89d00b1d6bd0415d525cc5db95aebabd915a085c1a2aa93faa9fa09d75aa0d27 (SHA256)
XyuEncrypt.exe
Windows Exe (x86-32)
Created at 2018-11-10 14:37:00
Notifications (2/2)
Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.
The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: xyuencrypt.exe
43692
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\ciihmnxmn6ps\desktop\xyuencrypt.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\Desktop\XyuEncrypt.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:33, Reason: Analysis Target |
| Unmonitor | End Time: 00:04:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe08 |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E0C
0x
E10
0x
E1C
0x
E20
0x
E54
0x
E58
0x
E5C
0x
E60
0x
E64
0x
9AC
0x
DDC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| xyuencrypt.exe | 0x00270000 | 0x00279fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x0028ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00296fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x003f0000 | 0x004adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004b6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004c6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x004d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x004f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x0050ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0051ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x00520fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x00630fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x00632fff | Pagefile Backed Memory | r |
|
|
|
- |
| comctl32.dll | 0x00640000 | 0x006e5fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x00640fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x006f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00703fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x00716fff | Private Memory | rw |
|
|
|
- |
| windowsshell.manifest | 0x00720000 | 0x00720fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x00726fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x00730fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0074ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x00750fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x00760fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00770fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x00780000 | 0x00783fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0x007a0000 | 0x007e2fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x007f0000 | 0x007f3fff | Memory Mapped File | r |
|
|
|
- |
| propsys.dll.mui | 0x00800000 | 0x00810fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0082ffff | Private Memory | rwx |
|
|
|
- |
| cversions.1.db | 0x00830000 | 0x00833fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x00830fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x00840000 | 0x00852fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x00860fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x00871fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x00a37fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x00bc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000bd0000 | 0x00bd0000 | 0x01fcffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001fd0000 | 0x01fd0000 | 0x020cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002110000 | 0x02110000 | 0x0211ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002120000 | 0x02120000 | 0x1a11ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001a120000 | 0x1a120000 | 0x1a48ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001a490000 | 0x1a490000 | 0x1a59efff | Private Memory | rw |
|
|
|
- |
| private_0x000000001a5a0000 | 0x1a5a0000 | 0x1a69ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x1a6a0000 | 0x1a9d6fff | Memory Mapped File | r |
|
|
|
- |
| rpcss.dll | 0x1a9e0000 | 0x1aab5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000001a9e0000 | 0x1a9e0000 | 0x1ab1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001a9e0000 | 0x1a9e0000 | 0x1aadffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ab10000 | 0x1ab10000 | 0x1ab1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ab20000 | 0x1ab20000 | 0x1ac1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ab20000 | 0x1ab20000 | 0x1ad1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ac20000 | 0x1ac20000 | 0x1ad1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ad20000 | 0x1ad20000 | 0x1ae1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ad20000 | 0x1ad20000 | 0x1ae0ffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-system.dat | 0x1ad20000 | 0x1ad95fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000001ae00000 | 0x1ae00000 | 0x1ae0ffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x1ae20000 | 0x1aeaafff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000001aeb0000 | 0x1aeb0000 | 0x1afaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001afb0000 | 0x1afb0000 | 0x1b0affff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b110000 | 0x1b110000 | 0x1b11ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000000001b120000 | 0x1b120000 | 0x1b30ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b120000 | 0x1b120000 | 0x1b21ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b300000 | 0x1b300000 | 0x1b30ffff | Private Memory | rw |
|
|
|
- |
| comctl32.dll | 0x1b310000 | 0x1b580fff | Memory Mapped File | r |
|
|
|
- |
| ~fontcache-fontface.dat | 0x1b310000 | 0x1c30ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000001c310000 | 0x1c310000 | 0x1c40ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000001c410000 | 0x1c410000 | 0x1c901fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00007ff5ffb18000 | 0x7ff5ffb18000 | 0x7ff5ffb19fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffb1a000 | 0x7ff5ffb1a000 | 0x7ff5ffb1bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffb1c000 | 0x7ff5ffb1c000 | 0x7ff5ffb1dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffb1e000 | 0x7ff5ffb1e000 | 0x7ff5ffb1ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffb20000 | 0x7ff5ffb20000 | 0x7ff5ffb2ffff | Private Memory | rwx |
|
|
|
- |
| private_0x00007ff5ffb30000 | 0x7ff5ffb30000 | 0x7ff5ffbcffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00007ff5ffbd0000 | 0x7ff5ffbd0000 | 0x7ff5ffccffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff5ffcd0000 | 0x7ff5ffcd0000 | 0x7ff5ffcf2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff5ffcf4000 | 0x7ff5ffcf4000 | 0x7ff5ffcf5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffcf6000 | 0x7ff5ffcf6000 | 0x7ff5ffcf7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffcf8000 | 0x7ff5ffcf8000 | 0x7ff5ffcf8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffcfa000 | 0x7ff5ffcfa000 | 0x7ff5ffcfbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffcfc000 | 0x7ff5ffcfc000 | 0x7ff5ffcfdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffcfe000 | 0x7ff5ffcfe000 | 0x7ff5ffcfffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff875af0000 | 0x7ff875af0000 | 0x7ff875afffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff875b00000 | 0x7ff875b00000 | 0x7ff875b0ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff875b10000 | 0x7ff875b10000 | 0x7ff875b9ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff875ba0000 | 0x7ff875ba0000 | 0x7ff875c0ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff875c10000 | 0x7ff875c10000 | 0x7ff875c4ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff875c50000 | 0x7ff875c50000 | 0x7ff875c5ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff875c60000 | 0x7ff875c60000 | 0x7ff875c6ffff | Private Memory | - |
|
|
|
- |
| comctl32.dll | 0x7ff8d1870000 | 0x7ff8d1919fff | Memory Mapped File | rwx |
|
|
|
- |
| system.windows.forms.ni.dll | 0x7ff8d1ee0000 | 0x7ff8d2dbffff | Memory Mapped File | rwx |
|
|
|
- |
| system.drawing.ni.dll | 0x7ff8d2dc0000 | 0x7ff8d2fa9fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x7ff8d2fb0000 | 0x7ff8d3bc3fff | Memory Mapped File | rwx |
|
|
|
- |
| clrjit.dll | 0x7ff8d3bd0000 | 0x7ff8d3cd0fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x7ff8d3ce0000 | 0x7ff8d517afff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr120_clr0400.dll | 0x7ff8d5180000 | 0x7ff8d5276fff | Memory Mapped File | rwx |
|
|
|
- |
| clr.dll | 0x7ff8d5280000 | 0x7ff8d5bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7ff8d5f40000 | 0x7ff8d5fd6fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7ff8d5fe0000 | 0x7ff8d6047fff | Memory Mapped File | rwx |
|
|
|
- |
| gdiplus.dll | 0x7ff8d9a40000 | 0x7ff8d9be8fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ff8df640000 | 0x7ff8dfaa9fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x7ff8e0a60000 | 0x7ff8e0bf6fff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x7ff8e37f0000 | 0x7ff8e3a48fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ff8e3a50000 | 0x7ff8e3a59fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ff8e3c30000 | 0x7ff8e3fa5fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ff8e57b0000 | 0x7ff8e5a23fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ff8e79b0000 | 0x7ff8e7b32fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ff8e8fb0000 | 0x7ff8e8fd1fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ff8e9500000 | 0x7ff8e9577fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ff8e9680000 | 0x7ff8e9715fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ff8eaf60000 | 0x7ff8eafa3fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ff8eb180000 | 0x7ff8eb7a7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ff8ec580000 | 0x7ff8edaa4fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 8 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\2FqWk.lnk | 0.95 KB |
MD5:
e77a798d70edc98d3885e5cf553e73da
SHA1: 65cbadcde1a5e54e1a16c9d03ada6abaf67fc9ba SHA256: ad32def6a3ce39ee7824b83a7fe506c06d5b26004bb412f89284e483a9d11b0b SSDeep: 24:CGRrs4W2l2fbLv/huTkWu5wpC13Hxwtk/vQf:FRrZlqbLv/huTkt5wpC13HKtg0 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\JPgSFw.lnk | 0.64 KB |
MD5:
a78196beec17df68ca77a2b88e1c2c34
SHA1: 2633324c3b92b83cb149467c528a9ed826c0ab63 SHA256: 31b0e95d77a85da1244f6cdc5452c25a0371945f7e71d4f36e747138fc87df75 SSDeep: 12:v7AqHaaYLtpBOCaachwg5CuijZkZ3fdpT/qPoLO55PuRVyQq/opiowbrBkYBQ7:zAqHaZVaac+gwuijZkRfdpWkPkQq/o0S |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\4TX0WLVzI0D.lnk | 1.02 KB |
MD5:
280a8e499ca3bb487d37f9cd9e8e8d75
SHA1: 1e0b69e4c5d14b2032a88ff7b79f44968d94f2a0 SHA256: 9dcff5bc05e88bd5e311a0ad4b6ca4e9ef2cfb5d9486766d6406fd8d3a03ff2e SSDeep: 24:BkkEWWd4q06OeLqlyTz4XrN6WbeX0vRCb2Hvsg+KxuNvTwuxeVuCS0ObkiNVXjxR:/Wd4t6OSvMNdbeX0vRCaUg5oNvWVhUBb |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Z_MokPYp K.lnk | 1.38 KB |
MD5:
22d8f7a2753cc14dddc79db3b3f9140c
SHA1: 7d01b5bab18b8716fff8abdcc1d3050886109a76 SHA256: a5925760639f8521d4772045bf4cc37e541fd55863918b4b6cddede336780bfc SSDeep: 24:ywbu0zr/FpCFO1LbSCpPPTv1aBz7qHY76RMaHYzhSNepJEhFs69h:ywbVvNkO1LhHTv1gq4mVrAEhFs69h |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\-HzS.lnk | 1.00 KB |
MD5:
98fbff721a62ade94cffd882ede41114
SHA1: c0226729b18d05e58c256c2ae10020ad0cdcbdae SHA256: ee437bd69dde15484175bc897b8af25c11ac58dd6d5677e4000d5a0ea8835603 SSDeep: 24:GbJ2j7cZpfWHG5AeOLZfrGcVcHTZ/KlEAHVm+J3d+QYA:Gb8j2fWHwAZfNyHd/KhVJ3UlA |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\vg-2sbVgxsUfL6fnj8H.lnk | 1.59 KB |
MD5:
b81dd881d4c1e43d96d0dd9449e2fad7
SHA1: 94372994fe85ccbf4274fe9e4f16953de4b5c96e SHA256: 73a4b30e7932fa6db6a150130eb7d138d79c8d503d96eee0007575a1ea6a1d19 SSDeep: 48:0Y9WYTFoBO36Zw67Q1PpPmY8OxoPg+StyFGARO:bi0mYLxggXb |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\B05_T\ag70uOVMAZyHaepYdjne.wav | 97.62 KB |
MD5:
79633eb3ed838f148139e9b0db8b63d8
SHA1: 3a11caf76580e24cb72f3e67934e1fc8605f4c56 SHA256: c1a07013b294eec15b774939ddc0857ba0108fa5cd3d7c82cdae8688367730b0 SSDeep: 1536:z1LZVStkZjF34pZmKbBeOxB5mzPisc07U3Xh6TDPURA42Jyq1QXzdGl/:JTTZjd/K1FbmhPoX2DuMbOXy/ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\shyNwC.lnk | 0.98 KB |
MD5:
427e3f8e479bbda2067adc2224ea7657
SHA1: 5b8049db8c3bc93d4ec42d71888421b3b0ed3eb7 SHA256: fbbc39140283ff2ebf714c0f873997a32b122d09c284d2f53b707c564ed721a3 SSDeep: 12:vTsFWnC2J45aqqa64lilQlok1XjCnrRf5HLRYbnS+eDwc6T2TIR1JisejM7fNyzP:rNs7TeQlG5LRYbZesc6T0IR1hewwsj8X |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\sYRXyP3UmUCc7I mkd_.lnk | 1.09 KB |
MD5:
c8370998d1f681673ec6d3f41fd7bdc9
SHA1: 8e724754e47c53b2e321586fc7d96a7a2a2e1ea4 SHA256: 68e975931b101b28ae5ceae151cffd6cefe2a16a224ee64b7e3d5297e7d0fd74 SSDeep: 24:e1qqcqKziyN6U43ex4cOTJI2kY23VwgQSFjEACeabKzvghWeO9ng+3:sUqw6H31NI263Vwrp3eaWjg1O9ngi |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\NGHgpHRGY.lnk | 0.86 KB |
MD5:
6f2a5ba720e8d6c39c6e8178131a7452
SHA1: 5cdfab1768125948e32f9ac66769b51800353c2e SHA256: b3deec5ad2572fa6270c429d42c28b808d7aad0bf3fd036be3503c71a9d997a2 SSDeep: 12:vsF0NoQdRoKfHxxgGuh+0kVtXCuQT5Z5fZ4PURpEEgy06xF3Hj2DN/uIjap+4Wt0:5oQQgHXgVKXK08RpfLPXIjI+/t0n |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\pLIymR0ZfD9imcx8V2H.lnk | 0.86 KB |
MD5:
5a66ea6de5d9522f622e4952424972d4
SHA1: 1fe2861c82bb638669af230f952963363cbe3fdb SHA256: 81f40ed3711fa282ebff237a080b0afb02e5a6ccbe5b58e088d224a0924db8c9 SSDeep: 24:UVQMQIxlVZUqn5192+zXcgd3MNetrVnEV2JwbDj7osG:AwIxl7j192+7d3M8tdEVywbDj3G |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\TllDAUU2CxF.lnk | 1.28 KB |
MD5:
d9640efd9c350d6c19bce328281ea7c7
SHA1: 830bc548826d698b686794c806121abe6e853443 SHA256: 07a3775e7586e2683be8f1ace163334876b7f511cd40d588ffd720a454d27a45 SSDeep: 24:+VrfFPeDHcU49BmiDtRHEuOg4ECf4k1Ztyr/3gowrV0l7arHJa9DP:gBegDtRHHOg46Dp1f |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\6nnSA.lnk | 0.95 KB |
MD5:
5c76e5a056d6ce23571cf560e0081960
SHA1: 1272d4c6d37fdaa6e43c6752e0a119fb27d33ed3 SHA256: 8f1df438c6307ae29c62d2bc3b9b3e41ec4de710efa9cb12ed7104669c445c73 SSDeep: 24:7GxyaClxrtWOGLoNOiJ1NISl6xn+kholRy6rlAThVNdcm/:wy/lZtBOi/RIxLolzCThx/ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Zyo85Jd4gSHjAVsjV.lnk | 1.17 KB |
MD5:
087bfccc2c888ec302a960a7e28e22a2
SHA1: 562a9df273b40258aa6c7510990cd48f0a95ec41 SHA256: ca9519a218f9e1183d22e75a9e85748968fbf6e57907fdfb4ac8a84ccbf6af0f SSDeep: 24:dMQE/OuL9YLPcS+ZMCWy2Os0uKAsbSO74LRQHr5fTOPLR8imV9JDC2hxrAZ:PE/zJYL2OvNrKAdEGRkOPLs9JDC2hxry |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\d Y_MLHa.lnk | 1.08 KB |
MD5:
f9c50adbeb726454db91ade883e18fd0
SHA1: 036548d4d8664c3679c34fac24f33dd3d8585d38 SHA256: 760c13306a6cb6f3753331f69df420bd8d62247bb3faf0e80eb3ef7df09285ff SSDeep: 24:H01Owgv7whm4OGRTZA30DVcLPlV01lLFjRJedj9blxvH0ZOF6LxQBcnMJ:H01OxE9bo30VlB9cdhz7GxJS |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9cfafb05ce914942.automaticDestinations-ms | 2.52 KB |
MD5:
d95398344d5b599a4146d13cc964147f
SHA1: d660043071c990faf051d58496ebbfdb0ea0435b SHA256: e333eb88c4b597728e70a715e816d9f26178222c534d3eaa1120fb976a4a34a8 SSDeep: 48:osg+zUYrVrpCu1u5tYQs6t5vpUajDkUmrvK7WoOr3q6uopi5yAHZwN/A+U:r1VrwUu5WQs4vpUeQUMSKmyAHCBrU |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | 8.00 KB |
MD5:
736712c52c687f26406987a43adafbad
SHA1: 8e7bea1e5391177f4056e8d68dd2258dd8722d0c SHA256: 58a96e41203a6210d6bc3cfcb4d42542f64e0c8a27fb47e4ccf27e869a4cdc88 SSDeep: 96:rbjbkJZp/+LtY4RQBsXkHQp7bB7ycDOI/FSpNR7Whe:r4pWtVRM5HQxBpDOBSU |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\wk7e2LGGFK8X0Z.lnk | 1.00 KB |
MD5:
476a07dac17bc619b232f30c19a4875a
SHA1: 761cbf6c840a455f18935bd7091c07d079bcd56d SHA256: 8e665ef0d8b9d13d23147d4a87d34ee78f86ecdbd476556fbdce06d752a173df SSDeep: 24:Y7na8K2GPIqfC3cqVaWxswhi5Ld69aEszJO:Ye2YfCMqVxswX9Ps4 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\L0VH.lnk | 1.20 KB |
MD5:
bcf2e4677ffef2e513b7751f4fff8b0f
SHA1: 8069782deb8074f4cf5cc3e185d535be660f6027 SHA256: 5ca68d1fca394e97d722d8f11acec73f97feccea98f4f3aa90f6b6ba9d1faefe SSDeep: 24:Tp8e8I9sJT/6I+7Sy5C7sLCB0r3Ey1ntrHV9xHqdh5DRyt5ji2x47Ad1I0:GeCJT/6I+my7pttbVPHq+XuEN |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\a3QnHpY8WxK1ea.lnk | 1.17 KB |
MD5:
31bc059d7c1105476606be1f3b9a9833
SHA1: dd40f9990e7bccc0623d69c4295e2126695596cb SHA256: 001be53d8f775d369d8e526af5a5db8fed59657bc76bca9de069eac36744f882 SSDeep: 24:bD+CSdFqc+zpJ9r/rmXSCQ4C0vNc4zc3T8IXARfJEwp/8em:bBSqc+zpJMPQ4Cgzc3TpXARfJ7/8em |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\JcAiiI7bq.avi | 81.04 KB |
MD5:
7ef798fbcf2a66e0acdac67a440d6489
SHA1: ca19fcbd5fbfa5b56e2f97633fc4fa1f12ade4bb SHA256: 9ee45e9204dfbbcef9cfe93c3ed62f9bf85d126c8d7c5dd8d3f1497ce181b45e SSDeep: 1536:PZO4OyAE/CaWN81rqsUSFxHSkTljpbo8/e6UGz8C/oSNYZMk:hO4OyAEqv89sbkD8mTfz8aoSNYKk |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\d2H7a-tYhvZsdzV7Kw0T.lnk | 1.16 KB |
MD5:
5d27a0f16b14b01d344aada3b2e93c61
SHA1: 0f09dbee2dec876dd6c7eaf90adc9137a154e57f SHA256: c1a837b076f91c873b5345c11ea3c5d75975e04307df44b54d8459d572457fbb SSDeep: 24:E1Kp4yh5H+aAoIUcPwEaSJK8Sd0Z2BVTu6mlFH:cKayzeasIEaSA8KDipd |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\9m4LOZ8HMX8jF_V_h.mp3 | 81.80 KB |
MD5:
3f9a8c20e585bb6f4dab4742f827a32e
SHA1: 63203e227b3abaf0078292f1b09d769843f3524d SHA256: e575f5b8d7d5f04f916a10b190a81e911bc6cdb41f498577c5110b9feb91b32b SSDeep: 1536:oDzsgXOodnro4Ne9Rw7kkRKJIWHfuphnkn0ozwynZ+ItbrX:oDl+odBwlkRcIWWpxkPzwxIt/ |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\d2H7a-tYhvZsdzV7Kw0T\1UEZKTO5 S.mp4 | 78.99 KB |
MD5:
8c5e14cc424b0b40b83c88984979915a
SHA1: bb80745e5c778eec54c63d0bdfa7b2661968286e SHA256: 6326157fef8f484a7f858dcd35f4b42a3a0f90b3b7a1918816a3348466bb9138 SSDeep: 1536:NTT/+TZCZMuMucnVp6uNrOoCEQM/zXiqGy6/wzOh6S0ZH9lNqQ7:F0fDlS8QM7SL5Yf0Q7 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\gf2Xpstl-3SsWOQBl (2).lnk | 1.02 KB |
MD5:
d426bf650673d64293917919f7dde404
SHA1: 23beb46e971251426077e814b8f16174d3bce7bc SHA256: d5e7257aff26700a7e83ffe1793b1c1fabbcb0f9a83e074ee39e870b5bea5dc3 SSDeep: 24:KNNvj4nAoq5j9SH6dsm7dvdO5M60giIUlhGBS7G:KNNVQRoM50XlhGBS7G |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\6d2bac8f1edf6668.automaticDestinations-ms | 2.52 KB |
MD5:
b17a6cb87973823d5eb28b7ce71c8a8b
SHA1: 07249f80e8f3bf4b110df09b95151117f57be5d6 SHA256: a7f9c270e0d057dc501c2ea98d7caa0d7872264c9215dc261bcb4026a33bdb6f SSDeep: 48:osg+zUYrVrpCu1u5tYQs6t5vpU4Pc0BlyIWUZHyiu+I2BHKERx/n7GpcFmZC+zU:r1VrwUu5WQs4vpU4XLxyN+I2/PyfCP |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\8MQwAP0_D5NFG dD.lnk | 1.31 KB |
MD5:
a5dff7943e0f81e1c0e4fd3a6520b796
SHA1: 007abc85a6dcc53cd92b7eca938d06cf8b3d94fb SHA256: 7c372717d72e6e2fb166a25089786bdbaf36aa2286894908f4e8237cb4c317d9 SSDeep: 24:ayGLSpaVGo3sN3AWZ8ej6p5SAGl/dCxziGOJqTT7fBazjGEuU/czjJngTgQtM1TR:aD+aQo3sBpjyEAyAxzTvjBa2EuWcRQMv |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\G--uCJBQv6-u-.lnk | 1.06 KB |
MD5:
1890d747dfeecbd9864d89a54cff4a17
SHA1: 9fbd654eec23d1d79bdb91805358aeaa587614d8 SHA256: b03ea9f297aac62b153b46af5437f9b2e92b8a1e4eef2089c130820174ca6013 SSDeep: 24:d+cmIEqtfDPsTu86GmucTe+YgLTbblIf/yU1w+6qAxfaIphQ7TJmbkn:d+hIVJYkuCU1RmTpGqkn |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\HFrGs.lnk | 1.25 KB |
MD5:
f545d0d42434b8e7cd9ae3a1f1f97134
SHA1: e82187e6665c4302d95fdd533570a9ac5c17efa9 SHA256: 4e368fd51c9fbe8ed0c023a33ee3f1a5fd9eb5bb62358a99d2606c09465d78de SSDeep: 24:qFziqNwSyuhxAjnb+ZUGAKGo46kIpNYHwRyxDgvalShpIK+1XzAt:seJSyv+4zX9IpKQODDSTIbqt |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\sYRXyP3UmUCc7I mkd_\NJULNohQzh.gif | 45.05 KB |
MD5:
27f77c6053ecb0700278444602d41e6c
SHA1: a8fc7d507c4dc4f1cb7dddd69b706d779121ecd0 SHA256: 4f97e21186e7d09b62818679bbaead6dbfe33811f3d4ad17b73df9b36c7c279f SSDeep: 768:HAAvVCdgkBg5nGZYr7r6uzMFrOQYuETtudsxIVZAK4:HAuVCdTa6Yfr68MQQHETAdGIzA9 |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\qrA9hvnxQuIXrz-kBi\DZwan0p.m4a | 32.98 KB |
MD5:
ddfd3a21ebd51f48a5a9e3dbff3e97eb
SHA1: 28f7e8b428236791a44fd6fb6b142eb0576a24c2 SHA256: 09289858560da60db5822e14957859f4943683ca1a7376210f7f7eabf6ef5453 SSDeep: 768:SJrAMrcswM3v53Ruza7JKQoT6vhLEV/HKu66:YrBrcNMlwzCJroT6qVfKl6 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\xFZ3UgkUHNIW.lnk | 1.02 KB |
MD5:
01c9cb7f9d6a6601dda55976e4a97dbf
SHA1: cd3aefd8e5095c1e024072ebd2ef0c6af3e99cf9 SHA256: 67f0dbe38080571d17b7b1ee0a70a4781209855438b2feb16f3c41af4cde760c SSDeep: 24:fm9RT1tv2v6jmdMLvKyWP8bnbpCbV3cSqs1uL/YXvdbbH0+:+JJG6jm3yJb9a+DJLwFbY+ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\7e4dca80246863e3.automaticDestinations-ms | 8.00 KB |
MD5:
d140e80404c2e18d93a30b1427c043e7
SHA1: 5e2f6a10525a53fdca2efdb7ddcf1e013c176566 SHA256: df62a8b757c4f082868ede8c72aba7482fcdd83a63dc00ac2333bfd2262e4f51 SSDeep: 96:r1VrwtF6DSlpczp9y4hkpJ+4OXDLd24IOJEvamASHpdAM9EE0mlO:RtwwS4i4qJtiE7jHpO |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\az88pgn.lnk | 0.64 KB |
MD5:
1ea4bb7b6e2e0b41ed1786a3cba18a94
SHA1: 2107f3bf662856334868d1b799abbc772917c425 SHA256: c5a521efd2db37dce2ff0f18ba514d1475a1f7e05485f129bab9a7608fb18ff5 SSDeep: 12:vqFFt8NMsXh4XTQHFR7Fvho7IxaKNa60AYxqAtQfRK:06NMsR4sFl4h6cqAtmRK |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\n_6iIbpL-Dw.lnk | 1.09 KB |
MD5:
2ca7c442f5f7c608450127cf68a1d4ac
SHA1: 0f45be507c61cad6380413a3311807bf1df0496f SHA256: 3bb5e9d07f44b09d25ce82f25d009d888dc85969861c9ff24913da2a3c9e6fc0 SSDeep: 24:pPdUb3a9wmBzCWJsaAUOQgWzCjisUR4oRhY6XRY0/ZnlU5aMn:pVUDKwgJIhYzrZk4ZU5ak |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\EB784XEVaS0_dY.bmp | 71.77 KB |
MD5:
be693cbfeb99fba51b2fe82ebfc7500a
SHA1: 0808069f3e857f6222dcf07dc1f015e32e414bff SHA256: 1c53c981a00d9f52dfc5c4798864c09064df39b98f4ad870df177fb83754348d SSDeep: 1536:LkaNKvp4chQy5b/4L0dCaj0y6p2Y8MFRM24:LkaMvWO5b/dCajrIbC |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\UELEI-EgHa.lnk | 0.97 KB |
MD5:
b3ac0ed5f49a5573228f99e093aa42e6
SHA1: 08395a8b5d404945da195dbff80f461235006f9f SHA256: 83d4f2451e2a115771043e6577a54daf05b224732dfb2a6bde057b3071ae139f SSDeep: 24:n6t/JInXTmYxdxhl2Ur5EnGfH9x+tRU6CL2vRONHcN:nU/JInXTb7x+M5aGFx+tF22Jgi |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\a3QnHpY8WxK1ea.wav | 26.86 KB |
