 0x00940fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000950000 0x00950000 0x01d4ffff Pagefile Backed Memory r True False False -
private_0x0000000001d50000 0x01d50000 0x0214ffff Private Memory rw True False False -
sortdefault.nls 0x02150000 0x0241efff Memory Mapped File r False False False -
private_0x0000000002420000 0x02420000 0x025fffff Private Memory rw True False False -
private_0x0000000002420000 0x02420000 0x0255ffff Private Memory rw True False False -
pagefile_0x0000000002420000 0x02420000 0x024fefff Pagefile Backed Memory r True False False -
private_0x0000000002520000 0x02520000 0x0255ffff Private Memory rw True False False -
private_0x00000000025c0000 0x025c0000 0x025fffff Private Memory rw True False False -
private_0x0000000002600000 0x02600000 0x027affff Private Memory rw True False False -
pagefile_0x0000000002600000 0x02600000 0x0267ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000002680000 0x02680000 0x026fffff Pagefile Backed Memory rw True False False -
private_0x0000000002770000 0x02770000 0x027affff Private Memory rw True False False -
private_0x00000000027b0000 0x027b0000 0x0294ffff Private Memory rw True False False -
pagefile_0x00000000027b0000 0x027b0000 0x0282ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000002830000 0x02830000 0x028affff Pagefile Backed Memory rw True False False -
private_0x0000000002940000 0x02940000 0x0294ffff Private Memory rw True False False -
pagefile_0x0000000002950000 0x02950000 0x02d4ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000002d50000 0x02d50000 0x03142fff Pagefile Backed Memory r True False False -
private_0x0000000003150000 0x03150000 0x032fffff Private Memory rw True False False -
pagefile_0x0000000003300000 0x03300000 0x036fffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000003700000 0x03700000 0x03afffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000003b00000 0x03b00000 0x03efffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000003f00000 0x03f00000 0x042fffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000004300000 0x04300000 0x046fffff Pagefile Backed Memory rw True False False -
staticcache.dat 0x04700000 0x0502ffff Memory Mapped File r False False False -
msvbvm60.dll 0x72940000 0x72a92fff Memory Mapped File rwx True False False -
dwmapi.dll 0x74f40000 0x74f52fff Memory Mapped File rwx False False False -
uxtheme.dll 0x74f60000 0x74fdffff Memory Mapped File rwx False False False -
wow64cpu.dll 0x74ff0000 0x74ff7fff Memory Mapped File rwx False False False -
wow64win.dll 0x75000000 0x7505bfff Memory Mapped File rwx False False False -
wow64.dll 0x75060000 0x7509efff Memory Mapped File rwx False False False -
rsaenh.dll 0x75440000 0x7547afff Memory Mapped File rwx False False False -
cryptsp.dll 0x75480000 0x75495fff Memory Mapped File rwx False False False -
sxs.dll 0x754a0000 0x754fefff Memory Mapped File rwx False False False -
cryptbase.dll 0x75600000 0x7560bfff Memory Mapped File rwx False False False -
sspicli.dll 0x75610000 0x7566ffff Memory Mapped File rwx False False False -
advapi32.dll 0x75720000 0x757bffff Memory Mapped File rwx False False False -
kernel32.dll 0x757c0000 0x758cffff Memory Mapped File rwx False False False -
usp10.dll 0x758d0000 0x7596cfff Memory Mapped File rwx False False False -
lpk.dll 0x75a70000 0x75a79fff Memory Mapped File rwx False False False -
msctf.dll 0x75ea0000 0x75f6bfff Memory Mapped File rwx False False False -
imm32.dll 0x75f80000 0x75fdffff Memory Mapped File rwx False False False -
msvcrt.dll 0x75fe0000 0x7608bfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76090000 0x7617ffff Memory Mapped File rwx False False False -
sechost.dll 0x761b0000 0x761c8fff Memory Mapped File rwx False False False -
kernelbase.dll 0x76260000 0x762a5fff Memory Mapped File rwx False False False -
oleaut32.dll 0x762b0000 0x7633efff Memory Mapped File rwx False False False -
ole32.dll 0x764e0000 0x7663bfff Memory Mapped File rwx False False False -
clbcatq.dll 0x76640000 0x766c2fff Memory Mapped File rwx False False False -
gdi32.dll 0x766d0000 0x7675ffff Memory Mapped File rwx False False False -
user32.dll 0x775b0000 0x776affff Memory Mapped File rwx False False False -
private_0x00000000776b0000 0x776b0000 0x777a9fff Private Memory rwx True False False -
private_0x00000000777b0000 0x777b0000 0x778cefff Private Memory rwx True False False -
ntdll.dll 0x778d0000 0x77a78fff Memory Mapped File rwx False False False -
ntdll.dll 0x77ab0000 0x77c2ffff Memory Mapped File rwx False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory r True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory rw True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory rw True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory rw True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory r True False False -
Created Files
Filename File Size Hash Values YARA Match Actions
C:\Users\5P5NRG~1\AppData\Local\Temp\VB2EFF.tmp 11.50 KB MD5: fc99e2df8e39fef063822a59536f0341
SHA1: 20e31c454bb6e619847976fca9a3774761bc86ef
SHA256: ad2670867637b02e65896b6733f5332e8e04aa38ee7a3b4f32bbe8b0395d8d36
SSDeep: 12:rl3bEBl/jbuF6lG0QDNsHpycl/8cl/c8l/ccl/ccl/pYAPVFAFA7iSVlNsBl0Cb/:r2jbQsA08cyUccy0pddFAFAc/eAE
False
c:\users\5p5nrg~1\appdata\local\temp\~dfc7797a38c36d9797.tmp 17.03 KB MD5: 768b6de60861d9516e5309a4030fa40a
SHA1: ce702a7ad7609b9493ba7df3c28d14d8c6870b9f
SHA256: c255227646d9606ae8b9eec0a36e61b03edc174128cc1492a27c08752554ad74
SSDeep: 96:CmG8CL3uSTdfB4DioGPWO6JM4DHxO6JM4DmTOU3nrH7H7HDbdnH7HkoGrURI7hk:S3jID0KD8KDmTOU3rbbjdbOURI7hk
False
C:\Users\5P5NRG~1\AppData\Local\Temp\VB2EDD.tmp 28.00 KB MD5: 411c54489c34049e2199610827061b0c
SHA1: 45c8b1cd0f797affa0278863e14fcdfbb408729a
SHA256: 511a7a4d360aeb07358c518453c936f10549be9d78dc8dec126ac5ffd738450c
SSDeep: 12:rl3bQl/8cl/qtl/ccl/cYFilG0QdsHp0VFAFA7iSIytOAeeeeeeeeeeeeeeeeeeN:rO8cUccymsMFAFAZNpCvL
False
C:\Users\5P5NRG~1\AppData\Local\Temp\VB2EDE.tmp 28.00 KB MD5: d7115377f2a1359ccce686121cf3cc6b
SHA1: 67bfc3cd6bb3f78b961946c40887e54051fad107
SHA256: 699c88ebead36086b0db197877cdda0547c9bc18bab5acdeb69258aab1584b97
SSDeep: 12:rl3bQl/8cl/qtl/ccl/cYF0lG0QdsHp0VFAFA7iSIytOAeeeeeeeeeeeeeeeeeeN:rO8cUccyYsMFAFAZNpCvL
False
C:\Users\5P5NRG~1\AppData\Local\Temp\VB2D18.tmp 28.00 KB MD5: bf69580d4635091a3184ace19c354390
SHA1: c2e81ea2d0815446914495caffc135bd558d47d9
SHA256: 3252d12276d8d94d19ecd3fdcd4b4aeb0b561647bc8b7095a6afbea567e04ccf
SSDeep: 12:rl3bQl/8cl/qtl/ccl/cYFTolG0QdsHp0VFAFA7iSIytOAeeeeeeeeeeeeeeeeeg:rO8cUccy4ZsMFAFAZNpCvL
False
C:\Users\5P5NRG~1\AppData\Local\Temp\VB2EEF.tmp 11.50 KB MD5: a2083c1d8c9d65724725a8329d632303
SHA1: 3018a18be1df123eeed4fa2bf2ce35449f43530b
SHA256: 59dec52e796b6c2a436f2f8cadb652ed645f5f2ccec38ba3fc1e3befa510a79b
SSDeep: 12:rl3bEBl/jbuFTYlG0QDNsHpycl/8cl/c8l/ccl/ccl/pYAPVFAFA7iSVlNsBl0CT:r2jbWsA08cyUccy0pddFAFAc/eAE
False
Host Behavior
COM (5)
Operation Class Interface Additional Information Success Count
Create D3E34B21-9D75-101A-8C3D-00AA001A1652 00000001-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER True 5
File (57)
Operation Filename Additional Information Success Count
Create C:\Users\5P5NRG~1\AppData\Local\Temp\VB2D18.tmp desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\VB2EDD.tmp desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\VB2EDE.tmp desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\VB2EEF.tmp desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\VB2EFF.tmp desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create Temp File C:\Users\5P5NRG~1\AppData\Local\Temp\VB2D18.tmp path = C:\Users\5P5NRG~1\AppData\Local\Temp\, prefix = VB True 1
Create Temp File C:\Users\5P5NRG~1\AppData\Local\Temp\VB2EDD.tmp path = C:\Users\5P5NRG~1\AppData\Local\Temp\, prefix = VB True 1
Create Temp File C:\Users\5P5NRG~1\AppData\Local\Temp\VB2EDE.tmp path = C:\Users\5P5NRG~1\AppData\Local\Temp\, prefix = VB True 1
Create Temp File C:\Users\5P5NRG~1\AppData\Local\Temp\VB2EEF.tmp path = C:\Users\5P5NRG~1\AppData\Local\Temp\, prefix = VB True 1
Create Temp File C:\Users\5P5NRG~1\AppData\Local\Temp\VB2EFF.tmp path = C:\Users\5P5NRG~1\AppData\Local\Temp\, prefix = VB True 1
Get Info STD_INPUT_HANDLE type = file_type False 1
Get Info STD_OUTPUT_HANDLE type = file_type False 1
Get Info STD_ERROR_HANDLE type = file_type False 1
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\VB2D18.tmp type = file_type True 1
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\VB2EDD.tmp type = file_type True 1
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\VB2EDE.tmp type = file_type True 1
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\VB2EEF.tmp type = file_type True 1
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\VB2EFF.tmp type = file_type True 1
Get Info C:\Windows\system32\.HLP type = file_attributes False 2
Get Info C:\Windows\Help\.HLP type = file_attributes False 2
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write C:\Users\5P5NRG~1\AppData\Local\Temp\VB2D18.tmp size = 4096 True 7
Write C:\Users\5P5NRG~1\AppData\Local\Temp\VB2EDD.tmp size = 4096 True 7
Write C:\Users\5P5NRG~1\AppData\Local\Temp\VB2EDE.tmp size = 4096 True 7
Write C:\Users\5P5NRG~1\AppData\Local\Temp\VB2EEF.tmp size = 4096 True 2
Write C:\Users\5P5NRG~1\AppData\Local\Temp\VB2EEF.tmp size = 3584 True 1
Write C:\Users\5P5NRG~1\AppData\Local\Temp\VB2EFF.tmp size = 4096 True 2
Write C:\Users\5P5NRG~1\AppData\Local\Temp\VB2EFF.tmp size = 3584 True 1
Delete C:\Users\5P5NRG~1\AppData\Local\Temp\VB2D18.tmp - True 1
Delete C:\Users\5P5NRG~1\AppData\Local\Temp\VB2EDD.tmp - True 1
Delete C:\Users\5P5NRG~1\AppData\Local\Temp\VB2EDE.tmp - True 1
Delete C:\Users\5P5NRG~1\AppData\Local\Temp\VB2EEF.tmp - True 1
Delete C:\Users\5P5NRG~1\AppData\Local\Temp\VB2EFF.tmp - True 1
Registry (7)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors - False 2
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows - True 2
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\HTML Help - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Help - False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\HTML Help value_name = .HLP, data = 120 False 1
Process (1)
Operation Process Additional Information Success Count
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\WscParent.exe os_pid = 0xa6c, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Thread (3)
Operation Process Additional Information Success Count
Get Context c:\users\5p5nrgjn0js halpmcxz\desktop\wscparent.exe os_tid = 0xa60 True 1
Set Context c:\users\5p5nrgjn0js halpmcxz\desktop\wscparent.exe os_tid = 0xa60 True 1
Resume c:\users\5p5nrgjn0js halpmcxz\desktop\wscparent.exe os_tid = 0xa60 True 1
Memory (6)
Operation Process Additional Information Success Count
Allocate C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\WscParent.exe address = 0x3f0004, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 5358144 True 1
Write C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\WscParent.exe address = 0x400000, size = 1024 True 1
Write C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\WscParent.exe address = 0x40e000, size = 43008 True 1
Write C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\WscParent.exe address = 0x40b000, size = 10240 True 1
Write C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\WscParent.exe address = 0x401000, size = 40448 True 1
Write C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\WscParent.exe address = 0x7efde008, size = 4 True 1
Module (105)
Operation Module Additional Information Success Count
Load OLEAUT32.DLL base_address = 0x762b0000 True 1
Load SXS.DLL base_address = 0x754a0000 True 1
Load kernel32.dll base_address = 0x757c0000 True 1
Load c:\windows\system32\user32 base_address = 0x775b0000 True 1
Load ntdll base_address = 0x77ab0000 True 6
Load kernel32 base_address = 0x757c0000 True 3
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x757c0000 True 2
Get Handle c:\users\5p5nrgjn0js halpmcxz\desktop\wscparent.exe base_address = 0x400000 True 1
Get Handle c:\windows\syswow64\oleaut32.dll base_address = 0x762b0000 True 1
Get Handle c:\windows\syswow64\ole32.dll base_address = 0x764e0000 True 1
Get Handle c:\windows\syswow64\user32.dll base_address = 0x775b0000 True 1
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\wscparent.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\WscParent.exe, size = 260 True 3
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\wscparent.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260 True 3
Get Filename c:\users\5p5nrgjn0js halpmcxz\desktop\wscparent.exe process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\wscparent.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\WscParent.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsTNT, address_out = 0x0 False 1
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x757d5235 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = OleLoadPictureEx, address_out = 0x763170a1 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = DispCallFunc, address_out = 0x762c3dcf True 1