MD5:
a0a70af54d8e075024822a4924fb6669
SHA1: 36f68088b89d80237b4c0825522af8dcaee6c7d9 SHA256: 0fca36b4a0eb07f79dbd332453cfb8f4299b977bba6d1f3c7c0ab7a54cec81ac SSDeep: 384:ZU7iohBY4p+FycB7D9f8eoafPKBmO5Iajh7oPSFL/gNAFGAt/Gyy3io+iGIe:ZUNCF/BeafSthsSFL/giGyy3Bre |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Roaming.lnk | 0.78 KB |
MD5:
936dcc171e2d0ca04c973b6857d7fb39
SHA1: 592a8cd313bfdc6768574dbb4b2f9e4ab686d4f7 SHA256: 4f8a63f3312764c4f07708e7efd7d302db3a2a40b952f7e32e149b4273417d30 SSDeep: 24:NzxxlhwGsVTUkcvpy1lkFAfJrsXP/Cv+43Iucj4i6UP:NzxxlqGsVJcRy16RivH9cjL6q |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\ODTY47iV0R.lnk | 1.08 KB |
MD5:
c4bae989f5190da1f20ddbde9a4f6204
SHA1: 199f30bdc133538e445db84094571668939ad69c SHA256: 8ef3ac9a056d905f79663816ef423c243a46e0702735617db619c58bd5da8680 SSDeep: 24:EtZ500HGeSrQgRhsf7o9K3Eig0v6x6tut3nSfAIiHoeX1n:EtZFHwrji/UiAtXwCF |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Fh0-0-tlk.lnk | 0.97 KB |
MD5:
688a0054ab541e347bfa2c7f2ea31906
SHA1: b4d600ca7be163e2006d541eb5eba803e6fc1a20 SHA256: 5db13a59aceabd5371d83c428b6012e6b330aec276de1c3af420de12f79a9b1c SSDeep: 24:+mv0Aj5UBYjGjPI31c7EDhKRNiFTHmTMSqIFG+/mf:f+YjGMc7mhuN8SqSGsmf |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\A-6CfSPMROK0fG74g-Zj.lnk | 0.70 KB |
MD5:
1335ec6d2366947ec9778dc52304c22c
SHA1: e4772a16d1c2997fad57c76db7326d69201d4625 SHA256: 35896ab966c4afe2f391aaa5bfb4c4c52f5f5c58ebc91fa56974013864357bbf SSDeep: 12:vs5QmPkArShY4rRVsUo57ajWmb8vZeu661h9+ZGNlGXjVCuAJoOH25coxCY:IPkArShYSto4CmYv99n8Z2s5CdAxN |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\cLzrBwI9ELH8EUl_mr.lnk | 0.92 KB |
MD5:
01209d0459c5a6f53a735ad325c55fcf
SHA1: 8c523a1310d3658da5879f54d965f4d30727999d SHA256: 8327b3a496081046bf781393cd94538f7ef67491dfa9e85807429866e3d1abe4 SSDeep: 24:n4APz9ysG5lbcGfc2AlzaB9KxzWJudaVJy+9IJ8I41:flG5lNBKxzvwVcC5 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\L5g5B6.lnk | 0.98 KB |
MD5:
421bf38066e1f1cda1312b668539b1b9
SHA1: af0c877e74d63b3ebb110b8fea24b48eb95a2e2b SHA256: 96302f75915b6421f98c01db4b82bae53e15fbaf3f4f21fb5b6a41ee955d1daf SSDeep: 24:J+fD1SsiMjdhgvYjfhCaTJQlGyvpCV/YKapEos6:J+f9dhgvw9QlGyvsV/YN |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\8JP_fHn2fAsy.lnk | 1.39 KB |
MD5:
1ceb30c433bff6b44a347b65cbb5f5ad
SHA1: 204f511f2966a58b87f87d42540e4d4741304889 SHA256: 07123f5c5bd7768ba485a49125d2928ae4ccba6d3e3faee61a3e0220e420946f SSDeep: 24:k1He3HZkH5sSGU2SxOmhKTHQH20zMneqiqDyzQUE4DYAqzrLJvNMEWqrqbX:28ZEuS3nhKTHHUMneqiqukj4D8fJv3WR |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Dt9dhKb.lnk | 0.97 KB |
MD5:
ce7183e029e87ff413749a5e07b1be86
SHA1: 67a82d92cf001c104671d1c20dc83d4e42ac7d06 SHA256: 0fb0666165607a4566f93ce8f1f311371fe4031718bd9933674e694c505ae10f SSDeep: 24:I5FT5gqDu/X0xqMQIePSZPG9KqCLrBduWwBzBH3ibV:I5FT2LXuqMQI+SU9CLrBduby |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\wHS8C.lnk | 0.64 KB |
MD5:
4c4e8b5a58cc93e1c74de3d62055e550
SHA1: 15f099fa6f783c00dcba83bf1b0b16e4d52d544c SHA256: 4773e89e7900426998a88ddbf45fa51b47e6e3ca0927ecfab91347faa729803b SSDeep: 12:v2L6/BwsbU/YtI2nfzcrvmGBLvKZQ3/b1kC/hSixha1410td2TK4s:1Zw6U/b2grJBLKy/Bptx417As |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\JJSZ6n05wI.lnk | 1.14 KB |
MD5:
d6e7936c32d02458a283c5d82acdb3f5
SHA1: 51201fba4268053b5296a7a2534d3df785d73bed SHA256: f6d1f49848b1bac85cb2516c21b808e7749e776876c8f3d74e74be6ad8a46187 SSDeep: 24:xYFIRqw2aWOs3BQ8eyFlEhDEZUOD5oXo2MtA2rM0RxqV:ximqvjQMU5oU452o2Evrb+V |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms | 59.00 KB |
MD5:
47d6e89591344c231155ee764e2324ce
SHA1: 5c165005f45c7479f30e04615300c95f6cc6610d SHA256: 34d5ba6c5abd8195d7a315fc0729013cf79c0458beb84b1173f8a1a1ec7e84f7 SSDeep: 384:0zafRcM7QubrzimgPess9qJ9YVGHy0d9sQgLRl8:Qafz4PesxoGHy0d9s5LR |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\rGxJ8R0.lnk | 0.80 KB |
MD5:
73c9e8f1ae8809c156c54fa16742ca69
SHA1: cc3d91931802570a5708a0e3374385f03909f1fe SHA256: b38841da9f3a28eac4854bccc666b4a983b37dc36f9a374e5f585090a3022e77 SSDeep: 24:c5mcHSLUTyuU2oAZuOf9UuFLZO7LLMBIrKsX:c5mrLUmfOfSuFNfru |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\e6huRO7 BfdOE JzK.lnk | 1.12 KB |
MD5:
57a2ca58d58139131c89e4931edc3d48
SHA1: 3b79832500eecfaee997689695dd954bec19e02d SHA256: 2f49a2b2f08060cba9c47ec69203eeb426706970c7733aa2dc7d2a7856d54ee7 SSDeep: 24:zpUfxz91j8yUYSR4TJXqPEavsKvAh8gw3jpDQlr:z0z95zUYSiTQEalvAhpw3NYr |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\V4M4Zk zJ0onUYJXIl.lnk | 0.91 KB |
MD5:
f8deb35e45297e3e9ca51718786eac58
SHA1: 7f9a26716633e71a0954b6023dca090d81f545be SHA256: 84a510b517da89d22c9981eb8033e44799c31a6fc83e63ec3e123b0476997157 SSDeep: 24:uhrtwUAslPcJaVLu6nq08v4YQVQnt2XdSXsE7Kfk1uMMI2Mb:iwWcJaVLuUq05968XksE2sgMb2s |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\xeKWFIddBHaEN67 iC.lnk | 1.48 KB |
MD5:
2a6d5ec35eb4eb5a8589b3a2fa7b071c
SHA1: e89cdda9391be5259c80dfcb45275c7db00b2460 SHA256: 0aa068f8949649d7617ae2ce9413f0cc7690ba02a9d5c6cd21ec9eebe6a8822c SSDeep: 24:6TKwfzrlKJvGNDAtfQRgb1tofdDxWoglIiQBJX/xk9Qwzu7VFpaGYxFUD:UREG86gb1tOdDcFSnJX/lJRYxuD |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\ag70uOVMAZyHaepYdjne.lnk | 1.59 KB |
MD5:
323c5b837030be2c4dcaaba3ae9970ef
SHA1: eb08e11b0c2beb6c7b8e9147261c8935a59851ec SHA256: 8dbbb0d30e617df876da3220cccebd4e7774ea6a7143be0122d3889244d41fe8 SSDeep: 24:2Mf3w/Hvcg4vNmniZ8BH5cXeJMbv7Lc/qHrpPIPj4IZTHnVkFFKPWaPwVu7/gKqb:2F/HUhvAiZQLyfzdCNHWLSWaom/gPbXH |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\-42tUE1gV2.lnk | 1.16 KB |
MD5:
e751e5ff646d1e2b3137fa90ecbe64e0
SHA1: 5e25323bca020bde52ed35bddbd173ceece1cda0 SHA256: db68de48bf69fc51e64f1557cdda19175055d7948bad50f99a3688867b84b042 SSDeep: 24:XyIG4RaLbLBxEeYlSmKy+Qn847A4pP4UHfxO2x2RZmmwMNZhWYgf/n:CIG4Ra3tAZ+4/A4pP5x2RZmmLtWJHn |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\R6lD7xHD8T-ubO3-rd\zz0GoIZI_KNNIh4a\gVhnkpA.bmp | 8.00 KB |
MD5:
1be8e1f2cd378c89b9bcb687334ee70e
SHA1: 1653f9d2b21db9c775f6a43cb86a8c440487c135 SHA256: 5ea84f5ab1d543f61f380a38dd656a509c370af3974bf3a5b4191e0826ba8a5a SSDeep: 96:nZJYw45Pw0+Fy6zXej2y+i+W+f2JlPNfSjoM:ZJuwbycFHxR6lPk |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\_xN12rPpzNlGEeUEq29.m4a | 98.66 KB |
MD5:
26c53f9f1df0f3ef680577484e53eba9
SHA1: 39763975eaaec9b65f1c52941597835d7be468e9 SHA256: 24509f439fbaeca72d57c3a57a8f38e8488d499438927576e791bcb6a858c35f SSDeep: 1536:o9wBfhByCQ2S2/oG+eYr/9As2dRSYsV7/pqi5nn+Zhn/YHX6ofbKjFFlFHkA0v2:JhSwYr/9j24/pd4/utzu0v2 |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\m-GVKfYhXB6T.mp3 | 30.33 KB |
MD5:
0fa2807741203749455ac8866eb55a78
SHA1: d8235758f4671b6b82a3fe73495bc90f17a898ee SHA256: cda29e3607d40c75482f119b7da1ee4851f04791d44847bd3d124d580152f3a0 SSDeep: 768:EwK8L4isrKoPnweWRZuyzHsv77x2/JIBl2:958iKPwtMv7F6SBM |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\969252ce11249fdd.customDestinations-ms | 20.36 KB |
MD5:
6b09ab39dc321779e14f91c2280ab621
SHA1: e6c77ba9da751bc5b0cfed78d03c288436ef1113 SHA256: a5e64f2b32c0fb04e6a413a7fdb6f7f629bee3b4bc4654b66a363b5b884fcfc3 SSDeep: 192:aOxOYjZy0T9VeJlIBRlopb+72cI+72cNlJzlieNI2bDnDnvlmzn:asOaZX9VejIBRlo472672sNp7lO |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\UELEI-EgHa.jpg | 79.29 KB |
MD5:
8d14a093cd65aec661444daa4fe164aa
SHA1: b4977b5753995b371f5c922c1ebde0e4a2465901 SHA256: 2c1b9f9c49f42973cafd38b03ee487df603d2a047009085623d190a32debff81 SSDeep: 1536:01EGQg+p5o1Fo3+C+4R+okOC1vF5NZrgiOaCQ+0EyBhFD:0q35Oo3+C+hVOC1vpZrgibCOfb |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\b8ab77100df80ab2.automaticDestinations-ms | 2.52 KB |
MD5:
b2eec53ef65244dbcc56b357d6601f1a
SHA1: e02c9b08a5907d30784850c07edc74a7e64f5d90 SHA256: 321097d2c2d22a60acb6572e5bbab91df40b36278ed5b3804c176cec8d34c84c SSDeep: 48:osg+zUYrVrpCu1u5tYQs6t5vpUGBED7EmpcfubO5gcJ/O9+Kf4mbQkjC:r1VrwUu5WQs4vpUGKD7EmufOOWcJ/i47 |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\NGHgpHRGY\n_6iIbpL-Dw.mp3 | 18.17 KB |
MD5:
5341de6c7aea3804053a8d2e2673e776
SHA1: 46c23f3aa51e903a04fd3a7d6b12916226c7e0e6 SHA256: 9545b06b501e374d2b08c33949939b5a93f250688114cb7d9dd8a108c064a0aa SSDeep: 384:mKPBC5F4em9UPo1+xa+G8yHIv1k61b9oL1guqXYdvI3GD9MoBNp:xPBC5rm9UwIx5GvIve67WgroFk5oPp |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\ElxEIJtu-_rA.swf | 96.45 KB |
MD5:
1986082caf031f03129bd8bdad3dbec7
SHA1: f2e1f24a24fc81d64b4c94a58bf7e4fb85d64ea4 SHA256: 2f882330b676f07b64b44bfc9da5bfcc3b5d534f0a228e7fb98f25a022874b53 SSDeep: 3072:q1Xk4mnFA7KQaN/5NeIjhLFGCqCbci0bung:q1Up6aNR7hLIHCbybung |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\xeKWFIddBHaEN67 iC.wav | 63.05 KB |
MD5:
b5555879ab0e4c853f390913b4b38667
SHA1: c70c11c2f18ae0b541a26c3591721bcf4873b62f SHA256: 71e6f79bbf5f4b6dc5c74768728180c468fd09a7069b1a76d50465422ef99b9a SSDeep: 1536:ISE5PFGNdyqkGPhxre+RnDHEDKLfwUrGJUNXHfjrcD8dd4gv:COdyqrZrEDKLfwYXH0Dqdtv |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\phsoFQ.lnk | 1.19 KB |
MD5:
159031de68ed7f7c8afff71334a32b34
SHA1: 14429a19fb154d0a619b1c12ee2f3b0437aad5ed SHA256: 360b04ce1c9157f0fbeac83be733fc04f985a3009fc985d39638bc3831874215 SSDeep: 24:STWSo4KyjRdyyfRej5fFfBA2FeGGa9dbo8UAItp9UniBzaZodT69j+g2nvGfbm:SLKyc1fdqVSPUj9tBzaZ069jL2nufK |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\qTWuqh N53NYZck\gjO 73rZ M4.bmp | 86.12 KB |
MD5:
2aad6cec1e7e432d8e955d2f2fcd98ca
SHA1: 5226b591a9ca8f9751fb225c42ba1f4cb0c7c4f9 SHA256: ecad5cfacc3bfd04af1e085fe7f2b59c6d091fecea2feecfb10acdd6fc3cfa2d SSDeep: 1536:J33dQ4V2SUStsYwxMQulgGx91iTHS9SKrOZvCphIONzre3MxPAvuq9y:J9Qx7XogGATH+SKrKv2IOK38Amq9y |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CNfRGDwaADTpS.flv.lnk | 1.02 KB |
MD5:
14c3c46c80d3282e1e9b84c81028bed8
SHA1: 7b301e32793f22d65ffb3695981d534695caa4f8 SHA256: 5feebe6fd06fda1d6cdbb98d1c41698cb748363f10d9b0f28af00eef60e98403 SSDeep: 24:roJOgjNmD+IWQszK4DyYiTM9OfEXFuNlpEDoX0k/T10eljR:rorPIHszKcyYX5uNl1FT104jR |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\fBwW7 r5N\e_d9d.mp3 | 59.93 KB |
MD5:
3cf58a88268cf7e84227e9560ec63f02
SHA1: 76cd8a77772614a4ffe5eaf10402eae32e633f32 SHA256: 9c3287217d7930700c8c8dbe337966370030f895a850f83ec57b88cad2ed9b63 SSDeep: 1536:Eox8/GqbqpxHxS5YkUhIVAn4TPkewZbkIhjLq:tG/GqbqpPSWOVDSOujLq |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\R6lD7xHD8T-ubO3-rd\zz0GoIZI_KNNIh4a\vRQ5tUuEKHqkKPnnz.jpg | 32.86 KB |
MD5:
a9e73e2a6f9ac048838ae7d094a42dd0
SHA1: 4354b6fb36a13d584974214612b22f5df5b962d7 SHA256: d545760f143edbb9b2e62d778301501d2163b491bd9c0c8adb87036c42f417a8 SSDeep: 768:fjxu+hM/EetjRHK8IYfb/FYFNPZDab0EVsAz0:rs+a8et9HK7kjSxSbZY |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\9P5vIWV3lOKAM.swf | 68.52 KB |
MD5:
2ccd4b9eb6aaee96162a60e51e36f778
SHA1: e2ad5a802c4cef0704eaa90e9af6b645eb6612a4 SHA256: 6efc32c74496fb18b1da8de8ac6b61279e0092c04c383c91ff1e155ff3f05431 SSDeep: 1536:RG+A0hi9N05HcZ/MKVXvXhQ8SOhnv1mE0lgx:RG+Di9S5CMKd5RSOzPtx |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\d2H7a-tYhvZsdzV7Kw0T\El 5h qHBzdQQuQ0y63p.avi | 30.87 KB |
MD5:
32f202f1a58e85ef51ba13fb7ff5b79b
SHA1: 241e8c6345f2d8320bd31b441919d325abc0b55c SHA256: fa19a41c1a4308a5476252030d5c651b44dc77c34600f65873f4cb5a380e1bd7 SSDeep: 768:VlUstbFU1vup+2JN0eLN04uC+bOfYT0iXBK:VlRtJwup+Y0epuXbOfi0YU |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\HzbGRo6Y.lnk | 0.66 KB |
MD5:
109e424e025b02ccd785964255c38e25
SHA1: 8ae554e733eac73ff9acece9b6bf798cc681ed8e SHA256: 9e1ea1fa690173763e36bdf8f8d2b53da28ed807eca017dd42c68defd2f3d7dc SSDeep: 12:vJo4oKdCpN8c0WWl3QidcK6AXaQbptp0ZDP4UO6w/KMrZH5rpJVI16HfhsnK7Nuk:hlo/09NQi76AXlbDpWTNiSIHmA5snMok |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | 8.00 KB |
MD5:
e07999afbe4ceb648723b8369a6f5e4f
SHA1: 4b7d8e1d9ffc6f777bd039771aa722f9d1a1ca1b SHA256: f369f3378441ed50ac5b60de2b603c111d1acff7528f5a9b346111b46ce0bfd6 SSDeep: 96:rbjbkJZp/+LtY4RQBsXkHQpZCPPBkmD8fqOclrNlxd:r4pWtVRM5HQDCRZp |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\_QpPI0V9w7jmp.lnk | 0.67 KB |
MD5:
e76444df7c3136a7b45c982a097de095
SHA1: 876847b4051147ebff63ad42ff3155e0a5c9373d SHA256: 1c3a415f4a5e6e82f3bd0d5f606c6a9a7afbe765b3578992e91aa122f404c6dd SSDeep: 12:v2b1Tkgkkvw6t/oAVIBNBxfJ0ZFBzFOndNjAlOV52QpN2CdWU1CKP7SPL2I7IPEJ:ABkg7vw6tiBXxfJeBz8dNjEekQpHWp2A |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\xvc5X_EuKq.lnk | 1.39 KB |
MD5:
f6b4358f176f277361583509a518fb37
SHA1: 6caab65cecd8a0e11761f3b4c2107a3d3b90d327 SHA256: 0dfc62a9ed986cbef14b53272640fd578c15ac7215c1fd0c17089d83cfeac235 SSDeep: 24:t245zsjnEidv7naBU9/l5TMtpkIvjm3GAUubNMCWag+wQi4jUNgS4CY3Y:tXzsjnEid/9/C/vUXUCNbg+wVJOu |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\qrA9hvnxQuIXrz-kBi.lnk | 1.08 KB |
MD5:
389c26cbcd49853221af13450ae9df6b
SHA1: 0ce3f6a37bc5cfdf810149c3871003d9c71c8a54 SHA256: 5b2cbb79b9015971be2ef9e8a56a5ef3b37b9db6d59e652f647624a663bcc53d SSDeep: 24:ZoXeCCL2wBA0p/vSmTQD9LpfdGZ8FBvaiSwzCRYAFoXlpLEWe:ZouCCL2w6i/vSmTQDPFGZ8fvai5VpLEX |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\LzxPE9bRZsj0N\-HzS\L0VH.bmp | 32.65 KB |
MD5:
62006607b81f52c2e729dcd918013ecb
SHA1: e0abdb0e9b35cf7a9198bc1e1a52dc58f95cee84 SHA256: 7718b8e3b2dac8a7e6caa2b6faa20605b37a512ba72c2f89cd7c6e29e23b167d SSDeep: 768:0KMuGg2RcLyp1wSNpdfLpMBAPTQqGibqQ:PMQ2RcY1pLTpWAPlGiWQ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\pkc6AG_LpRlnu-9-.lnk | 1.39 KB |
MD5:
f90ecdc212cf2e3e8a4579c3b7a9960b
SHA1: f795e47d0defd340150eff7b02ee22cdb6b2bfc6 SHA256: e641ad4eff6e78e100d281b65af7deb45efc746d39bd1fe8c5bd1dd73bd4ea6d SSDeep: 24:FkD9LoSrYcbIu2d8LfhdW8FKrKoD/G7O+Q7irefEFZroU1QGJ/ngiSm/fZogXp:FSTM/2JdnKeoYzScFxow7gVm3Zow |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Videos.lnk | 0.75 KB |
MD5:
fadb37dedacd3ab086557478ed47465f
SHA1: 2fda87afc04cb618e3892d52790f495b70ad5759 SHA256: 026c6580d07aa68a7812c38709187899fb4cdd69b76f2c01f5d6ff8b1cede471 SSDeep: 12:v9QNTgu4XFN+WXh0OX2BNRlrA+GwvZYvG7HdniFpdf3FXjYHOvkiRcklS7kP8b:mTP41Njh0Ou0wiv7FpjX8eL2x |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\7qmJucxrSVDQh7.lnk | 0.83 KB |
MD5:
7015df3563666ddd4114d76e5a606529
SHA1: 37d696db3d31e2206ae5a1caf484babbe4b22ee8 SHA256: 3bbc6e5e29cb5bce7294c350e1504d7c186605f6a2bc68069e148dc5959fe44c SSDeep: 12:v01WFXw+/JQja3wAcbXubR2ZBRlAiArorEz376PM+lfUVGHBp9hesjmdTuaMa+:c1mVRmiNYRW8G8MefRhp9jj2TuaMa+ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1bc9bbbe61f14501.automaticDestinations-ms | 2.52 KB |
MD5:
393b893655f3d83a6d2c7580afd66ff4
SHA1: a5fb93e8478bdeb1a413f043bab2ddfee6015726 SHA256: 9096af7f816bc192b6cd2d38ae86a533bcab3a425ae63ee068a60136b73fa8d2 SSDeep: 48:osg+zUYrVrpCu1u5tYQs6t5vpUIlfohOY1H4muWJT6bQsveem9hi26:r1VrwUu5WQs4vpU23AOOT6bQsFmPid |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Music.lnk | 0.75 KB |
MD5:
b9fec41d6a23003f0ed98ba20569b74a
SHA1: c5bf8d7f379c4de7994dd1b13fdefd0872437089 SHA256: 93233b225c2a46c5f36375f421d22c67dd2f0389e9695efd1f1cd53e2913561b SSDeep: 12:v9QjBEgZ0ATF+Y5E1gr7a+s4M7vsNqeEmL7NMD3mh6pNK7EoFkgzOeAlL2ZqTTwU:W9JAY2Cq4avmqeEmLCzmY7noFkguR+oD |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\NGHgpHRGY\iwRTQe8_.m4a | 1.44 KB |
MD5:
68a6cff9af08f03ab58c6f5fce7c7bc5
SHA1: 3eb13d89566130bd518c698278d825d69c7b5536 SHA256: f7bf083afb604df4f8d0c2b84f2b10a950b84fb392fd6a4f4d71292901394b2b SSDeep: 24:f+jwLyFoCzZeIMIdUjBlptl/vD0UBfLXWCEj/t0V4KVPzvA1zEZ158uzTf4s/xdL:fHLyysXMNVfboYf3EjV0+KhAZO5zzssn |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\vNVYUbOQ7x0Pi814.m4a | 95.69 KB |
MD5:
e126846601ddf09c8728b588ce1e02a8
SHA1: 1119f04a6b8dc50bd821bef2df5d3580d083237f SHA256: 3820bd38bd2352f818005d450038327e64ad5f043afc115c0a6ce036f01d4adb SSDeep: 1536:tmYTxpUSGSuuEogH2KryPsun6Hdn40C5Hl4dzk7JYOumFZSYKOBrS5zETA2aVYXJ:tmmp9nP8HK0m17fucSYKWW5QM2FyeprV |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\y3K K0vmpn.lnk | 0.97 KB |
MD5:
e2306139139a8dbffc5314534c2955f8
SHA1: 21d920a2f4b154e5ca598e85b9907d1959a20e20 SHA256: 4f0145d6e1bfbc329e62dbec8a7c9aaabf15452b57f8d11ac5ebabf9e6276a2d SSDeep: 24:q/rlAcO7b4z5ywYdOJVs6cMVgdcLyAzv4/uBs:ErPA4z5ytOzsZfc5va |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\f01b4d95cf55d32a.customDestinations-ms | 0.03 KB |
MD5:
dafd6548c73ef617a4c0bc54122590b7
SHA1: 87f45041ee54ed7e233d7e8c4215e70353ee0952 SHA256: 87c4f1fdb5a3a3feba1a3cd89a152ef83de7f5b8661a7e467aeb6be1f59a9108 SSDeep: 3:ZOpkvz:hvz |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\y3K K0vmpn\3zrj1.avi | 81.80 KB |
MD5:
22c10a1494c0d7316dae63ba771f9031
SHA1: 2a7d7a9a438933e8b0a4fae45d83afb881dfe404 SHA256: f71964accd3bafc3f517f527ac9891445b422c7fe54665a7308f7eaf10efa23f SSDeep: 1536:7/jT/yi2j3hKbAg/DDBKdInnbzTjlUyjFBLjigH1iNLZw9phx66nwRZ:7Ki2hoAModInH3amjjii1iNLt6wr |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\-cvcX Qn.lnk | 0.66 KB |
MD5:
cef92f8339d1bbd209d8ac7f8b6dfd43
SHA1: 470dafe4798a387efca9a43c71cb2ae7c236f0a0 SHA256: ff019468eed95c7d86b2e4ea8885447f784dda9fd7cf12093c48d6dbe0115e81 SSDeep: 12:vxOFvf8pyLI2z+dzDshdcgSWrocdxHCnjTpoRTuX1QMfZ2OjSQXcEl4o5u62oDa:ZOFvkYLI2z+kdbS8tdVkj9oRiX1QgLS7 |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\y3K K0vmpn\FGbApjzVzIlNW.mp4 | 8.00 KB |
MD5:
92fb8bf4cf75cf9fd32de8c0cfc3725c
SHA1: 36367ffa169df8e382d412427afd2e75e83556ca SHA256: 91108bdfd9503e3aefe8731dfbc0dfeb66e049e595fc849780fe9d9fc865dae5 SSDeep: 96:ESsQ6neOB6vvxngJHtuyWrnJr0L2cCKU5XgTkrtRPruRJOTS:65nGHxnIzUnJAaKcgqRPUkS |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\B4a3CXGZxiUO-YbN51.swf | 26.81 KB |
MD5:
827915ff95147363e23c515fb3dd0988
SHA1: c88478720876e50335686655573ff17322ecac64 SHA256: ec6a1d67517291a9dfac7ed5f8852574b11a849871d0611e8f90652f14e5d68d SSDeep: 384:GXqLC/5S3mAf+oATf4BzM8ghyFI6uXTeNjJK7ataPUBZOibp5DH32dd7dJDfFOT9:qqQ5S3mTwQxgjJygaPUBZ35zEd7LMn9 |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\fBwW7 r5N\kqPHTpgPgkFex.mp3 | 8.00 KB |
MD5:
54b7985a69f96cb26434f24a3a71c990
SHA1: 1537601b516a66ad8e124c60764df97d25f4ec9c SHA256: 9b71057cc81d4ff021abe5fdd07f146c9c88216e5fbd0fec0a7d051693559d50 SSDeep: 96:kjKOUePXyQcQ7BNWwE41bEmnkQmmPmhZDjN0gDTVoF:oKeKbwBUdmE4kQmthZDjN0gD |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\y8reS6m.lnk | 1.05 KB |
MD5:
82308767c6b7653cea61e6436c41dc89
SHA1: 4ad47e86e42d067488e5d3df8a33f44450135a77 SHA256: ef6c691148c09dc06cca30de8728f1f4c0c3d94db93b3ea587bdec32f656b17b SSDeep: 24:haK0iD7s3MmLFzBV6mSvD7RGfOiZBhutP8WJKjQFkw988IvtgJF:1Y7zr4vDEfOiZbi0WJuZvMF |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\qrA9hvnxQuIXrz-kBi\y sfavt_6-uR zUfBzh.mp3 | 8.00 KB |
MD5:
2ec69e336dd95c91236012935cb34631
SHA1: 97b4d0597b8da4d5b2a0e8e8cca82286b11a49ce SHA256: 915cfcdb3b8da02b62ed3d3481a2fc7acbad35b72026bbc459433b365d782326 SSDeep: 96:6gHqSzFP9Mr5Js1ynnqP3sfA4JFV7CS1M1li9Rqpf:FHq4+XskqP3ePL1Mvi2 |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\qTWuqh N53NYZck\uItrk_jbFDkZ5N6T.png | 60.00 KB |
MD5:
19d4ac4f676ae672f5b161c235ee6edc
SHA1: b12a7b652bbca82d9f7232eb7a6969a25d5e83e7 SHA256: 13ad7ee054ff8c57a4756ca786dc6a51c01578c7d1fd7e8d0b672469e4e3e7f2 SSDeep: 1536:Cq7sd8WWktdhtebEYPG+pLcoo91IrzLneOoQSb:CKmXXXh4bEYPRo1IrzLnh12 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\y sfavt_6-uR zUfBzh.lnk | 1.39 KB |
MD5:
20098c9d04a0170ed341440c9bcadf0c
SHA1: 494af9e881937d28f033ef0d4122f41c93b0780f SHA256: 724e5038fbff5d1165ca93131fd26f5daa4452d110fe5aedc3312957735c3e14 SSDeep: 24:5jQbD5PPaxk0XoJBthtLE/kyhEDq/FK9FaA1ND/arFF4kmIr0kAlkM4cnPwELiIq:5jSDdyu0XobthtI/kyODqoTJ9/KFqN9w |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AZC2.lnk | 0.97 KB |
MD5:
c0d60d1cde36689286c5816d78fd0d73
SHA1: 5447305627ffbea2e3516c95c8cd6f6bc0b4ff61 SHA256: 31b9ad4977ee8e854a4a7a6b3574e228b217b2560652775f53c2c16c32faef09 SSDeep: 24:EMke8e59J2xGz0lLGd+YulS3bmOnt5mIZH0GT5Uyck:Ele8etJzP+YSS3DtQ/Zyck |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\A4ItiusytGvu1_7.lnk | 1.03 KB |
MD5:
207b9b77c18b608ecf40983983cfc02e
SHA1: 9dcb400565ba8040a40e4468bccab1acb87305f7 SHA256: d6f1ef402ef4010b245e83d1581b19f9b2b2487e89d82e7f8870fb3cdab150f0 SSDeep: 24:RF0as4/ukXvmVB+uOlzVLiKsr2UKpEW3DIhcIjVlpqTo:jZs4xfmUlZKyGrhRWo |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\y1a4kAzLHPnL4SoS O_.lnk | 1.05 KB |
MD5:
9189d5de602efa9e7de94a73e1ce6fff
SHA1: 83ec03657486a77824b2dc4b3b5fa8a8fd291f10 SHA256: 8af0b1b19df202f35275623078ea07b722eee53d842323368043b75ff1058a64 SSDeep: 24:pOJxpIb0IbOx9jwEEDRhGJt/E9u9VaxvZdRyTNdlH0R+x/3p4Q:pOJxpIb0ISxir/K/E9u9VwvZdWbqah |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\969252ce11249fdd.automaticDestinations-ms | 2.52 KB |
MD5:
0db21856c18d043fcafa6dfdeb4f2319
SHA1: c6b2f7bae16b83f2a3c7ec3949ee7a0e8addc50a SHA256: 93d272d41dc1dbccb8bc75d190fd1bf279b1daa76779284f7d97285bb98e49b2 SSDeep: 48:osg+zUYrVrpCu1u5tYQs6t5vpUAV7EV9Q12HzYA5YHGQnQ4JCU72tvW5W:r1VrwUu5WQs4vpUY7HSzHeHZJXqtvW5W |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\HE1R.lnk | 1.25 KB |
MD5:
31bfece49952924b13bfa746f62bd6b9
SHA1: 83d3675c70b8046fe62a5c195eacc5acc015ae82 SHA256: 48a58c64e4b375df7cec535b81268c60cc3b663f7b24d255f62752b6df784612 SSDeep: 24:maQ7C6HnWryEEopQY6AvstVL5FzlWBGYWi6kUIe+ZzHTi5EE4Gd0L6:maENWG7o96A0tlzls6Nj+lzO74Gd0L6 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\00_yfQNqHGFuHt64v1.lnk | 0.70 KB |
MD5:
7c145dda3c6c3e28aa6e4771ba58efd3
SHA1: 84e823ebf0e93b7a22935acb5ecfe607dcc19b70 SHA256: 6aa7392f9b44260311091820d53a999892056159f12407d800b225d185a17edf SSDeep: 12:vJYXLYNZ26w1KgObfTF+p51WHQ9xATZs3tmRNyT7+oeWgJ5TwoHfoUJzNQSoD:hYXe0KgaTq51Ww9eTZsDTk5hHfo+Wf |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\eb282ead62b4db87.automaticDestinations-ms | 3.52 KB |
MD5:
a5dc239395dfb0ef9d3506789b6fd4d4
SHA1: da107ef35d7c3cec90a462f16a1a0bad14bedaac SHA256: 4232e6ec90c08512ba6eac94851dd8533afbb01237b6da79115cf67143b8564e SSDeep: 96:r1VrwC2ZTfaym+leGkmJ/rx3LltuaKxcU:RtwC2awBVLlQaKxcU |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\sasJA6VrgSyC4AEc.lnk | 0.98 KB |
MD5:
bac8446adc2d3a9e1ac9f7fff36e4353
SHA1: 5d63a43e972b1eed354d9cbcb4d08e99d11a45e4 SHA256: 1c1ac5ec4b2e668237175d349d466ac4bb98db833ae7a3ddb800cd8c1b4121d4 SSDeep: 24:7SNx9YcPPQZR4bNlvdRm2PhN8mxOFch4z1yL0p3Twy5BFS6xAc:7SNxmcPPyGN7m2ZaDcqsYwyzd |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\GHXa.lnk | 0.62 KB |
MD5:
4c978ed55ff59a0660222536eefdd2f1
SHA1: fa6cfb1710c16e98ba14d46ef52bf1c0fb26ce26 SHA256: 52a20f38709be8ff884aa91f0d3a5167558b8e88454fea59c3b0f2416656502a SSDeep: 12:vxEUcKWbb9JNBEeVWgQuk3vzNwEd9jaOX8JhauaeYlpcV998O/I:ZEUW95EL9/mEyQ8Ouatpc3eO/I |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\dEwwga9gIHgP7bGKwR36.lnk | 1.12 KB |
MD5:
e1f26cbd47807d2240f72f436befaf90
SHA1: 7205c8e9adadf8a0de53e284be49bed90522c990 SHA256: 50b79a0aa8596ea5a6133f7b37b24f60b777ff1e2f11715a5b8cc4bbd764cfb2 SSDeep: 24:pJXMEPNYEEhlcf5vlgJpLlZNSadUh19Y3BmOFl0t2:XXME4lcBtQldg125FH |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\_xN12rPpzNlGEeUEq29.lnk | 1.34 KB |
MD5:
a67bdff8bf3200ea1afa0b4aeb914382
SHA1: b0c797a49101271ea126af3a09340b013287145f SHA256: 86e7d4ca7eaf71b3362dd690c7866f4554d13fba7108d82ebb9e054e2cee7127 SSDeep: 24:ECF6BoZ7IuhIDrB0iAn3DgclkuJYA7SwmmhWrJql4P86VC8Jz:CoZEuhr3DMuJVSpPnCOz |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\B05_T\W5vUQUjzm.m4a | 22.67 KB |
MD5:
ec6631bc7249c458634e317033ed6ee4
SHA1: 4b390b9eab9d8f91d3102c7aef4dd577af111178 SHA256: f13d4cde326a58c0e7164dff825a7c86f5a855ec54457f444b3252b4fd3b2683 SSDeep: 384:AyVrQ6JIVvR+yVsZH67rkwInGFbJCG2G7RMXq6:f5JIVvR+/QA1WqG7RT6 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\zz0GoIZI_KNNIh4a.lnk | 1.25 KB |
MD5:
a0de0c5004f74adc799f763a8bbd3ae0
SHA1: 07ba3b458756f078e066e646665ff153dffc9458 SHA256: 2744b1c849dc3023de6fb21b419a5554f38daa85233e49efbfe38f02f2a7e809 SSDeep: 24:tLcLiye4EhTZnnXH0Qn+gkgiudCMqvfsmDhoW4QSaC6ZwjMMkL:tLcLiyBEhTlXRn+2uZfSaCyWML |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\KeUJ5oCueYQJJFzt.lnk | 1.02 KB |
MD5:
593f9b73b8cd3df8ff8487eb82ef0b4b
SHA1: 2dc42d0baf822b9bb923ee1232b39a42fdf474cc SHA256: f01ac79d7f3aff5fddf2c373baf8eae85b7e2f6e1c8cde247278c4b958ad5898 SSDeep: 24:MM+dZB3i8AEtQfW/s6n/Qnxn3OY0rWK/xqyF6LDO0kz1:MtZryWE6Ynx3bGqy6DE1 |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\d2H7a-tYhvZsdzV7Kw0T\F925j.mp4 | 52.65 KB |
MD5:
70c74197d73cb16f30d97203546855b0
SHA1: ced69a9de6f90ef0324031838284dc5d6d65a115 SHA256: 846310444ad8a101c746759ab71eb7633d220ffe8531e9393524552e4ce22005 SSDeep: 768:VwFliipsGQk4pLNXP95SEYmfazpzYPKzd+iYIxCUkoFMBx:yXrLSLNzS1mfazlNd+MxX4 |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\B05_T\vg-2sbVgxsUfL6fnj8H.mp3 | 19.92 KB |
MD5:
498b97705fdba3c76c5fd41d5fa2672b
SHA1: ddf243b04fc8874c87b278cf490bb7e1e0c833c1 SHA256: e5dbee5e3bb74f692c226ec1dc2290079d47167489c9d96be581a877d1011117 SSDeep: 384:qUaLKDCA5LNd0x00ACzO+ePR/S9qQ6jke5CaZzx4qC:qU4KDCA5xd0r1zONJ/sqQqHRVx7C |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\9-jMlK1J06Z.swf | 75.57 KB |
MD5:
a2dbaf30110679a5bd3e053d9f074665
SHA1: 92f852a3212c5e0e17a4bf7cc3b554603ae69452 SHA256: bd6e1e227b044e6add8b1f7018c0457ccda7d539d402fbd15db0e07da4fc8fdf SSDeep: 1536:Wtb5GCtL6z/B59GiIaMJy5AAp+VScwnQstxYM71Qs3Y:kezJuiIaMJjK+VScwnQixvvY |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\fBwW7 r5N\MWDD3fMVUTnRZA.m4a | 21.93 KB |
MD5:
3f05c7fd1cbd1e0437d10e6bac513546
SHA1: 4443ce3535df129eb346f51e86ef65ae89e365bf SHA256: a61c57f374926fbdbdc431a5d008cef08f255f9e71fc5cdddfb3297d2bcfd6bd SSDeep: 384:J4PEjlvZ7uqQqhLsOKQgVinuPPN1Hw3sE2wrbuf0p:J44lv1QGgOKfiAPNBw3sEvrbn |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\RrmS7r.lnk | 0.98 KB |
MD5:
68da95ed87b5e457c0235f3ba08038d3
SHA1: 7d8bdbfcd624a7c89c25a0625c49d5d1f721120b SHA256: e3bbd7836c898a98058c043694cd17df151b08fa242baacaf351a88b5edabefe SSDeep: 24:+m9v/91rl/keRLNlWeai0KHMfAiAtDcBY8UIdjQhNW1:Ppl1rWmlAivi8cBvUIdOI |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\B05_T\qbEo.wav | 87.48 KB |
MD5:
17cde2c160d04a8ba40fa5b73259a3e3
SHA1: aa87968a78dd81e151980fbc88878dcd39f8aebd SHA256: f28ae3f3ed61bdba476ef5cc3e64c47ed733cb68b18fbadd2ec08a0abcd4a33d SSDeep: 1536:ad2Uv1W5xqxsQuGYadR91bCHZ7/NjpM2+bi1oBcwEEOb9ZbsZ3/W8gCh3vXDrrN:aVWiCQ1T91kZ3M2+bi1tFb9ZwZrdLN |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\lN-gSBVjXH7S4Quo.lnk | 1.11 KB |
MD5:
c86129f6ec9fa1e3e3beeb4b5da16e38
SHA1: cc6a9411c0b162bc2e2e17098c6eb2878f059745 SHA256: 265eb8db593a4201033b547bfbba71a68c4ad78e59b75a982e4b4027f7b5e443 SSDeep: 24:5aS0ZZ06qGyKgq9gpzuzqyLxcxYRW0IADBMsPwUm/yXQz/K/WP:5gZ06VTJl5RzIUmaXQzieP |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\kscbOO.lnk | 0.86 KB |
MD5:
0e539e428a3f8ad741a4a74f9d7ed1fa
SHA1: 1998ab70f1fc8988bf9659758daaad91ec11c5f6 SHA256: 6d8dab7495523317d8541c5aae61d929339a438b8e220ff8098123fcc76e89b1 SSDeep: 24:3/qDIfs9UPnfIvuvKIKiD6dsTZ0DexuGuYJyh:mks6PfLUscqZ0Duu8wh |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\9m4LOZ8HMX8jF_V_h.lnk | 1.47 KB |
MD5:
7df02c4aed25d863ded8517fa1fa77d5
SHA1: a0b5d3a9a5411ce78783d1641caccf2faee84efc SHA256: be343115b5fa9c41454d9cf3e7481295c4d34a9d7b73a23abf78371a827f7390 SSDeep: 24:1AXDr2Jii3jWF7jH4CcMXSr1oJ2s+MQsm6m1uoxMKGiAJAZNLWYrwWen7:1Js3aWSrKV5Qsjm17AJqNLWBVn7 |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\rspzeeQ4w0Au.mp4 | 67.98 KB |
MD5:
a168bce92dec45d5731341d0ff997e76
SHA1: 16a3e18ad3445dc444fec36277b51c9ca4f4e67a SHA256: 6d8f8f22434471488cb6a9ef11c3abb7779da5c214e9bc4933a150d4b8c573c9 SSDeep: 1536:4CctGQIV8mQjBva+P0+yVXlbyVo5bqWVT73:itG3+mQtJjAly5WVT73 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Pictures.lnk | 0.77 KB |
MD5:
31f4641533d34671e45503aa5651747f
SHA1: f5aff31e26c800884e5670ae4b52e082599f86b0 SHA256: 287c9835b6692c2974f1e6812cb711a91e618ff38844f0d04df8b3229c8961a8 SSDeep: 24:SP6ogGfH/woTlWKxJHlogQfCwZUUV0D8q:SPbPfHxZhxJi9qnUuD8q |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\rxFiw9U9bm6LyT9g\MVmj7hQl- u hjKWdH.mkv | 45.81 KB |
MD5:
2010f4060d973abdca54431c02fa4be1
SHA1: dfd6638a7b67f5c72f8372c6ed9ee2da04704bc7 SHA256: f296913f9d77b574e00ee0ae640aaa9eecced1e832101d489a0156be522cf00a SSDeep: 768:TLUnxaJK9JfL4Wwnbmrt5hVqf8dIRFqTWRlEhpvQvzsTiYqxYY/llTyu89:TAxaJK9pvwnyrCBFqTW/IvQvIWD1Ti |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\EH77pChgN.lnk | 1.34 KB |
MD5:
cf0183e68d4f46ad53459da51c5fa75e
SHA1: 9ba78bac67869bc9e0f8fd22683dbface0a3fba4 SHA256: 0ca7765f5b2c15fc236f9306e1e09494c82eb04695903c07f696ade4dd0ec562 SSDeep: 24:kdLoeTjxrZdSpMqq2q1xHU8sTQo7Dk1/wcSmLpm4UXC+IvHRhC:k5ZnlZYp7OzHU8Vo7KcmIvIRhC |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms | 8.00 KB |
MD5:
171149033b4e7f54e5a78b00c9af1f2b
SHA1: b90ae07b5fd45a3d1dc03ec227b8d8443b989a38 SHA256: 7421bd412ac03c3a4b9388c09e56a689383c2d73ba51f35dab978198f2a87d86 SSDeep: 96:39yTHbzISt9FeFFDJPoYgG2cM0fxHZy4ZE7gw17Xm6KC:4fISvuVod7QxHZy4ZQ1Jm6 |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\MzwZZ.mkv | 55.96 KB |
MD5:
e82815c04348418980f60c52d409c79b
SHA1: f4daf6b277190cf3053d2464762f958699a49fcf SHA256: db37cae91fb8ee7a71f68ad4c87a92a6b85aac8876bdde54a0bf9690da062dca SSDeep: 1536:h3JsGHxcR/gNvuMSOAAikD0hKlXhsoSMe:JJsacqtuMSPY0Uu3Me |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\319f01bf9fe00f2d.automaticDestinations-ms | 3.52 KB |
MD5:
230b89fe50b48e7bec0c59a1e36080d8
SHA1: 67f0d316ca25e02b7eb5c21eaf274fcac313796b SHA256: 2ee3021d5aaec00b54e0833faff8a423793c3c4cdade1219d6aaea49c3d9ce64 SSDeep: 96:r1VrwC2ZTfaymk+vl1ywGGMB0+MkkbwtEmvyqVQcL:RtwC2ajPywVMB0+Nk8amvtLL |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\q9PB6-.lnk | 1.27 KB |
MD5:
efd30de0e59fea22c2d97ee24eaa9420
SHA1: 7818b9dd346a6912d7170b1f9b3c111ad7158bb1 SHA256: 5bb694d1d1af8ff84c44824a508ce2132c4894f687139f2e809003abfc0d21b8 SSDeep: 24:HfI2iHeDLbXqkDB8rXER1yD1CCRYtH0S8GeF513yMUeERRvHzmq:HAUDLbVDB8LER1ZCRYZp8G213yMUbRRb |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\e_d9d.lnk | 1.06 KB |
MD5:
ec149940e8d3c2d70e4c7041b55087a0
SHA1: d50994f5aaeebdd6055af8fe738ccd9e6f9150d6 SHA256: 3c4fceaf14ed21f66f881c7386676120b35488be42abbcfb280a4a748a560e86 SSDeep: 24:AU7ewnERFW4spcxA6LZk9gTKLqmFeDSKr8+P2gcZmqWGwM7Am5s:PHnytwcxzZk9gCoG7+PKGZ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CtG65B.lnk | 1.25 KB |
MD5:
6aaa11bf56451cee6ceeeb9156a53035
SHA1: 3500a4fbbcb75007cbaf0779fd92dea78462f782 SHA256: a7f6cbdf343a55e7707cb3eaefdf70a99dac4ca00636c832c225ec63adeec87f SSDeep: 24:LNbKrf1eTuczTP/pqCpZDCrEESj3mcwLuA1+ApeTF20d8yyzsr:J2rfifXAilCW7mzuA1XpewCxr |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\qTWuqh N53NYZck\pkc6AG_LpRlnu-9-.bmp | 10.35 KB |
MD5:
e5a8786a53ee1d3297d15cbd4179e436
SHA1: c6bea1510fbfd72108a513bb59954beabbcafcd1 SHA256: 556cad924c15c843fd8315c5a780e384ccb0abe03978068d2f382f2d36209419 SSDeep: 192:TZs38UmvPSQKYTH6K3nGa7AJo94+TA0hceOLl:TZs3roSQKvSfqE4+TJyZJ |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\J1Ku s.mkv | 94.07 KB |
MD5:
225a64527c9b6ed158aba9dd16312a5a
SHA1: 975dbee96748f5ae2688d610fea5e90b657782ae SHA256: 1cb849ac3c157f26bed96a0dfc18b01062184a94414c3785320cb4f987c86dd9 SSDeep: 1536:fQZsDoahQQoh5XGpPAUcu8LkNqPYoxC3Z7+NgWkUJogqYAxvj:oZsx6bX6hcune/xpiWkU8YAxL |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Sl1P.lnk | 1.25 KB |
MD5:
fe34012568e62c9d7f4f261d15b24dc5
SHA1: 6dfdf116d91b0b843432eb8e568a265b35e5bd83 SHA256: a6f232c4b158b7f190a3d782a54108bf48ffd0e35cefa52cce5e3ca8e6a69041 SSDeep: 24:Yk5Y80w87yaMpb+yyk2RY10MZ9qHi2xnLNcorw7GoQ8nQzJlIh:YJ80J7ynbx2qOMeHVpLNcorA/QMQVg |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\hih.lnk | 0.62 KB |
MD5:
a0c44f27454f0f3fdfb2c994847af2a4
SHA1: 3dfd080c92aa38c6494a607798dc7102faae5466 SHA256: a49f9af70d4e1bf20031353ca448744eb3bd709a28099f819385904fea251c81 SSDeep: 12:v9IH3OMwVCiRZswasxa6/L2xC++XiQh8zRJr9E+M/shXXuYE+TbJuQn:iH34VVsXsxbD2aXT8dJrm+MquYPTduQn |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\uItrk_jbFDkZ5N6T.lnk | 1.39 KB |
MD5:
c49de5d87f7cdf20f2f5000ac0397a17
SHA1: 0230c3ccf3d109ac8c6ee1f9745a05e9c804f549 SHA256: b7988e608c867e7ba1bd7acec7a0b976b8ad6f062cfbe5376e7a4dc0685460e3 SSDeep: 24:3gb1+iKoAAdfTMdBD7C1/V/pDAgXKsA5GY5E8gQEoiV52n9fjmXIWEY4B8ztB:3gfKafTMdR7m/pcgtA5vaToO5y9rmXIa |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\QOCXNrR-FN44qxjyc2.lnk | 0.70 KB |
MD5:
e28adb3acb69a6e48c657f1cbb0b81e9
SHA1: 4ec62886f38695aafbd337ebc5a82c5e780a8ebf SHA256: b893846d1d5ae4490bf2f13988b597d527af4ac4422e0bb2bc7faddcbdb276a1 SSDeep: 12:vNvpxGFMok1MohqaSNSr8IJ+qUictO5a85UcKsYbKdZ47HcfceBC045LfZ:FhxGHFmzEqUNscAUJsYbK8TglXWLfZ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\JcAiiI7bq.lnk | 1.23 KB |
MD5:
c6f7f3f3c960a57c40d49ad475cc264c
SHA1: 9a94b1a6f0678e940cd392dae34225ac1f2eb3d8 SHA256: a2b7d1053afd7bf787897863927bcac06b85b20da28fb07eaf6b088ba5858174 SSDeep: 24:eewOfb4pNJRgeF5552T3k9BgY2+CyGFN1vh2Wzqs5Jo5G8:xwOj4pNngeRoTggeCyGVTz7565G8 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\2JQ1gX.lnk | 0.98 KB |
MD5:
674209a3e7f8a1752bb7ee4d9387975c
SHA1: 801ad8daf84622f281cf4557eef1fb8f45470234 SHA256: e6569d71862ad00f69ff928fa6b1cf7cefe76593a7181a02bb2a17a1f1be3ce8 SSDeep: 24:PUqt1B44Jn/0fHBxtmf9bHDLd3zkF4gxxr0FqAbXFjZVVX:8qtLhSBjmfJHnpzkFIRbXpZV1 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\aA1x 4cIy.lnk | 1.06 KB |
MD5:
3a9e2587ce16b10fa3b345a979ea36a0
SHA1: db9e917501828c5b4d558c53a1d4f88366b83a21 SHA256: cd02e0bd456c32e05d335bb53502aaf81d25994b009967072f7d2dbed8c01ff1 SSDeep: 24:wQFycwbtKOxZQzWD2dYnSV960U/jJA+/VIWjD9PM3:wQIbJLZQzWDI5cdAqVj6 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms | 3.38 KB |
MD5:
1aace0999ed5134ef3528fe1ff7f9d80
SHA1: c918c9ac19d5b33e2e1ecd1ae9da92c671e17365 SHA256: f45ab9aa549c25d96521646c358361100b38773d10d04790cd277b484906bd9c SSDeep: 96:bRLWwhQz5n/TQSAL8+/Ec5JSqapI7q0tg5SuI1XRXBI4yu+:bUwWz5/TvAw+EaJ517q8KSuId5243+ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\hvsxSLFjGgIvWh.lnk | 0.67 KB |
MD5:
98103f91a1bf2a275a15223a663a37ef
SHA1: e337d03362f7f28894f6e699977e4a3889671bae SHA256: 7bab342222356f39ee6eee80f32eb96a8885cbe880cce573969083146cf47bb5 SSDeep: 12:vC/C8meDWzGRQuzxa3cnzvLH5lEFCqwvd9XKt/5A2A8OS8x5Z:6OeizGRQuz0szvLH5k3Q9XKtxA2dOPL |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\B05_T\iPQyt.m4a | 64.49 KB |
MD5:
bfa42efb789f3f14c5ffba98d17f71fa
SHA1: 35f4d7e3612bbbaa01c36a85378693d5d7d21626 SHA256: 360d3377ab7f262a07fe33a25506ccefc457ab2ea23be608810b30def0255beb SSDeep: 1536:Gg0ky0W0DtQbDDXkhIMpTRclnDE4XTR30xuR3nD8b4m:GZ0WaCbDzkSmTanDE4X93934b4m |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\qrA9hvnxQuIXrz-kBi\EH77pChgN.wav | 60.86 KB |
MD5:
d32792470d1d72f45441d14112037b84
SHA1: b747fab23e6bc53818d37f1ea7139eee4beed27e SHA256: 2fa4bde29b322f8a41a81d291cefc57bfaf576ea0992d81f6e566779b6d1c629 SSDeep: 1536:MOfZ8ISA2BbF4DS/pBG0PfRKKTixkp/6uM8lUdiujgiKTDTGGp5:nfZ8Zb5k0PfTexkt6yUd9jgi+DL5 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\YWlhp1_r1Xzl.lnk | 1.00 KB |
MD5:
77cbd78eb6c19614255500565940a4b1
SHA1: 52027a529c0d7888fac3daee5ec06911883112fd SHA256: 6c2f7795291bd86d3519d7d9aa0889be228f07751ec052987a1304076379b82f SSDeep: 24:L37ozz65uUi2xBXc5nUMAheDLkJSQEOkrOoVH:L3sz25Ti8W5nO9DEOuOoh |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\1E9x6o.lnk | 0.97 KB |
MD5:
bfc948537e40a2b2b0d79c335b4a48d7
SHA1: f9479b48c155e4affd928d4cd4d03b78de73dfb9 SHA256: 50f710833d2c95e5ccab461761acdb69e51ba021078bf5d8cf2aa5a6147f6d39 SSDeep: 24:q7euuie93NV+XJZ5pSOUSXBRy8YtimaKG+qZe:qCuy3y3pRUSy8MimaKb |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\6ukdx.lnk | 0.97 KB |
MD5:
162d47a94d898ca6ac8336439a72e107
SHA1: a9dbf196de094390de8c657422fed786200f46a1 SHA256: 41af13d1c3664ba6ae12832ba32f3fb8c2e42c925042c70acb920ba96a7cf709 SSDeep: 24:xe1/KfJC2qWrQbbcyvSP0rkN9SKdpayj4Tv5SDENMl7:xe1ShC2YcR0r2E8MKEN8 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\RL8XNe9oHqfUA86p.lnk | 1.09 KB |
MD5:
627e7ee6451220ec9ef60e884d796ec0
SHA1: 992ba35323878ea7430fa1e536532a318475d3ad SHA256: 3d50d09f0f653b65d7c59054882249b6ba00f11fff79a6ed01299fa3d47c7bdf SSDeep: 24:8NNXd4vcwFpGfxCxTr+DxRc7cy0Iz5Dd4JPZ7ButyCXe:8rXd4vcLZCxvIa7cdY5Ch4tyt |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\fBwW7 r5N\stCGxWNbc5wFp.wav | 91.20 KB |
MD5:
182070863866a5106d787740d2c570b9
SHA1: 2f7138db5512cb95e9f2f8e1c4b5bbadad0a5d57 SHA256: 8a8a66e9226b3a1863aaf340967c808a6869651ca2d0fef5a4a78dba3c04e7b6 SSDeep: 1536:wywLGnL6E5q44p8awfHELw1o9Iqhqr6MRYmPJXi65iI9KBedPA0wmxFSmms:wVyn8dpAfyn9pqXYyX95ruqPA0plms |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\d2H7a-tYhvZsdzV7Kw0T\aWjCPF5VCvkE.flv | 84.94 KB |
MD5:
96f2405decb0c1d57757aabf98f1f7c7
SHA1: 90ffc04ac92c1706f2eeeb35104002b269fa6894 SHA256: cab7867b228b5c30386cb5a167d5c31fb2c01ba061f7de764d2cccca6eae4754 SSDeep: 1536:FJniN1494WVHHX9td+sLBqEUCGKM8ePJ8GdbqDykDLWiHT5d2L7cA5zVK:HnwMHIqBqEry8eB8GR0tz5A7cUU |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\uwQJ\dEwwga9gIHgP7bGKwR36.bmp | 82.39 KB |
MD5:
1a69f9c6dadcc5ca0690dc6df4e46654
SHA1: 6febd89ed402b403ef513d97b1949d588e571333 SHA256: 649e6b1ac3a313e1b72db37a91c2716abfa400578484df1d55583da474974291 SSDeep: 1536:rDeKsVg+LhDIU+7QcpK/gOyNgMYxzM0Ud4JX:+KSg+JIrUPy2nzM1i |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\sYRXyP3UmUCc7I mkd_\xvc5X_EuKq.gif | 9.71 KB |
MD5:
dbaeadc2f70a7dc3317fdbc58e3bab70
SHA1: 5700e366f8896c885a6ed0de1ede323e159f2307 SHA256: 96c3629c4e59b26d9c10b54e2dbdc00a21b8a0244493f2564767ecb65a4fe823 SSDeep: 192:i0O6LSjn6IK7OLj45pYjEQWjsuSIR1BHAX:i09o6Isc0ntSIRoX |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\kd_M3jN.lnk | 0.98 KB |
MD5:
f2154ee88a69acda10c160063aa79dac
SHA1: 3b9189512b8c180236cbd31f81be2e3ebef36a32 SHA256: 259de32c0dee89906d6b6e92c156e21ca1352435ba452e9db157f2202a665219 SSDeep: 24:NkE3EOmtKuIjHRJDab+7aUSr4r955odD8iefgMbLq:K9pYN5ab+7aZr4r955oB8igS |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\uwQJ\aA1x 4cIy.jpg | 61.74 KB |
MD5:
a294725b3986dd4e6a13a71afdbf6697
SHA1: a73ab1cc78c23e74ec8fd5d6fc25c429ec2eec31 SHA256: 9320220d86628ca87bb263248041551ede8720a036159c9b979f32fdf3ef2e71 SSDeep: 1536:JfDUVE7qbSv7aa6QX2WkXCqjQcyB+iq62CWnYVcfqUzfW4kSew:eVCZ7aFQXxVqjQf+f6GaUkkew |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Hn-6.lnk | 0.84 KB |
MD5:
3449ebd32a6a2229357ab55404ea40aa
SHA1: 965f474f47703a4afd20d6a4700701bc2a8ceaae SHA256: 96f68102dd58be75cd7bcee7b90ec131d2b067ce36a81e3d6ca898774ca9da52 SSDeep: 24:T8lQ7A6QQR0gDy7cofUS4ZZeaXJvm2//hEa:4u7leGMcofd4ZZeaM6/hEa |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\B05_T\08m7p4.m4a | 98.62 KB |
MD5:
418c618f77411cac1ca27519d9dc6353
SHA1: 9a9ed89b20b78c9f19b345ebb29e464c103d69cf SHA256: 385471caf0d6d71bb3baa288b1128813605d03e4e5c9e1f8904e876f1428577c SSDeep: 1536:yXq6kmJPydOkS7VxtrPTCz4jv4oHpgHN1aeRxhCjtcN39g5jtg:yOmlydQ7VHe4jQdmeqtg |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\E6zmnTMjp.lnk | 0.66 KB |
MD5:
9bebb92924d879c1701a74dc54ab24a8
SHA1: d4760993dd4f75af739dec9dcfecf2dfafec5b6b SHA256: c2465286d4269e84f17423986dadb0a33ec551afa588f150ad2a1629359237a4 SSDeep: 12:vGyjjckfCprhrz3eSZ4er6UQCFCMdJjez9RX4ANBiP/ftiW8Ixp4T0WdWjMRKo:OuCPH3xzwmJo9VHGfI1C4Tbd1Ao |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\y8reS6m.avi | 40.44 KB |
MD5:
f73261d6dc35d26b3335f32be272c5f3
SHA1: 32aed29a4dc9d8ca98b47d456b917f671118541d SHA256: 4ce225d747c7e8f72b3bfc3c0d19f62db49e3196f127efba1418b008a4571d88 SSDeep: 768:HQh0WHkdPWTLzDwt8vuh+vs/tgDuQivR7uVvBoEe2uUfZDby8:HQ0dPWTjwt8vJU+vKR7uVO6ZDby8 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\rxFiw9U9bm6LyT9g.lnk | 1.00 KB |
MD5:
bbc127134e18831bd126df43ff8f718a
SHA1: 590b5ca88739306416f9def4f033d1d128a68c05 SHA256: 446d4417134f03efa963e0326db76dcb9b200866b983e4350cee4ba427219fe1 SSDeep: 24:4FXlOJczZapYzYXVe6lsLQWMixx7YzL4LKUsWqoXIpbZLY:4FXOc9KYz4e6jrq7YzL4LPsHoX2ZLY |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\61ebb1e65cfcb8da.automaticDestinations-ms | 2.52 KB |
MD5:
aa3d9285d90216a9712e0e3885dd567b
SHA1: 7d453432a4b2d9e3b4b2096a996d1122e51e4dc2 SHA256: c871337e7d62cf521bf47c11922aa71c506fe17582e9954a27d16468c8f12c74 SSDeep: 48:osg+zUYrVrpCu1u5tYQs6t5vpUDIEJK2wyc/oZLEnNgeaJNwkm21Dtj6zzMjNx4a:r1VrwUu5WQs4vpUNE20GgnN0NK21Dtg+ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\vRQ5tUuEKHqkKPnnz.lnk | 1.59 KB |
MD5:
62da0d2989f55b251f3aa8fd16855db9
SHA1: db8d758bcd217fe552b39aff0c40addb8a5ca780 SHA256: 7696619f2a36d4448d055511b7f6be9a9271887ba352188f8a84ab3878c727ce SSDeep: 48:rEfO5FWGdqPlGTqB2EyIcclxNDGtfxteuin:gfOHWWqPluG+Rpin |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\qTWuqh N53NYZck\fwMACd.png | 76.61 KB |
MD5:
ed362d2f1a33313d21f270b32fd5e8cf
SHA1: 80f2b6e6ce5382cd526d69b445bf27475bc8748a SHA256: 8257045c8d5a2024236d1dbb62a4dc837ccbfb47ae2a9722f266d19157122680 SSDeep: 1536:fa+1mvT5Ana/4UKIFw2XQQdOgnajaBJeu+CKCQ74OPQSi8J0+FLQf6a+PjQxftK:yXyc4PUw2AQ4POKx748Qh8/FLQCa+PKQ |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\-e3Mp2d-PI.m4a | 34.90 KB |
MD5:
440b3dd8506a3b6e420e0bdd96311eb9
SHA1: 7e997f4a7201d47f0b0e500ca849da445a66f157 SHA256: 340623eb01dc7e741b49ae9e598effa5fd9ebb353ca01f9eaddb9c5a8e0f2c9d SSDeep: 768:axK4PbrWi4fzA884cBgRu2xoPH8ZLllptqaQ:xgydfzA5sp2Ubte |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\fb3b0dbfee58fac8.automaticDestinations-ms | 2.52 KB |
MD5:
1171aeaed19421bfd73553b3bec2baeb
SHA1: 371203135e1e10250ca7e573fd4ad04fefcb6ab3 SHA256: a1a3deafb0e8d92ae426687e6f2cb8f269f76291767c3685189ca9eaada76ee4 SSDeep: 48:osg+zUYrVrpCu1u5tYQs6t5vpUWOrJ3F0EmI9uN7xAFV1UdVuH8zUh:r1VrwUu5WQs4vpUb1F0EmI9uEx1H8zUh |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\zozaK-qF 9YEvt.lnk | 1.02 KB |
MD5:
a870728a8de1c63de45a181b29610300
SHA1: 82eed2cd29f849d260427de0ec13b5b64ce7cad2 SHA256: 6f6cdda2f7b78f582bd8981dc9f11671d43c2c8cf9622960a735126d197b95c7 SSDeep: 24:ze5j/xCSFo4HctbDE+LRGJmRUHjg4qcz11YDnU9:G/x/FH8pDE+LgJOUHSCXsK |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\LzxPE9bRZsj0N\QlEnlER.jpg | 82.32 KB |
MD5:
4d70e739bb828c9ba37cef56de9ca0c0
SHA1: 9a066522b2792cf16dbbd4aa0c5ca099c189ad91 SHA256: f5e4162f59b325c40eca243bae141ed5108fc9a4142d9242cccce43dd87ea5ba SSDeep: 1536:yNJUHPhIhisy5ijNsp3ubR3L1AOLQF5dkySb3DT0bL0faIEtyjsJA9LKqy1In+pu:QJU0i3ixsI3RjLm5dkT0bL0faxRvInaa |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Fe7T5WvwX3mnv_7K.lnk | 0.69 KB |
MD5:
b86453240d3dc241569e12ade9e3ceae
SHA1: af882cb36e9fc9f55b2139e74a6b4472ef5f42cb SHA256: 2cb0f981cbe1dbd6ff74aefd256112904a341a18af82564ad941ea3f8bf3702a SSDeep: 12:vFN/+xdwtrrT+LP00WafauFNfVMnTvP4+/fp+XtPFCo/cCszZIBIDty24B1qd40S:zKdwtn200WZu3fVMnE+/g39/cCszZIuO |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\WlBenJ.lnk | 1.36 KB |
MD5:
70842e0b72327209dd99ae4070bda09c
SHA1: 1d315ce06eea0b198bb83d9da94fa6aae25888aa SHA256: 267c62d8db1b00ea950d73d1705bccd414402b342263ac8058fdbf98f3246ecf SSDeep: 24:iKnNYvOMwhlDg9OJWJG0UE+BrtmCO5U/os5SgOlFogh8bnYSC4Wdz5KkI/aT7JCV:iKNYWthFggJkUFrtI35lau99z5KkIeJM |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\qTWuqh N53NYZck.lnk | 1.08 KB |
MD5:
7455abee1ab2ffdb3bf1824049e7c742
SHA1: d0f2663b453673914b595e53d006d205cea85ce4 SHA256: cb6ca6390e83af20ab4458e83194d6c089b2729c48214469c0992ad4c9a77edb SSDeep: 24:UxRrsVrxZ4i1ufrBel/4GnliH0OuC1jiy/tIApdnI8gSHw:Ux1sVl+rIN4H0OuCxigSmnI8G |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\mSFbzT.lnk | 0.80 KB |
MD5:
2c7216ec2c7e6b2f3de58b1e57ea7af1
SHA1: 15fd6ccbad2d2059417821154eae8b6966d6a7c6 SHA256: 9cf50d68ead681116a03e93a9faea3a043dffd4de79b3384f8f42eaad5cb0d94 SSDeep: 12:vKPcTlHSzBV0m6NrqepT7h7VBO2bdaAKHISvCL1P6pgyGXKpss1OiYqkeXCnQuX:CP1qqCxHOuaqL1yrGXKe+YqtCnQY |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\SQa8 vvXUjp_g5d.lnk | 0.98 KB |
MD5:
104d5046bd5252a6dfb7bec41905a2bb
SHA1: 7755d17c9191f2d51931b37408199e93b192c3e9 SHA256: b966308df9f211672e966e6e34acee510804cf8e878436f36d8840c192962f20 SSDeep: 24:OLmhLuHQ/9oMMoEynNjm+SB1drMeg7j2r6Aunp1WIVmPsDRc:jMu9/MornNa+SHOt7UbNPsNc |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\B05_T.lnk | 1.25 KB |
MD5:
068f8bc1bd1e1f203cb27efa9cb9be24
SHA1: ded5a367cc6a28bf8831700b4b16a431860bb4b8 SHA256: 0bc0a170c1d628cc58f8daf64009f21378ace4bdb184340d7f271bfa67da6378 SSDeep: 24:+2FTYoaeJoJG+fl+RwDVE0pHAd1ZxHe0DHJ41A0+pYn4n94awUpsD/:+KYoawol9DV1+ZRe0DHJSF494Br |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\sasJA6VrgSyC4AEc.mkv | 45.49 KB |