Get Address c:\windows\syswow64\oleaut32.dll function = LoadTypeLibEx, address_out = 0x762c07b7 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = UnRegisterTypeLib, address_out = 0x762e1ca9 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = CreateTypeLib2, address_out = 0x762c8e70 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDateFromUdate, address_out = 0x762c7684 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarUdateFromDate, address_out = 0x762ccc98 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = GetAltMonthNames, address_out = 0x762f903a True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarNumFromParseNum, address_out = 0x762c6231 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarParseNumFromStr, address_out = 0x762c5fea True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromR4, address_out = 0x762d3f94 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromR8, address_out = 0x762d4e9e True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromDate, address_out = 0x762fdb72 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromI4, address_out = 0x762e2a8c True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromCy, address_out = 0x762fd737 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarR4FromDec, address_out = 0x762fe015 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = GetRecordInfoFromTypeInfo, address_out = 0x762fcc3d True 1
Get Address c:\windows\syswow64\oleaut32.dll function = GetRecordInfoFromGuids, address_out = 0x762fd1c4 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayGetRecordInfo, address_out = 0x762fd48c True 1
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArraySetRecordInfo, address_out = 0x762fd4c6 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayGetIID, address_out = 0x762fd509 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArraySetIID, address_out = 0x762ce7bb True 1
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayCopyData, address_out = 0x762ce496 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayAllocDescriptorEx, address_out = 0x762cddf1 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayCreateEx, address_out = 0x762fd53f True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormat, address_out = 0x76302055 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatDateTime, address_out = 0x763020ea True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatNumber, address_out = 0x76302151 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatPercent, address_out = 0x763021f5 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatCurrency, address_out = 0x76302288 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarWeekdayName, address_out = 0x76302335 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarMonthName, address_out = 0x763023d5 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarAdd, address_out = 0x762d5934 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarAnd, address_out = 0x762d5a98 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarCat, address_out = 0x762d59b4 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDiv, address_out = 0x7632e405 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarEqv, address_out = 0x7632ef07 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarIdiv, address_out = 0x7632f00a True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarImp, address_out = 0x7632ef47 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarMod, address_out = 0x7632f15e True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarMul, address_out = 0x7632dbd4 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarOr, address_out = 0x7632ecfa True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarPow, address_out = 0x7632ea66 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarSub, address_out = 0x7632d332 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarXor, address_out = 0x7632ee2e True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarAbs, address_out = 0x7632ca11 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarFix, address_out = 0x7632cc5f True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarInt, address_out = 0x7632cde7 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarNeg, address_out = 0x7632c802 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarNot, address_out = 0x7632ec66 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarRound, address_out = 0x7632d155 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarCmp, address_out = 0x762cb0dc True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecAdd, address_out = 0x762e5f3e True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecCmp, address_out = 0x762d4fd0 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarBstrCat, address_out = 0x762d0d2c True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarCyMulI4, address_out = 0x762e59ed True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarBstrCmp, address_out = 0x762bf8b8 True 1
Get Address c:\windows\syswow64\ole32.dll function = CoCreateInstanceEx, address_out = 0x76529d4e True 1
Get Address c:\windows\syswow64\ole32.dll function = CLSIDFromProgIDEx, address_out = 0x764f0782 True 1
Get Address c:\windows\syswow64\sxs.dll function = SxsOleAut32MapIIDOrCLSIDToTypeLibrary, address_out = 0x754e7685 True 1
Get Address c:\windows\syswow64\user32.dll function = GetSystemMetrics, address_out = 0x775c7d2f True 1
Get Address c:\windows\syswow64\user32.dll function = MonitorFromWindow, address_out = 0x775d3150 True 1
Get Address c:\windows\syswow64\user32.dll function = MonitorFromRect, address_out = 0x775ee7a0 True 1
Get Address c:\windows\syswow64\user32.dll function = MonitorFromPoint, address_out = 0x775d5281 True 1
Get Address c:\windows\syswow64\user32.dll function = EnumDisplayMonitors, address_out = 0x775d451a True 1
Get Address c:\windows\syswow64\user32.dll function = GetMonitorInfoA, address_out = 0x775d4413 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetProcessDEPPolicy, address_out = 0x757eeb9a True 1
Get Address c:\windows\syswow64\user32.dll function = CallWindowProcA, address_out = 0x775d792f True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtAllocateVirtualMemory, address_out = 0x77acfab0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x757d5223 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x757d103d True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtUnmapViewOfSection, address_out = 0x77acfc70 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteVirtualMemory, address_out = 0x77acfe04 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtGetContextThread, address_out = 0x77ad0c20 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtSetContextThread, address_out = 0x77ad1910 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtResumeThread, address_out = 0x77ad0058 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetExitCodeProcess, address_out = 0x757e174d True 1
Window (6)
Operation Window Name Additional Information Success Count
Create - class_name = ThunderRT6Main, wndproc_parameter = 0 True 1
Create - class_name = VBMsoStdCompMgr, wndproc_parameter = 0 True 1
Create - class_name = VBFocusRT6, wndproc_parameter = 0 True 1
Create Form1 wndproc_parameter = 0 True 1
Set Attribute - class_name = VBMsoStdCompMgr, index = 0, new_long = 41361564 False 1
Set Attribute - class_name = VBMsoStdCompMgr, index = 0, new_long = 0 True 1
Keyboard (1)
Operation Additional Information Success Count
Get Info type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 True 1
System (10)
Operation Additional Information Success Count
Get Cursor x_out = 859, y_out = 336 True 1
Sleep duration = 0 milliseconds (0.000 seconds) True 1
Register Hook type = WH_MSGFILTER, hookproc_address = 0x729a1e09 True 1
Get Info type = Operating System True 3
Get Info type = Operating System True 2
Get Info type = Hardware Information True 1
Get Info type = Windows Directory, result_out = C:\Windows True 1
Mutex (1)
Operation Additional Information Success Count
Create - True 1
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Ini (2)
Operation Filename Additional Information Success Count
Read WINHELP.INI section_name = FILES, key_name = .HLP False 2
Process #2: wscparent.exe
1873 0
Information Value
ID #2
File Name c:\users\5p5nrgjn0js halpmcxz\desktop\wscparent.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\WscParent.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:05:22, Reason: Terminated by Timeout
Monitor Duration 00:03:32
OS Process Information
Information Value
PID 0xa6c
Parent PID 0xa5c (c:\users\5p5nrgjn0js halpmcxz\desktop\wscparent.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA70
0xA74
0xA80
0xA84
0xA88
0xA8C
0xAA0
0xAA4
0xAA8
0xAAC
0xAB0
0xAB4
0xAC4
0xAC8
0xACC
0xAD0
0xAD4
0xADC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
imm32.dll 0x00020000 0x0003dfff Memory Mapped File r False False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory rw True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File rwx False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory r True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #1: c:\users\5p5nrgjn0js halpmcxz\desktop\wscparent.exe 0xa60 address = 0x400000, size = 1024 True 1
Modify Memory #1: c:\users\5p5nrgjn0js halpmcxz\desktop\wscparent.exe 0xa60 address = 0x40e000, size = 43008 True 1
Modify Memory #1: c:\users\5p5nrgjn0js halpmcxz\desktop\wscparent.exe 0xa60 address = 0x40b000, size = 10240 True 1
Modify Memory #1: c:\users\5p5nrgjn0js halpmcxz\desktop\wscparent.exe 0xa60 address = 0x401000, size = 40448 True 1
Modify Memory #1: c:\users\5p5nrgjn0js halpmcxz\desktop\wscparent.exe 0xa60 address = 0x7efde008, size = 4 True 1
Modify Control Flow #1: c:\users\5p5nrgjn0js halpmcxz\desktop\wscparent.exe 0xa60 os_tid = 0xa70, address = 0x77ac01c4 True 1
Created Files
Filename File Size Hash Values YARA Match Actions
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\WscParent.exe 272.00 KB MD5: a51357c529b915b24d18105d30c9dd91
SHA1: 77ab5f79590793bce0d3901b4a39ffccdec0e391
SHA256: 83870dd4c1c44775e9c3aa5d5bd4abce782cb07f3454de4a82bf24f26381d947
SSDeep: 3072:FiGqGhFIcZLkdFoB6CPYqivJUBe9hxWK+:NIMAsbLqJUBe9s
False
False
C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.PNG.id-9C354B42.[btc@fros.cc].btc 1.88 KB MD5: 551b352b22e5dcf2dc2a9a79f4740d32
SHA1: 0cd7406a8b417f8640939823f0383dcf97cdd3a4
SHA256: cd16686379ff75205757570949a48e9e0adf82a2df450808b5db126755e31842
SSDeep: 24:yz0IATVMN8JR77rfLZu3KmsiHwmi4HFbfHRJ411dVe50cjiJ67HcS+DkQrDa:O0IfN4rfLZUKl5qlzHRw1Lerh3+DkQrG
False
C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc 20.33 KB MD5: b720259ce00e042b6c80d42401ae86d3
SHA1: fd5bc71f579eaf729ea5eede2321de66f491c21e
SHA256: 3370b5be9ae8a58223abef6f7ed91f680def3f476591bf0478a02eba694a9899
SSDeep: 384:ZOz8NAlPlWcddtyMDAxsGgxPme5PErJXi3Av6+vrAw17Srh304R4RWd3:2BRMcdvTRGmm0srJ4AiGRcl5N
False
C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc 2.07 KB MD5: 24cfe0180b3623b8c440fd14ae1a4476
SHA1: bf49e73ad265e30cd4b13cc6dfec7c82bfae2511
SHA256: 0b2ec7fa8a0e857eb3b10f5821be1a6fef701a35fa4448273ce945a6ed4aa0b7
SSDeep: 48:7cGcysewIN/loZfNgDy5e4hVq/FrjwZFRquOKVGM+WkrY:7cGBZSZfNZ5pkpGsubcY
False
C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml.id-9C354B42.[btc@fros.cc].btc 1.44 KB MD5: 98448cea542eeafc310431ef040c239f
SHA1: 98a2def9f16e57899fe3c7c2cc0f04d7e241a4c3
SHA256: ede75a938a838d14003f3648f9e998f01f7f64be628a322876e88cd0e47c5299
SSDeep: 24:hJHLjKC804crXws3axjwAbU6H71T4DdTWHpfAOwhLikKamTYk1w/2PSWxZZnuyey:u04c8sapH7p4DdaHpfAOwhxmskSe1pug
False
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\GrooveMUI.XML.id-9C354B42.[btc@fros.cc].btc 1.14 KB MD5: 9ad92651ba456bcec196c2e6dd05ded9
SHA1: d5b7acd4990c7914cadf2ae20a0ad58019c2050f
SHA256: 41c1f88302d8cb0262d20139dfe77ed5181a52bfd2a4f8ec0e918680789ec4d9
SSDeep: 24:3ZapcEu9U2hz9QUsyTT4ocU3wFbq0KKsx8EPsIRHo+AALECrD0:JapcEcUEVsBo/wRqpKLkNRHorCrA
False
C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\PrjProrWW.xml.id-9C354B42.[btc@fros.cc].btc 6.51 KB MD5: bb99cb0e2fed8edc5e99cd0ceb57e88c
SHA1: b386a00aa3b9b775b7e2a621e2fe96c96314f525
SHA256: 25747f9ba3e07605e083b7dfb0bda6229c108ffa86219de22c8b0c7cd4da6b21
SSDeep: 192:OMm3bIR62tLtltEy+g04NAtpC6EeJQDb46:OlbAvn/Qg0vb12v
False
C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\Office32WW.xml.id-9C354B42.[btc@fros.cc].btc 4.42 KB MD5: c100de8840bad17fbde59f1ed1f71781
SHA1: d4048a7b943aa760abafb8f7af8d56245a95a421
SHA256: f2fcab4ed5858f5d0d75e1d86ad5af171be7d1c0a8bf71209841f3913efd2a11
SSDeep: 96:FDwQuEvLV+k9QvfH+rrPTRS9UEAZ8/FL+lokjDIWoB0KPRCoYeJZW:FsQPkk9YfHwPtVEAZ8/F+XDAB5J7Ye6
False
C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.EPS.id-9C354B42.[btc@fros.cc].btc 14.94 KB MD5: fe2a09f174b87bdf630de980cb9da67f
SHA1: 3b7e2fd009f713c80d39adb674b969e9af573025
SHA256: 893ea4e0abeee418f99a39f019f0c7f2c520c94f48b7bb381d8fd0849e391bd8
SSDeep: 384:KRc4BbZ4P57/LCni1sz/Hmao+CHUStsvBPTdZtpDOQea5:54tZi57Z+S+CHKBLd3pDka5
False
C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc 2.47 KB MD5: 454821ca3e43c9783e052ac25cb54a2b
SHA1: 2f6874860cab2367d4c12dd6acae0aa5d7cd91c2
SHA256: d9385ec41d84268cbd866ef17350bb72147684fd4332f88c45139c91f94158de
SSDeep: 48:GWwVipP/YMLpscx++HQXvgvnEp0wNfhif67Zq8TrY:SoHjacx++HQiEp06fhif67c8fY
False
C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc 16.52 KB MD5: 2ebd106a6cd1260e09ed3c32c9d1c052
SHA1: 86ed0fc7d5bd80d71e6f9a56c350ab52a61103d7
SHA256: a9b09c4d536ddc7416ecb37f89c14510237f9666447ae5d45acf1a892402455a
SSDeep: 384:kCebmlZiEfXHvR5T7BmexCXP2NihNzkLy9vLVcyxmpX9cjUXu:W4HnR5fBfxW6ihNOyZFmh9eUe
False
C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc 6.33 KB MD5: 925bbdf58f4c42ce17de89302926d04b
SHA1: a127285a0a43c0be30a24d1f4c7ea7373cc8c3e7
SHA256: 3db9888ba4a020bbea97fef50224a280170fb165c7961b826b264f28aa63f836
SSDeep: 192:CbLOuTvvved9uH69577bp3xWEa6kLujIy6ICI7:CPOuTXvey+xBWz3LuEy6ICI7
False
C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab.id-9C354B42.[btc@fros.cc].btc 10.00 MB MD5: 0132354deb06c352353675fce278a129
SHA1: 82f447263c0d4d83d398af15034413083edcbc35
SHA256: 8e5451128ff68d309300dd54c2a3bb83f196e6fefb39f1e8d6b7c24b8a6f7307
SSDeep: 196608:TIwm3nNVAl+ig71eZ8FclBElWHEbyLbyo9crpLlR8ioLO0ZF9CrpbQ:OL71eiFge/GHyo2rpLkcoCrpbQ
False
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml.id-9C354B42.[btc@fros.cc].btc 1.55 KB MD5: 3b4226c2f0a31888d750c3bd5b8aea31
SHA1: 6f8fdf226927ffb69fb113ba3541c78546418324
SHA256: 35c569a91cff83312c1805cef7f00af40806506db77e6033ae9b28db9767daac
SSDeep: 24:mqeox0ifk11P1i0ycYplgdwJtUyPbL7nUiTqz1gGzQizeyPfChhnymibHDoHo5hv:mqeox/M119i0Bnw7dznLGcK43wBM1rY
False
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml.id-9C354B42.[btc@fros.cc].btc 5.67 KB MD5: 4002b453a8ec4c63e29ae850e76b75d1
SHA1: 954de66867bae63c534b943f6b5f504bfb5193e9
SHA256: 94a27d94de68660f7b5d22a4d17f2f685c3efb76c2370f8c61a179e44e760ade
SSDeep: 96:IOJYuH2Nqtln3QErgDKqsx3tAHZ7BvmCIcnl8g5cetb/zk5Gt49VajGlbA:IOJYuH7lnLlx34NpmOn+gXp/45b76
False
C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc 1.80 KB MD5: ecb1b95bc6f63d33a6a1fa7256e5ef0e
SHA1: 40965f44c3e535674f7fd7f8860a58280a40b9a2
SHA256: 934dd38c7234d765046e655ae087525e45b6bce51219c117bb3c12a2e313d488
SSDeep: 48:ozCQz3iwBveiqoEIZCGV0GlXFgstqlUmhJ7TXI26KhpAAWrY:ozCQz3i6Xv5gsgl7J7TYT4dyY
False
Host Behavior
File (1407)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\WscParent.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Windows\System32\WscParent.exe desired_access = GENERIC_WRITE True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\WscParent.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 2
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WscParent.exe desired_access = GENERIC_WRITE True 1
Create C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WscParent.exe desired_access = GENERIC_WRITE True 1
Create C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000\desktop.ini desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000\desktop.ini desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000\desktop.ini.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Boot\BCD.LOG desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Boot\BOOTSTAT.DAT desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Boot\BOOTSTAT.DAT desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Boot\BOOTSTAT.DAT.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\BOOTSECT.BAK desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\BOOTSECT.BAK desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\BOOTSECT.BAK.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Boot\BCD desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Boot\BCD.LOG1 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Boot\BCD.LOG2 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Boot\cs-CZ\bootmgr.exe.mui desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Boot\cs-CZ\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Boot\da-DK\bootmgr.exe.mui desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Boot\da-DK\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Boot\de-DE\bootmgr.exe.mui desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Boot\de-DE\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Boot\el-GR\bootmgr.exe.mui desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Boot\el-GR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Boot\Fonts\jpn_boot.ttf desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Boot\Fonts\kor_boot.ttf desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Boot\Fonts\wgl4_boot.ttf desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Boot\fr-FR\bootmgr.exe.mui desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Boot\fr-FR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Boot\hu-HU\bootmgr.exe.mui desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Boot\hu-HU\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Boot\it-IT\bootmgr.exe.mui desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Boot\it-IT\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Boot\ja-JP\bootmgr.exe.mui desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Boot\ja-JP\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Boot\ko-KR\bootmgr.exe.mui desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Boot\ko-KR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Boot\memtest.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Boot\memtest.exe desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE, GENERIC_READ True 1
Create C:\Boot\Fonts\wgl4_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE, GENERIC_READ True 1
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE, GENERIC_READ True 1
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE, GENERIC_READ True 1
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE, GENERIC_READ True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\pss10r.chm desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE, GENERIC_READ True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\pss10r.chm desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\pss10r.chm.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\setup.chm desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\setup.chm desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\setup.chm.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE, GENERIC_READ True 1
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE, GENERIC_READ True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\branding.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\branding.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\branding.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE, GENERIC_READ True 1
Create C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\Office32WW.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\Office32WW.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\Office32WW.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\PrjProrWW.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE, GENERIC_READ True 1
Create C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\Office32WW.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\Office32WW.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\Office32WW.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE, GENERIC_READ True 1
Create C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\PrjProrWW.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\PrjProrWW.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\VisiorWW.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.EPS desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.EPS desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.EPS.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\VisiorWW.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\VisiorWW.xml.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.GIF desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.GIF desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.GIF.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.JPG desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.JPG desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.JPG.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.PNG desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.PNG desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.PNG.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE, GENERIC_READ True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE, GENERIC_READ True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ADO210.CHM.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE, GENERIC_READ True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\README.HTM desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUI.XML.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\SETUP.XML desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\README.HTM desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\README.HTM.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\ExcelMUI.XML desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\ExcelMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\ExcelMUI.XML.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\SETUP.XML desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\GrooveMUI.XML desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\GrooveMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\GrooveMUI.XML.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\SETUP.XML desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE, GENERIC_READ True 1
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE, GENERIC_READ True 1
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.msi desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.msi.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE, GENERIC_READ True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\InfoPathMUI.XML desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\InfoPathMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\InfoPathMUI.XML.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\SETUP.XML desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.XML desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.XML desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.XML.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OCT.CHM desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUI.XML desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUISet.XML desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OCT.CHM desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OCT.CHM.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE, GENERIC_READ True 1
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.msi desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.msi.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE, GENERIC_READ True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUI.XML.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSCONFIG.CHM desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.msi desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.msi.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE, GENERIC_READ True 1
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE, GENERIC_READ True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUISet.XML desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUISet.XML.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSCONFIG.CHM desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSCONFIG.CHM.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10O.CHM desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10O.CHM desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10O.CHM.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10R.CHM desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10R.CHM desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10R.CHM.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.CHM desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.XML desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.CHM desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.CHM.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\Office32MUI.XML desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\Office32MUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\Office32MUI.XML.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\SETUP.XML desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.WW\Office32WW.XML desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.WW\Office32WW.XML desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.WW\Office32WW.XML.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\OneNoteMUI.XML desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\OneNoteMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\OneNoteMUI.XML.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\SETUP.XML desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\OutlookMUI.XML desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\OutlookMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\OutlookMUI.XML.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\SETUP.XML desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.msi desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.msi.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE, GENERIC_READ True 1