MD5:
f9dbd9efd599d3c22cf85cc2d192b882
SHA1: b4947f56a92d0ea4285a4bf93e9468b5f4751682 SHA256: b2f90511f7941971c357c983445e08bc133bc86361f83728f7dafc88d818ac4a SSDeep: 768:up1eydaigmEyn0mZcMrWmj59fZEzKpDzP/kpm064/jUlbqhM:O/domsmZJymjPfZWKZzPcpI4/499 |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\jKcWe03_Z1ou wMT.m4a | 73.89 KB |
MD5:
9e8a442628c8f901ae0e71e6151e81d6
SHA1: 4d92e772b444b150809309250fa0c993cbd897bd SHA256: 748ee523831ee4b2d94dc0b23f1b8b0f840cd0aa857b1fa689cbc188c3048566 SSDeep: 1536:OlQA7gwPTgOthlB6lnpHRaYi4ITCdVDcS65W8:OGAMw0mhlBIn5RvxIubASAW8 |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\uwQJ\-n0RC1h1KI_sm3.png | 98.44 KB |
MD5:
66936349295aaaefb2204ac349837293
SHA1: e884e3a9abd02f2926e4dc8d26374d0a1a8fc635 SHA256: 04b3d0d312027a1036d88ba943a276a6203104ce54a3f64076a6ec002ffc0550 SSDeep: 1536:sSk7hLPPoHpGSGCAXzilWgqc8TRpgYLe2FbbE6JXBcC0W1Ikyx6EPV0aMZT5YaC:HJjyzilZMRpzVFbI0RcIjy1mPMN |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\R6lD7xHD8T-ubO3-rd\pv2DdR40ou-b2B8evhuj.gif | 1.48 KB |
MD5:
bbea3761c3483003e744e0cdec78f840
SHA1: 7fee89d75b65c87b507d38b76891f3ffb4d2a25f SHA256: 8857c7159aebe14d60ecac9be169754edf2038026665e5d9ebee49c4abeff716 SSDeep: 24:q86GwEk4TeEzzbBwcvpAnc48fAGjb5wXrx3FxCrtCyUu8L0lr:q86GjdzmVA5832rtCAvr |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\NiAQ3VHp8Zu.png | 79.54 KB |
MD5:
301acae13f92e718a46bc49859763066
SHA1: 645f222315f041738adf1a845160965be6373eae SHA256: 5a1e0cf74018a24aa8c265e88eb1ad225ba6464b2eb35deb2adb03c9ed540018 SSDeep: 1536:apgSvVElFYDI1DrPGgnShwLFiu935f2tKbPVZNDTqZHoLqu+bjxO7o:sgStUFY8tvH392tKzpSH/u+HsM |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\kqPHTpgPgkFex.lnk | 1.09 KB |
MD5:
db82601432f492b3c4156e70db1d4ace
SHA1: bf12541043cc9c44c31044118a27655fb819658e SHA256: 361e8893c4f3c3b8389b33b96111067fce58c533cedcc828e45173a53f4d2af1 SSDeep: 24:9l3gC2Hka9JqPAOjkV4s9WhNmTyM2buZ1Ws4CA3EB+9:9lwCmT9JqI4LNfQZ1W/X3j9 |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\qrA9hvnxQuIXrz-kBi\PYe7\g5O83QgO-v7.mp3 | 79.18 KB |
MD5:
ee9ab91383c849fbc31ca884d95ad679
SHA1: f38ea1bf3298c5afc851abacae07f1d78ccfdde2 SHA256: dec613ae37347cfa4d77a3a9a805036be9e78e2457f5d06dcace3cabf14d0489 SSDeep: 1536:fg+kI163YqM9KVaVA2sUeP8PdPfjP3Al/JjE01Mqkip3AfaUFZtAybxv:fgyAvMZ5suNj3gRY0KqX3AfDZ2ylv |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\1UEZKTO5 S.lnk | 1.45 KB |
MD5:
e085b71deb0ce7762310aa3ec232b3ab
SHA1: 44c8add157404e7c32b35ec93b8dc7a200a75093 SHA256: d3a60bbc3990870914a5786124893956cbe1774ac93efa2198e87044c32614dc SSDeep: 24:BUekgHoy4coHCx0ndX1PtgZPwPaRwOMJNmSYnl2MZG1ZCEeRYsysYWu3DAD:xHHoy4RHCOdFFSCaG10hl2YVRyJK |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Enw1.lnk | 0.62 KB |
MD5:
1e93bea7787c0db677da6356314bf171
SHA1: 485a780ca5eddd73a089b953600abb9c5ede2bab SHA256: e6d5cc61420ef6f9dbccbc799ab3c1500156e8ce01bddeada3dcfc68420436a8 SSDeep: 12:vBsX3GXG4EoV6yptTryk1XtxxWcVyMH1rAgTENy1bvNvMcg:yXBuVBpLdnpVhlA8Wvz |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\l0MLmWCXjKZ.lnk | 0.58 KB |
MD5:
79aba260be855cf47dcb7ecd876c485f
SHA1: b82be2c75cef39a88af5a3fb131b75dfadbd0b55 SHA256: f0d4c210f39eaa01f7411ba3b0a4584a1c0def070c78d71569014a4dd2bca447 SSDeep: 12:vqWixb8iKg4SCbKfyTr6kkgzp0PQbTmsFzTemQ2daWN9rl:Eb8ylCbKoPXt0oTmSK2H9rl |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\25vyla9KzJI9nEe.flv | 15.22 KB |
MD5:
294a6ce5ab91aa2e87cb38e5869a27ed
SHA1: 70accaef193a837f7823da3f031f828ba3f457cb SHA256: 3b6b6617b5dc42e81cf6dae02e95bfbd4bf6c3e86174ed0f6d9674c545983078 SSDeep: 192:FlYCG2W/5LeLnOs+E9NoxWL7rRV5BSimWK75Ag1Nu7F2N+vPbqkdy:FlYRhxs+E9NwWL7rRVvQ7b+v+kdy |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7e4dca80246863e3.customDestinations-ms | 0.03 KB |
MD5:
506d9062645451219305abf4f55f091c
SHA1: 69587c84712e1e96d3fed35aaa41f5d93fb0abef SHA256: 580755d6ed19d81ef955d8e0dc13021b76dcb544204bd1319501f28d02d9123e SSDeep: 3:ZOxyNrNwo8n:nd8n |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\0RAKtw47d.lnk | 1.00 KB |
MD5:
61894e5f2b9ce1436b9421fcd273919b
SHA1: 622a65eeaf888ab1665fd61835bae66836185a4c SHA256: 2badc77bb286b1353d4690ae55af18db486dd3334f8885bef0130559a1f387af SSDeep: 24:tWUnE/wRzdqVMO6vZHaYW4pni5wUcXGeZKufMZTBTloWlo8tP:A+EOqCNHY4piUXUTZTBTywrd |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\9mRe9.lnk | 1.25 KB |
MD5:
5c34db257370776df9b614610f351433
SHA1: d3eadce88dddaf1424a8d5422b268e50ce3705f0 SHA256: 6070df06db33365ecacdff72a62a48411393aa62195d68c5722d252180c81f5a SSDeep: 24:R4q83Oex1peIG58z/O/ECUg859QRt66CeNPUydVpmldu2fovgukOYqYfK:2XDxTDG5AZpf59QSQzVpcrovgwMfK |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\08m7p4.lnk | 1.53 KB |
MD5:
e1218bd3cdaf9a5e70a84b290f2657ca
SHA1: 914ae576a739121963614b9463b6f629c440c295 SHA256: a707cc7ad4e6576e8607432f1890ee27de41fbfed972ae53c9620938109132a1 SSDeep: 48:em+W7/k95P4/rfLdKcXg5VC9WmJHi7wha/wV9rswAlq:em+W7/k9+rh83WWmJHiUkIV9rv5 |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\R6lD7xHD8T-ubO3-rd\WlBenJ.bmp | 44.14 KB |
MD5:
44b6cb5717f7d5edd54ebca69ef67f3d
SHA1: f755af44bb23bf27c4efd0c805b5a1a876d5d4e9 SHA256: 636bf9a9854354308497a749941511db49ef48c79aa7181fb38d67f549746236 SSDeep: 768:as0tzdo8qOT25h0I3EqIzzx+wF8TPZne3RHJSwyWIJ8qd4Ib8Q1dwSATnRnILDQ:r0t0OT25h0bj+wiTP85mWIJ8qd4sFAxV |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\MGnZQV1D.avi | 28.12 KB |
MD5:
82d5237f7bcb281accf50d3a38d4ae8e
SHA1: f62add4e4824fbbc6bba2fd39d498ab983b6c5b0 SHA256: 98d312c1390eae843971ea16f6b51982b19a3541284565f7f509bf33606312e5 SSDeep: 768:9ARbw57tEhIqcgVmVRz0xQcUNrB6CQ2yr:9tqIgAJ0xQcULNjo |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\QlEnlER.lnk | 1.12 KB |
MD5:
02f9a78e42f133428817865de8d6c4ac
SHA1: 317317b8934f1fec57330656f2633eaabbee1abe SHA256: 39f957f0d52f2eed6203972e7dd313f5065f40b5f1728601398aab257e32cfbb SSDeep: 24:CG/lRT/DVWXPgIy2byaQak5LT9Qjc743Vq5eofAxelr/gA/sMD9Tlb0:CG7/DVWXJyx/acOnVq5lAYtMMZq |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\d00655d2aa12ff6d.automaticDestinations-ms | 2.52 KB |
MD5:
79e4aae04ae730578e0cfff252f81eae
SHA1: 330a283fbe3a0d419c39942635d9d610665074f1 SHA256: 0f7079e0b75d584ae6c6cdcb89012d044df6a62db178932abaeed345c7be7b5d SSDeep: 48:osg+zUYrVrpCu1u5tYQs6t5vpU9JeAEldnVhQuivlSdalB4YnUVln7B:r1VrwUu5WQs4vpUPPGhvivIIhnq7B |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\MGnZQV1D.lnk | 1.22 KB |
MD5:
7ca347c94ac9769f318b2017efa3bc0b
SHA1: 331625482f2c1a64e8dd1fc430adac262388e4e8 SHA256: 89a79ca2c679bf21db8cd5ebab4428c4f125b70bfedb8a63264d9139e7f31525 SSDeep: 24:7oqSAOK6ajXHROQ1UW+zwDrNANG5ceGCFnQRm7c+lD85Gu3ZpreM0jXay:7tunahOQqVz0A4OZg7RiGu3TreMQay |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\OMrih.lnk | 0.86 KB |
MD5:
e1cfd42381eeba03282823916f20210b
SHA1: e9b0a57ef814355c30cda10a3db20309576ae6c4 SHA256: 6d877e7e756af4fdb48c11deb8b58025983a7e93b3b86f8b783c979f5a18adb0 SSDeep: 12:vT0PByxCf1FTTXI4LFc6Jx168+KMBC9qBMQVGyO1A24An7zGVyZmFLp+yxlMZMbp:70PExCHPcGnnzqBayO1AjAn7iYAFLKY |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\v6afBXu2KwQML_bnz2.lnk | 0.70 KB |
MD5:
a590683987cf25801196a355b5ad8a59
SHA1: eff081721dd5397c595209d4e096d55869ed7f90 SHA256: 00053d8e265271053a53fe04dafc3dd23cfb7c604e869377d082b3b73bda34ab SSDeep: 12:vpCPNwbsV2nzbjXV/+aSIYXHK8l2HkF5o0pJIF4epChG5EJ4Sp2GzLIHm:RCPMnjXZoIYXh2HkF/3IhCQGEELIHm |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\cLzrBwI9ELH8EUl_mr\7ZO5muiNIGYzs1.jpg | 71.60 KB |
MD5:
d4e30e35346adb690dc97a7408387cdb
SHA1: 32f75f5796bbc8a51b3f94c8241bd2aea2e8d0d1 SHA256: 027165ad4f4ab1b73d09203689acadc741c01f13968a1cdf02cfa1cefd1291ee SSDeep: 1536:d1CFPrBP0Z8bEd2l+JyrW1yWGTOxE5/8YL3i+hqVxEsbXBabCppw:arbQG+JlyUxE50j+0VxjbXBT2 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\g5O83QgO-v7.lnk | 1.45 KB |
MD5:
7091570547d2dadc3ee9f30044274106
SHA1: 9b2d13c0062afd2bd2b064116dd66e38a7624a07 SHA256: 9a0fc047e88821fc37746cdd44b5862640f3098459485467a7c5820ff5df42d8 SSDeep: 24:hmyMKxaLUh5wVFV2gZWvoTR8n2aBiaFaWwTEvllOYe5gOXINohqIUyWZReMgeiqQ:7M7A/47GS89zQTEvWYSbzvUvZpgH |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\qrA9hvnxQuIXrz-kBi\PYe7\TIn_ARo-MEx1p.wav | 55.65 KB |
MD5:
f3dd2dbe53a2b4a22f2fba8bb1951528
SHA1: f552bef2482eea64f5bee821531e2e511735d1a4 SHA256: 6c22c73f02e13d4985a862e4d1e8f290b0d5665e4866869655c45cb81817374f SSDeep: 768:9cGwv+Dyr7CnT3Mo34DWgrDNYBgWlmnSFD8CdxhUua5zQE5AZ0W5Sv9/vv+1wfii:9tDyr2YWBBgW40Y4xLak0WElvG1q1PD |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\rxFiw9U9bm6LyT9g\negNC64LftvX.swf | 83.66 KB |
MD5:
d478770b99df0ce20bb9682103ed9cb2
SHA1: f38e3567e2fab5eea39a089261caa51e3a1800aa SHA256: 1dade84532b22450e6c3320e1c001d80d3a32e26f4f5785bd1931fe20d602cb3 SSDeep: 1536:doZl4AmuLhn9ZklcxShFtwQmIz4FNMJ/Nq56Hl2L:dBuLhnTF82QiPI/fFM |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\maZWJw8hU.lnk | 0.94 KB |
MD5:
c10fb1a71461a4bdf4ac322aed81a7d4
SHA1: c4befb235086c03de474c428bf8f3c51c346aa93 SHA256: eb4ad6a5da761c35c48834ec8afe095b84260d7b378085d6bfd167c5f7350a7b SSDeep: 24:x09797qHhalz8jKwHGHwZVxEfPkf1dZwc6YEgr7uUOKz:xkB7ecCFXVxcUD6NA7Hz |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\IJE5Cqpv5XA2m3m.lnk | 0.83 KB |
MD5:
b8abef438432ca35f0090f5ceebca197
SHA1: f7c869c59ea8433e6eb59dd3c08c5acc598615ca SHA256: e5216974f63b77b414aa3feebd3e51369366c4e86a2736151680586309cecf5c SSDeep: 12:vlb7jRSMyXlrBFx+ZSDI5wsv5BSzAS0kU+iavh4oUVx3TYSHlM0qvj4xgLL4vFAP:6NHFxJUL5BSzAS0kJ3hVUfz2740L4vIJ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\R7 9VVQ_Ob5C3PHQ.lnk | 0.97 KB |
MD5:
2fda5c7b5f4ac85870773f70a2812a25
SHA1: d81ca44d24bffbfaeafcba6e13c6ec3e32074165 SHA256: ef7e0489f2df61d6fd16c71bf32e35537f5020043156f5c423c4b52baeb921ca SSDeep: 24:3Km6any/MfY1HP71/yictb9dTXSEebOz/EJuf:3KmE/MA5P7Qtx9S3aca |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\4M9GNaeWOnw2HrFq.lnk | 1.03 KB |
MD5:
5ad2dcabb41df162857e929127d63365
SHA1: 67d2ab341c8e1dfa6523a25bd93e59aea19dd8b5 SHA256: 2c23529787733f1d58c69c79c9c3b1723cb99e049c87612cdbd72603797c44f4 SSDeep: 24:jXGbJYBtbJL0Whe/fkwzYD6u8KZfUxz4gxEKaml:jGetbq/rGVXkEa |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Qa7KN-vTbOI6h.lnk | 1.02 KB |
MD5:
b6d5fb40d53f5b0ec93db8c4e0180777
SHA1: 73e2904027e845a3a77172ed5952d596804fea44 SHA256: dcfff49eb28443de847fc5f73f3ecc1d07e2c4a6196f5d3428de865cd57957b8 SSDeep: 12:vy6dCjhSqw2AkBOK6dVQ2cBmUTWBTiE+Q+VD8a6xY2sJdZU3ZqMaFYtXU65IcZgu:a6dCdVikYK6dxrOZLypo8qFYt/Kjt1EX |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\stCGxWNbc5wFp.lnk | 1.09 KB |
MD5:
bc81b5a40054c9982e750e253da54a39
SHA1: 857976911abaf24470ecbf46297fab8fa21128ad SHA256: 8997c3b55924d230dab303d2f6ff5d500eac732fca11a6161d535c5b89f4e681 SSDeep: 24:tzWMatQHzqtDXheyYkiztQh1Nmaz6yyDqLqh4jSVU40OoIvfEj:tyMatkzq5YZQhnz63DBh4mV70OXvfw |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\IsjTI.flv.lnk | 0.97 KB |
MD5:
ee579a2a5abfb840f71a5208fe1d3f9c
SHA1: 0329623a5af3fce70a7ed160b2bbbba54d0bc645 SHA256: c19967851a0bb79b35273efa970f594bcc6005c4400ea8a1d12d0fa099ff4d65 SSDeep: 24:LKVQTEUkvA7tHAhiBPgCtbvAaVAc1BfBeou4PqF0ONp95Jrz:GifhHAhiBPzhvkc1BfBV2l93 |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\kscbOO\l4gbd3wQGAh.flv | 61.75 KB |
MD5:
7410be60821fa840f8df28312c4a17b3
SHA1: 1292f139e3374852bb3367eb20ec5ba9f1539ab6 SHA256: c97415de57483927d592f6a0ca85b1e42dca42c7108ddebd166f3926a9e51131 SSDeep: 1536:FM9mWRn+ZcqvP1ECcrUcVsnuXB8UBBfoYabvVzpC1bvzSB1GGVM:u9m4IcMP1fcrUC+UBBQYcmtSB1GaM |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\R6lD7xHD8T-ubO3-rd.lnk | 1.09 KB |
MD5:
0dd001ee2c274ca643f10d4b257beea4
SHA1: b83a9d6a265e6f61e842128f5cc3a300fd64e71a SHA256: ff8b62f1ebbf3e13b6b09af8096bc0e0cac6e371daaa18c2d91eb62da639c3d0 SSDeep: 24:Z3cqJ7IKydelY3rvyNuC6a3N2OSYjc7T5U5yeJhucfACG+b/ydq1:Z3R7IKyl3r1C6a3wOY5U5FJhuyA8bqI1 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\okHmUs.lnk | 0.98 KB |
MD5:
acaf76d28ba7890435a473ed720260ac
SHA1: fcc8992939171d0cc6e186885d9a17e444dd92f8 SHA256: d2b31063afb3a4c90533eb13caa93ab77baa5c28de420f1ebe582577b897ace6 SSDeep: 24:NcmnGrmastHY6D/draejvLhgP8r7MzxW3kN:XGrtsVYcjq8rixWUN |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\fwMACd.lnk | 1.34 KB |
MD5:
deca6007db3a24bf61406bd898408521
SHA1: 213a084a220984d234194c55ad49a6ded693d04c SHA256: f40252fd79d189f91935c63bf16d235e9f4d88ce74f2a4ce150c70fd6a853c91 SSDeep: 24:J0S8K5Klu/cOIZUeK7u9mJUI2sMw1yMtYhlx/gcQhDnVdNl:Jcu/qZUeKi9CD2sH1yMuLx4cQJVfl |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\3zrj1.lnk | 1.17 KB |
MD5:
247c0fe0237a878db89945e25dbd24b0
SHA1: 95ca5ee89ae6dc7324227fa4535a2fd0d21481fd SHA256: 2be524b39b521a2fe70c7362075363ea287cbacc87865d944c9db00dca349609 SSDeep: 24:rBpmegNx4nGe70lZqLsa8BnDEKn3T6ccy5LlBBgTV7e88m2k:5gr4n/4Zws9DPn3TLcyR3IVe8bH |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\F925j.lnk | 1.42 KB |
MD5:
5abbd9d5ecaf80dd6b2d8aaa2e7f0778
SHA1: a790f8072c9285d2110e0cce4303b96c1b20f2b0 SHA256: bb02dd4407d7423b9513a37c5b7d71fcc8a5adfaf681efe0c1feb81c508fd652 SSDeep: 24:5kB55bG3Ksk6PZAiO3fxicSsr67Mky30OKWKWYxxro/B2aD3+4Vju698GhN:5kBb05AiuJ27IRPuxpq5aGu6CGb |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\qTWuqh N53NYZck\zMTJW8Dsc.png | 68.17 KB |
MD5:
67df070543f83c07a80dc67217ddac75
SHA1: e8e40c7044fb992622349dec19abba455186cf3b SHA256: d82c21c33251b3fa3901331cc2d3d48d09afe0eda35f916854852a3b53ba5a58 SSDeep: 1536:vJC4YbLuIRP9tgtm5jZ3P7YLjTK2juzf8vxoYI7c5gv8jj+khGfxj8tdg:hD+xPamtZ3WjTKce85Wv8/+MG8+ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\oSqIZuo5iz2iuOqFR.lnk | 1.02 KB |
MD5:
2a2c92f8686bffb963631a278e918036
SHA1: 2aa0d4f2c77fea1e913204c72a970cd61f715c4c SHA256: 6b945c89170eecd28300caeb472d48673e6197e4b69690082bde78140e6c6395 SSDeep: 24:4cd78DG08f+yHKXNc7+wr0cKl0vyvzvb+9ly:h8SqXNc7vgcKloyLvT |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\pptfNpe1BfneOLa.lnk | 1.00 KB |
MD5:
15ba82eb11c6ae39542e2a4fd8ee5114
SHA1: 87d878901e58d2fe77983fa5936611c4834491bb SHA256: 9896c7af497282b09823c90a6c2742ba9515f68c1217ea205782622e48a0d95e SSDeep: 24:OjrU67HhAImzikHRP7kACYJksYGrPhuiOTjWs1cN7CDb2KhjT4G2ZD4f:Ojrl7BAImGkxwRYJzYGNuws1uCDbFQ1A |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\R6lD7xHD8T-ubO3-rd\8JP_fHn2fAsy.jpg | 11.42 KB |
MD5:
6dad892d3d2479325e1bb6e6249067b3
SHA1: 10cea107ab999e1721f1e953e932a2d3a287208b SHA256: 0942c5c39e4d6c26588dc653e9c70624a51b4925beaf390aab21bed34e3c5d20 SSDeep: 192:FaGJn+qA7eBUkrQpdqLpUbBUfMMoqEHHlri8Hke33SmcW:F/JnPayDQfqLGUfMdqg9i8HLwW |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\XVz99OD38.lnk | 1.27 KB |
MD5:
29e8247e89fa8829df06d5517f40e22b
SHA1: 06f48d4447568eb720db2ddb36d217dc78df657a SHA256: fd3e02d6249c06bb2724df792b17d993afb313f3fdc545f50e2a8df0b809e56c SSDeep: 24:WdFzCwpHFJn5iHe/ooUNP3L6BBnOxcyjbsRjcBRDMMwx850Th6:WdFzTpFJn5iAVSfLAOrCjcBNqh6 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\rspzeeQ4w0Au.lnk | 1.25 KB |
MD5:
205bac50e33f55b2a6c1f1d6c17552d0
SHA1: ebcb04628e2db557a6aba30b9b534b7aded561a8 SHA256: ac2dc6cf199c576ed95bf5a1c3039627840412ab9d36a34574105fcb6c7c6729 SSDeep: 24:6D2Ng9Uh7mqxqaNiHbSREjgh6NCCwlswie/EE+9uS6q4RydKop/kGNknL:kqge7mqxJNUbSKjD0lswie/Gtt4NI/k3 |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\uwQJ\RL8XNe9oHqfUA86p.jpg | 86.55 KB |
MD5:
41fc5061248842509dc31230a39e5748
SHA1: 88c2cb2ab974805d54b3de03af950b9aafa0d1fe SHA256: 4368a39c746169d1e3e6e7407e6027e39604780d8ccd7d27e1fe3660209aa4a4 SSDeep: 1536:zH8N+vvCf5cijuOuHUCaI4V0jOyJPBc39ge8Vbis1PKE3IQhoijlgymXlrTUBCEC:oevCSVpIwOylk9gl132WgzrYoR |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\y3K K0vmpn\9r86svUYxeIc.swf | 75.65 KB |
MD5:
645419f29e56abd8f1f974a700a71e61
SHA1: 9beae3913fdda7ba76521974b3d903ffe2656842 SHA256: 1b83fbaeb62845703776544958be69adbca11b615187a654a5d775f92e33286b SSDeep: 1536:ObFWN6VU7e3C5i+Mcaka47S1cfxtczg5PYr:OcwTykPv+S1cfLPE |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\PYe7.lnk | 1.16 KB |
MD5:
580634fd144a2580479378410bc20eab
SHA1: 52556330215e9e88ea67a0bb4dffe9b49f2b9772 SHA256: 4b147a7189e75a9f2fdc59e61c554c868d77b8000bea7d4029005b752456843c SSDeep: 24:MUOlvxPM8jr5cobbhSDInPcTsWnkjVKY8y9zC1jXhaPAvK:M/tdM8jtcobNSWPkkfL9zcVaAvK |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\y3K K0vmpn\phsoFQ.mkv | 55.93 KB |
MD5:
ac4f11908fe39e1ed86cd4d77f7335ed
SHA1: 3e167ee097782197d2c4ab294d122cce21617000 SHA256: 828db33a46ed1643cb68e465a66a8771383c3073d667a05bf20bdc1320cd2db5 SSDeep: 768:FTyRJ6HpJUJXce4bh+M3sV5Q4B7FPD4iYXjAHom91e+xBJag2DBr9LtCV:FLOeossVzlGjAIke+xLaTVZg |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\gHZm.lnk | 0.62 KB |
MD5:
06b18db49c3f9bd79d3f78e4cff8e541
SHA1: 50f7d5123a5140c024b04626420f616c0cd6e674 SHA256: 084356943ef56ec76e06cb20f363da9f5e842702d847500beb1e864bf722db39 SSDeep: 12:v9MNLANaFaPus9uTYR4gmWYTotGXtg4Eh+FLJVFAXK32UWkH2tLzZXzR1yIIld:u+Na0ussTYCgmW3inLJVFQKjH2tLlV1u |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\ZyJPALqhGX4Hsp7.lnk | 0.69 KB |
MD5:
201eb4c82595c8c3cbfe2fa16107b317
SHA1: 28d137fa177c8438931619a3194a1a42d35261a9 SHA256: f136b4527ea4549c302ded71eadad450057b046cd051c9c1727f39b7c1a4e293 SSDeep: 12:vCTsYzcuT7KyZ8YOAvWSF8rVCs7sCzXfPzomPS64kAXSl/OsxqN6:6sYguTm28YOAvW48BCas+Ti64kftOg |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Gk8oY7c.lnk | 0.98 KB |
MD5:
4958e15aa95b48444868f73cac01cab9
SHA1: 54592dc0fe1a7a56f957be2860d3cef4ebfd6363 SHA256: 40198190419cc16a07137535429c0793c4430f444f3ebf92a9b7d2a762a69e84 SSDeep: 24:S4LvE4N9Vpx8kK6xLKJWR/eqyoAZLBOTxNKw:1BND7LKJo/eqyogVO/Kw |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\R6lD7xHD8T-ubO3-rd\Z_MokPYp K.gif | 47.24 KB |
MD5:
b7f6408cd2b2aec2c1db77cdd5cd645d
SHA1: ecd777cc4c3881dbe53eb99a35b7a1f26372fc1e SHA256: 4def04ae5df64ca6936cf68186a42ab90a4979bd21bc3b46bb21604b1938af5f SSDeep: 768:qlMVtcz5xICEX+yN0tgybr7ivqNfvxRq2FH/3ZThIZKY8LszLy93nnKE:qlMEzoxutgSsqdxRq2FHP8U2+1j |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\uwQJ.lnk | 0.86 KB |
MD5:
b32d67886710cd4823e4a0d2f1d432c9
SHA1: 0f6540fa262f692661874aadad56a3c01454485a SHA256: f1aabd39dc234fd993145168e51b7f1c43755edca44ae12952579e7df6f52443 SSDeep: 24:Ru+XqvwM8jraHop6ixHpkuPOKSN1xPI2lUEaXw:3Mti6WPrSN1JTcXw |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\fBwW7 r5N (2).lnk | 0.86 KB |
MD5:
0cf32bc83b224d33f5cb96071dffaf68
SHA1: 0d8291f01601e2f4fde85ec948f9902fb04a426e SHA256: f759480acb9c313facf8cb956836884eabab6e2c0a5d92b94ccec8f2a6ee3e20 SSDeep: 12:vy45yI7L+PrSymN23uNOs/IAWKC4LA+1jRFH5D0zZK7QBeHm6Hf6D6lZ:6UMrSymQts/IAWgzdgPrD6lZ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Gqr Olni3uCq.lnk | 1.00 KB |
MD5:
1f80149573141ea18d7f4906686f5d6a
SHA1: 271d2763b5371a0e3448602d9860e62d56dc45c5 SHA256: 3ea231fbea61332349940b860c89edb39b4deb5f1852410af9f68f4a2d42e815 SSDeep: 24:ZJ5T6opZASURt6DU4ZU5pLierY46lGCrteAhsFcLn1:ZJ5T6CiFRMg4MUVlGghuu |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\PRFX.lnk | 0.78 KB |
MD5:
1231cd8bea60acfc88da9c6c70437143
SHA1: 4bbdaf6d7a8c965998551a4e00ef8097a4312f51 SHA256: 42564485d286b8a16057281aa5cb25eaabd8a3c3dae9d5b7b018120eb5668a12 SSDeep: 24:YP2Ywan2gkDOYlY72jNH8bXT6rkGdbHAmpmNe:Nybml+21yCkGh2Ne |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\aWky26OAlQ8f6r.lnk | 0.67 KB |
MD5:
4a23424d8ce1fe7e8a267f5d21e6ba6f
SHA1: f43dc7676a3f5219dc33e313821dc62f3aa22b35 SHA256: a17b0eb8748dbd990ac3d666b1ae1e0b2db15921ad8fd9993c1cd966dd8bdffb SSDeep: 12:vvvZRLJMeY3wLc25gz1lcXoYsFe43oLZm8/h5HQTUl+Po9N9VEKmtJNaQ7GW9:nfLJA3wZ5w1lcXmFloLvacmo9N0KmtDN |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\3hK fW-nhuzGhzCyF.lnk | 1.38 KB |
MD5:
a132dd392312b1a786dabf388cee2105
SHA1: d0cabbede8ac31270a0352f7c4f04bdc091411e0 SHA256: ded3d7a8a3845e233260188654113e6526d7c53f9382858ad7c66273d42848e4 SSDeep: 24:eXzjJSgWvDz44dvVQHe2S7b7X65nxjS+zXP0FFoMY7Q8GVaBx:aAgWLzF2rsbD65dM9YcXC |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\-e3Mp2d-PI.lnk | 1.14 KB |
MD5:
058a1fb76da9a861a2968610e79f00c9
SHA1: 701f9175df02cb7c66bf40b40df29c9e93b7d545 SHA256: 7611ede1abefba264da47bf36aad70ff20053d5e9012f3f92b1a8931d389a0fd SSDeep: 24:JbV0BM4NenW/6Em0kIQVcFAHoPJ6POgKDsOg8CaWj8oS3OzRU4:7wxm0kbcF5ZLPgvvSz4 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\XILJaPf2QbTSe0.lnk | 1.30 KB |
MD5:
7f1c0309b60dc53513545cb811fa6a51
SHA1: 73bbfe63df1c5a52354c6b447c39eac1ef2274ec SHA256: 287647cb4b50ae163dfb7b19c5fce7ecb47ec2606be77c22e96733ce39ec25cf SSDeep: 24:6b1yoZUqv6hKEn+oQlWwYkvo9MYp9F6NaokU5Yajn/YZBvJdfr2Ajvqo43Q2jPIv:6bSNf+oeYyajGabU3zYZFbXqo43bjPIv |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\YjGHp.mp4 | 57.16 KB |
MD5:
06a4f3437e65cff654c0450c8ba9cd01
SHA1: 58d879fe9608e524a66cb81d3cd8700cfac56c1a SHA256: 91314fa363a3d5557d3c95bbd87f705e007b06c3b63f40f2fb6e3a7d427f0193 SSDeep: 1536:akyljqmCwN3mOtqyQmnO2MeCpIUFBvIC4+fL8bYZSYt:akylWO3mO3QmO7LFfoZE |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\VVjOWuzx8w8tLEluosA.lnk | 1.03 KB |
MD5:
e7bad7e8e6f9c648d8e64c65bc3416c9
SHA1: 0cbd2ec152567002f8ae971944ee141305697c63 SHA256: e0a2856604678cdb98074d4edf8f11fd9e7dfa5d2a0b34cefd9921f7fd9d6de0 SSDeep: 24:RyZXGId8nM1Kn0BPTdF1ZvZK7sdMyb3t2MOc4o3g:EGQKn0dQ7Rybdazow |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\R7 9VVQ_Ob5C3PHQ.mp3 | 89.22 KB |
MD5:
fa2a01208d67942fca45621abb7e028a
SHA1: 30dcd7ef194f21f990933f3934dc3c21a967b21a SHA256: 6a4ccfdac3b75e464594f12a8dfeb71e853f9909966d2792904ac8c4ebdaaef7 SSDeep: 1536:yLRghqVQkkOYiiTp4jPEThQjCepFi2kUJZkeNMzk2MAReqqM2BS33nr:yLRgCltCLQjCmFrkUJZkoX2Merq9EXr |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\LzxPE9bRZsj0N.lnk | 0.91 KB |
MD5:
49669f451711b46e8b38f5285a7012bd
SHA1: 24689be4e74cfda35f380721e3a8d3d2e08c3310 SHA256: 54d2e2a31786407245831bc0aef0abfbd9f7afd0455e4ed4ea04e0c055cebc05 SSDeep: 24:1ju83lSKgvz1s9+N/ZAik9M0g4u8438asQRO3Ez7:1aUKh8+NhAjMb4u843dRO3Ev |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\maZWJw8hU.mp3 | 29.04 KB |
MD5:
693086cb8abfc588c4f307d2df282610
SHA1: 7c072466ac4c2138dd417917b4f810fe795e21ea SHA256: 0af8af89e41e35ffbd35b5e2ce735cf084ec798f1f78414a2d3eff823288b2ed SSDeep: 384:tUXkCiD7CeJGj1etmAPOrLVXII0nryX4tE5V8j6qfb1SkiBukouybM4:OXJiHCewRubPO/VEnuXAE5SfABuhuyh |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\jiLoP1s77mzUlK6iOG4A.lnk | 0.70 KB |