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab.id-9C354B42.[btc@fros.cc].btc desired_access = GENERIC_WRITE, GENERIC_READ True 1
Create Pipe Anonymous read pipe size = 0 True 1
Create Pipe Anonymous read pipe size = 0 True 1
Get Info C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000\desktop.ini type = size, size_out = 129 True 1
Get Info C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000\desktop.ini type = file_attributes True 1
Get Info C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000\desktop.ini.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Boot\BOOTSTAT.DAT type = size, size_out = 65536 True 1
Get Info C:\Boot\BOOTSTAT.DAT type = file_attributes True 1
Get Info C:\Boot\BOOTSTAT.DAT.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\BOOTSECT.BAK type = size, size_out = 8192 True 1
Get Info C:\BOOTSECT.BAK type = file_attributes True 1
Get Info C:\BOOTSECT.BAK.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml type = size, size_out = 1565 True 1
Get Info C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml type = size, size_out = 2296 True 1
Get Info C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml type = size, size_out = 1450 True 1
Get Info C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml type = size, size_out = 1886 True 1
Get Info C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml type = size, size_out = 1450 True 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml type = size, size_out = 1608 True 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml type = size, size_out = 3186 True 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml type = size, size_out = 4207 True 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Boot\BCD.LOG1 type = size, size_out = 0 True 1
Get Info C:\Boot\BCD.LOG2 type = size, size_out = 0 True 1
Get Info C:\Boot\cs-CZ\bootmgr.exe.mui type = size, size_out = 89168 True 1
Get Info C:\Boot\cs-CZ\bootmgr.exe.mui type = file_attributes True 1
Get Info C:\Boot\cs-CZ\bootmgr.exe.mui.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Boot\da-DK\bootmgr.exe.mui type = size, size_out = 87616 True 1
Get Info C:\Boot\da-DK\bootmgr.exe.mui type = file_attributes True 1
Get Info C:\Boot\da-DK\bootmgr.exe.mui.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Boot\de-DE\bootmgr.exe.mui type = size, size_out = 91712 True 1
Get Info C:\Boot\de-DE\bootmgr.exe.mui type = file_attributes True 1
Get Info C:\Boot\de-DE\bootmgr.exe.mui.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Boot\el-GR\bootmgr.exe.mui type = size, size_out = 94800 True 1
Get Info C:\Boot\el-GR\bootmgr.exe.mui type = file_attributes True 1
Get Info C:\Boot\el-GR\bootmgr.exe.mui.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml type = size, size_out = 1800 True 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml type = size, size_out = 1347 True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml type = size, size_out = 1457 True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml type = size, size_out = 1458 True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml type = size, size_out = 811 True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml type = size, size_out = 5884 True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml type = size, size_out = 1383 True 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Boot\Fonts\kor_boot.ttf type = size, size_out = 2371360 True 1
Get Info C:\Boot\Fonts\kor_boot.ttf type = file_attributes True 1
Get Info C:\Boot\Fonts\kor_boot.ttf.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Boot\fr-FR\bootmgr.exe.mui type = size, size_out = 93248 True 1
Get Info C:\Boot\fr-FR\bootmgr.exe.mui type = file_attributes True 1
Get Info C:\Boot\fr-FR\bootmgr.exe.mui.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Boot\hu-HU\bootmgr.exe.mui type = size, size_out = 90688 True 1
Get Info C:\Boot\hu-HU\bootmgr.exe.mui type = file_attributes True 1
Get Info C:\Boot\hu-HU\bootmgr.exe.mui.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Boot\it-IT\bootmgr.exe.mui type = size, size_out = 90704 True 1
Get Info C:\Boot\it-IT\bootmgr.exe.mui type = file_attributes True 1
Get Info C:\Boot\it-IT\bootmgr.exe.mui.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Boot\ja-JP\bootmgr.exe.mui type = size, size_out = 76352 True 1
Get Info C:\Boot\ja-JP\bootmgr.exe.mui type = file_attributes True 1
Get Info C:\Boot\ja-JP\bootmgr.exe.mui.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Boot\ko-KR\bootmgr.exe.mui type = size, size_out = 75344 True 1
Get Info C:\Boot\ko-KR\bootmgr.exe.mui type = file_attributes True 1
Get Info C:\Boot\ko-KR\bootmgr.exe.mui.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Boot\memtest.exe type = size, size_out = 485760 True 1
Get Info C:\Boot\memtest.exe type = file_attributes True 1
Get Info C:\Boot\memtest.exe.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Boot\memtest.exe type = size, size_out = 16972987 True 1
Get Info C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Boot\Fonts\wgl4_boot.ttf type = size, size_out = 47452 True 1
Get Info C:\Boot\Fonts\wgl4_boot.ttf type = file_attributes True 1
Get Info C:\Boot\Fonts\wgl4_boot.ttf.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml type = size, size_out = 2362 True 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml type = size, size_out = 1231 True 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml type = size, size_out = 1852 True 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi type = size, size_out = 2506240 True 1
Get Info C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Boot\el-GR\bootmgr.exe.mui type = size, size_out = 2503680 True 1
Get Info C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Boot\Fonts\jpn_boot.ttf type = size, size_out = 1984228 True 1
Get Info C:\Boot\Fonts\jpn_boot.ttf type = file_attributes True 1
Get Info C:\Boot\Fonts\jpn_boot.ttf.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab type = size, size_out = 70361744 True 1
Get Info C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml type = size, size_out = 2424 True 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml type = size, size_out = 6241 True 1
Get Info C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml type = size, size_out = 9503 True 1
Get Info C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml type = size, size_out = 1606 True 1
Get Info C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml type = size, size_out = 1988 True 1
Get Info C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml type = size, size_out = 1452 True 1
Get Info C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml type = size, size_out = 1872 True 1
Get Info C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml type = size, size_out = 1452 True 1
Get Info C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml type = size, size_out = 913 True 1
Get Info C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi type = size, size_out = 2513920 True 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab type = size, size_out = 9958388 True 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml type = size, size_out = 819 True 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\pss10r.chm type = size, size_out = 27195 True 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\pss10r.chm type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\pss10r.chm.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml type = size, size_out = 596341 True 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml type = size, size_out = 5557 True 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\setup.chm type = size, size_out = 67190 True 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\setup.chm type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\setup.chm.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab type = size, size_out = 14819276 True 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi type = size, size_out = 2865664 True 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml type = size, size_out = 9352 True 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml type = size, size_out = 1349 True 1
Get Info C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\branding.xml type = size, size_out = 596341 True 1
Get Info C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\branding.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\branding.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.xml type = size, size_out = 819 True 1
Get Info C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Setup.xml type = size, size_out = 2624 True 1
Get Info C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Setup.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.xml type = size, size_out = 4274 True 1
Get Info C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.xml type = size, size_out = 16852 True 1
Get Info C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab type = size, size_out = 43806141 True 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Setup.xml type = size, size_out = 31094 True 1
Get Info C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Setup.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\Office32WW.xml type = size, size_out = 4274 True 1
Get Info C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\Office32WW.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\Office32WW.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi type = size, size_out = 2522624 True 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\Office32WW.xml type = size, size_out = 4274 True 1
Get Info C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\Office32WW.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\Office32WW.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab type = size, size_out = 11482605 True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\PrjProrWW.xml type = size, size_out = 6421 True 1
Get Info C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\PrjProrWW.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\PrjProrWW.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\Setup.xml type = size, size_out = 16683 True 1
Get Info C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\Setup.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\Setup.xml type = size, size_out = 20577 True 1
Get Info C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\Setup.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.EPS type = size, size_out = 15067 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.EPS type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.EPS.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\VisiorWW.xml type = size, size_out = 8723 True 1
Get Info C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\VisiorWW.xml type = file_attributes True 1
Get Info C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\VisiorWW.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.GIF type = size, size_out = 1069 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.GIF type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.GIF.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.JPG type = size, size_out = 1061 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.JPG type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.JPG.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.PNG type = size, size_out = 1682 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.PNG type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.PNG.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml type = size, size_out = 791686 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml type = size, size_out = 27045 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi type = size, size_out = 875520 True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi.id-9C354B42.[btc@fros.cc].btc type = size, size_out = 33280 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi type = size, size_out = 62976 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi type = size, size_out = 197120 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi type = size, size_out = 89600 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi type = size, size_out = 222208 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi type = size, size_out = 194048 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi type = size, size_out = 1600388 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml type = size, size_out = 31744 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml type = size, size_out = 224256 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml type = size, size_out = 212 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml type = size, size_out = 1434 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml type = size, size_out = 392 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml type = size, size_out = 727 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml type = size, size_out = 3150 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab type = size, size_out = 13642474 True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml type = size, size_out = 384 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml type = size, size_out = 1118 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat type = size, size_out = 247 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi type = size, size_out = 881152 True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab type = size, size_out = 21064532 True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi type = size, size_out = 885760 True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat type = size, size_out = 1100368 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat type = size, size_out = 2227968 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat type = size, size_out = 3195696 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat type = size, size_out = 4120784 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml type = size, size_out = 2592 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml type = size, size_out = 2462 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml type = size, size_out = 2436 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat type = size, size_out = 3053984 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml type = size, size_out = 815680 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML type = size, size_out = 819 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\SETUP.XML type = size, size_out = 2624 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\SETUP.XML type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi type = size, size_out = 868864 True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\README.HTM type = size, size_out = 1941 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\README.HTM type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\README.HTM.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\ExcelMUI.XML type = size, size_out = 1565 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\ExcelMUI.XML type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\ExcelMUI.XML.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\GrooveMUI.XML type = size, size_out = 913 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\GrooveMUI.XML type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\GrooveMUI.XML.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\SETUP.XML type = size, size_out = 2296 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\SETUP.XML type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi type = size, size_out = 873984 True 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab type = size, size_out = 2928955 True 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab type = size, size_out = 18874884 True 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.msi type = size, size_out = 3124224 True 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.msi type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.msi.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\InfoPathMUI.XML type = size, size_out = 1231 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\InfoPathMUI.XML type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\InfoPathMUI.XML.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\SETUP.XML type = size, size_out = 1452 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\SETUP.XML type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\SETUP.XML type = size, size_out = 1852 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\SETUP.XML type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.XML type = size, size_out = 596341 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.XML type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.XML.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUISet.XML type = size, size_out = 71236 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OCT.CHM type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OCT.CHM.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab type = size, size_out = 50823389 True 1
Get Info C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.msi type = size, size_out = 2797568 True 1
Get Info C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.msi type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.msi.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUI.XML type = size, size_out = 5557 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUI.XML type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUI.XML.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.msi type = size, size_out = 2503680 True 1
Get Info C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.msi type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.msi.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab type = size, size_out = 17456632 True 1
Get Info C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OCT.CHM type = size, size_out = 819 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUISet.XML type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUISet.XML.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSCONFIG.CHM type = size, size_out = 37689 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSCONFIG.CHM type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSCONFIG.CHM.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10O.CHM type = size, size_out = 26929 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10O.CHM type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10O.CHM.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10R.CHM type = size, size_out = 27195 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10R.CHM type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10R.CHM.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.XML type = size, size_out = 9352 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.XML type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.CHM type = size, size_out = 67190 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.CHM type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.CHM.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\Office32MUI.XML type = size, size_out = 1383 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\Office32MUI.XML type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\Office32MUI.XML.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\SETUP.XML type = size, size_out = 2362 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\SETUP.XML type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.WW\Office32WW.XML type = size, size_out = 4274 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.WW\Office32WW.XML type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.WW\Office32WW.XML.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\OneNoteMUI.XML type = size, size_out = 1606 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\OneNoteMUI.XML type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\OneNoteMUI.XML.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\OutlookMUI.XML type = size, size_out = 3186 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\OutlookMUI.XML type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\OutlookMUI.XML.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\SETUP.XML type = size, size_out = 1988 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\SETUP.XML type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\SETUP.XML type = size, size_out = 4207 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\SETUP.XML type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.msi type = size, size_out = 2511872 True 1
Get Info C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.msi type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.msi.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab type = size, size_out = 8265165 True 1
Get Info C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab type = file_attributes True 1
Get Info C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab.id-9C354B42.[btc@fros.cc].btc type = file_attributes False 1
Move C:\Boot\Fonts\chs_boot.ttf.id-9C354B42.[btc@fros.cc].btc source_filename = C:\Boot\Fonts\chs_boot.ttf False 1
Move C:\Boot\Fonts\kor_boot.ttf.id-9C354B42.[btc@fros.cc].btc source_filename = C:\Boot\Fonts\kor_boot.ttf False 1
Move C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab.id-9C354B42.[btc@fros.cc].btc source_filename = C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab True 1
Move C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi.id-9C354B42.[btc@fros.cc].btc source_filename = C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi True 1
Move C:\Boot\Fonts\cht_boot.ttf.id-9C354B42.[btc@fros.cc].btc source_filename = C:\Boot\Fonts\cht_boot.ttf False 1
Move C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi.id-9C354B42.[btc@fros.cc].btc source_filename = C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi True 1
Move C:\Boot\Fonts\jpn_boot.ttf.id-9C354B42.[btc@fros.cc].btc source_filename = C:\Boot\Fonts\jpn_boot.ttf False 1
Move C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab.id-9C354B42.[btc@fros.cc].btc source_filename = C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab True 1
Move C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi.id-9C354B42.[btc@fros.cc].btc source_filename = C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab.id-9C354B42.[btc@fros.cc].btc source_filename = C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab True 1
Move C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab.id-9C354B42.[btc@fros.cc].btc source_filename = C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab True 1
Move C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi.id-9C354B42.[btc@fros.cc].btc source_filename = C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab.id-9C354B42.[btc@fros.cc].btc source_filename = C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab True 1
Move C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi.id-9C354B42.[btc@fros.cc].btc source_filename = C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab.id-9C354B42.[btc@fros.cc].btc source_filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab True 1
Move C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.id-9C354B42.[btc@fros.cc].btc source_filename = C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi False 1
Move C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab.id-9C354B42.[btc@fros.cc].btc source_filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab True 1
Move C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab.id-9C354B42.[btc@fros.cc].btc source_filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab True 1
Move C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.id-9C354B42.[btc@fros.cc].btc source_filename = C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat False 1
Move C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat.id-9C354B42.[btc@fros.cc].btc source_filename = C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat False 1
Move C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat.id-9C354B42.[btc@fros.cc].btc source_filename = C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat False 1
Move C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ADO210.CHM.id-9C354B42.[btc@fros.cc].btc source_filename = C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ADO210.CHM True 1
Move C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.id-9C354B42.[btc@fros.cc].btc source_filename = C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat False 1
Move C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab.id-9C354B42.[btc@fros.cc].btc source_filename = C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab True 1
Move C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab.id-9C354B42.[btc@fros.cc].btc source_filename = C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab True 1
Move C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.msi.id-9C354B42.[btc@fros.cc].btc source_filename = C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab.id-9C354B42.[btc@fros.cc].btc source_filename = C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab True 1