MD5:
1e179148932c6c3be2667572d3d66de4
SHA1: 2c75f284d539b9a39b1a6272fd4f0b93e9c36ffe SHA256: a1d1af0b8b768c6b184a4ab960a6a068c150e1aa2d156bfeaec1b5aaab7212fe SSDeep: 12:vtWCar25lpPnHuJg/GSeX5gFXz8PqTA3iF2UsGdG7rtiY:raOP2JgwXipIv3iFAGdG75D |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\4UQKtgpXFhDlO9QReM.lnk | 1.05 KB |
MD5:
efce4f0f24026136a0f4c2d4d2fb9418
SHA1: ac39339297556f69dbfc496db21bdd9f6e02b49f SHA256: 9fb65504a14dc52a9d3caf6c5d462ebf2de217d7daabe32fc6fa8df00c235fb6 SSDeep: 24:e4jDuZbYs1eCbmHZEpqN5JQQOzwVKcVw+yfnOuJXU0mvEmilnJ:b+r1VbmHZ9NVYgKtflk5vY |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\LzxPE9bRZsj0N\JJSZ6n05wI.png | 9.93 KB |
MD5:
b8ef233f8927968d9c716a2877747647
SHA1: 8713643846f4837e9485e7ef328ed675ea490b77 SHA256: 58f8e852379e4e28acb6bb100ae92217d64b3e6eb10a2ae1a6d580586621f9fb SSDeep: 96:ZY3pU1oimtdBZDWJT7XYqV8f9FkFLNGYWrWoN1R7m5d3c7yM3dEK0HxOP6s++b:K3pU1ovZaJdi9FlD1lm3cW8Pb/ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms | 284.54 KB |
MD5:
becebc8dd637cf3f3e82332ad3a725f1
SHA1: 9fc9ff1fe70947cca90f16ab6f5d4dd980989039 SHA256: 64421d698fac5993d47921f36a6cbc9f96571bc2b7c21997a8395cea96fb72e0 SSDeep: 1536:ASffFLwYFIM7dN4vErFHypZRvaKuZ6e7W1KuJ23XZJu671TFl4cPaqWKNJ1ub4ca:ASPjr0pPKhWyY9cP/gcjNP |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\-n0RC1h1KI_sm3.lnk | 1.09 KB |
MD5:
ea704ff1e01731c5eed6afd676494b1d
SHA1: 6da74a55654d9c8e4982ec9577840e02308c6b9f SHA256: 8348a7fe931e0f5e88e2533260d2b9914908a36fe900fae33a08d807ab16c369 SSDeep: 24:gfD2HLlKljoXfgRSrdK5GnjnS5VktkS3tqSQgsXvg:C2rlk04tGWctk1SaXvg |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\h5ZE6cD5v9t tme A-G.lnk | 1.05 KB |
MD5:
9001429edc85793f476aa415b58de304
SHA1: 5ff8c8fb60d88c3cd2898c7e5516e4cd92053471 SHA256: e7249ad0e4aab88578879f8d8c1ad2a5f9880e32974d9f8c6c6df512b4304672 SSDeep: 24:xYZQXPpCFnaSOJQPF2ae+7XvAyH4doTCuk+3cgz:/P0FnaJQPPe+7XRHTCeNz |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\rxFiw9U9bm6LyT9g\9yWpLzjHOCpe.flv | 3.81 KB |
MD5:
fd0b146db94ff24428efe84beb2a7599
SHA1: 6df091b41531d4d23aad093d68f9fff107520e6d SHA256: 7d682f897f0bf2fb0418453bda8846216207d000f55e324b48cd313214a21341 SSDeep: 96:FlFYIRiQjWjuU3meOTKIcwf766rB+NjXj03HUjBeX7W:FlFYI4QpgmTOG766rsDj03O |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\NGHgpHRGY\5-kIDp8-bzm7egwPyy.mp3 | 60.36 KB |
MD5:
b0b351236c5bcb436695e8dd35e55a8b
SHA1: ef1590a220f5cea6eb29f44d26c9cf925c548fe3 SHA256: a14ad1b6bc095c35fab9f69ac65df6b4b9c34419eea74314b51e87556fa21da0 SSDeep: 768:2RuwcKnJ4KeKaycrVv7jCS1aWOqh4wLVNvZS6qleolW5Ya/c1Lr0jzzS5GwBDgCA:SJZeKayA57WS1aWOc7taIQ0wZgCktDR |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\zaD3n7 mmqSGIGhEu.flv | 27.25 KB |
MD5:
212aca1ebc4fde81425bcddae9e751f1
SHA1: cbc6d82b1478d0c9a8e990fce9ad2c47006c154b SHA256: e15853b9b173931a0a9313c513af6c9b783da918dffc7cda287c87c8fcdb120e SSDeep: 768:Fo/UL2Te84urVN2Pm86tudN75rkYJquGrl:FYULh8zN2PHXN75rnJquGZ |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\kscbOO\2vlWto.swf | 96.22 KB |
MD5:
00951e1279592cfeeb5a87dbd45942a6
SHA1: f19e2b5acb8b2f160615d1e02a65b63432db31a2 SHA256: 109eff231aa2b88451690efcacf128dcf1fd0a09798e0b886328f10eb78e7be6 SSDeep: 1536:26IbJDHbJh4ZWPTyDM7+Ay+OPC98ZdBrWCJODKvb+M/GhODdGhNS:26UDHbJ6W7b+ALOPC60lmbVuhNhNS |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\QYqp7ps5mB.lnk | 1.03 KB |
MD5:
b9b0ddba908b376496c71281d52c1962
SHA1: 969ac223ebf30add198f239d3acf22cf2889fb6c SHA256: 093152d5432735935d3f4732e15c23161b28dbca1825c1ef57816cc27a64610c SSDeep: 24:J93DXxsT1xd+Hs/Pz79O259KQNv70CajjLK8t3L:ThaTdtXzw299ACkLK8tb |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\00p5vLt xbX.lnk | 0.66 KB |
MD5:
af73621fd8793d77342f09f6641bdec6
SHA1: 868fd8e151501152e47e00080ff0af39bb9114c3 SHA256: cb27a4d758dd0e3c073273bbf834ef6ffe900f71212b95e58169da3486d88ed8 SSDeep: 12:vD8TG8mUfUbdH/Jguvaz1zMTbqoE9YohO4fmZ1WYSgXtK5bg+LqWktVOvT0zc9:rShmnJryZguoE9YhcmZpSg+LqttVfA |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\K9_BFKsm6gjrGpCU.lnk | 0.84 KB |
MD5:
5ee24067646ac4bae5b4fd9a781e9cbe
SHA1: 3d63502217cdf1f4c4f2047fc3a81e3cf562d54d SHA256: b721411fc554b364745307e58082f37f20481b2a5f51fa2948323a14a2e24300 SSDeep: 24:vFU7k6cTO9Ht49Hc76cd708XM2MWWKtJp:vFU7k6Flt49ut0ksKrp |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\zMTJW8Dsc.lnk | 1.36 KB |
MD5:
7504e34924e8cb74b5068c0e6a3c5ea5
SHA1: 41cf1ea3314bbd68aea273c491df0df2e93b7122 SHA256: bf9d2cd500ec394eef1a91555c4e1a3c83f9851bab2b835eaa1e7297c7869c75 SSDeep: 24:gIXwU4Lv5bPo/s8WXv+lsxoJMrGzQVFzqPSFimEqCau3jeitQ9+YIHBC3lxn:gmwUuv5bPo0DvSJIGzLPSFi9au3KQQAg |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\poXHT9xhAcrp0Yo.lnk | 1.03 KB |
MD5:
3f7655d1340b26b022696627b26da2cc
SHA1: e6f52599cbd21be1af4d5ff3c40cc91de068e592 SHA256: 9176efcaccfe5c7ec4e7da2f5810ff273f6bc88995a73d128df67817554cc6da SSDeep: 24:pCzQG/DtJrYcEG6LFTDKo8ICdm8KfYhHjD5m+DiI0d2xc:6bpJzo5DK1dm8Kw18lI0d2C |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\FMnZT7MP3TB0L3.lnk | 1.02 KB |
MD5:
d171fb99aba222fa1ad8c69beabe3f17
SHA1: 59e938a3ad89592d3a4be6e8c7c6b048bdd91578 SHA256: cde7705955af094cfb9d007467c6d37f6cfd965cf7d658b76807c9dc3b6933cc SSDeep: 24:Ey8mEqpbfedZHacsASSUjE/7CP0pke5hjhuj5iDvGdLbwBxwSD4:QbqpzedOhw/7Crohjhuj54vjjwS0 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Gat4ii3taiw.lnk | 0.98 KB |
MD5:
ae7845aa6732556c84213c24d6254d70
SHA1: ff062310283f1c68659aedbd2404672f8bae7f51 SHA256: e97498ec4b3731917a889a7bc1fa22122ae66763cc2efcc40b52ee284e98a3ca SSDeep: 24:xk5pvp7jjtUTLv1AVMir1TS41Q/MKNO7iwY+ZHlh9/z:aTpPjtUTLdXirVSV0KmYg |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\LzxPE9bRZsj0N\Zyo85Jd4gSHjAVsjV.gif | 71.22 KB |
MD5:
78e29f53a0a01cc884868f6cb5267b76
SHA1: 6805d195fa3d9dc18a079bd7d7a4035abdc1c7b2 SHA256: e6f581bce7bc7dbb37ff347b5be1dae7e076b31ce57e6f7f8b9eff33609fa5a5 SSDeep: 1536:qZQGobWl8D2l7sDw0TflkadBkrB7F4SojAW5hrX:KobrD2SE0DlfBkFxoX5X |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\G--uCJBQv6-u-\3hK fW-nhuzGhzCyF.jpg | 27.91 KB |
MD5:
0d5c4757a11345386b936bc5f8b60527
SHA1: ecc668dbc05bfeeb277d1977965232bc4c39df7a SHA256: eddacb33fd8f6c72476859ad2fa33a23afbcb374880c1662cb5e992b70668c19 SSDeep: 384:dFzFaLsOZ9z0D2IgNMEMenu5iHiljo6HlJbrQsz8DlcVqMp3/Lh8v7qg:PRNI9z06997Wj9nXXqcqQ/L075 |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\2FqWk.lnk | 0.95 KB |
MD5:
e77a798d70edc98d3885e5cf553e73da
SHA1: 65cbadcde1a5e54e1a16c9d03ada6abaf67fc9ba SHA256: ad32def6a3ce39ee7824b83a7fe506c06d5b26004bb412f89284e483a9d11b0b SSDeep: 24:CGRrs4W2l2fbLv/huTkWu5wpC13Hxwtk/vQf:FRrZlqbLv/huTkt5wpC13HKtg0 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\JPgSFw.lnk | 0.64 KB |
MD5:
a78196beec17df68ca77a2b88e1c2c34
SHA1: 2633324c3b92b83cb149467c528a9ed826c0ab63 SHA256: 31b0e95d77a85da1244f6cdc5452c25a0371945f7e71d4f36e747138fc87df75 SSDeep: 12:v7AqHaaYLtpBOCaachwg5CuijZkZ3fdpT/qPoLO55PuRVyQq/opiowbrBkYBQ7:zAqHaZVaac+gwuijZkRfdpWkPkQq/o0S |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\4TX0WLVzI0D.lnk | 1.02 KB |
MD5:
280a8e499ca3bb487d37f9cd9e8e8d75
SHA1: 1e0b69e4c5d14b2032a88ff7b79f44968d94f2a0 SHA256: 9dcff5bc05e88bd5e311a0ad4b6ca4e9ef2cfb5d9486766d6406fd8d3a03ff2e SSDeep: 24:BkkEWWd4q06OeLqlyTz4XrN6WbeX0vRCb2Hvsg+KxuNvTwuxeVuCS0ObkiNVXjxR:/Wd4t6OSvMNdbeX0vRCaUg5oNvWVhUBb |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Z_MokPYp K.lnk | 1.38 KB |
MD5:
22d8f7a2753cc14dddc79db3b3f9140c
SHA1: 7d01b5bab18b8716fff8abdcc1d3050886109a76 SHA256: a5925760639f8521d4772045bf4cc37e541fd55863918b4b6cddede336780bfc SSDeep: 24:ywbu0zr/FpCFO1LbSCpPPTv1aBz7qHY76RMaHYzhSNepJEhFs69h:ywbVvNkO1LhHTv1gq4mVrAEhFs69h |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\-HzS.lnk | 1.00 KB |
MD5:
98fbff721a62ade94cffd882ede41114
SHA1: c0226729b18d05e58c256c2ae10020ad0cdcbdae SHA256: ee437bd69dde15484175bc897b8af25c11ac58dd6d5677e4000d5a0ea8835603 SSDeep: 24:GbJ2j7cZpfWHG5AeOLZfrGcVcHTZ/KlEAHVm+J3d+QYA:Gb8j2fWHwAZfNyHd/KhVJ3UlA |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\vg-2sbVgxsUfL6fnj8H.lnk | 1.59 KB |
MD5:
b81dd881d4c1e43d96d0dd9449e2fad7
SHA1: 94372994fe85ccbf4274fe9e4f16953de4b5c96e SHA256: 73a4b30e7932fa6db6a150130eb7d138d79c8d503d96eee0007575a1ea6a1d19 SSDeep: 48:0Y9WYTFoBO36Zw67Q1PpPmY8OxoPg+StyFGARO:bi0mYLxggXb |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\B05_T\ag70uOVMAZyHaepYdjne.wav | 97.62 KB |
MD5:
79633eb3ed838f148139e9b0db8b63d8
SHA1: 3a11caf76580e24cb72f3e67934e1fc8605f4c56 SHA256: c1a07013b294eec15b774939ddc0857ba0108fa5cd3d7c82cdae8688367730b0 SSDeep: 1536:z1LZVStkZjF34pZmKbBeOxB5mzPisc07U3Xh6TDPURA42Jyq1QXzdGl/:JTTZjd/K1FbmhPoX2DuMbOXy/ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\shyNwC.lnk | 0.98 KB |
MD5:
427e3f8e479bbda2067adc2224ea7657
SHA1: 5b8049db8c3bc93d4ec42d71888421b3b0ed3eb7 SHA256: fbbc39140283ff2ebf714c0f873997a32b122d09c284d2f53b707c564ed721a3 SSDeep: 12:vTsFWnC2J45aqqa64lilQlok1XjCnrRf5HLRYbnS+eDwc6T2TIR1JisejM7fNyzP:rNs7TeQlG5LRYbZesc6T0IR1hewwsj8X |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\sYRXyP3UmUCc7I mkd_.lnk | 1.09 KB |
MD5:
c8370998d1f681673ec6d3f41fd7bdc9
SHA1: 8e724754e47c53b2e321586fc7d96a7a2a2e1ea4 SHA256: 68e975931b101b28ae5ceae151cffd6cefe2a16a224ee64b7e3d5297e7d0fd74 SSDeep: 24:e1qqcqKziyN6U43ex4cOTJI2kY23VwgQSFjEACeabKzvghWeO9ng+3:sUqw6H31NI263Vwrp3eaWjg1O9ngi |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\NGHgpHRGY.lnk | 0.86 KB |
MD5:
6f2a5ba720e8d6c39c6e8178131a7452
SHA1: 5cdfab1768125948e32f9ac66769b51800353c2e SHA256: b3deec5ad2572fa6270c429d42c28b808d7aad0bf3fd036be3503c71a9d997a2 SSDeep: 12:vsF0NoQdRoKfHxxgGuh+0kVtXCuQT5Z5fZ4PURpEEgy06xF3Hj2DN/uIjap+4Wt0:5oQQgHXgVKXK08RpfLPXIjI+/t0n |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\pLIymR0ZfD9imcx8V2H.lnk | 0.86 KB |
MD5:
5a66ea6de5d9522f622e4952424972d4
SHA1: 1fe2861c82bb638669af230f952963363cbe3fdb SHA256: 81f40ed3711fa282ebff237a080b0afb02e5a6ccbe5b58e088d224a0924db8c9 SSDeep: 24:UVQMQIxlVZUqn5192+zXcgd3MNetrVnEV2JwbDj7osG:AwIxl7j192+7d3M8tdEVywbDj3G |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\TllDAUU2CxF.lnk | 1.28 KB |
MD5:
d9640efd9c350d6c19bce328281ea7c7
SHA1: 830bc548826d698b686794c806121abe6e853443 SHA256: 07a3775e7586e2683be8f1ace163334876b7f511cd40d588ffd720a454d27a45 SSDeep: 24:+VrfFPeDHcU49BmiDtRHEuOg4ECf4k1Ztyr/3gowrV0l7arHJa9DP:gBegDtRHHOg46Dp1f |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\6nnSA.lnk | 0.95 KB |
MD5:
5c76e5a056d6ce23571cf560e0081960
SHA1: 1272d4c6d37fdaa6e43c6752e0a119fb27d33ed3 SHA256: 8f1df438c6307ae29c62d2bc3b9b3e41ec4de710efa9cb12ed7104669c445c73 SSDeep: 24:7GxyaClxrtWOGLoNOiJ1NISl6xn+kholRy6rlAThVNdcm/:wy/lZtBOi/RIxLolzCThx/ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Zyo85Jd4gSHjAVsjV.lnk | 1.17 KB |
MD5:
087bfccc2c888ec302a960a7e28e22a2
SHA1: 562a9df273b40258aa6c7510990cd48f0a95ec41 SHA256: ca9519a218f9e1183d22e75a9e85748968fbf6e57907fdfb4ac8a84ccbf6af0f SSDeep: 24:dMQE/OuL9YLPcS+ZMCWy2Os0uKAsbSO74LRQHr5fTOPLR8imV9JDC2hxrAZ:PE/zJYL2OvNrKAdEGRkOPLs9JDC2hxry |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\d Y_MLHa.lnk | 1.08 KB |
MD5:
f9c50adbeb726454db91ade883e18fd0
SHA1: 036548d4d8664c3679c34fac24f33dd3d8585d38 SHA256: 760c13306a6cb6f3753331f69df420bd8d62247bb3faf0e80eb3ef7df09285ff SSDeep: 24:H01Owgv7whm4OGRTZA30DVcLPlV01lLFjRJedj9blxvH0ZOF6LxQBcnMJ:H01OxE9bo30VlB9cdhz7GxJS |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9cfafb05ce914942.automaticDestinations-ms | 2.52 KB |
MD5:
d95398344d5b599a4146d13cc964147f
SHA1: d660043071c990faf051d58496ebbfdb0ea0435b SHA256: e333eb88c4b597728e70a715e816d9f26178222c534d3eaa1120fb976a4a34a8 SSDeep: 48:osg+zUYrVrpCu1u5tYQs6t5vpUajDkUmrvK7WoOr3q6uopi5yAHZwN/A+U:r1VrwUu5WQs4vpUeQUMSKmyAHCBrU |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | 8.00 KB |
MD5:
736712c52c687f26406987a43adafbad
SHA1: 8e7bea1e5391177f4056e8d68dd2258dd8722d0c SHA256: 58a96e41203a6210d6bc3cfcb4d42542f64e0c8a27fb47e4ccf27e869a4cdc88 SSDeep: 96:rbjbkJZp/+LtY4RQBsXkHQp7bB7ycDOI/FSpNR7Whe:r4pWtVRM5HQxBpDOBSU |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\wk7e2LGGFK8X0Z.lnk | 1.00 KB |
MD5:
476a07dac17bc619b232f30c19a4875a
SHA1: 761cbf6c840a455f18935bd7091c07d079bcd56d SHA256: 8e665ef0d8b9d13d23147d4a87d34ee78f86ecdbd476556fbdce06d752a173df SSDeep: 24:Y7na8K2GPIqfC3cqVaWxswhi5Ld69aEszJO:Ye2YfCMqVxswX9Ps4 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\L0VH.lnk | 1.20 KB |
MD5:
bcf2e4677ffef2e513b7751f4fff8b0f
SHA1: 8069782deb8074f4cf5cc3e185d535be660f6027 SHA256: 5ca68d1fca394e97d722d8f11acec73f97feccea98f4f3aa90f6b6ba9d1faefe SSDeep: 24:Tp8e8I9sJT/6I+7Sy5C7sLCB0r3Ey1ntrHV9xHqdh5DRyt5ji2x47Ad1I0:GeCJT/6I+my7pttbVPHq+XuEN |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\a3QnHpY8WxK1ea.lnk | 1.17 KB |
MD5:
31bc059d7c1105476606be1f3b9a9833
SHA1: dd40f9990e7bccc0623d69c4295e2126695596cb SHA256: 001be53d8f775d369d8e526af5a5db8fed59657bc76bca9de069eac36744f882 SSDeep: 24:bD+CSdFqc+zpJ9r/rmXSCQ4C0vNc4zc3T8IXARfJEwp/8em:bBSqc+zpJMPQ4Cgzc3TpXARfJ7/8em |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\JcAiiI7bq.avi | 81.04 KB |
MD5:
7ef798fbcf2a66e0acdac67a440d6489
SHA1: ca19fcbd5fbfa5b56e2f97633fc4fa1f12ade4bb SHA256: 9ee45e9204dfbbcef9cfe93c3ed62f9bf85d126c8d7c5dd8d3f1497ce181b45e SSDeep: 1536:PZO4OyAE/CaWN81rqsUSFxHSkTljpbo8/e6UGz8C/oSNYZMk:hO4OyAEqv89sbkD8mTfz8aoSNYKk |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\d2H7a-tYhvZsdzV7Kw0T.lnk | 1.16 KB |
MD5:
5d27a0f16b14b01d344aada3b2e93c61
SHA1: 0f09dbee2dec876dd6c7eaf90adc9137a154e57f SHA256: c1a837b076f91c873b5345c11ea3c5d75975e04307df44b54d8459d572457fbb SSDeep: 24:E1Kp4yh5H+aAoIUcPwEaSJK8Sd0Z2BVTu6mlFH:cKayzeasIEaSA8KDipd |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\9m4LOZ8HMX8jF_V_h.mp3 | 81.80 KB |
MD5:
3f9a8c20e585bb6f4dab4742f827a32e
SHA1: 63203e227b3abaf0078292f1b09d769843f3524d SHA256: e575f5b8d7d5f04f916a10b190a81e911bc6cdb41f498577c5110b9feb91b32b SSDeep: 1536:oDzsgXOodnro4Ne9Rw7kkRKJIWHfuphnkn0ozwynZ+ItbrX:oDl+odBwlkRcIWWpxkPzwxIt/ |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\d2H7a-tYhvZsdzV7Kw0T\1UEZKTO5 S.mp4 | 78.99 KB |
MD5:
8c5e14cc424b0b40b83c88984979915a
SHA1: bb80745e5c778eec54c63d0bdfa7b2661968286e SHA256: 6326157fef8f484a7f858dcd35f4b42a3a0f90b3b7a1918816a3348466bb9138 SSDeep: 1536:NTT/+TZCZMuMucnVp6uNrOoCEQM/zXiqGy6/wzOh6S0ZH9lNqQ7:F0fDlS8QM7SL5Yf0Q7 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\gf2Xpstl-3SsWOQBl (2).lnk | 1.02 KB |
MD5:
d426bf650673d64293917919f7dde404
SHA1: 23beb46e971251426077e814b8f16174d3bce7bc SHA256: d5e7257aff26700a7e83ffe1793b1c1fabbcb0f9a83e074ee39e870b5bea5dc3 SSDeep: 24:KNNvj4nAoq5j9SH6dsm7dvdO5M60giIUlhGBS7G:KNNVQRoM50XlhGBS7G |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\6d2bac8f1edf6668.automaticDestinations-ms | 2.52 KB |
MD5:
b17a6cb87973823d5eb28b7ce71c8a8b
SHA1: 07249f80e8f3bf4b110df09b95151117f57be5d6 SHA256: a7f9c270e0d057dc501c2ea98d7caa0d7872264c9215dc261bcb4026a33bdb6f SSDeep: 48:osg+zUYrVrpCu1u5tYQs6t5vpU4Pc0BlyIWUZHyiu+I2BHKERx/n7GpcFmZC+zU:r1VrwUu5WQs4vpU4XLxyN+I2/PyfCP |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\8MQwAP0_D5NFG dD.lnk | 1.31 KB |
MD5:
a5dff7943e0f81e1c0e4fd3a6520b796
SHA1: 007abc85a6dcc53cd92b7eca938d06cf8b3d94fb SHA256: 7c372717d72e6e2fb166a25089786bdbaf36aa2286894908f4e8237cb4c317d9 SSDeep: 24:ayGLSpaVGo3sN3AWZ8ej6p5SAGl/dCxziGOJqTT7fBazjGEuU/czjJngTgQtM1TR:aD+aQo3sBpjyEAyAxzTvjBa2EuWcRQMv |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\G--uCJBQv6-u-.lnk | 1.06 KB |
MD5:
1890d747dfeecbd9864d89a54cff4a17
SHA1: 9fbd654eec23d1d79bdb91805358aeaa587614d8 SHA256: b03ea9f297aac62b153b46af5437f9b2e92b8a1e4eef2089c130820174ca6013 SSDeep: 24:d+cmIEqtfDPsTu86GmucTe+YgLTbblIf/yU1w+6qAxfaIphQ7TJmbkn:d+hIVJYkuCU1RmTpGqkn |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\HFrGs.lnk | 1.25 KB |
MD5:
f545d0d42434b8e7cd9ae3a1f1f97134
SHA1: e82187e6665c4302d95fdd533570a9ac5c17efa9 SHA256: 4e368fd51c9fbe8ed0c023a33ee3f1a5fd9eb5bb62358a99d2606c09465d78de SSDeep: 24:qFziqNwSyuhxAjnb+ZUGAKGo46kIpNYHwRyxDgvalShpIK+1XzAt:seJSyv+4zX9IpKQODDSTIbqt |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\sYRXyP3UmUCc7I mkd_\NJULNohQzh.gif | 45.05 KB |
MD5:
27f77c6053ecb0700278444602d41e6c
SHA1: a8fc7d507c4dc4f1cb7dddd69b706d779121ecd0 SHA256: 4f97e21186e7d09b62818679bbaead6dbfe33811f3d4ad17b73df9b36c7c279f SSDeep: 768:HAAvVCdgkBg5nGZYr7r6uzMFrOQYuETtudsxIVZAK4:HAuVCdTa6Yfr68MQQHETAdGIzA9 |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\qrA9hvnxQuIXrz-kBi\DZwan0p.m4a | 32.98 KB |
MD5:
ddfd3a21ebd51f48a5a9e3dbff3e97eb
SHA1: 28f7e8b428236791a44fd6fb6b142eb0576a24c2 SHA256: 09289858560da60db5822e14957859f4943683ca1a7376210f7f7eabf6ef5453 SSDeep: 768:SJrAMrcswM3v53Ruza7JKQoT6vhLEV/HKu66:YrBrcNMlwzCJroT6qVfKl6 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\xFZ3UgkUHNIW.lnk | 1.02 KB |
MD5:
01c9cb7f9d6a6601dda55976e4a97dbf
SHA1: cd3aefd8e5095c1e024072ebd2ef0c6af3e99cf9 SHA256: 67f0dbe38080571d17b7b1ee0a70a4781209855438b2feb16f3c41af4cde760c SSDeep: 24:fm9RT1tv2v6jmdMLvKyWP8bnbpCbV3cSqs1uL/YXvdbbH0+:+JJG6jm3yJb9a+DJLwFbY+ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\7e4dca80246863e3.automaticDestinations-ms | 8.00 KB |
MD5:
d140e80404c2e18d93a30b1427c043e7
SHA1: 5e2f6a10525a53fdca2efdb7ddcf1e013c176566 SHA256: df62a8b757c4f082868ede8c72aba7482fcdd83a63dc00ac2333bfd2262e4f51 SSDeep: 96:r1VrwtF6DSlpczp9y4hkpJ+4OXDLd24IOJEvamASHpdAM9EE0mlO:RtwwS4i4qJtiE7jHpO |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\az88pgn.lnk | 0.64 KB |
MD5:
1ea4bb7b6e2e0b41ed1786a3cba18a94
SHA1: 2107f3bf662856334868d1b799abbc772917c425 SHA256: c5a521efd2db37dce2ff0f18ba514d1475a1f7e05485f129bab9a7608fb18ff5 SSDeep: 12:vqFFt8NMsXh4XTQHFR7Fvho7IxaKNa60AYxqAtQfRK:06NMsR4sFl4h6cqAtmRK |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\n_6iIbpL-Dw.lnk | 1.09 KB |
MD5:
2ca7c442f5f7c608450127cf68a1d4ac
SHA1: 0f45be507c61cad6380413a3311807bf1df0496f SHA256: 3bb5e9d07f44b09d25ce82f25d009d888dc85969861c9ff24913da2a3c9e6fc0 SSDeep: 24:pPdUb3a9wmBzCWJsaAUOQgWzCjisUR4oRhY6XRY0/ZnlU5aMn:pVUDKwgJIhYzrZk4ZU5ak |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\EB784XEVaS0_dY.bmp | 71.77 KB |
MD5:
be693cbfeb99fba51b2fe82ebfc7500a
SHA1: 0808069f3e857f6222dcf07dc1f015e32e414bff SHA256: 1c53c981a00d9f52dfc5c4798864c09064df39b98f4ad870df177fb83754348d SSDeep: 1536:LkaNKvp4chQy5b/4L0dCaj0y6p2Y8MFRM24:LkaMvWO5b/dCajrIbC |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\UELEI-EgHa.lnk | 0.97 KB |
MD5:
b3ac0ed5f49a5573228f99e093aa42e6
SHA1: 08395a8b5d404945da195dbff80f461235006f9f SHA256: 83d4f2451e2a115771043e6577a54daf05b224732dfb2a6bde057b3071ae139f SSDeep: 24:n6t/JInXTmYxdxhl2Ur5EnGfH9x+tRU6CL2vRONHcN:nU/JInXTb7x+M5aGFx+tF22Jgi |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\a3QnHpY8WxK1ea.wav | 26.86 KB |
MD5:
a0a70af54d8e075024822a4924fb6669
SHA1: 36f68088b89d80237b4c0825522af8dcaee6c7d9 SHA256: 0fca36b4a0eb07f79dbd332453cfb8f4299b977bba6d1f3c7c0ab7a54cec81ac SSDeep: 384:ZU7iohBY4p+FycB7D9f8eoafPKBmO5Iajh7oPSFL/gNAFGAt/Gyy3io+iGIe:ZUNCF/BeafSthsSFL/giGyy3Bre |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Roaming.lnk | 0.78 KB |
MD5:
936dcc171e2d0ca04c973b6857d7fb39
SHA1: 592a8cd313bfdc6768574dbb4b2f9e4ab686d4f7 SHA256: 4f8a63f3312764c4f07708e7efd7d302db3a2a40b952f7e32e149b4273417d30 SSDeep: 24:NzxxlhwGsVTUkcvpy1lkFAfJrsXP/Cv+43Iucj4i6UP:NzxxlqGsVJcRy16RivH9cjL6q |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\ODTY47iV0R.lnk | 1.08 KB |
MD5:
c4bae989f5190da1f20ddbde9a4f6204
SHA1: 199f30bdc133538e445db84094571668939ad69c SHA256: 8ef3ac9a056d905f79663816ef423c243a46e0702735617db619c58bd5da8680 SSDeep: 24:EtZ500HGeSrQgRhsf7o9K3Eig0v6x6tut3nSfAIiHoeX1n:EtZFHwrji/UiAtXwCF |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Fh0-0-tlk.lnk | 0.97 KB |
MD5:
688a0054ab541e347bfa2c7f2ea31906
SHA1: b4d600ca7be163e2006d541eb5eba803e6fc1a20 SHA256: 5db13a59aceabd5371d83c428b6012e6b330aec276de1c3af420de12f79a9b1c SSDeep: 24:+mv0Aj5UBYjGjPI31c7EDhKRNiFTHmTMSqIFG+/mf:f+YjGMc7mhuN8SqSGsmf |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\A-6CfSPMROK0fG74g-Zj.lnk | 0.70 KB |
MD5:
1335ec6d2366947ec9778dc52304c22c
SHA1: e4772a16d1c2997fad57c76db7326d69201d4625 SHA256: 35896ab966c4afe2f391aaa5bfb4c4c52f5f5c58ebc91fa56974013864357bbf SSDeep: 12:vs5QmPkArShY4rRVsUo57ajWmb8vZeu661h9+ZGNlGXjVCuAJoOH25coxCY:IPkArShYSto4CmYv99n8Z2s5CdAxN |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\cLzrBwI9ELH8EUl_mr.lnk | 0.92 KB |
MD5:
01209d0459c5a6f53a735ad325c55fcf
SHA1: 8c523a1310d3658da5879f54d965f4d30727999d SHA256: 8327b3a496081046bf781393cd94538f7ef67491dfa9e85807429866e3d1abe4 SSDeep: 24:n4APz9ysG5lbcGfc2AlzaB9KxzWJudaVJy+9IJ8I41:flG5lNBKxzvwVcC5 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\L5g5B6.lnk | 0.98 KB |
MD5:
421bf38066e1f1cda1312b668539b1b9
SHA1: af0c877e74d63b3ebb110b8fea24b48eb95a2e2b SHA256: 96302f75915b6421f98c01db4b82bae53e15fbaf3f4f21fb5b6a41ee955d1daf SSDeep: 24:J+fD1SsiMjdhgvYjfhCaTJQlGyvpCV/YKapEos6:J+f9dhgvw9QlGyvsV/YN |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\8JP_fHn2fAsy.lnk | 1.39 KB |
MD5:
1ceb30c433bff6b44a347b65cbb5f5ad
SHA1: 204f511f2966a58b87f87d42540e4d4741304889 SHA256: 07123f5c5bd7768ba485a49125d2928ae4ccba6d3e3faee61a3e0220e420946f SSDeep: 24:k1He3HZkH5sSGU2SxOmhKTHQH20zMneqiqDyzQUE4DYAqzrLJvNMEWqrqbX:28ZEuS3nhKTHHUMneqiqukj4D8fJv3WR |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Dt9dhKb.lnk | 0.97 KB |
MD5:
ce7183e029e87ff413749a5e07b1be86
SHA1: 67a82d92cf001c104671d1c20dc83d4e42ac7d06 SHA256: 0fb0666165607a4566f93ce8f1f311371fe4031718bd9933674e694c505ae10f SSDeep: 24:I5FT5gqDu/X0xqMQIePSZPG9KqCLrBduWwBzBH3ibV:I5FT2LXuqMQI+SU9CLrBduby |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\wHS8C.lnk | 0.64 KB |
MD5:
4c4e8b5a58cc93e1c74de3d62055e550
SHA1: 15f099fa6f783c00dcba83bf1b0b16e4d52d544c SHA256: 4773e89e7900426998a88ddbf45fa51b47e6e3ca0927ecfab91347faa729803b SSDeep: 12:v2L6/BwsbU/YtI2nfzcrvmGBLvKZQ3/b1kC/hSixha1410td2TK4s:1Zw6U/b2grJBLKy/Bptx417As |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\JJSZ6n05wI.lnk | 1.14 KB |