Move C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.msi.id-9C354B42.[btc@fros.cc].btc source_filename = C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.msi.id-9C354B42.[btc@fros.cc].btc source_filename = C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab.id-9C354B42.[btc@fros.cc].btc source_filename = C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab True 1
Move C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.msi.id-9C354B42.[btc@fros.cc].btc source_filename = C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab.id-9C354B42.[btc@fros.cc].btc source_filename = C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab True 1
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\WscParent.exe size = 1048576, size_out = 278528 True 1
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\WscParent.exe size = 1048576, size_out = 0 True 1
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\WscParent.exe size = 1048576, size_out = 278528 True 2
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\WscParent.exe size = 1048576, size_out = 0 True 2
Read C:\Boot\BOOTSTAT.DAT size = 1048560, size_out = 65536 True 1
Read C:\Boot\BOOTSTAT.DAT size = 1048560, size_out = 0 True 1
Read C:\BOOTSECT.BAK size = 1048560, size_out = 8192 True 1
Read C:\BOOTSECT.BAK size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml size = 1048560, size_out = 1565 True 1
Read C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 2296 True 1
Read C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml size = 1048560, size_out = 1450 True 1
Read C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000\desktop.ini size = 1048560, size_out = 129 True 1
Read C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000\desktop.ini size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 1886 True 1
Read C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml size = 1048560, size_out = 1450 True 1
Read C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 1608 True 1
Read C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml size = 1048560, size_out = 3186 True 1
Read C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 4207 True 1
Read C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml size = 1048560, size_out = 1347 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml size = 1048560, size_out = 1457 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml size = 1048560, size_out = 1458 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml size = 1048560, size_out = 811 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 5884 True 1
Read C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml size = 1048560, size_out = 1383 True 1
Read C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab.id-9C354B42.[btc@fros.cc].btc size = 262144, size_out = 262144 True 3
Read C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 2362 True 1
Read C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml size = 1048560, size_out = 1231 True 1
Read C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 1852 True 1
Read C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi.id-9C354B42.[btc@fros.cc].btc size = 262144, size_out = 262144 True 3
Read C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi.id-9C354B42.[btc@fros.cc].btc size = 262144, size_out = 262144 True 3
Read C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab.id-9C354B42.[btc@fros.cc].btc size = 262144, size_out = 262144 True 3
Read C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 2424 True 1
Read C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 6241 True 1
Read C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml size = 1048560, size_out = 9503 True 1
Read C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml size = 1048560, size_out = 1606 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 1988 True 1
Read C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml size = 1048560, size_out = 1800 True 1
Read C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml size = 1048560, size_out = 1452 True 1
Read C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 1872 True 1
Read C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 1452 True 1
Read C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml size = 1048560, size_out = 913 True 1
Read C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi.id-9C354B42.[btc@fros.cc].btc size = 262144, size_out = 262144 True 3
Read C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml size = 1048560, size_out = 0 True 2
Read C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab.id-9C354B42.[btc@fros.cc].btc size = 262144, size_out = 262144 True 3
Read C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml size = 1048560, size_out = 819 True 1
Read C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\pss10r.chm size = 1048560, size_out = 27195 True 1
Read C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml size = 1048560, size_out = 596341 True 1
Read C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml size = 1048560, size_out = 5557 True 1
Read C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\setup.chm size = 1048560, size_out = 67190 True 1
Read C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab.id-9C354B42.[btc@fros.cc].btc size = 262144, size_out = 262144 True 3
Read C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi.id-9C354B42.[btc@fros.cc].btc size = 262144, size_out = 262144 True 3
Read C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\pss10r.chm size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\setup.chm size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 9352 True 1
Read C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml size = 1048560, size_out = 1349 True 1
Read C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\branding.xml size = 1048560, size_out = 596341 True 1
Read C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.xml size = 1048560, size_out = 819 True 1
Read C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 2624 True 1
Read C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.xml size = 1048560, size_out = 4274 True 1
Read C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.xml size = 1048560, size_out = 16852 True 1
Read C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab.id-9C354B42.[btc@fros.cc].btc size = 262144, size_out = 262144 True 3
Read C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 31094 True 1
Read C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\Office32WW.xml size = 1048560, size_out = 4274 True 1
Read C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\PrjProrWW.xml size = 1048560, size_out = 0 True 2
Read C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\Office32WW.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi.id-9C354B42.[btc@fros.cc].btc size = 262144, size_out = 262144 True 3
Read C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\branding.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\Office32WW.xml size = 1048560, size_out = 4274 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab.id-9C354B42.[btc@fros.cc].btc size = 262144, size_out = 262144 True 3
Read C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\Office32WW.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\PrjProrWW.xml size = 1048560, size_out = 6421 True 1
Read C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 16683 True 1
Read C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 20577 True 1
Read C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\Setup.xml size = 1048560, size_out = 0 True 1
Read C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.EPS size = 1048560, size_out = 15067 True 1
Read C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\VisiorWW.xml size = 1048560, size_out = 8723 True 1
Read C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.GIF size = 1048560, size_out = 1069 True 1
Read C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\VisiorWW.xml size = 1048560, size_out = 0 True 1
Read C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.JPG size = 1048560, size_out = 1061 True 1
Read C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.PNG size = 1048560, size_out = 1682 True 1
Read C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.EPS size = 1048560, size_out = 0 True 1
Read C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml size = 1048560, size_out = 0 True 1
Read C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.GIF size = 1048560, size_out = 0 True 1
Read C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.PNG size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi size = 1048560, size_out = 875520 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab.id-9C354B42.[btc@fros.cc].btc size = 262144, size_out = 262144 True 3
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab.id-9C354B42.[btc@fros.cc].btc size = 262144, size_out = 262144 True 3
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi size = 1048560, size_out = 881152 True 1
Read C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ADO210.CHM.id-9C354B42.[btc@fros.cc].btc size = 262144, size_out = 262144 True 3
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi size = 1048560, size_out = 885760 True 1
Read C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat size = 1048560, size_out = 1349 True 1
Read C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML size = 1048560, size_out = 819 True 1
Read C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat size = 1048560, size_out = 0 True 1
Read C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML size = 1048560, size_out = 0 True 1
Read C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\SETUP.XML size = 1048560, size_out = 2624 True 1
Read C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\SETUP.XML size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi size = 1048560, size_out = 868864 True 1
Read C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\README.HTM size = 1048560, size_out = 1941 True 1
Read C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\ExcelMUI.XML size = 1048560, size_out = 1565 True 1
Read C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\README.HTM size = 1048560, size_out = 0 True 1
Read C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\ExcelMUI.XML size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi size = 1048560, size_out = 873984 True 1
Read C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\GrooveMUI.XML size = 1048560, size_out = 913 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab.id-9C354B42.[btc@fros.cc].btc size = 262144, size_out = 262144 True 3
Read C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\SETUP.XML size = 1048560, size_out = 2296 True 1
Read C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi size = 1048560, size_out = 0 True 1
Read C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab.id-9C354B42.[btc@fros.cc].btc size = 262144, size_out = 262144 True 3
Read C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.msi.id-9C354B42.[btc@fros.cc].btc size = 262144, size_out = 262144 True 3
Read C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\GrooveMUI.XML size = 1048560, size_out = 0 True 1
Read C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\SETUP.XML size = 1048560, size_out = 1452 True 1
Write C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000\desktop.ini.id-9C354B42.[btc@fros.cc].btc size = 144 True 1
Write C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000\desktop.ini.id-9C354B42.[btc@fros.cc].btc size = 234 True 1
Write C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.EPS.id-9C354B42.[btc@fros.cc].btc size = 15072 True 1
Write C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.EPS.id-9C354B42.[btc@fros.cc].btc size = 224 True 1
Write C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.JPG.id-9C354B42.[btc@fros.cc].btc size = 1072 True 1
Write C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.JPG.id-9C354B42.[btc@fros.cc].btc size = 224 True 1
Write C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.GIF.id-9C354B42.[btc@fros.cc].btc size = 1072 True 1
Write C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.GIF.id-9C354B42.[btc@fros.cc].btc size = 224 True 1
Write C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi size = 1696 True 1
Write C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi size = 224 True 1
Write C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi size = 875536 True 1