MD5:
d6e7936c32d02458a283c5d82acdb3f5
SHA1: 51201fba4268053b5296a7a2534d3df785d73bed SHA256: f6d1f49848b1bac85cb2516c21b808e7749e776876c8f3d74e74be6ad8a46187 SSDeep: 24:xYFIRqw2aWOs3BQ8eyFlEhDEZUOD5oXo2MtA2rM0RxqV:ximqvjQMU5oU452o2Evrb+V |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms | 59.00 KB |
MD5:
47d6e89591344c231155ee764e2324ce
SHA1: 5c165005f45c7479f30e04615300c95f6cc6610d SHA256: 34d5ba6c5abd8195d7a315fc0729013cf79c0458beb84b1173f8a1a1ec7e84f7 SSDeep: 384:0zafRcM7QubrzimgPess9qJ9YVGHy0d9sQgLRl8:Qafz4PesxoGHy0d9s5LR |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\rGxJ8R0.lnk | 0.80 KB |
MD5:
73c9e8f1ae8809c156c54fa16742ca69
SHA1: cc3d91931802570a5708a0e3374385f03909f1fe SHA256: b38841da9f3a28eac4854bccc666b4a983b37dc36f9a374e5f585090a3022e77 SSDeep: 24:c5mcHSLUTyuU2oAZuOf9UuFLZO7LLMBIrKsX:c5mrLUmfOfSuFNfru |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\e6huRO7 BfdOE JzK.lnk | 1.12 KB |
MD5:
57a2ca58d58139131c89e4931edc3d48
SHA1: 3b79832500eecfaee997689695dd954bec19e02d SHA256: 2f49a2b2f08060cba9c47ec69203eeb426706970c7733aa2dc7d2a7856d54ee7 SSDeep: 24:zpUfxz91j8yUYSR4TJXqPEavsKvAh8gw3jpDQlr:z0z95zUYSiTQEalvAhpw3NYr |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\V4M4Zk zJ0onUYJXIl.lnk | 0.91 KB |
MD5:
f8deb35e45297e3e9ca51718786eac58
SHA1: 7f9a26716633e71a0954b6023dca090d81f545be SHA256: 84a510b517da89d22c9981eb8033e44799c31a6fc83e63ec3e123b0476997157 SSDeep: 24:uhrtwUAslPcJaVLu6nq08v4YQVQnt2XdSXsE7Kfk1uMMI2Mb:iwWcJaVLuUq05968XksE2sgMb2s |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\xeKWFIddBHaEN67 iC.lnk | 1.48 KB |
MD5:
2a6d5ec35eb4eb5a8589b3a2fa7b071c
SHA1: e89cdda9391be5259c80dfcb45275c7db00b2460 SHA256: 0aa068f8949649d7617ae2ce9413f0cc7690ba02a9d5c6cd21ec9eebe6a8822c SSDeep: 24:6TKwfzrlKJvGNDAtfQRgb1tofdDxWoglIiQBJX/xk9Qwzu7VFpaGYxFUD:UREG86gb1tOdDcFSnJX/lJRYxuD |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\ag70uOVMAZyHaepYdjne.lnk | 1.59 KB |
MD5:
323c5b837030be2c4dcaaba3ae9970ef
SHA1: eb08e11b0c2beb6c7b8e9147261c8935a59851ec SHA256: 8dbbb0d30e617df876da3220cccebd4e7774ea6a7143be0122d3889244d41fe8 SSDeep: 24:2Mf3w/Hvcg4vNmniZ8BH5cXeJMbv7Lc/qHrpPIPj4IZTHnVkFFKPWaPwVu7/gKqb:2F/HUhvAiZQLyfzdCNHWLSWaom/gPbXH |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\-42tUE1gV2.lnk | 1.16 KB |
MD5:
e751e5ff646d1e2b3137fa90ecbe64e0
SHA1: 5e25323bca020bde52ed35bddbd173ceece1cda0 SHA256: db68de48bf69fc51e64f1557cdda19175055d7948bad50f99a3688867b84b042 SSDeep: 24:XyIG4RaLbLBxEeYlSmKy+Qn847A4pP4UHfxO2x2RZmmwMNZhWYgf/n:CIG4Ra3tAZ+4/A4pP5x2RZmmLtWJHn |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\R6lD7xHD8T-ubO3-rd\zz0GoIZI_KNNIh4a\gVhnkpA.bmp | 8.00 KB |
MD5:
1be8e1f2cd378c89b9bcb687334ee70e
SHA1: 1653f9d2b21db9c775f6a43cb86a8c440487c135 SHA256: 5ea84f5ab1d543f61f380a38dd656a509c370af3974bf3a5b4191e0826ba8a5a SSDeep: 96:nZJYw45Pw0+Fy6zXej2y+i+W+f2JlPNfSjoM:ZJuwbycFHxR6lPk |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\_xN12rPpzNlGEeUEq29.m4a | 98.66 KB |
MD5:
26c53f9f1df0f3ef680577484e53eba9
SHA1: 39763975eaaec9b65f1c52941597835d7be468e9 SHA256: 24509f439fbaeca72d57c3a57a8f38e8488d499438927576e791bcb6a858c35f SSDeep: 1536:o9wBfhByCQ2S2/oG+eYr/9As2dRSYsV7/pqi5nn+Zhn/YHX6ofbKjFFlFHkA0v2:JhSwYr/9j24/pd4/utzu0v2 |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\m-GVKfYhXB6T.mp3 | 30.33 KB |
MD5:
0fa2807741203749455ac8866eb55a78
SHA1: d8235758f4671b6b82a3fe73495bc90f17a898ee SHA256: cda29e3607d40c75482f119b7da1ee4851f04791d44847bd3d124d580152f3a0 SSDeep: 768:EwK8L4isrKoPnweWRZuyzHsv77x2/JIBl2:958iKPwtMv7F6SBM |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\969252ce11249fdd.customDestinations-ms | 20.36 KB |
MD5:
6b09ab39dc321779e14f91c2280ab621
SHA1: e6c77ba9da751bc5b0cfed78d03c288436ef1113 SHA256: a5e64f2b32c0fb04e6a413a7fdb6f7f629bee3b4bc4654b66a363b5b884fcfc3 SSDeep: 192:aOxOYjZy0T9VeJlIBRlopb+72cI+72cNlJzlieNI2bDnDnvlmzn:asOaZX9VejIBRlo472672sNp7lO |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\UELEI-EgHa.jpg | 79.29 KB |
MD5:
8d14a093cd65aec661444daa4fe164aa
SHA1: b4977b5753995b371f5c922c1ebde0e4a2465901 SHA256: 2c1b9f9c49f42973cafd38b03ee487df603d2a047009085623d190a32debff81 SSDeep: 1536:01EGQg+p5o1Fo3+C+4R+okOC1vF5NZrgiOaCQ+0EyBhFD:0q35Oo3+C+hVOC1vpZrgibCOfb |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\b8ab77100df80ab2.automaticDestinations-ms | 2.52 KB |
MD5:
b2eec53ef65244dbcc56b357d6601f1a
SHA1: e02c9b08a5907d30784850c07edc74a7e64f5d90 SHA256: 321097d2c2d22a60acb6572e5bbab91df40b36278ed5b3804c176cec8d34c84c SSDeep: 48:osg+zUYrVrpCu1u5tYQs6t5vpUGBED7EmpcfubO5gcJ/O9+Kf4mbQkjC:r1VrwUu5WQs4vpUGKD7EmufOOWcJ/i47 |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\NGHgpHRGY\n_6iIbpL-Dw.mp3 | 18.17 KB |
MD5:
5341de6c7aea3804053a8d2e2673e776
SHA1: 46c23f3aa51e903a04fd3a7d6b12916226c7e0e6 SHA256: 9545b06b501e374d2b08c33949939b5a93f250688114cb7d9dd8a108c064a0aa SSDeep: 384:mKPBC5F4em9UPo1+xa+G8yHIv1k61b9oL1guqXYdvI3GD9MoBNp:xPBC5rm9UwIx5GvIve67WgroFk5oPp |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\ElxEIJtu-_rA.swf | 96.45 KB |
MD5:
1986082caf031f03129bd8bdad3dbec7
SHA1: f2e1f24a24fc81d64b4c94a58bf7e4fb85d64ea4 SHA256: 2f882330b676f07b64b44bfc9da5bfcc3b5d534f0a228e7fb98f25a022874b53 SSDeep: 3072:q1Xk4mnFA7KQaN/5NeIjhLFGCqCbci0bung:q1Up6aNR7hLIHCbybung |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\xeKWFIddBHaEN67 iC.wav | 63.05 KB |
MD5:
b5555879ab0e4c853f390913b4b38667
SHA1: c70c11c2f18ae0b541a26c3591721bcf4873b62f SHA256: 71e6f79bbf5f4b6dc5c74768728180c468fd09a7069b1a76d50465422ef99b9a SSDeep: 1536:ISE5PFGNdyqkGPhxre+RnDHEDKLfwUrGJUNXHfjrcD8dd4gv:COdyqrZrEDKLfwYXH0Dqdtv |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\phsoFQ.lnk | 1.19 KB |
MD5:
159031de68ed7f7c8afff71334a32b34
SHA1: 14429a19fb154d0a619b1c12ee2f3b0437aad5ed SHA256: 360b04ce1c9157f0fbeac83be733fc04f985a3009fc985d39638bc3831874215 SSDeep: 24:STWSo4KyjRdyyfRej5fFfBA2FeGGa9dbo8UAItp9UniBzaZodT69j+g2nvGfbm:SLKyc1fdqVSPUj9tBzaZ069jL2nufK |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\qTWuqh N53NYZck\gjO 73rZ M4.bmp | 86.12 KB |
MD5:
2aad6cec1e7e432d8e955d2f2fcd98ca
SHA1: 5226b591a9ca8f9751fb225c42ba1f4cb0c7c4f9 SHA256: ecad5cfacc3bfd04af1e085fe7f2b59c6d091fecea2feecfb10acdd6fc3cfa2d SSDeep: 1536:J33dQ4V2SUStsYwxMQulgGx91iTHS9SKrOZvCphIONzre3MxPAvuq9y:J9Qx7XogGATH+SKrKv2IOK38Amq9y |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CNfRGDwaADTpS.flv.lnk | 1.02 KB |
MD5:
14c3c46c80d3282e1e9b84c81028bed8
SHA1: 7b301e32793f22d65ffb3695981d534695caa4f8 SHA256: 5feebe6fd06fda1d6cdbb98d1c41698cb748363f10d9b0f28af00eef60e98403 SSDeep: 24:roJOgjNmD+IWQszK4DyYiTM9OfEXFuNlpEDoX0k/T10eljR:rorPIHszKcyYX5uNl1FT104jR |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\fBwW7 r5N\e_d9d.mp3 | 59.93 KB |
MD5:
3cf58a88268cf7e84227e9560ec63f02
SHA1: 76cd8a77772614a4ffe5eaf10402eae32e633f32 SHA256: 9c3287217d7930700c8c8dbe337966370030f895a850f83ec57b88cad2ed9b63 SSDeep: 1536:Eox8/GqbqpxHxS5YkUhIVAn4TPkewZbkIhjLq:tG/GqbqpPSWOVDSOujLq |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\R6lD7xHD8T-ubO3-rd\zz0GoIZI_KNNIh4a\vRQ5tUuEKHqkKPnnz.jpg | 32.86 KB |
MD5:
a9e73e2a6f9ac048838ae7d094a42dd0
SHA1: 4354b6fb36a13d584974214612b22f5df5b962d7 SHA256: d545760f143edbb9b2e62d778301501d2163b491bd9c0c8adb87036c42f417a8 SSDeep: 768:fjxu+hM/EetjRHK8IYfb/FYFNPZDab0EVsAz0:rs+a8et9HK7kjSxSbZY |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\9P5vIWV3lOKAM.swf | 68.52 KB |
MD5:
2ccd4b9eb6aaee96162a60e51e36f778
SHA1: e2ad5a802c4cef0704eaa90e9af6b645eb6612a4 SHA256: 6efc32c74496fb18b1da8de8ac6b61279e0092c04c383c91ff1e155ff3f05431 SSDeep: 1536:RG+A0hi9N05HcZ/MKVXvXhQ8SOhnv1mE0lgx:RG+Di9S5CMKd5RSOzPtx |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\d2H7a-tYhvZsdzV7Kw0T\El 5h qHBzdQQuQ0y63p.avi | 30.87 KB |
MD5:
32f202f1a58e85ef51ba13fb7ff5b79b
SHA1: 241e8c6345f2d8320bd31b441919d325abc0b55c SHA256: fa19a41c1a4308a5476252030d5c651b44dc77c34600f65873f4cb5a380e1bd7 SSDeep: 768:VlUstbFU1vup+2JN0eLN04uC+bOfYT0iXBK:VlRtJwup+Y0epuXbOfi0YU |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\HzbGRo6Y.lnk | 0.66 KB |
MD5:
109e424e025b02ccd785964255c38e25
SHA1: 8ae554e733eac73ff9acece9b6bf798cc681ed8e SHA256: 9e1ea1fa690173763e36bdf8f8d2b53da28ed807eca017dd42c68defd2f3d7dc SSDeep: 12:vJo4oKdCpN8c0WWl3QidcK6AXaQbptp0ZDP4UO6w/KMrZH5rpJVI16HfhsnK7Nuk:hlo/09NQi76AXlbDpWTNiSIHmA5snMok |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | 8.00 KB |
MD5:
e07999afbe4ceb648723b8369a6f5e4f
SHA1: 4b7d8e1d9ffc6f777bd039771aa722f9d1a1ca1b SHA256: f369f3378441ed50ac5b60de2b603c111d1acff7528f5a9b346111b46ce0bfd6 SSDeep: 96:rbjbkJZp/+LtY4RQBsXkHQpZCPPBkmD8fqOclrNlxd:r4pWtVRM5HQDCRZp |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\_QpPI0V9w7jmp.lnk | 0.67 KB |
MD5:
e76444df7c3136a7b45c982a097de095
SHA1: 876847b4051147ebff63ad42ff3155e0a5c9373d SHA256: 1c3a415f4a5e6e82f3bd0d5f606c6a9a7afbe765b3578992e91aa122f404c6dd SSDeep: 12:v2b1Tkgkkvw6t/oAVIBNBxfJ0ZFBzFOndNjAlOV52QpN2CdWU1CKP7SPL2I7IPEJ:ABkg7vw6tiBXxfJeBz8dNjEekQpHWp2A |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\xvc5X_EuKq.lnk | 1.39 KB |
MD5:
f6b4358f176f277361583509a518fb37
SHA1: 6caab65cecd8a0e11761f3b4c2107a3d3b90d327 SHA256: 0dfc62a9ed986cbef14b53272640fd578c15ac7215c1fd0c17089d83cfeac235 SSDeep: 24:t245zsjnEidv7naBU9/l5TMtpkIvjm3GAUubNMCWag+wQi4jUNgS4CY3Y:tXzsjnEid/9/C/vUXUCNbg+wVJOu |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\qrA9hvnxQuIXrz-kBi.lnk | 1.08 KB |
MD5:
389c26cbcd49853221af13450ae9df6b
SHA1: 0ce3f6a37bc5cfdf810149c3871003d9c71c8a54 SHA256: 5b2cbb79b9015971be2ef9e8a56a5ef3b37b9db6d59e652f647624a663bcc53d SSDeep: 24:ZoXeCCL2wBA0p/vSmTQD9LpfdGZ8FBvaiSwzCRYAFoXlpLEWe:ZouCCL2w6i/vSmTQDPFGZ8fvai5VpLEX |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\LzxPE9bRZsj0N\-HzS\L0VH.bmp | 32.65 KB |
MD5:
62006607b81f52c2e729dcd918013ecb
SHA1: e0abdb0e9b35cf7a9198bc1e1a52dc58f95cee84 SHA256: 7718b8e3b2dac8a7e6caa2b6faa20605b37a512ba72c2f89cd7c6e29e23b167d SSDeep: 768:0KMuGg2RcLyp1wSNpdfLpMBAPTQqGibqQ:PMQ2RcY1pLTpWAPlGiWQ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\pkc6AG_LpRlnu-9-.lnk | 1.39 KB |
MD5:
f90ecdc212cf2e3e8a4579c3b7a9960b
SHA1: f795e47d0defd340150eff7b02ee22cdb6b2bfc6 SHA256: e641ad4eff6e78e100d281b65af7deb45efc746d39bd1fe8c5bd1dd73bd4ea6d SSDeep: 24:FkD9LoSrYcbIu2d8LfhdW8FKrKoD/G7O+Q7irefEFZroU1QGJ/ngiSm/fZogXp:FSTM/2JdnKeoYzScFxow7gVm3Zow |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Videos.lnk | 0.75 KB |
MD5:
fadb37dedacd3ab086557478ed47465f
SHA1: 2fda87afc04cb618e3892d52790f495b70ad5759 SHA256: 026c6580d07aa68a7812c38709187899fb4cdd69b76f2c01f5d6ff8b1cede471 SSDeep: 12:v9QNTgu4XFN+WXh0OX2BNRlrA+GwvZYvG7HdniFpdf3FXjYHOvkiRcklS7kP8b:mTP41Njh0Ou0wiv7FpjX8eL2x |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\7qmJucxrSVDQh7.lnk | 0.83 KB |
MD5:
7015df3563666ddd4114d76e5a606529
SHA1: 37d696db3d31e2206ae5a1caf484babbe4b22ee8 SHA256: 3bbc6e5e29cb5bce7294c350e1504d7c186605f6a2bc68069e148dc5959fe44c SSDeep: 12:v01WFXw+/JQja3wAcbXubR2ZBRlAiArorEz376PM+lfUVGHBp9hesjmdTuaMa+:c1mVRmiNYRW8G8MefRhp9jj2TuaMa+ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1bc9bbbe61f14501.automaticDestinations-ms | 2.52 KB |
MD5:
393b893655f3d83a6d2c7580afd66ff4
SHA1: a5fb93e8478bdeb1a413f043bab2ddfee6015726 SHA256: 9096af7f816bc192b6cd2d38ae86a533bcab3a425ae63ee068a60136b73fa8d2 SSDeep: 48:osg+zUYrVrpCu1u5tYQs6t5vpUIlfohOY1H4muWJT6bQsveem9hi26:r1VrwUu5WQs4vpU23AOOT6bQsFmPid |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Music.lnk | 0.75 KB |
MD5:
b9fec41d6a23003f0ed98ba20569b74a
SHA1: c5bf8d7f379c4de7994dd1b13fdefd0872437089 SHA256: 93233b225c2a46c5f36375f421d22c67dd2f0389e9695efd1f1cd53e2913561b SSDeep: 12:v9QjBEgZ0ATF+Y5E1gr7a+s4M7vsNqeEmL7NMD3mh6pNK7EoFkgzOeAlL2ZqTTwU:W9JAY2Cq4avmqeEmLCzmY7noFkguR+oD |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\NGHgpHRGY\iwRTQe8_.m4a | 1.44 KB |
MD5:
68a6cff9af08f03ab58c6f5fce7c7bc5
SHA1: 3eb13d89566130bd518c698278d825d69c7b5536 SHA256: f7bf083afb604df4f8d0c2b84f2b10a950b84fb392fd6a4f4d71292901394b2b SSDeep: 24:f+jwLyFoCzZeIMIdUjBlptl/vD0UBfLXWCEj/t0V4KVPzvA1zEZ158uzTf4s/xdL:fHLyysXMNVfboYf3EjV0+KhAZO5zzssn |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\vNVYUbOQ7x0Pi814.m4a | 95.69 KB |
MD5:
e126846601ddf09c8728b588ce1e02a8
SHA1: 1119f04a6b8dc50bd821bef2df5d3580d083237f SHA256: 3820bd38bd2352f818005d450038327e64ad5f043afc115c0a6ce036f01d4adb SSDeep: 1536:tmYTxpUSGSuuEogH2KryPsun6Hdn40C5Hl4dzk7JYOumFZSYKOBrS5zETA2aVYXJ:tmmp9nP8HK0m17fucSYKWW5QM2FyeprV |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\y3K K0vmpn.lnk | 0.97 KB |
MD5:
e2306139139a8dbffc5314534c2955f8
SHA1: 21d920a2f4b154e5ca598e85b9907d1959a20e20 SHA256: 4f0145d6e1bfbc329e62dbec8a7c9aaabf15452b57f8d11ac5ebabf9e6276a2d SSDeep: 24:q/rlAcO7b4z5ywYdOJVs6cMVgdcLyAzv4/uBs:ErPA4z5ytOzsZfc5va |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\f01b4d95cf55d32a.customDestinations-ms | 0.03 KB |
MD5:
dafd6548c73ef617a4c0bc54122590b7
SHA1: 87f45041ee54ed7e233d7e8c4215e70353ee0952 SHA256: 87c4f1fdb5a3a3feba1a3cd89a152ef83de7f5b8661a7e467aeb6be1f59a9108 SSDeep: 3:ZOpkvz:hvz |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\y3K K0vmpn\3zrj1.avi | 81.80 KB |
MD5:
22c10a1494c0d7316dae63ba771f9031
SHA1: 2a7d7a9a438933e8b0a4fae45d83afb881dfe404 SHA256: f71964accd3bafc3f517f527ac9891445b422c7fe54665a7308f7eaf10efa23f SSDeep: 1536:7/jT/yi2j3hKbAg/DDBKdInnbzTjlUyjFBLjigH1iNLZw9phx66nwRZ:7Ki2hoAModInH3amjjii1iNLt6wr |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\-cvcX Qn.lnk | 0.66 KB |
MD5:
cef92f8339d1bbd209d8ac7f8b6dfd43
SHA1: 470dafe4798a387efca9a43c71cb2ae7c236f0a0 SHA256: ff019468eed95c7d86b2e4ea8885447f784dda9fd7cf12093c48d6dbe0115e81 SSDeep: 12:vxOFvf8pyLI2z+dzDshdcgSWrocdxHCnjTpoRTuX1QMfZ2OjSQXcEl4o5u62oDa:ZOFvkYLI2z+kdbS8tdVkj9oRiX1QgLS7 |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\y3K K0vmpn\FGbApjzVzIlNW.mp4 | 8.00 KB |
MD5:
92fb8bf4cf75cf9fd32de8c0cfc3725c
SHA1: 36367ffa169df8e382d412427afd2e75e83556ca SHA256: 91108bdfd9503e3aefe8731dfbc0dfeb66e049e595fc849780fe9d9fc865dae5 SSDeep: 96:ESsQ6neOB6vvxngJHtuyWrnJr0L2cCKU5XgTkrtRPruRJOTS:65nGHxnIzUnJAaKcgqRPUkS |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\B4a3CXGZxiUO-YbN51.swf | 26.81 KB |
MD5:
827915ff95147363e23c515fb3dd0988
SHA1: c88478720876e50335686655573ff17322ecac64 SHA256: ec6a1d67517291a9dfac7ed5f8852574b11a849871d0611e8f90652f14e5d68d SSDeep: 384:GXqLC/5S3mAf+oATf4BzM8ghyFI6uXTeNjJK7ataPUBZOibp5DH32dd7dJDfFOT9:qqQ5S3mTwQxgjJygaPUBZ35zEd7LMn9 |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\fBwW7 r5N\kqPHTpgPgkFex.mp3 | 8.00 KB |
MD5:
54b7985a69f96cb26434f24a3a71c990
SHA1: 1537601b516a66ad8e124c60764df97d25f4ec9c SHA256: 9b71057cc81d4ff021abe5fdd07f146c9c88216e5fbd0fec0a7d051693559d50 SSDeep: 96:kjKOUePXyQcQ7BNWwE41bEmnkQmmPmhZDjN0gDTVoF:oKeKbwBUdmE4kQmthZDjN0gD |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\y8reS6m.lnk | 1.05 KB |
MD5:
82308767c6b7653cea61e6436c41dc89
SHA1: 4ad47e86e42d067488e5d3df8a33f44450135a77 SHA256: ef6c691148c09dc06cca30de8728f1f4c0c3d94db93b3ea587bdec32f656b17b SSDeep: 24:haK0iD7s3MmLFzBV6mSvD7RGfOiZBhutP8WJKjQFkw988IvtgJF:1Y7zr4vDEfOiZbi0WJuZvMF |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\qrA9hvnxQuIXrz-kBi\y sfavt_6-uR zUfBzh.mp3 | 8.00 KB |
MD5:
2ec69e336dd95c91236012935cb34631
SHA1: 97b4d0597b8da4d5b2a0e8e8cca82286b11a49ce SHA256: 915cfcdb3b8da02b62ed3d3481a2fc7acbad35b72026bbc459433b365d782326 SSDeep: 96:6gHqSzFP9Mr5Js1ynnqP3sfA4JFV7CS1M1li9Rqpf:FHq4+XskqP3ePL1Mvi2 |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\qTWuqh N53NYZck\uItrk_jbFDkZ5N6T.png | 60.00 KB |
MD5:
19d4ac4f676ae672f5b161c235ee6edc
SHA1: b12a7b652bbca82d9f7232eb7a6969a25d5e83e7 SHA256: 13ad7ee054ff8c57a4756ca786dc6a51c01578c7d1fd7e8d0b672469e4e3e7f2 SSDeep: 1536:Cq7sd8WWktdhtebEYPG+pLcoo91IrzLneOoQSb:CKmXXXh4bEYPRo1IrzLnh12 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\y sfavt_6-uR zUfBzh.lnk | 1.39 KB |
MD5:
20098c9d04a0170ed341440c9bcadf0c
SHA1: 494af9e881937d28f033ef0d4122f41c93b0780f SHA256: 724e5038fbff5d1165ca93131fd26f5daa4452d110fe5aedc3312957735c3e14 SSDeep: 24:5jQbD5PPaxk0XoJBthtLE/kyhEDq/FK9FaA1ND/arFF4kmIr0kAlkM4cnPwELiIq:5jSDdyu0XobthtI/kyODqoTJ9/KFqN9w |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AZC2.lnk | 0.97 KB |
MD5:
c0d60d1cde36689286c5816d78fd0d73
SHA1: 5447305627ffbea2e3516c95c8cd6f6bc0b4ff61 SHA256: 31b9ad4977ee8e854a4a7a6b3574e228b217b2560652775f53c2c16c32faef09 SSDeep: 24:EMke8e59J2xGz0lLGd+YulS3bmOnt5mIZH0GT5Uyck:Ele8etJzP+YSS3DtQ/Zyck |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\A4ItiusytGvu1_7.lnk | 1.03 KB |
MD5:
207b9b77c18b608ecf40983983cfc02e
SHA1: 9dcb400565ba8040a40e4468bccab1acb87305f7 SHA256: d6f1ef402ef4010b245e83d1581b19f9b2b2487e89d82e7f8870fb3cdab150f0 SSDeep: 24:RF0as4/ukXvmVB+uOlzVLiKsr2UKpEW3DIhcIjVlpqTo:jZs4xfmUlZKyGrhRWo |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\y1a4kAzLHPnL4SoS O_.lnk | 1.05 KB |
MD5:
9189d5de602efa9e7de94a73e1ce6fff
SHA1: 83ec03657486a77824b2dc4b3b5fa8a8fd291f10 SHA256: 8af0b1b19df202f35275623078ea07b722eee53d842323368043b75ff1058a64 SSDeep: 24:pOJxpIb0IbOx9jwEEDRhGJt/E9u9VaxvZdRyTNdlH0R+x/3p4Q:pOJxpIb0ISxir/K/E9u9VwvZdWbqah |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\969252ce11249fdd.automaticDestinations-ms | 2.52 KB |
MD5:
0db21856c18d043fcafa6dfdeb4f2319
SHA1: c6b2f7bae16b83f2a3c7ec3949ee7a0e8addc50a SHA256: 93d272d41dc1dbccb8bc75d190fd1bf279b1daa76779284f7d97285bb98e49b2 SSDeep: 48:osg+zUYrVrpCu1u5tYQs6t5vpUAV7EV9Q12HzYA5YHGQnQ4JCU72tvW5W:r1VrwUu5WQs4vpUY7HSzHeHZJXqtvW5W |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\HE1R.lnk | 1.25 KB |
MD5:
31bfece49952924b13bfa746f62bd6b9
SHA1: 83d3675c70b8046fe62a5c195eacc5acc015ae82 SHA256: 48a58c64e4b375df7cec535b81268c60cc3b663f7b24d255f62752b6df784612 SSDeep: 24:maQ7C6HnWryEEopQY6AvstVL5FzlWBGYWi6kUIe+ZzHTi5EE4Gd0L6:maENWG7o96A0tlzls6Nj+lzO74Gd0L6 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\00_yfQNqHGFuHt64v1.lnk | 0.70 KB |
MD5:
7c145dda3c6c3e28aa6e4771ba58efd3
SHA1: 84e823ebf0e93b7a22935acb5ecfe607dcc19b70 SHA256: 6aa7392f9b44260311091820d53a999892056159f12407d800b225d185a17edf SSDeep: 12:vJYXLYNZ26w1KgObfTF+p51WHQ9xATZs3tmRNyT7+oeWgJ5TwoHfoUJzNQSoD:hYXe0KgaTq51Ww9eTZsDTk5hHfo+Wf |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\eb282ead62b4db87.automaticDestinations-ms | 3.52 KB |
MD5:
a5dc239395dfb0ef9d3506789b6fd4d4
SHA1: da107ef35d7c3cec90a462f16a1a0bad14bedaac SHA256: 4232e6ec90c08512ba6eac94851dd8533afbb01237b6da79115cf67143b8564e SSDeep: 96:r1VrwC2ZTfaym+leGkmJ/rx3LltuaKxcU:RtwC2awBVLlQaKxcU |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\sasJA6VrgSyC4AEc.lnk | 0.98 KB |
MD5:
bac8446adc2d3a9e1ac9f7fff36e4353
SHA1: 5d63a43e972b1eed354d9cbcb4d08e99d11a45e4 SHA256: 1c1ac5ec4b2e668237175d349d466ac4bb98db833ae7a3ddb800cd8c1b4121d4 SSDeep: 24:7SNx9YcPPQZR4bNlvdRm2PhN8mxOFch4z1yL0p3Twy5BFS6xAc:7SNxmcPPyGN7m2ZaDcqsYwyzd |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\GHXa.lnk | 0.62 KB |
MD5:
4c978ed55ff59a0660222536eefdd2f1
SHA1: fa6cfb1710c16e98ba14d46ef52bf1c0fb26ce26 SHA256: 52a20f38709be8ff884aa91f0d3a5167558b8e88454fea59c3b0f2416656502a SSDeep: 12:vxEUcKWbb9JNBEeVWgQuk3vzNwEd9jaOX8JhauaeYlpcV998O/I:ZEUW95EL9/mEyQ8Ouatpc3eO/I |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\dEwwga9gIHgP7bGKwR36.lnk | 1.12 KB |
MD5:
e1f26cbd47807d2240f72f436befaf90
SHA1: 7205c8e9adadf8a0de53e284be49bed90522c990 SHA256: 50b79a0aa8596ea5a6133f7b37b24f60b777ff1e2f11715a5b8cc4bbd764cfb2 SSDeep: 24:pJXMEPNYEEhlcf5vlgJpLlZNSadUh19Y3BmOFl0t2:XXME4lcBtQldg125FH |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\_xN12rPpzNlGEeUEq29.lnk | 1.34 KB |
MD5:
a67bdff8bf3200ea1afa0b4aeb914382
SHA1: b0c797a49101271ea126af3a09340b013287145f SHA256: 86e7d4ca7eaf71b3362dd690c7866f4554d13fba7108d82ebb9e054e2cee7127 SSDeep: 24:ECF6BoZ7IuhIDrB0iAn3DgclkuJYA7SwmmhWrJql4P86VC8Jz:CoZEuhr3DMuJVSpPnCOz |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\B05_T\W5vUQUjzm.m4a | 22.67 KB |
MD5:
ec6631bc7249c458634e317033ed6ee4
SHA1: 4b390b9eab9d8f91d3102c7aef4dd577af111178 SHA256: f13d4cde326a58c0e7164dff825a7c86f5a855ec54457f444b3252b4fd3b2683 SSDeep: 384:AyVrQ6JIVvR+yVsZH67rkwInGFbJCG2G7RMXq6:f5JIVvR+/QA1WqG7RT6 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\zz0GoIZI_KNNIh4a.lnk | 1.25 KB |
MD5:
a0de0c5004f74adc799f763a8bbd3ae0
SHA1: 07ba3b458756f078e066e646665ff153dffc9458 SHA256: 2744b1c849dc3023de6fb21b419a5554f38daa85233e49efbfe38f02f2a7e809 SSDeep: 24:tLcLiye4EhTZnnXH0Qn+gkgiudCMqvfsmDhoW4QSaC6ZwjMMkL:tLcLiyBEhTlXRn+2uZfSaCyWML |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\KeUJ5oCueYQJJFzt.lnk | 1.02 KB |
MD5:
593f9b73b8cd3df8ff8487eb82ef0b4b
SHA1: 2dc42d0baf822b9bb923ee1232b39a42fdf474cc SHA256: f01ac79d7f3aff5fddf2c373baf8eae85b7e2f6e1c8cde247278c4b958ad5898 SSDeep: 24:MM+dZB3i8AEtQfW/s6n/Qnxn3OY0rWK/xqyF6LDO0kz1:MtZryWE6Ynx3bGqy6DE1 |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\d2H7a-tYhvZsdzV7Kw0T\F925j.mp4 | 52.65 KB |
MD5:
70c74197d73cb16f30d97203546855b0
SHA1: ced69a9de6f90ef0324031838284dc5d6d65a115 SHA256: 846310444ad8a101c746759ab71eb7633d220ffe8531e9393524552e4ce22005 SSDeep: 768:VwFliipsGQk4pLNXP95SEYmfazpzYPKzd+iYIxCUkoFMBx:yXrLSLNzS1mfazlNd+MxX4 |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\B05_T\vg-2sbVgxsUfL6fnj8H.mp3 | 19.92 KB |
MD5:
498b97705fdba3c76c5fd41d5fa2672b
SHA1: ddf243b04fc8874c87b278cf490bb7e1e0c833c1 SHA256: e5dbee5e3bb74f692c226ec1dc2290079d47167489c9d96be581a877d1011117 SSDeep: 384:qUaLKDCA5LNd0x00ACzO+ePR/S9qQ6jke5CaZzx4qC:qU4KDCA5xd0r1zONJ/sqQqHRVx7C |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\9-jMlK1J06Z.swf | 75.57 KB |
MD5:
a2dbaf30110679a5bd3e053d9f074665
SHA1: 92f852a3212c5e0e17a4bf7cc3b554603ae69452 SHA256: bd6e1e227b044e6add8b1f7018c0457ccda7d539d402fbd15db0e07da4fc8fdf SSDeep: 1536:Wtb5GCtL6z/B59GiIaMJy5AAp+VScwnQstxYM71Qs3Y:kezJuiIaMJjK+VScwnQixvvY |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\fBwW7 r5N\MWDD3fMVUTnRZA.m4a | 21.93 KB |
MD5:
3f05c7fd1cbd1e0437d10e6bac513546
SHA1: 4443ce3535df129eb346f51e86ef65ae89e365bf SHA256: a61c57f374926fbdbdc431a5d008cef08f255f9e71fc5cdddfb3297d2bcfd6bd SSDeep: 384:J4PEjlvZ7uqQqhLsOKQgVinuPPN1Hw3sE2wrbuf0p:J44lv1QGgOKfiAPNBw3sEvrbn |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\RrmS7r.lnk | 0.98 KB |
MD5:
68da95ed87b5e457c0235f3ba08038d3
SHA1: 7d8bdbfcd624a7c89c25a0625c49d5d1f721120b SHA256: e3bbd7836c898a98058c043694cd17df151b08fa242baacaf351a88b5edabefe SSDeep: 24:+m9v/91rl/keRLNlWeai0KHMfAiAtDcBY8UIdjQhNW1:Ppl1rWmlAivi8cBvUIdOI |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\B05_T\qbEo.wav | 87.48 KB |
MD5:
17cde2c160d04a8ba40fa5b73259a3e3
SHA1: aa87968a78dd81e151980fbc88878dcd39f8aebd SHA256: f28ae3f3ed61bdba476ef5cc3e64c47ed733cb68b18fbadd2ec08a0abcd4a33d SSDeep: 1536:ad2Uv1W5xqxsQuGYadR91bCHZ7/NjpM2+bi1oBcwEEOb9ZbsZ3/W8gCh3vXDrrN:aVWiCQ1T91kZ3M2+bi1tFb9ZwZrdLN |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\lN-gSBVjXH7S4Quo.lnk | 1.11 KB |
MD5:
c86129f6ec9fa1e3e3beeb4b5da16e38
SHA1: cc6a9411c0b162bc2e2e17098c6eb2878f059745 SHA256: 265eb8db593a4201033b547bfbba71a68c4ad78e59b75a982e4b4027f7b5e443 SSDeep: 24:5aS0ZZ06qGyKgq9gpzuzqyLxcxYRW0IADBMsPwUm/yXQz/K/WP:5gZ06VTJl5RzIUmaXQzieP |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\kscbOO.lnk | 0.86 KB |
MD5:
0e539e428a3f8ad741a4a74f9d7ed1fa
SHA1: 1998ab70f1fc8988bf9659758daaad91ec11c5f6 SHA256: 6d8dab7495523317d8541c5aae61d929339a438b8e220ff8098123fcc76e89b1 SSDeep: 24:3/qDIfs9UPnfIvuvKIKiD6dsTZ0DexuGuYJyh:mks6PfLUscqZ0Duu8wh |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\9m4LOZ8HMX8jF_V_h.lnk | 1.47 KB |
MD5:
7df02c4aed25d863ded8517fa1fa77d5
SHA1: a0b5d3a9a5411ce78783d1641caccf2faee84efc SHA256: be343115b5fa9c41454d9cf3e7481295c4d34a9d7b73a23abf78371a827f7390 SSDeep: 24:1AXDr2Jii3jWF7jH4CcMXSr1oJ2s+MQsm6m1uoxMKGiAJAZNLWYrwWen7:1Js3aWSrKV5Qsjm17AJqNLWBVn7 |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\rspzeeQ4w0Au.mp4 | 67.98 KB |
MD5:
a168bce92dec45d5731341d0ff997e76
SHA1: 16a3e18ad3445dc444fec36277b51c9ca4f4e67a SHA256: 6d8f8f22434471488cb6a9ef11c3abb7779da5c214e9bc4933a150d4b8c573c9 SSDeep: 1536:4CctGQIV8mQjBva+P0+yVXlbyVo5bqWVT73:itG3+mQtJjAly5WVT73 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Pictures.lnk | 0.77 KB |
MD5:
31f4641533d34671e45503aa5651747f
SHA1: f5aff31e26c800884e5670ae4b52e082599f86b0 SHA256: 287c9835b6692c2974f1e6812cb711a91e618ff38844f0d04df8b3229c8961a8 SSDeep: 24:SP6ogGfH/woTlWKxJHlogQfCwZUUV0D8q:SPbPfHxZhxJi9qnUuD8q |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\rxFiw9U9bm6LyT9g\MVmj7hQl- u hjKWdH.mkv | 45.81 KB |
MD5:
2010f4060d973abdca54431c02fa4be1
SHA1: dfd6638a7b67f5c72f8372c6ed9ee2da04704bc7 SHA256: f296913f9d77b574e00ee0ae640aaa9eecced1e832101d489a0156be522cf00a SSDeep: 768:TLUnxaJK9JfL4Wwnbmrt5hVqf8dIRFqTWRlEhpvQvzsTiYqxYY/llTyu89:TAxaJK9pvwnyrCBFqTW/IvQvIWD1Ti |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\EH77pChgN.lnk | 1.34 KB |
MD5:
cf0183e68d4f46ad53459da51c5fa75e
SHA1: 9ba78bac67869bc9e0f8fd22683dbface0a3fba4 SHA256: 0ca7765f5b2c15fc236f9306e1e09494c82eb04695903c07f696ade4dd0ec562 SSDeep: 24:kdLoeTjxrZdSpMqq2q1xHU8sTQo7Dk1/wcSmLpm4UXC+IvHRhC:k5ZnlZYp7OzHU8Vo7KcmIvIRhC |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms | 8.00 KB |
MD5:
171149033b4e7f54e5a78b00c9af1f2b
SHA1: b90ae07b5fd45a3d1dc03ec227b8d8443b989a38 SHA256: 7421bd412ac03c3a4b9388c09e56a689383c2d73ba51f35dab978198f2a87d86 SSDeep: 96:39yTHbzISt9FeFFDJPoYgG2cM0fxHZy4ZE7gw17Xm6KC:4fISvuVod7QxHZy4ZQ1Jm6 |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\MzwZZ.mkv | 55.96 KB |
MD5:
e82815c04348418980f60c52d409c79b
SHA1: f4daf6b277190cf3053d2464762f958699a49fcf SHA256: db37cae91fb8ee7a71f68ad4c87a92a6b85aac8876bdde54a0bf9690da062dca SSDeep: 1536:h3JsGHxcR/gNvuMSOAAikD0hKlXhsoSMe:JJsacqtuMSPY0Uu3Me |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\319f01bf9fe00f2d.automaticDestinations-ms | 3.52 KB |
MD5:
230b89fe50b48e7bec0c59a1e36080d8
SHA1: 67f0d316ca25e02b7eb5c21eaf274fcac313796b SHA256: 2ee3021d5aaec00b54e0833faff8a423793c3c4cdade1219d6aaea49c3d9ce64 SSDeep: 96:r1VrwC2ZTfaymk+vl1ywGGMB0+MkkbwtEmvyqVQcL:RtwC2ajPywVMB0+Nk8amvtLL |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\q9PB6-.lnk | 1.27 KB |
MD5:
efd30de0e59fea22c2d97ee24eaa9420
SHA1: 7818b9dd346a6912d7170b1f9b3c111ad7158bb1 SHA256: 5bb694d1d1af8ff84c44824a508ce2132c4894f687139f2e809003abfc0d21b8 SSDeep: 24:HfI2iHeDLbXqkDB8rXER1yD1CCRYtH0S8GeF513yMUeERRvHzmq:HAUDLbVDB8LER1ZCRYZp8G213yMUbRRb |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\e_d9d.lnk | 1.06 KB |
MD5:
ec149940e8d3c2d70e4c7041b55087a0
SHA1: d50994f5aaeebdd6055af8fe738ccd9e6f9150d6 SHA256: 3c4fceaf14ed21f66f881c7386676120b35488be42abbcfb280a4a748a560e86 SSDeep: 24:AU7ewnERFW4spcxA6LZk9gTKLqmFeDSKr8+P2gcZmqWGwM7Am5s:PHnytwcxzZk9gCoG7+PKGZ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CtG65B.lnk | 1.25 KB |
MD5:
6aaa11bf56451cee6ceeeb9156a53035
SHA1: 3500a4fbbcb75007cbaf0779fd92dea78462f782 SHA256: a7f6cbdf343a55e7707cb3eaefdf70a99dac4ca00636c832c225ec63adeec87f SSDeep: 24:LNbKrf1eTuczTP/pqCpZDCrEESj3mcwLuA1+ApeTF20d8yyzsr:J2rfifXAilCW7mzuA1XpewCxr |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\qTWuqh N53NYZck\pkc6AG_LpRlnu-9-.bmp | 10.35 KB |
MD5:
e5a8786a53ee1d3297d15cbd4179e436
SHA1: c6bea1510fbfd72108a513bb59954beabbcafcd1 SHA256: 556cad924c15c843fd8315c5a780e384ccb0abe03978068d2f382f2d36209419 SSDeep: 192:TZs38UmvPSQKYTH6K3nGa7AJo94+TA0hceOLl:TZs3roSQKvSfqE4+TJyZJ |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\J1Ku s.mkv | 94.07 KB |
MD5:
225a64527c9b6ed158aba9dd16312a5a
SHA1: 975dbee96748f5ae2688d610fea5e90b657782ae SHA256: 1cb849ac3c157f26bed96a0dfc18b01062184a94414c3785320cb4f987c86dd9 SSDeep: 1536:fQZsDoahQQoh5XGpPAUcu8LkNqPYoxC3Z7+NgWkUJogqYAxvj:oZsx6bX6hcune/xpiWkU8YAxL |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Sl1P.lnk | 1.25 KB |
MD5:
fe34012568e62c9d7f4f261d15b24dc5
SHA1: 6dfdf116d91b0b843432eb8e568a265b35e5bd83 SHA256: a6f232c4b158b7f190a3d782a54108bf48ffd0e35cefa52cce5e3ca8e6a69041 SSDeep: 24:Yk5Y80w87yaMpb+yyk2RY10MZ9qHi2xnLNcorw7GoQ8nQzJlIh:YJ80J7ynbx2qOMeHVpLNcorA/QMQVg |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\hih.lnk | 0.62 KB |
MD5:
a0c44f27454f0f3fdfb2c994847af2a4
SHA1: 3dfd080c92aa38c6494a607798dc7102faae5466 SHA256: a49f9af70d4e1bf20031353ca448744eb3bd709a28099f819385904fea251c81 SSDeep: 12:v9IH3OMwVCiRZswasxa6/L2xC++XiQh8zRJr9E+M/shXXuYE+TbJuQn:iH34VVsXsxbD2aXT8dJrm+MquYPTduQn |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\uItrk_jbFDkZ5N6T.lnk | 1.39 KB |
MD5:
c49de5d87f7cdf20f2f5000ac0397a17
SHA1: 0230c3ccf3d109ac8c6ee1f9745a05e9c804f549 SHA256: b7988e608c867e7ba1bd7acec7a0b976b8ad6f062cfbe5376e7a4dc0685460e3 SSDeep: 24:3gb1+iKoAAdfTMdBD7C1/V/pDAgXKsA5GY5E8gQEoiV52n9fjmXIWEY4B8ztB:3gfKafTMdR7m/pcgtA5vaToO5y9rmXIa |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\QOCXNrR-FN44qxjyc2.lnk | 0.70 KB |
MD5:
e28adb3acb69a6e48c657f1cbb0b81e9
SHA1: 4ec62886f38695aafbd337ebc5a82c5e780a8ebf SHA256: b893846d1d5ae4490bf2f13988b597d527af4ac4422e0bb2bc7faddcbdb276a1 SSDeep: 12:vNvpxGFMok1MohqaSNSr8IJ+qUictO5a85UcKsYbKdZ47HcfceBC045LfZ:FhxGHFmzEqUNscAUJsYbK8TglXWLfZ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\JcAiiI7bq.lnk | 1.23 KB |
MD5:
c6f7f3f3c960a57c40d49ad475cc264c
SHA1: 9a94b1a6f0678e940cd392dae34225ac1f2eb3d8 SHA256: a2b7d1053afd7bf787897863927bcac06b85b20da28fb07eaf6b088ba5858174 SSDeep: 24:eewOfb4pNJRgeF5552T3k9BgY2+CyGFN1vh2Wzqs5Jo5G8:xwOj4pNngeRoTggeCyGVTz7565G8 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\2JQ1gX.lnk | 0.98 KB |
MD5:
674209a3e7f8a1752bb7ee4d9387975c
SHA1: 801ad8daf84622f281cf4557eef1fb8f45470234 SHA256: e6569d71862ad00f69ff928fa6b1cf7cefe76593a7181a02bb2a17a1f1be3ce8 SSDeep: 24:PUqt1B44Jn/0fHBxtmf9bHDLd3zkF4gxxr0FqAbXFjZVVX:8qtLhSBjmfJHnpzkFIRbXpZV1 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\aA1x 4cIy.lnk | 1.06 KB |
MD5:
3a9e2587ce16b10fa3b345a979ea36a0
SHA1: db9e917501828c5b4d558c53a1d4f88366b83a21 SHA256: cd02e0bd456c32e05d335bb53502aaf81d25994b009967072f7d2dbed8c01ff1 SSDeep: 24:wQFycwbtKOxZQzWD2dYnSV960U/jJA+/VIWjD9PM3:wQIbJLZQzWDI5cdAqVj6 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms | 3.38 KB |
MD5:
1aace0999ed5134ef3528fe1ff7f9d80
SHA1: c918c9ac19d5b33e2e1ecd1ae9da92c671e17365 SHA256: f45ab9aa549c25d96521646c358361100b38773d10d04790cd277b484906bd9c SSDeep: 96:bRLWwhQz5n/TQSAL8+/Ec5JSqapI7q0tg5SuI1XRXBI4yu+:bUwWz5/TvAw+EaJ517q8KSuId5243+ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\hvsxSLFjGgIvWh.lnk | 0.67 KB |
MD5:
98103f91a1bf2a275a15223a663a37ef
SHA1: e337d03362f7f28894f6e699977e4a3889671bae SHA256: 7bab342222356f39ee6eee80f32eb96a8885cbe880cce573969083146cf47bb5 SSDeep: 12:vC/C8meDWzGRQuzxa3cnzvLH5lEFCqwvd9XKt/5A2A8OS8x5Z:6OeizGRQuz0szvLH5k3Q9XKtxA2dOPL |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\B05_T\iPQyt.m4a | 64.49 KB |
MD5:
bfa42efb789f3f14c5ffba98d17f71fa
SHA1: 35f4d7e3612bbbaa01c36a85378693d5d7d21626 SHA256: 360d3377ab7f262a07fe33a25506ccefc457ab2ea23be608810b30def0255beb SSDeep: 1536:Gg0ky0W0DtQbDDXkhIMpTRclnDE4XTR30xuR3nD8b4m:GZ0WaCbDzkSmTanDE4X93934b4m |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\qrA9hvnxQuIXrz-kBi\EH77pChgN.wav | 60.86 KB |
MD5:
d32792470d1d72f45441d14112037b84
SHA1: b747fab23e6bc53818d37f1ea7139eee4beed27e SHA256: 2fa4bde29b322f8a41a81d291cefc57bfaf576ea0992d81f6e566779b6d1c629 SSDeep: 1536:MOfZ8ISA2BbF4DS/pBG0PfRKKTixkp/6uM8lUdiujgiKTDTGGp5:nfZ8Zb5k0PfTexkt6yUd9jgi+DL5 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\YWlhp1_r1Xzl.lnk | 1.00 KB |
MD5:
77cbd78eb6c19614255500565940a4b1
SHA1: 52027a529c0d7888fac3daee5ec06911883112fd SHA256: 6c2f7795291bd86d3519d7d9aa0889be228f07751ec052987a1304076379b82f SSDeep: 24:L37ozz65uUi2xBXc5nUMAheDLkJSQEOkrOoVH:L3sz25Ti8W5nO9DEOuOoh |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\1E9x6o.lnk | 0.97 KB |
MD5:
bfc948537e40a2b2b0d79c335b4a48d7
SHA1: f9479b48c155e4affd928d4cd4d03b78de73dfb9 SHA256: 50f710833d2c95e5ccab461761acdb69e51ba021078bf5d8cf2aa5a6147f6d39 SSDeep: 24:q7euuie93NV+XJZ5pSOUSXBRy8YtimaKG+qZe:qCuy3y3pRUSy8MimaKb |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\6ukdx.lnk | 0.97 KB |
MD5:
162d47a94d898ca6ac8336439a72e107
SHA1: a9dbf196de094390de8c657422fed786200f46a1 SHA256: 41af13d1c3664ba6ae12832ba32f3fb8c2e42c925042c70acb920ba96a7cf709 SSDeep: 24:xe1/KfJC2qWrQbbcyvSP0rkN9SKdpayj4Tv5SDENMl7:xe1ShC2YcR0r2E8MKEN8 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\RL8XNe9oHqfUA86p.lnk | 1.09 KB |
MD5:
627e7ee6451220ec9ef60e884d796ec0
SHA1: 992ba35323878ea7430fa1e536532a318475d3ad SHA256: 3d50d09f0f653b65d7c59054882249b6ba00f11fff79a6ed01299fa3d47c7bdf SSDeep: 24:8NNXd4vcwFpGfxCxTr+DxRc7cy0Iz5Dd4JPZ7ButyCXe:8rXd4vcLZCxvIa7cdY5Ch4tyt |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\fBwW7 r5N\stCGxWNbc5wFp.wav | 91.20 KB |
MD5:
182070863866a5106d787740d2c570b9
SHA1: 2f7138db5512cb95e9f2f8e1c4b5bbadad0a5d57 SHA256: 8a8a66e9226b3a1863aaf340967c808a6869651ca2d0fef5a4a78dba3c04e7b6 SSDeep: 1536:wywLGnL6E5q44p8awfHELw1o9Iqhqr6MRYmPJXi65iI9KBedPA0wmxFSmms:wVyn8dpAfyn9pqXYyX95ruqPA0plms |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\d2H7a-tYhvZsdzV7Kw0T\aWjCPF5VCvkE.flv | 84.94 KB |
MD5:
96f2405decb0c1d57757aabf98f1f7c7
SHA1: 90ffc04ac92c1706f2eeeb35104002b269fa6894 SHA256: cab7867b228b5c30386cb5a167d5c31fb2c01ba061f7de764d2cccca6eae4754 SSDeep: 1536:FJniN1494WVHHX9td+sLBqEUCGKM8ePJ8GdbqDykDLWiHT5d2L7cA5zVK:HnwMHIqBqEry8eB8GR0tz5A7cUU |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\uwQJ\dEwwga9gIHgP7bGKwR36.bmp | 82.39 KB |
MD5:
1a69f9c6dadcc5ca0690dc6df4e46654
SHA1: 6febd89ed402b403ef513d97b1949d588e571333 SHA256: 649e6b1ac3a313e1b72db37a91c2716abfa400578484df1d55583da474974291 SSDeep: 1536:rDeKsVg+LhDIU+7QcpK/gOyNgMYxzM0Ud4JX:+KSg+JIrUPy2nzM1i |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\sYRXyP3UmUCc7I mkd_\xvc5X_EuKq.gif | 9.71 KB |
MD5:
dbaeadc2f70a7dc3317fdbc58e3bab70
SHA1: 5700e366f8896c885a6ed0de1ede323e159f2307 SHA256: 96c3629c4e59b26d9c10b54e2dbdc00a21b8a0244493f2564767ecb65a4fe823 SSDeep: 192:i0O6LSjn6IK7OLj45pYjEQWjsuSIR1BHAX:i09o6Isc0ntSIRoX |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\kd_M3jN.lnk | 0.98 KB |
MD5:
f2154ee88a69acda10c160063aa79dac
SHA1: 3b9189512b8c180236cbd31f81be2e3ebef36a32 SHA256: 259de32c0dee89906d6b6e92c156e21ca1352435ba452e9db157f2202a665219 SSDeep: 24:NkE3EOmtKuIjHRJDab+7aUSr4r955odD8iefgMbLq:K9pYN5ab+7aZr4r955oB8igS |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\uwQJ\aA1x 4cIy.jpg | 61.74 KB |
MD5:
a294725b3986dd4e6a13a71afdbf6697
SHA1: a73ab1cc78c23e74ec8fd5d6fc25c429ec2eec31 SHA256: 9320220d86628ca87bb263248041551ede8720a036159c9b979f32fdf3ef2e71 SSDeep: 1536:JfDUVE7qbSv7aa6QX2WkXCqjQcyB+iq62CWnYVcfqUzfW4kSew:eVCZ7aFQXxVqjQf+f6GaUkkew |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Hn-6.lnk | 0.84 KB |
MD5:
3449ebd32a6a2229357ab55404ea40aa
SHA1: 965f474f47703a4afd20d6a4700701bc2a8ceaae SHA256: 96f68102dd58be75cd7bcee7b90ec131d2b067ce36a81e3d6ca898774ca9da52 SSDeep: 24:T8lQ7A6QQR0gDy7cofUS4ZZeaXJvm2//hEa:4u7leGMcofd4ZZeaM6/hEa |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\B05_T\08m7p4.m4a | 98.62 KB |
MD5:
418c618f77411cac1ca27519d9dc6353
SHA1: 9a9ed89b20b78c9f19b345ebb29e464c103d69cf SHA256: 385471caf0d6d71bb3baa288b1128813605d03e4e5c9e1f8904e876f1428577c SSDeep: 1536:yXq6kmJPydOkS7VxtrPTCz4jv4oHpgHN1aeRxhCjtcN39g5jtg:yOmlydQ7VHe4jQdmeqtg |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\E6zmnTMjp.lnk | 0.66 KB |
MD5:
9bebb92924d879c1701a74dc54ab24a8
SHA1: d4760993dd4f75af739dec9dcfecf2dfafec5b6b SHA256: c2465286d4269e84f17423986dadb0a33ec551afa588f150ad2a1629359237a4 SSDeep: 12:vGyjjckfCprhrz3eSZ4er6UQCFCMdJjez9RX4ANBiP/ftiW8Ixp4T0WdWjMRKo:OuCPH3xzwmJo9VHGfI1C4Tbd1Ao |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\y8reS6m.avi | 40.44 KB |
MD5:
f73261d6dc35d26b3335f32be272c5f3
SHA1: 32aed29a4dc9d8ca98b47d456b917f671118541d SHA256: 4ce225d747c7e8f72b3bfc3c0d19f62db49e3196f127efba1418b008a4571d88 SSDeep: 768:HQh0WHkdPWTLzDwt8vuh+vs/tgDuQivR7uVvBoEe2uUfZDby8:HQ0dPWTjwt8vJU+vKR7uVO6ZDby8 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\rxFiw9U9bm6LyT9g.lnk | 1.00 KB |
MD5:
bbc127134e18831bd126df43ff8f718a
SHA1: 590b5ca88739306416f9def4f033d1d128a68c05 SHA256: 446d4417134f03efa963e0326db76dcb9b200866b983e4350cee4ba427219fe1 SSDeep: 24:4FXlOJczZapYzYXVe6lsLQWMixx7YzL4LKUsWqoXIpbZLY:4FXOc9KYz4e6jrq7YzL4LPsHoX2ZLY |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\61ebb1e65cfcb8da.automaticDestinations-ms | 2.52 KB |
MD5:
aa3d9285d90216a9712e0e3885dd567b
SHA1: 7d453432a4b2d9e3b4b2096a996d1122e51e4dc2 SHA256: c871337e7d62cf521bf47c11922aa71c506fe17582e9954a27d16468c8f12c74 SSDeep: 48:osg+zUYrVrpCu1u5tYQs6t5vpUDIEJK2wyc/oZLEnNgeaJNwkm21Dtj6zzMjNx4a:r1VrwUu5WQs4vpUNE20GgnN0NK21Dtg+ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\vRQ5tUuEKHqkKPnnz.lnk | 1.59 KB |
MD5:
62da0d2989f55b251f3aa8fd16855db9
SHA1: db8d758bcd217fe552b39aff0c40addb8a5ca780 SHA256: 7696619f2a36d4448d055511b7f6be9a9271887ba352188f8a84ab3878c727ce SSDeep: 48:rEfO5FWGdqPlGTqB2EyIcclxNDGtfxteuin:gfOHWWqPluG+Rpin |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\qTWuqh N53NYZck\fwMACd.png | 76.61 KB |
MD5:
ed362d2f1a33313d21f270b32fd5e8cf
SHA1: 80f2b6e6ce5382cd526d69b445bf27475bc8748a SHA256: 8257045c8d5a2024236d1dbb62a4dc837ccbfb47ae2a9722f266d19157122680 SSDeep: 1536:fa+1mvT5Ana/4UKIFw2XQQdOgnajaBJeu+CKCQ74OPQSi8J0+FLQf6a+PjQxftK:yXyc4PUw2AQ4POKx748Qh8/FLQCa+PKQ |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\-e3Mp2d-PI.m4a | 34.90 KB |
MD5:
440b3dd8506a3b6e420e0bdd96311eb9
SHA1: 7e997f4a7201d47f0b0e500ca849da445a66f157 SHA256: 340623eb01dc7e741b49ae9e598effa5fd9ebb353ca01f9eaddb9c5a8e0f2c9d SSDeep: 768:axK4PbrWi4fzA884cBgRu2xoPH8ZLllptqaQ:xgydfzA5sp2Ubte |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\fb3b0dbfee58fac8.automaticDestinations-ms | 2.52 KB |
MD5:
1171aeaed19421bfd73553b3bec2baeb
SHA1: 371203135e1e10250ca7e573fd4ad04fefcb6ab3 SHA256: a1a3deafb0e8d92ae426687e6f2cb8f269f76291767c3685189ca9eaada76ee4 SSDeep: 48:osg+zUYrVrpCu1u5tYQs6t5vpUWOrJ3F0EmI9uN7xAFV1UdVuH8zUh:r1VrwUu5WQs4vpUb1F0EmI9uEx1H8zUh |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\zozaK-qF 9YEvt.lnk | 1.02 KB |
MD5:
a870728a8de1c63de45a181b29610300
SHA1: 82eed2cd29f849d260427de0ec13b5b64ce7cad2 SHA256: 6f6cdda2f7b78f582bd8981dc9f11671d43c2c8cf9622960a735126d197b95c7 SSDeep: 24:ze5j/xCSFo4HctbDE+LRGJmRUHjg4qcz11YDnU9:G/x/FH8pDE+LgJOUHSCXsK |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\LzxPE9bRZsj0N\QlEnlER.jpg | 82.32 KB |
MD5:
4d70e739bb828c9ba37cef56de9ca0c0
SHA1: 9a066522b2792cf16dbbd4aa0c5ca099c189ad91 SHA256: f5e4162f59b325c40eca243bae141ed5108fc9a4142d9242cccce43dd87ea5ba SSDeep: 1536:yNJUHPhIhisy5ijNsp3ubR3L1AOLQF5dkySb3DT0bL0faIEtyjsJA9LKqy1In+pu:QJU0i3ixsI3RjLm5dkT0bL0faxRvInaa |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Fe7T5WvwX3mnv_7K.lnk | 0.69 KB |
MD5:
b86453240d3dc241569e12ade9e3ceae
SHA1: af882cb36e9fc9f55b2139e74a6b4472ef5f42cb SHA256: 2cb0f981cbe1dbd6ff74aefd256112904a341a18af82564ad941ea3f8bf3702a SSDeep: 12:vFN/+xdwtrrT+LP00WafauFNfVMnTvP4+/fp+XtPFCo/cCszZIBIDty24B1qd40S:zKdwtn200WZu3fVMnE+/g39/cCszZIuO |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\WlBenJ.lnk | 1.36 KB |
MD5:
70842e0b72327209dd99ae4070bda09c
SHA1: 1d315ce06eea0b198bb83d9da94fa6aae25888aa SHA256: 267c62d8db1b00ea950d73d1705bccd414402b342263ac8058fdbf98f3246ecf SSDeep: 24:iKnNYvOMwhlDg9OJWJG0UE+BrtmCO5U/os5SgOlFogh8bnYSC4Wdz5KkI/aT7JCV:iKNYWthFggJkUFrtI35lau99z5KkIeJM |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\qTWuqh N53NYZck.lnk | 1.08 KB |
MD5:
7455abee1ab2ffdb3bf1824049e7c742
SHA1: d0f2663b453673914b595e53d006d205cea85ce4 SHA256: cb6ca6390e83af20ab4458e83194d6c089b2729c48214469c0992ad4c9a77edb SSDeep: 24:UxRrsVrxZ4i1ufrBel/4GnliH0OuC1jiy/tIApdnI8gSHw:Ux1sVl+rIN4H0OuCxigSmnI8G |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\mSFbzT.lnk | 0.80 KB |
MD5:
2c7216ec2c7e6b2f3de58b1e57ea7af1
SHA1: 15fd6ccbad2d2059417821154eae8b6966d6a7c6 SHA256: 9cf50d68ead681116a03e93a9faea3a043dffd4de79b3384f8f42eaad5cb0d94 SSDeep: 12:vKPcTlHSzBV0m6NrqepT7h7VBO2bdaAKHISvCL1P6pgyGXKpss1OiYqkeXCnQuX:CP1qqCxHOuaqL1yrGXKe+YqtCnQY |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\SQa8 vvXUjp_g5d.lnk | 0.98 KB |
MD5:
104d5046bd5252a6dfb7bec41905a2bb
SHA1: 7755d17c9191f2d51931b37408199e93b192c3e9 SHA256: b966308df9f211672e966e6e34acee510804cf8e878436f36d8840c192962f20 SSDeep: 24:OLmhLuHQ/9oMMoEynNjm+SB1drMeg7j2r6Aunp1WIVmPsDRc:jMu9/MornNa+SHOt7UbNPsNc |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\B05_T.lnk | 1.25 KB |
MD5:
068f8bc1bd1e1f203cb27efa9cb9be24
SHA1: ded5a367cc6a28bf8831700b4b16a431860bb4b8 SHA256: 0bc0a170c1d628cc58f8daf64009f21378ace4bdb184340d7f271bfa67da6378 SSDeep: 24:+2FTYoaeJoJG+fl+RwDVE0pHAd1ZxHe0DHJ41A0+pYn4n94awUpsD/:+KYoawol9DV1+ZRe0DHJSF494Br |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\sasJA6VrgSyC4AEc.mkv | 45.49 KB |
MD5:
f9dbd9efd599d3c22cf85cc2d192b882
SHA1: b4947f56a92d0ea4285a4bf93e9468b5f4751682 SHA256: b2f90511f7941971c357c983445e08bc133bc86361f83728f7dafc88d818ac4a SSDeep: 768:up1eydaigmEyn0mZcMrWmj59fZEzKpDzP/kpm064/jUlbqhM:O/domsmZJymjPfZWKZzPcpI4/499 |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\jKcWe03_Z1ou wMT.m4a | 73.89 KB |
MD5:
9e8a442628c8f901ae0e71e6151e81d6
SHA1: 4d92e772b444b150809309250fa0c993cbd897bd SHA256: 748ee523831ee4b2d94dc0b23f1b8b0f840cd0aa857b1fa689cbc188c3048566 SSDeep: 1536:OlQA7gwPTgOthlB6lnpHRaYi4ITCdVDcS65W8:OGAMw0mhlBIn5RvxIubASAW8 |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\uwQJ\-n0RC1h1KI_sm3.png | 98.44 KB |
MD5:
66936349295aaaefb2204ac349837293
SHA1: e884e3a9abd02f2926e4dc8d26374d0a1a8fc635 SHA256: 04b3d0d312027a1036d88ba943a276a6203104ce54a3f64076a6ec002ffc0550 SSDeep: 1536:sSk7hLPPoHpGSGCAXzilWgqc8TRpgYLe2FbbE6JXBcC0W1Ikyx6EPV0aMZT5YaC:HJjyzilZMRpzVFbI0RcIjy1mPMN |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\R6lD7xHD8T-ubO3-rd\pv2DdR40ou-b2B8evhuj.gif | 1.48 KB |
MD5:
bbea3761c3483003e744e0cdec78f840
SHA1: 7fee89d75b65c87b507d38b76891f3ffb4d2a25f SHA256: 8857c7159aebe14d60ecac9be169754edf2038026665e5d9ebee49c4abeff716 SSDeep: 24:q86GwEk4TeEzzbBwcvpAnc48fAGjb5wXrx3FxCrtCyUu8L0lr:q86GjdzmVA5832rtCAvr |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\NiAQ3VHp8Zu.png | 79.54 KB |
MD5:
301acae13f92e718a46bc49859763066
SHA1: 645f222315f041738adf1a845160965be6373eae SHA256: 5a1e0cf74018a24aa8c265e88eb1ad225ba6464b2eb35deb2adb03c9ed540018 SSDeep: 1536:apgSvVElFYDI1DrPGgnShwLFiu935f2tKbPVZNDTqZHoLqu+bjxO7o:sgStUFY8tvH392tKzpSH/u+HsM |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\kqPHTpgPgkFex.lnk | 1.09 KB |
MD5:
db82601432f492b3c4156e70db1d4ace
SHA1: bf12541043cc9c44c31044118a27655fb819658e SHA256: 361e8893c4f3c3b8389b33b96111067fce58c533cedcc828e45173a53f4d2af1 SSDeep: 24:9l3gC2Hka9JqPAOjkV4s9WhNmTyM2buZ1Ws4CA3EB+9:9lwCmT9JqI4LNfQZ1W/X3j9 |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\qrA9hvnxQuIXrz-kBi\PYe7\g5O83QgO-v7.mp3 | 79.18 KB |
MD5:
ee9ab91383c849fbc31ca884d95ad679
SHA1: f38ea1bf3298c5afc851abacae07f1d78ccfdde2 SHA256: dec613ae37347cfa4d77a3a9a805036be9e78e2457f5d06dcace3cabf14d0489 SSDeep: 1536:fg+kI163YqM9KVaVA2sUeP8PdPfjP3Al/JjE01Mqkip3AfaUFZtAybxv:fgyAvMZ5suNj3gRY0KqX3AfDZ2ylv |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\1UEZKTO5 S.lnk | 1.45 KB |
MD5:
e085b71deb0ce7762310aa3ec232b3ab
SHA1: 44c8add157404e7c32b35ec93b8dc7a200a75093 SHA256: d3a60bbc3990870914a5786124893956cbe1774ac93efa2198e87044c32614dc SSDeep: 24:BUekgHoy4coHCx0ndX1PtgZPwPaRwOMJNmSYnl2MZG1ZCEeRYsysYWu3DAD:xHHoy4RHCOdFFSCaG10hl2YVRyJK |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Enw1.lnk | 0.62 KB |
MD5:
1e93bea7787c0db677da6356314bf171
SHA1: 485a780ca5eddd73a089b953600abb9c5ede2bab SHA256: e6d5cc61420ef6f9dbccbc799ab3c1500156e8ce01bddeada3dcfc68420436a8 SSDeep: 12:vBsX3GXG4EoV6yptTryk1XtxxWcVyMH1rAgTENy1bvNvMcg:yXBuVBpLdnpVhlA8Wvz |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\l0MLmWCXjKZ.lnk | 0.58 KB |
MD5:
79aba260be855cf47dcb7ecd876c485f
SHA1: b82be2c75cef39a88af5a3fb131b75dfadbd0b55 SHA256: f0d4c210f39eaa01f7411ba3b0a4584a1c0def070c78d71569014a4dd2bca447 SSDeep: 12:vqWixb8iKg4SCbKfyTr6kkgzp0PQbTmsFzTemQ2daWN9rl:Eb8ylCbKoPXt0oTmSK2H9rl |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\25vyla9KzJI9nEe.flv | 15.22 KB |
MD5:
294a6ce5ab91aa2e87cb38e5869a27ed
SHA1: 70accaef193a837f7823da3f031f828ba3f457cb SHA256: 3b6b6617b5dc42e81cf6dae02e95bfbd4bf6c3e86174ed0f6d9674c545983078 SSDeep: 192:FlYCG2W/5LeLnOs+E9NoxWL7rRV5BSimWK75Ag1Nu7F2N+vPbqkdy:FlYRhxs+E9NwWL7rRVvQ7b+v+kdy |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7e4dca80246863e3.customDestinations-ms | 0.03 KB |
MD5:
506d9062645451219305abf4f55f091c
SHA1: 69587c84712e1e96d3fed35aaa41f5d93fb0abef SHA256: 580755d6ed19d81ef955d8e0dc13021b76dcb544204bd1319501f28d02d9123e SSDeep: 3:ZOxyNrNwo8n:nd8n |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\0RAKtw47d.lnk | 1.00 KB |
MD5:
61894e5f2b9ce1436b9421fcd273919b
SHA1: 622a65eeaf888ab1665fd61835bae66836185a4c SHA256: 2badc77bb286b1353d4690ae55af18db486dd3334f8885bef0130559a1f387af SSDeep: 24:tWUnE/wRzdqVMO6vZHaYW4pni5wUcXGeZKufMZTBTloWlo8tP:A+EOqCNHY4piUXUTZTBTywrd |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\9mRe9.lnk | 1.25 KB |
MD5:
5c34db257370776df9b614610f351433
SHA1: d3eadce88dddaf1424a8d5422b268e50ce3705f0 SHA256: 6070df06db33365ecacdff72a62a48411393aa62195d68c5722d252180c81f5a SSDeep: 24:R4q83Oex1peIG58z/O/ECUg859QRt66CeNPUydVpmldu2fovgukOYqYfK:2XDxTDG5AZpf59QSQzVpcrovgwMfK |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\08m7p4.lnk | 1.53 KB |
MD5:
e1218bd3cdaf9a5e70a84b290f2657ca
SHA1: 914ae576a739121963614b9463b6f629c440c295 SHA256: a707cc7ad4e6576e8607432f1890ee27de41fbfed972ae53c9620938109132a1 SSDeep: 48:em+W7/k95P4/rfLdKcXg5VC9WmJHi7wha/wV9rswAlq:em+W7/k9+rh83WWmJHiUkIV9rv5 |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\R6lD7xHD8T-ubO3-rd\WlBenJ.bmp | 44.14 KB |
MD5:
44b6cb5717f7d5edd54ebca69ef67f3d
SHA1: f755af44bb23bf27c4efd0c805b5a1a876d5d4e9 SHA256: 636bf9a9854354308497a749941511db49ef48c79aa7181fb38d67f549746236 SSDeep: 768:as0tzdo8qOT25h0I3EqIzzx+wF8TPZne3RHJSwyWIJ8qd4Ib8Q1dwSATnRnILDQ:r0t0OT25h0bj+wiTP85mWIJ8qd4sFAxV |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\MGnZQV1D.avi | 28.12 KB |
MD5:
82d5237f7bcb281accf50d3a38d4ae8e
SHA1: f62add4e4824fbbc6bba2fd39d498ab983b6c5b0 SHA256: 98d312c1390eae843971ea16f6b51982b19a3541284565f7f509bf33606312e5 SSDeep: 768:9ARbw57tEhIqcgVmVRz0xQcUNrB6CQ2yr:9tqIgAJ0xQcULNjo |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\QlEnlER.lnk | 1.12 KB |
MD5:
02f9a78e42f133428817865de8d6c4ac
SHA1: 317317b8934f1fec57330656f2633eaabbee1abe SHA256: 39f957f0d52f2eed6203972e7dd313f5065f40b5f1728601398aab257e32cfbb SSDeep: 24:CG/lRT/DVWXPgIy2byaQak5LT9Qjc743Vq5eofAxelr/gA/sMD9Tlb0:CG7/DVWXJyx/acOnVq5lAYtMMZq |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\d00655d2aa12ff6d.automaticDestinations-ms | 2.52 KB |
MD5:
79e4aae04ae730578e0cfff252f81eae
SHA1: 330a283fbe3a0d419c39942635d9d610665074f1 SHA256: 0f7079e0b75d584ae6c6cdcb89012d044df6a62db178932abaeed345c7be7b5d SSDeep: 48:osg+zUYrVrpCu1u5tYQs6t5vpU9JeAEldnVhQuivlSdalB4YnUVln7B:r1VrwUu5WQs4vpUPPGhvivIIhnq7B |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\MGnZQV1D.lnk | 1.22 KB |
MD5:
7ca347c94ac9769f318b2017efa3bc0b
SHA1: 331625482f2c1a64e8dd1fc430adac262388e4e8 SHA256: 89a79ca2c679bf21db8cd5ebab4428c4f125b70bfedb8a63264d9139e7f31525 SSDeep: 24:7oqSAOK6ajXHROQ1UW+zwDrNANG5ceGCFnQRm7c+lD85Gu3ZpreM0jXay:7tunahOQqVz0A4OZg7RiGu3TreMQay |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\OMrih.lnk | 0.86 KB |
MD5:
e1cfd42381eeba03282823916f20210b
SHA1: e9b0a57ef814355c30cda10a3db20309576ae6c4 SHA256: 6d877e7e756af4fdb48c11deb8b58025983a7e93b3b86f8b783c979f5a18adb0 SSDeep: 12:vT0PByxCf1FTTXI4LFc6Jx168+KMBC9qBMQVGyO1A24An7zGVyZmFLp+yxlMZMbp:70PExCHPcGnnzqBayO1AjAn7iYAFLKY |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\v6afBXu2KwQML_bnz2.lnk | 0.70 KB |
MD5:
a590683987cf25801196a355b5ad8a59
SHA1: eff081721dd5397c595209d4e096d55869ed7f90 SHA256: 00053d8e265271053a53fe04dafc3dd23cfb7c604e869377d082b3b73bda34ab SSDeep: 12:vpCPNwbsV2nzbjXV/+aSIYXHK8l2HkF5o0pJIF4epChG5EJ4Sp2GzLIHm:RCPMnjXZoIYXh2HkF/3IhCQGEELIHm |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\cLzrBwI9ELH8EUl_mr\7ZO5muiNIGYzs1.jpg | 71.60 KB |
MD5:
d4e30e35346adb690dc97a7408387cdb
SHA1: 32f75f5796bbc8a51b3f94c8241bd2aea2e8d0d1 SHA256: 027165ad4f4ab1b73d09203689acadc741c01f13968a1cdf02cfa1cefd1291ee SSDeep: 1536:d1CFPrBP0Z8bEd2l+JyrW1yWGTOxE5/8YL3i+hqVxEsbXBabCppw:arbQG+JlyUxE50j+0VxjbXBT2 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\g5O83QgO-v7.lnk | 1.45 KB |
MD5:
7091570547d2dadc3ee9f30044274106
SHA1: 9b2d13c0062afd2bd2b064116dd66e38a7624a07 SHA256: 9a0fc047e88821fc37746cdd44b5862640f3098459485467a7c5820ff5df42d8 SSDeep: 24:hmyMKxaLUh5wVFV2gZWvoTR8n2aBiaFaWwTEvllOYe5gOXINohqIUyWZReMgeiqQ:7M7A/47GS89zQTEvWYSbzvUvZpgH |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\qrA9hvnxQuIXrz-kBi\PYe7\TIn_ARo-MEx1p.wav | 55.65 KB |
MD5:
f3dd2dbe53a2b4a22f2fba8bb1951528
SHA1: f552bef2482eea64f5bee821531e2e511735d1a4 SHA256: 6c22c73f02e13d4985a862e4d1e8f290b0d5665e4866869655c45cb81817374f SSDeep: 768:9cGwv+Dyr7CnT3Mo34DWgrDNYBgWlmnSFD8CdxhUua5zQE5AZ0W5Sv9/vv+1wfii:9tDyr2YWBBgW40Y4xLak0WElvG1q1PD |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\rxFiw9U9bm6LyT9g\negNC64LftvX.swf | 83.66 KB |
MD5:
d478770b99df0ce20bb9682103ed9cb2
SHA1: f38e3567e2fab5eea39a089261caa51e3a1800aa SHA256: 1dade84532b22450e6c3320e1c001d80d3a32e26f4f5785bd1931fe20d602cb3 SSDeep: 1536:doZl4AmuLhn9ZklcxShFtwQmIz4FNMJ/Nq56Hl2L:dBuLhnTF82QiPI/fFM |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\maZWJw8hU.lnk | 0.94 KB |
MD5:
c10fb1a71461a4bdf4ac322aed81a7d4
SHA1: c4befb235086c03de474c428bf8f3c51c346aa93 SHA256: eb4ad6a5da761c35c48834ec8afe095b84260d7b378085d6bfd167c5f7350a7b SSDeep: 24:x09797qHhalz8jKwHGHwZVxEfPkf1dZwc6YEgr7uUOKz:xkB7ecCFXVxcUD6NA7Hz |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\IJE5Cqpv5XA2m3m.lnk | 0.83 KB |
MD5:
b8abef438432ca35f0090f5ceebca197
SHA1: f7c869c59ea8433e6eb59dd3c08c5acc598615ca SHA256: e5216974f63b77b414aa3feebd3e51369366c4e86a2736151680586309cecf5c SSDeep: 12:vlb7jRSMyXlrBFx+ZSDI5wsv5BSzAS0kU+iavh4oUVx3TYSHlM0qvj4xgLL4vFAP:6NHFxJUL5BSzAS0kJ3hVUfz2740L4vIJ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\R7 9VVQ_Ob5C3PHQ.lnk | 0.97 KB |
MD5:
2fda5c7b5f4ac85870773f70a2812a25
SHA1: d81ca44d24bffbfaeafcba6e13c6ec3e32074165 SHA256: ef7e0489f2df61d6fd16c71bf32e35537f5020043156f5c423c4b52baeb921ca SSDeep: 24:3Km6any/MfY1HP71/yictb9dTXSEebOz/EJuf:3KmE/MA5P7Qtx9S3aca |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\4M9GNaeWOnw2HrFq.lnk | 1.03 KB |
MD5:
5ad2dcabb41df162857e929127d63365
SHA1: 67d2ab341c8e1dfa6523a25bd93e59aea19dd8b5 SHA256: 2c23529787733f1d58c69c79c9c3b1723cb99e049c87612cdbd72603797c44f4 SSDeep: 24:jXGbJYBtbJL0Whe/fkwzYD6u8KZfUxz4gxEKaml:jGetbq/rGVXkEa |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Qa7KN-vTbOI6h.lnk | 1.02 KB |
MD5:
b6d5fb40d53f5b0ec93db8c4e0180777
SHA1: 73e2904027e845a3a77172ed5952d596804fea44 SHA256: dcfff49eb28443de847fc5f73f3ecc1d07e2c4a6196f5d3428de865cd57957b8 SSDeep: 12:vy6dCjhSqw2AkBOK6dVQ2cBmUTWBTiE+Q+VD8a6xY2sJdZU3ZqMaFYtXU65IcZgu:a6dCdVikYK6dxrOZLypo8qFYt/Kjt1EX |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\stCGxWNbc5wFp.lnk | 1.09 KB |
MD5:
bc81b5a40054c9982e750e253da54a39
SHA1: 857976911abaf24470ecbf46297fab8fa21128ad SHA256: 8997c3b55924d230dab303d2f6ff5d500eac732fca11a6161d535c5b89f4e681 SSDeep: 24:tzWMatQHzqtDXheyYkiztQh1Nmaz6yyDqLqh4jSVU40OoIvfEj:tyMatkzq5YZQhnz63DBh4mV70OXvfw |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\IsjTI.flv.lnk | 0.97 KB |
MD5:
ee579a2a5abfb840f71a5208fe1d3f9c
SHA1: 0329623a5af3fce70a7ed160b2bbbba54d0bc645 SHA256: c19967851a0bb79b35273efa970f594bcc6005c4400ea8a1d12d0fa099ff4d65 SSDeep: 24:LKVQTEUkvA7tHAhiBPgCtbvAaVAc1BfBeou4PqF0ONp95Jrz:GifhHAhiBPzhvkc1BfBV2l93 |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\kscbOO\l4gbd3wQGAh.flv | 61.75 KB |
MD5:
7410be60821fa840f8df28312c4a17b3
SHA1: 1292f139e3374852bb3367eb20ec5ba9f1539ab6 SHA256: c97415de57483927d592f6a0ca85b1e42dca42c7108ddebd166f3926a9e51131 SSDeep: 1536:FM9mWRn+ZcqvP1ECcrUcVsnuXB8UBBfoYabvVzpC1bvzSB1GGVM:u9m4IcMP1fcrUC+UBBQYcmtSB1GaM |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\R6lD7xHD8T-ubO3-rd.lnk | 1.09 KB |
MD5:
0dd001ee2c274ca643f10d4b257beea4
SHA1: b83a9d6a265e6f61e842128f5cc3a300fd64e71a SHA256: ff8b62f1ebbf3e13b6b09af8096bc0e0cac6e371daaa18c2d91eb62da639c3d0 SSDeep: 24:Z3cqJ7IKydelY3rvyNuC6a3N2OSYjc7T5U5yeJhucfACG+b/ydq1:Z3R7IKyl3r1C6a3wOY5U5FJhuyA8bqI1 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\okHmUs.lnk | 0.98 KB |
MD5:
acaf76d28ba7890435a473ed720260ac
SHA1: fcc8992939171d0cc6e186885d9a17e444dd92f8 SHA256: d2b31063afb3a4c90533eb13caa93ab77baa5c28de420f1ebe582577b897ace6 SSDeep: 24:NcmnGrmastHY6D/draejvLhgP8r7MzxW3kN:XGrtsVYcjq8rixWUN |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\fwMACd.lnk | 1.34 KB |
MD5:
deca6007db3a24bf61406bd898408521
SHA1: 213a084a220984d234194c55ad49a6ded693d04c SHA256: f40252fd79d189f91935c63bf16d235e9f4d88ce74f2a4ce150c70fd6a853c91 SSDeep: 24:J0S8K5Klu/cOIZUeK7u9mJUI2sMw1yMtYhlx/gcQhDnVdNl:Jcu/qZUeKi9CD2sH1yMuLx4cQJVfl |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\3zrj1.lnk | 1.17 KB |
MD5:
247c0fe0237a878db89945e25dbd24b0
SHA1: 95ca5ee89ae6dc7324227fa4535a2fd0d21481fd SHA256: 2be524b39b521a2fe70c7362075363ea287cbacc87865d944c9db00dca349609 SSDeep: 24:rBpmegNx4nGe70lZqLsa8BnDEKn3T6ccy5LlBBgTV7e88m2k:5gr4n/4Zws9DPn3TLcyR3IVe8bH |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\F925j.lnk | 1.42 KB |
MD5:
5abbd9d5ecaf80dd6b2d8aaa2e7f0778
SHA1: a790f8072c9285d2110e0cce4303b96c1b20f2b0 SHA256: bb02dd4407d7423b9513a37c5b7d71fcc8a5adfaf681efe0c1feb81c508fd652 SSDeep: 24:5kB55bG3Ksk6PZAiO3fxicSsr67Mky30OKWKWYxxro/B2aD3+4Vju698GhN:5kBb05AiuJ27IRPuxpq5aGu6CGb |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\qTWuqh N53NYZck\zMTJW8Dsc.png | 68.17 KB |
MD5:
67df070543f83c07a80dc67217ddac75
SHA1: e8e40c7044fb992622349dec19abba455186cf3b SHA256: d82c21c33251b3fa3901331cc2d3d48d09afe0eda35f916854852a3b53ba5a58 SSDeep: 1536:vJC4YbLuIRP9tgtm5jZ3P7YLjTK2juzf8vxoYI7c5gv8jj+khGfxj8tdg:hD+xPamtZ3WjTKce85Wv8/+MG8+ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\oSqIZuo5iz2iuOqFR.lnk | 1.02 KB |
MD5:
2a2c92f8686bffb963631a278e918036
SHA1: 2aa0d4f2c77fea1e913204c72a970cd61f715c4c SHA256: 6b945c89170eecd28300caeb472d48673e6197e4b69690082bde78140e6c6395 SSDeep: 24:4cd78DG08f+yHKXNc7+wr0cKl0vyvzvb+9ly:h8SqXNc7vgcKloyLvT |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\pptfNpe1BfneOLa.lnk | 1.00 KB |
MD5:
15ba82eb11c6ae39542e2a4fd8ee5114
SHA1: 87d878901e58d2fe77983fa5936611c4834491bb SHA256: 9896c7af497282b09823c90a6c2742ba9515f68c1217ea205782622e48a0d95e SSDeep: 24:OjrU67HhAImzikHRP7kACYJksYGrPhuiOTjWs1cN7CDb2KhjT4G2ZD4f:Ojrl7BAImGkxwRYJzYGNuws1uCDbFQ1A |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\R6lD7xHD8T-ubO3-rd\8JP_fHn2fAsy.jpg | 11.42 KB |
MD5:
6dad892d3d2479325e1bb6e6249067b3
SHA1: 10cea107ab999e1721f1e953e932a2d3a287208b SHA256: 0942c5c39e4d6c26588dc653e9c70624a51b4925beaf390aab21bed34e3c5d20 SSDeep: 192:FaGJn+qA7eBUkrQpdqLpUbBUfMMoqEHHlri8Hke33SmcW:F/JnPayDQfqLGUfMdqg9i8HLwW |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\XVz99OD38.lnk | 1.27 KB |
MD5:
29e8247e89fa8829df06d5517f40e22b
SHA1: 06f48d4447568eb720db2ddb36d217dc78df657a SHA256: fd3e02d6249c06bb2724df792b17d993afb313f3fdc545f50e2a8df0b809e56c SSDeep: 24:WdFzCwpHFJn5iHe/ooUNP3L6BBnOxcyjbsRjcBRDMMwx850Th6:WdFzTpFJn5iAVSfLAOrCjcBNqh6 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\rspzeeQ4w0Au.lnk | 1.25 KB |
MD5:
205bac50e33f55b2a6c1f1d6c17552d0
SHA1: ebcb04628e2db557a6aba30b9b534b7aded561a8 SHA256: ac2dc6cf199c576ed95bf5a1c3039627840412ab9d36a34574105fcb6c7c6729 SSDeep: 24:6D2Ng9Uh7mqxqaNiHbSREjgh6NCCwlswie/EE+9uS6q4RydKop/kGNknL:kqge7mqxJNUbSKjD0lswie/Gtt4NI/k3 |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\uwQJ\RL8XNe9oHqfUA86p.jpg | 86.55 KB |
MD5:
41fc5061248842509dc31230a39e5748
SHA1: 88c2cb2ab974805d54b3de03af950b9aafa0d1fe SHA256: 4368a39c746169d1e3e6e7407e6027e39604780d8ccd7d27e1fe3660209aa4a4 SSDeep: 1536:zH8N+vvCf5cijuOuHUCaI4V0jOyJPBc39ge8Vbis1PKE3IQhoijlgymXlrTUBCEC:oevCSVpIwOylk9gl132WgzrYoR |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\y3K K0vmpn\9r86svUYxeIc.swf | 75.65 KB |
MD5:
645419f29e56abd8f1f974a700a71e61
SHA1: 9beae3913fdda7ba76521974b3d903ffe2656842 SHA256: 1b83fbaeb62845703776544958be69adbca11b615187a654a5d775f92e33286b SSDeep: 1536:ObFWN6VU7e3C5i+Mcaka47S1cfxtczg5PYr:OcwTykPv+S1cfLPE |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\PYe7.lnk | 1.16 KB |
MD5:
580634fd144a2580479378410bc20eab
SHA1: 52556330215e9e88ea67a0bb4dffe9b49f2b9772 SHA256: 4b147a7189e75a9f2fdc59e61c554c868d77b8000bea7d4029005b752456843c SSDeep: 24:MUOlvxPM8jr5cobbhSDInPcTsWnkjVKY8y9zC1jXhaPAvK:M/tdM8jtcobNSWPkkfL9zcVaAvK |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\y3K K0vmpn\phsoFQ.mkv | 55.93 KB |
MD5:
ac4f11908fe39e1ed86cd4d77f7335ed
SHA1: 3e167ee097782197d2c4ab294d122cce21617000 SHA256: 828db33a46ed1643cb68e465a66a8771383c3073d667a05bf20bdc1320cd2db5 SSDeep: 768:FTyRJ6HpJUJXce4bh+M3sV5Q4B7FPD4iYXjAHom91e+xBJag2DBr9LtCV:FLOeossVzlGjAIke+xLaTVZg |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\gHZm.lnk | 0.62 KB |
MD5:
06b18db49c3f9bd79d3f78e4cff8e541
SHA1: 50f7d5123a5140c024b04626420f616c0cd6e674 SHA256: 084356943ef56ec76e06cb20f363da9f5e842702d847500beb1e864bf722db39 SSDeep: 12:v9MNLANaFaPus9uTYR4gmWYTotGXtg4Eh+FLJVFAXK32UWkH2tLzZXzR1yIIld:u+Na0ussTYCgmW3inLJVFQKjH2tLlV1u |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\ZyJPALqhGX4Hsp7.lnk | 0.69 KB |
MD5:
201eb4c82595c8c3cbfe2fa16107b317
SHA1: 28d137fa177c8438931619a3194a1a42d35261a9 SHA256: f136b4527ea4549c302ded71eadad450057b046cd051c9c1727f39b7c1a4e293 SSDeep: 12:vCTsYzcuT7KyZ8YOAvWSF8rVCs7sCzXfPzomPS64kAXSl/OsxqN6:6sYguTm28YOAvW48BCas+Ti64kftOg |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Gk8oY7c.lnk | 0.98 KB |
MD5:
4958e15aa95b48444868f73cac01cab9
SHA1: 54592dc0fe1a7a56f957be2860d3cef4ebfd6363 SHA256: 40198190419cc16a07137535429c0793c4430f444f3ebf92a9b7d2a762a69e84 SSDeep: 24:S4LvE4N9Vpx8kK6xLKJWR/eqyoAZLBOTxNKw:1BND7LKJo/eqyogVO/Kw |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\R6lD7xHD8T-ubO3-rd\Z_MokPYp K.gif | 47.24 KB |
MD5:
b7f6408cd2b2aec2c1db77cdd5cd645d
SHA1: ecd777cc4c3881dbe53eb99a35b7a1f26372fc1e SHA256: 4def04ae5df64ca6936cf68186a42ab90a4979bd21bc3b46bb21604b1938af5f SSDeep: 768:qlMVtcz5xICEX+yN0tgybr7ivqNfvxRq2FH/3ZThIZKY8LszLy93nnKE:qlMEzoxutgSsqdxRq2FHP8U2+1j |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\uwQJ.lnk | 0.86 KB |
MD5:
b32d67886710cd4823e4a0d2f1d432c9
SHA1: 0f6540fa262f692661874aadad56a3c01454485a SHA256: f1aabd39dc234fd993145168e51b7f1c43755edca44ae12952579e7df6f52443 SSDeep: 24:Ru+XqvwM8jraHop6ixHpkuPOKSN1xPI2lUEaXw:3Mti6WPrSN1JTcXw |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\fBwW7 r5N (2).lnk | 0.86 KB |
MD5:
0cf32bc83b224d33f5cb96071dffaf68
SHA1: 0d8291f01601e2f4fde85ec948f9902fb04a426e SHA256: f759480acb9c313facf8cb956836884eabab6e2c0a5d92b94ccec8f2a6ee3e20 SSDeep: 12:vy45yI7L+PrSymN23uNOs/IAWKC4LA+1jRFH5D0zZK7QBeHm6Hf6D6lZ:6UMrSymQts/IAWgzdgPrD6lZ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Gqr Olni3uCq.lnk | 1.00 KB |
MD5:
1f80149573141ea18d7f4906686f5d6a
SHA1: 271d2763b5371a0e3448602d9860e62d56dc45c5 SHA256: 3ea231fbea61332349940b860c89edb39b4deb5f1852410af9f68f4a2d42e815 SSDeep: 24:ZJ5T6opZASURt6DU4ZU5pLierY46lGCrteAhsFcLn1:ZJ5T6CiFRMg4MUVlGghuu |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\PRFX.lnk | 0.78 KB |
MD5:
1231cd8bea60acfc88da9c6c70437143
SHA1: 4bbdaf6d7a8c965998551a4e00ef8097a4312f51 SHA256: 42564485d286b8a16057281aa5cb25eaabd8a3c3dae9d5b7b018120eb5668a12 SSDeep: 24:YP2Ywan2gkDOYlY72jNH8bXT6rkGdbHAmpmNe:Nybml+21yCkGh2Ne |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\aWky26OAlQ8f6r.lnk | 0.67 KB |
MD5:
4a23424d8ce1fe7e8a267f5d21e6ba6f
SHA1: f43dc7676a3f5219dc33e313821dc62f3aa22b35 SHA256: a17b0eb8748dbd990ac3d666b1ae1e0b2db15921ad8fd9993c1cd966dd8bdffb SSDeep: 12:vvvZRLJMeY3wLc25gz1lcXoYsFe43oLZm8/h5HQTUl+Po9N9VEKmtJNaQ7GW9:nfLJA3wZ5w1lcXmFloLvacmo9N0KmtDN |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\3hK fW-nhuzGhzCyF.lnk | 1.38 KB |
MD5:
a132dd392312b1a786dabf388cee2105
SHA1: d0cabbede8ac31270a0352f7c4f04bdc091411e0 SHA256: ded3d7a8a3845e233260188654113e6526d7c53f9382858ad7c66273d42848e4 SSDeep: 24:eXzjJSgWvDz44dvVQHe2S7b7X65nxjS+zXP0FFoMY7Q8GVaBx:aAgWLzF2rsbD65dM9YcXC |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\-e3Mp2d-PI.lnk | 1.14 KB |
MD5:
058a1fb76da9a861a2968610e79f00c9
SHA1: 701f9175df02cb7c66bf40b40df29c9e93b7d545 SHA256: 7611ede1abefba264da47bf36aad70ff20053d5e9012f3f92b1a8931d389a0fd SSDeep: 24:JbV0BM4NenW/6Em0kIQVcFAHoPJ6POgKDsOg8CaWj8oS3OzRU4:7wxm0kbcF5ZLPgvvSz4 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\XILJaPf2QbTSe0.lnk | 1.30 KB |
MD5:
7f1c0309b60dc53513545cb811fa6a51
SHA1: 73bbfe63df1c5a52354c6b447c39eac1ef2274ec SHA256: 287647cb4b50ae163dfb7b19c5fce7ecb47ec2606be77c22e96733ce39ec25cf SSDeep: 24:6b1yoZUqv6hKEn+oQlWwYkvo9MYp9F6NaokU5Yajn/YZBvJdfr2Ajvqo43Q2jPIv:6bSNf+oeYyajGabU3zYZFbXqo43bjPIv |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\YjGHp.mp4 | 57.16 KB |
MD5:
06a4f3437e65cff654c0450c8ba9cd01
SHA1: 58d879fe9608e524a66cb81d3cd8700cfac56c1a SHA256: 91314fa363a3d5557d3c95bbd87f705e007b06c3b63f40f2fb6e3a7d427f0193 SSDeep: 1536:akyljqmCwN3mOtqyQmnO2MeCpIUFBvIC4+fL8bYZSYt:akylWO3mO3QmO7LFfoZE |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\VVjOWuzx8w8tLEluosA.lnk | 1.03 KB |
MD5:
e7bad7e8e6f9c648d8e64c65bc3416c9
SHA1: 0cbd2ec152567002f8ae971944ee141305697c63 SHA256: e0a2856604678cdb98074d4edf8f11fd9e7dfa5d2a0b34cefd9921f7fd9d6de0 SSDeep: 24:RyZXGId8nM1Kn0BPTdF1ZvZK7sdMyb3t2MOc4o3g:EGQKn0dQ7Rybdazow |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\R7 9VVQ_Ob5C3PHQ.mp3 | 89.22 KB |
MD5:
fa2a01208d67942fca45621abb7e028a
SHA1: 30dcd7ef194f21f990933f3934dc3c21a967b21a SHA256: 6a4ccfdac3b75e464594f12a8dfeb71e853f9909966d2792904ac8c4ebdaaef7 SSDeep: 1536:yLRghqVQkkOYiiTp4jPEThQjCepFi2kUJZkeNMzk2MAReqqM2BS33nr:yLRgCltCLQjCmFrkUJZkoX2Merq9EXr |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\LzxPE9bRZsj0N.lnk | 0.91 KB |
MD5:
49669f451711b46e8b38f5285a7012bd
SHA1: 24689be4e74cfda35f380721e3a8d3d2e08c3310 SHA256: 54d2e2a31786407245831bc0aef0abfbd9f7afd0455e4ed4ea04e0c055cebc05 SSDeep: 24:1ju83lSKgvz1s9+N/ZAik9M0g4u8438asQRO3Ez7:1aUKh8+NhAjMb4u843dRO3Ev |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\maZWJw8hU.mp3 | 29.04 KB |
MD5:
693086cb8abfc588c4f307d2df282610
SHA1: 7c072466ac4c2138dd417917b4f810fe795e21ea SHA256: 0af8af89e41e35ffbd35b5e2ce735cf084ec798f1f78414a2d3eff823288b2ed SSDeep: 384:tUXkCiD7CeJGj1etmAPOrLVXII0nryX4tE5V8j6qfb1SkiBukouybM4:OXJiHCewRubPO/VEnuXAE5SfABuhuyh |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\jiLoP1s77mzUlK6iOG4A.lnk | 0.70 KB |
MD5:
1e179148932c6c3be2667572d3d66de4
SHA1: 2c75f284d539b9a39b1a6272fd4f0b93e9c36ffe SHA256: a1d1af0b8b768c6b184a4ab960a6a068c150e1aa2d156bfeaec1b5aaab7212fe SSDeep: 12:vtWCar25lpPnHuJg/GSeX5gFXz8PqTA3iF2UsGdG7rtiY:raOP2JgwXipIv3iFAGdG75D |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\4UQKtgpXFhDlO9QReM.lnk | 1.05 KB |
MD5:
efce4f0f24026136a0f4c2d4d2fb9418
SHA1: ac39339297556f69dbfc496db21bdd9f6e02b49f SHA256: 9fb65504a14dc52a9d3caf6c5d462ebf2de217d7daabe32fc6fa8df00c235fb6 SSDeep: 24:e4jDuZbYs1eCbmHZEpqN5JQQOzwVKcVw+yfnOuJXU0mvEmilnJ:b+r1VbmHZ9NVYgKtflk5vY |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\LzxPE9bRZsj0N\JJSZ6n05wI.png | 9.93 KB |
MD5:
b8ef233f8927968d9c716a2877747647
SHA1: 8713643846f4837e9485e7ef328ed675ea490b77 SHA256: 58f8e852379e4e28acb6bb100ae92217d64b3e6eb10a2ae1a6d580586621f9fb SSDeep: 96:ZY3pU1oimtdBZDWJT7XYqV8f9FkFLNGYWrWoN1R7m5d3c7yM3dEK0HxOP6s++b:K3pU1ovZaJdi9FlD1lm3cW8Pb/ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms | 284.54 KB |
MD5:
becebc8dd637cf3f3e82332ad3a725f1
SHA1: 9fc9ff1fe70947cca90f16ab6f5d4dd980989039 SHA256: 64421d698fac5993d47921f36a6cbc9f96571bc2b7c21997a8395cea96fb72e0 SSDeep: 1536:ASffFLwYFIM7dN4vErFHypZRvaKuZ6e7W1KuJ23XZJu671TFl4cPaqWKNJ1ub4ca:ASPjr0pPKhWyY9cP/gcjNP |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\-n0RC1h1KI_sm3.lnk | 1.09 KB |
MD5:
ea704ff1e01731c5eed6afd676494b1d
SHA1: 6da74a55654d9c8e4982ec9577840e02308c6b9f SHA256: 8348a7fe931e0f5e88e2533260d2b9914908a36fe900fae33a08d807ab16c369 SSDeep: 24:gfD2HLlKljoXfgRSrdK5GnjnS5VktkS3tqSQgsXvg:C2rlk04tGWctk1SaXvg |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\h5ZE6cD5v9t tme A-G.lnk | 1.05 KB |
MD5:
9001429edc85793f476aa415b58de304
SHA1: 5ff8c8fb60d88c3cd2898c7e5516e4cd92053471 SHA256: e7249ad0e4aab88578879f8d8c1ad2a5f9880e32974d9f8c6c6df512b4304672 SSDeep: 24:xYZQXPpCFnaSOJQPF2ae+7XvAyH4doTCuk+3cgz:/P0FnaJQPPe+7XRHTCeNz |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\rxFiw9U9bm6LyT9g\9yWpLzjHOCpe.flv | 3.81 KB |
MD5:
fd0b146db94ff24428efe84beb2a7599
SHA1: 6df091b41531d4d23aad093d68f9fff107520e6d SHA256: 7d682f897f0bf2fb0418453bda8846216207d000f55e324b48cd313214a21341 SSDeep: 96:FlFYIRiQjWjuU3meOTKIcwf766rB+NjXj03HUjBeX7W:FlFYI4QpgmTOG766rsDj03O |
|
|
| C:\Users\CIiHmnxMn6Ps\Music\NGHgpHRGY\5-kIDp8-bzm7egwPyy.mp3 | 60.36 KB |
MD5:
b0b351236c5bcb436695e8dd35e55a8b
SHA1: ef1590a220f5cea6eb29f44d26c9cf925c548fe3 SHA256: a14ad1b6bc095c35fab9f69ac65df6b4b9c34419eea74314b51e87556fa21da0 SSDeep: 768:2RuwcKnJ4KeKaycrVv7jCS1aWOqh4wLVNvZS6qleolW5Ya/c1Lr0jzzS5GwBDgCA:SJZeKayA57WS1aWOc7taIQ0wZgCktDR |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\zaD3n7 mmqSGIGhEu.flv | 27.25 KB |
MD5:
212aca1ebc4fde81425bcddae9e751f1
SHA1: cbc6d82b1478d0c9a8e990fce9ad2c47006c154b SHA256: e15853b9b173931a0a9313c513af6c9b783da918dffc7cda287c87c8fcdb120e SSDeep: 768:Fo/UL2Te84urVN2Pm86tudN75rkYJquGrl:FYULh8zN2PHXN75rnJquGZ |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos\kscbOO\2vlWto.swf | 96.22 KB |
MD5:
00951e1279592cfeeb5a87dbd45942a6
SHA1: f19e2b5acb8b2f160615d1e02a65b63432db31a2 SHA256: 109eff231aa2b88451690efcacf128dcf1fd0a09798e0b886328f10eb78e7be6 SSDeep: 1536:26IbJDHbJh4ZWPTyDM7+Ay+