Write C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi size = 230 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUI.XML.id-9C354B42.[btc@fros.cc].btc size = 1360 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUI.XML.id-9C354B42.[btc@fros.cc].btc size = 238 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML.id-9C354B42.[btc@fros.cc].btc size = 832 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML.id-9C354B42.[btc@fros.cc].btc size = 244 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc size = 2640 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc size = 230 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ADO210.CHM.id-9C354B42.[btc@fros.cc].btc size = 786688 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\README.HTM.id-9C354B42.[btc@fros.cc].btc size = 1952 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\README.HTM.id-9C354B42.[btc@fros.cc].btc size = 232 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\SETUP.XML size = 1568 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\SETUP.XML size = 236 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ADO210.CHM.id-9C354B42.[btc@fros.cc].btc size = 262144 True 3
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\SETUP.XML size = 874000 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc size = 236 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\SETUP.XML size = 242 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\GrooveMUI.XML.id-9C354B42.[btc@fros.cc].btc size = 928 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\GrooveMUI.XML.id-9C354B42.[btc@fros.cc].btc size = 238 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc size = 1456 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc size = 230 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\InfoPathMUI.XML.id-9C354B42.[btc@fros.cc].btc size = 1232 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\InfoPathMUI.XML.id-9C354B42.[btc@fros.cc].btc size = 242 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc size = 2304 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc size = 230 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc size = 1856 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc size = 230 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.XML.id-9C354B42.[btc@fros.cc].btc size = 596352 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.XML.id-9C354B42.[btc@fros.cc].btc size = 236 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OCT.CHM.id-9C354B42.[btc@fros.cc].btc size = 71248 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OCT.CHM.id-9C354B42.[btc@fros.cc].btc size = 226 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUI.XML.id-9C354B42.[btc@fros.cc].btc size = 5568 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUI.XML.id-9C354B42.[btc@fros.cc].btc size = 238 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10O.CHM.id-9C354B42.[btc@fros.cc].btc size = 26944 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10O.CHM.id-9C354B42.[btc@fros.cc].btc size = 232 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10R.CHM.id-9C354B42.[btc@fros.cc].btc size = 27200 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10R.CHM.id-9C354B42.[btc@fros.cc].btc size = 232 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUISet.XML.id-9C354B42.[btc@fros.cc].btc size = 832 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUISet.XML.id-9C354B42.[btc@fros.cc].btc size = 244 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSCONFIG.CHM.id-9C354B42.[btc@fros.cc].btc size = 37696 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSCONFIG.CHM.id-9C354B42.[btc@fros.cc].btc size = 236 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc size = 9360 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.CHM.id-9C354B42.[btc@fros.cc].btc size = 67200 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc size = 230 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc size = 2368 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\SETUP.XML.id-9C354B42.[btc@fros.cc].btc size = 230 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\Office32MUI.XML.id-9C354B42.[btc@fros.cc].btc size = 1392 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\Office32MUI.XML.id-9C354B42.[btc@fros.cc].btc size = 242 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.WW\Office32WW.XML.id-9C354B42.[btc@fros.cc].btc size = 4288 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.WW\Office32WW.XML.id-9C354B42.[btc@fros.cc].btc size = 240 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.CHM.id-9C354B42.[btc@fros.cc].btc size = 230 True 1
Write C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\SETUP.XML size = 262144 True 3
Delete C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\branding.xml - True 1
For performance reasons, the remaining 323 entries are omitted.
The remaining entries can be found in glog.xml.
Registry (8)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders value_name = Startup, data = 83, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders value_name = Startup, data = %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, type = REG_EXPAND_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders value_name = Common Startup, data = %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup, type = REG_EXPAND_SZ True 1
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value_name = WscParent.exe, data = C:\Windows\System32\WscParent.exe, size = 66, type = REG_SZ True 1
Process (1)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\system32\cmd.exe os_pid = 0xa78, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Module (135)
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x757c0000 True 1
Load advapi32.dll base_address = 0x75720000 True 1
Load user32.dll base_address = 0x775b0000 True 1
Load Shell32.dll base_address = 0x76900000 True 1
Load ntdll.dll base_address = 0x77ab0000 True 1
Load mpr.dll base_address = 0x75420000 True 1
Load ws2_32.dll base_address = 0x768c0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x757c0000 True 16
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\wscparent.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\WscParent.exe, size = 32767 True 3
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x757d1222 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x757d34b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x757d54ee True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x757d4442 True 1
Get Address c:\windows\syswow64\kernel32.dll function = MoveFileW, address_out = 0x757e9af0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSizeEx, address_out = 0x757d59e2 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x757d4950 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileAttributesW, address_out = 0x757d1b18 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x757d7a10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x757d5223 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameW, address_out = 0x757ddd0e True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameA, address_out = 0x757eb6e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateMutexW, address_out = 0x757d424c True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x757d1700 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x757d5a4b True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x757d1809 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x757d1136 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalDrives, address_out = 0x757d5371 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x757d110c True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileW, address_out = 0x757d89b3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x757d170d True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x757d1916 True 1
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x757d10ff True 1
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77ad2270 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x757d3ed3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x757d3f5c True 1
Get Address c:\windows\syswow64\kernel32.dll function = OpenMutexW, address_out = 0x757d5151 True 1
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x77ad22b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForMultipleObjects, address_out = 0x757d4220 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiW, address_out = 0x757ed5cd True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiA, address_out = 0x757d3e8e True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x77ae45f5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseMutex, address_out = 0x757d111e True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x757d1410 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetVersion, address_out = 0x757d4467 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x757d34d5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsW, address_out = 0x757d4173 True 1
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x757d1725 True 1
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceFrequency, address_out = 0x757d41f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x757d11f8 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileAttributesW, address_out = 0x757ed4f7 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetVolumeInformationW, address_out = 0x757ec860 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x757d1282 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x757ec807 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetEndOfFile, address_out = 0x757ece2e True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x757d4435 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x757d14e9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77af1f6e True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x77ade026 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x757d14c9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreatePipe, address_out = 0x7585415b True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetHandleInformation, address_out = 0x757e195c True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x757d103d True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringW, address_out = 0x757d3bca True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringA, address_out = 0x757d3c5a True 1
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x757d1986 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x757ed802 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTime, address_out = 0x757d5a96 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SystemTimeToFileTime, address_out = 0x757d5a7e True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x757d11c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x757f735f True 1
Get Address c:\windows\syswow64\kernel32.dll function = Process32NextW, address_out = 0x757f896c True 1
Get Address c:\windows\syswow64\kernel32.dll function = Process32FirstW, address_out = 0x757f8baf True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x7573468d True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x757346ad True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x757314d6 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x7573469d True 1
Get Address c:\windows\syswow64\advapi32.dll function = OpenProcessToken, address_out = 0x75734304 True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetTokenInformation, address_out = 0x7573431c True 1
Get Address c:\windows\syswow64\advapi32.dll function = OpenSCManagerW, address_out = 0x7572ca64 True 1
Get Address c:\windows\syswow64\advapi32.dll function = OpenServiceW, address_out = 0x7572ca4c True 1
Get Address c:\windows\syswow64\advapi32.dll function = CloseServiceHandle, address_out = 0x7573369c True 1
Get Address c:\windows\syswow64\advapi32.dll function = ControlService, address_out = 0x75747144 True 1
Get Address c:\windows\syswow64\advapi32.dll function = QueryServiceStatus, address_out = 0x75732a86 True 1
Get Address c:\windows\syswow64\advapi32.dll function = EnumDependentServicesW, address_out = 0x75721e3a True 1
Get Address c:\windows\syswow64\advapi32.dll function = EnumServicesStatusExW, address_out = 0x7572b466 True 1
Get Address c:\windows\syswow64\user32.dll function = SystemParametersInfoW, address_out = 0x775c90d3 True 1
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x76921e46 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySystemInformation, address_out = 0x77acfda0 True 1
Get Address c:\windows\syswow64\mpr.dll function = WNetCloseEnum, address_out = 0x75422dd6 True 1
Get Address c:\windows\syswow64\mpr.dll function = WNetOpenEnumW, address_out = 0x75422f06 True 1
Get Address c:\windows\syswow64\mpr.dll function = WNetEnumResourceW, address_out = 0x75423058 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = WSAStartup, address_out = 0x768c3ab2 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = socket, address_out = 0x768c3eb8 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = send, address_out = 0x768c6f01 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = recv, address_out = 0x768c6b0e True 1
Get Address c:\windows\syswow64\ws2_32.dll function = connect, address_out = 0x768c6bdd True 1
Get Address c:\windows\syswow64\ws2_32.dll function = closesocket, address_out = 0x768c3918 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = gethostbyname, address_out = 0x768d7673 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = inet_addr, address_out = 0x768c311b True 1
Get Address c:\windows\syswow64\ws2_32.dll function = ntohl, address_out = 0x768c2d57 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = htonl, address_out = 0x768c2d57 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = htons, address_out = 0x768c2d8b True 1
Get Address c:\windows\syswow64\kernel32.dll function = Wow64DisableWow64FsRedirection, address_out = 0x757ed650 True 16
Service (51)
Operation Additional Information Success Count Logfile
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 3
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 3
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 4
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 4
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 4
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 4
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 3
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 4
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 4
System (162)
Operation Additional Information Success Count Logfile
Get Computer Name result_out = XDUWTFONO True 1
Sleep duration = 500 milliseconds (0.500 seconds) True 16
Sleep duration = -1 (infinite) False 1
Sleep duration = 100 milliseconds (0.100 seconds) True 9
Get Info type = Operating System True 2
Mutex (4)
Operation Additional Information Success Count Logfile
Create mutex_name = Global\syncronize_74DX46A True 1
Create mutex_name = Global\syncronize_74DX46U True 1
Open mutex_name = Global\syncronize_74DX46A, desired_access = SYNCHRONIZE False 1
Open mutex_name = Global\syncronize_74DX46U, desired_access = SYNCHRONIZE False 1
Process #3: cmd.exe
245 0
Information Value
ID #3
File Name c:\windows\system32\cmd.exe
Command Line "C:\Windows\system32\cmd.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:54, Reason: Child Process
Unmonitor End Time: 00:05:22, Reason: Terminated by Timeout
Monitor Duration 00:03:28
OS Process Information
Information Value
PID 0xa78
Parent PID 0xa6c (c:\users\5p5nrgjn0js halpmcxz\desktop\wscparent.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA7C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
c_1251.nls 0x00100000 0x00110fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x0022ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
private_0x00000000005b0000 0x005b0000 0x005bffff Private Memory rw True False False -
pagefile_0x00000000005c0000 0x005c0000 0x00747fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000750000 0x00750000 0x008d0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000008e0000 0x008e0000 0x01cdffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001ce0000 0x01ce0000 0x02022fff Pagefile Backed Memory r True False False -
basebrd.dll 0x02030000 0x020f7fff Memory Mapped File r False False False -
pagefile_0x0000000002100000 0x02100000 0x024f2fff Pagefile Backed Memory r True False False -
sortdefault.nls 0x02500000 0x027cefff Memory Mapped File r False False False -
cmd.exe 0x4a800000 0x4a858fff Memory Mapped File rwx True False False -
user32.dll 0x776b0000 0x777a9fff Memory Mapped File rwx False False False -
kernel32.dll 0x777b0000 0x778cefff Memory Mapped File rwx False False False -
ntdll.dll 0x778d0000 0x77a78fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff4000 0x7fff4000 0x7fff4fff Private Memory rw True False False -
winbrand.dll 0x7fef59f0000 0x7fef59f7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd8d0000 0x7fefd93afff Memory Mapped File rwx False False False -
lpk.dll 0x7fefdec0000 0x7fefdecdfff Memory Mapped File rwx False False False -
imm32.dll 0x7fefdfb0000 0x7fefdfddfff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefe100000 0x7fefe166fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe170000 0x7fefe20efff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe210000 0x7fefe318fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefe320000 0x7fefe3e8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feffbf0000 0x7feffbf0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (182)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop type = file_attributes True 2
Get Info STD_OUTPUT_HANDLE type = file_type True 11
Get Info STD_INPUT_HANDLE type = file_type True 5
Open STD_OUTPUT_HANDLE - True 25
Open STD_INPUT_HANDLE - True 69
Read STD_INPUT_HANDLE size = 1, size_out = 1 True 60
Write STD_OUTPUT_HANDLE size = 36 True 2
Write STD_OUTPUT_HANDLE size = 2 True 4
Write STD_OUTPUT_HANDLE size = 63 True 1
Write STD_OUTPUT_HANDLE size = 38 True 2
Write STD_OUTPUT_HANDLE size = 24 True 1
Registry (17)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Process (4)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\system32\mode.com os_pid = 0xab8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Create C:\Windows\system32\vssadmin.exe os_pid = 0xae0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Get Info C:\Windows\system32\mode.com type = PROCESS_BASIC_INFORMATION True 1
Get Info C:\Windows\system32\vssadmin.exe type = PROCESS_BASIC_INFORMATION True 1
Memory (2)
Operation Process Additional Information Success Count Logfile
Read C:\Windows\system32\mode.com address = 0x7fffffdf000, size = 896 True 1
Read C:\Windows\system32\vssadmin.exe address = 0x7fffffdc000, size = 896 True 1
Module (10)
Operation Module Additional Information Success Count Logfile
Load NTDLL.DLL base_address = 0x778d0000 True 1
Get Handle c:\windows\system32\cmd.exe base_address = 0x4a800000 True 1
Get Handle c:\windows\system32\kernel32.dll base_address = 0x777b0000 True 2
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x777c6d40 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x777c23d0 True 1
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x777b8290 True 1
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x777c17e0 True 1
Get Address c:\windows\system32\ntdll.dll function = NtQueryInformationProcess, address_out = 0x779214a0 True 1
System (3)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-10-03 03:11:52 (UTC) True 1
Get Time type = Ticks, time = 144472 True 1
Get Info type = Operating System True 1
Environment (25)
Operation Additional Information Success Count Logfile
Get Environment String - True 8
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 3
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 3
Get Environment String name = PROMPT False 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Get Environment String name = PROMPT, result_out = $P$G True 2
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop True 1
Fn
Set Environment String name = COPYCMD True 2
Fn
Set Environment String name = =ExitCode, value = 00000000 True 1
Fn
Set Environment String name = =ExitCodeAscii True 1
Fn
Process #4: mode.com
0 0
»
Information Value
ID #4
File Name c:\windows\system32\mode.com
Command Line mode con cp select=1251
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:02:06, Reason: Self Terminated
Monitor Duration 00:00:07
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0xab8
Parent PID 0xa78 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x ABC
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e6fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
c_1251.nls 0x00170000 0x00180fff Memory Mapped File r False False False -
pagefile_0x0000000000190000 0x00190000 0x00191fff Pagefile Backed Memory rw True False False -
ulib.dll.mui 0x001a0000 0x001d7fff Memory Mapped File rw False False False -
private_0x0000000000250000 0x00250000 0x0025ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0052ffff Private Memory rw True False False -
pagefile_0x0000000000530000 0x00530000 0x006b7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006c0000 0x006c0000 0x00840fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000850000 0x00850000 0x01c4ffff Pagefile Backed Memory r True False False -
user32.dll 0x776b0000 0x777a9fff Memory Mapped File rwx False False False -
kernel32.dll 0x777b0000 0x778cefff Memory Mapped File rwx False False False -
ntdll.dll 0x778d0000 0x77a78fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
mode.com 0xff0d0000 0xff0dbfff Memory Mapped File rwx False False False -
ulib.dll 0x7fef42f0000 0x7fef4317fff Memory Mapped File rwx False False False -
ureg.dll 0x7fef8200000 0x7fef820bfff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fefc140000 0x7fefc195fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd8d0000 0x7fefd93afff Memory Mapped File rwx False False False -
lpk.dll 0x7fefdec0000 0x7fefdecdfff Memory Mapped File rwx False False False -
imm32.dll 0x7fefdfb0000 0x7fefdfddfff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefe100000 0x7fefe166fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe170000 0x7fefe20efff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe210000 0x7fefe318fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefe320000 0x7fefe3e8fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe3f0000 0x7fefe4cafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefe4d0000 0x7fefe5fcfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefea30000 0x7fefea4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feffbf0000 0x7feffbf0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #5: vssadmin.exe
0 0
»
Information Value
ID #5
File Name c:\windows\system32\vssadmin.exe
Command Line vssadmin delete shadows /all /quiet
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:10, Reason: Child Process
Unmonitor End Time: 00:05:22, Reason: Terminated by Timeout
Monitor Duration 00:03:12
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0xae0
Parent PID 0xa78 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x AE4
0x AEC
0x AF0
0x AF4
0x AF8
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
pagefile_0x0000000000140000 0x00140000 0x00146fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000150000 0x00150000 0x00151fff Pagefile Backed Memory rw True False False -
vssadmin.exe.mui 0x00160000 0x0016cfff Memory Mapped File rw False False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
c_1251.nls 0x00190000 0x001a0fff Memory Mapped File r False False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c0fff Pagefile Backed Memory r True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x003dffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
pagefile_0x00000000004e0000 0x004e0000 0x00667fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000670000 0x00670000 0x007f0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000800000 0x00800000 0x01bfffff Pagefile Backed Memory r True False False -
private_0x0000000001c80000 0x01c80000 0x01cfffff Private Memory rw True False False -
private_0x0000000001e70000 0x01e70000 0x01eeffff Private Memory rw True False False -
sortdefault.nls 0x01ef0000 0x021befff Memory Mapped File r False False False -
user32.dll 0x776b0000 0x777a9fff Memory Mapped File rwx False False False -
kernel32.dll 0x777b0000 0x778cefff Memory Mapped File rwx False False False -
ntdll.dll 0x778d0000 0x77a78fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
vssadmin.exe 0xff4d0000 0xff4fcfff Memory Mapped File rwx False False False -
vsstrace.dll 0x7fefa8d0000 0x7fefa8e6fff Memory Mapped File rwx False False False -
vssapi.dll 0x7fefa8f0000 0x7fefaa9ffff Memory Mapped File rwx False False False -
atl.dll 0x7fefb2d0000 0x7fefb2e8fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefce10000 0x7fefce56fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd110000 0x7fefd126fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd710000 0x7fefd71efff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd800000 0x7fefd813fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd8d0000 0x7fefd93afff Memory Mapped File rwx False False False -
lpk.dll 0x7fefdec0000 0x7fefdecdfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefded0000 0x7fefdfa6fff Memory Mapped File rwx False False False -
imm32.dll 0x7fefdfb0000 0x7fefdfddfff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefe100000 0x7fefe166fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe170000 0x7fefe20efff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe210000 0x7fefe318fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefe320000 0x7fefe3e8fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe3f0000 0x7fefe4cafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefe4d0000 0x7fefe5fcfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe600000 0x7fefe698fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefea30000 0x7fefea4efff Memory Mapped File rwx False False False -
ole32.dll 0x7feff9d0000 0x7feffbd2fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feffbf0000 0x7feffbf0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -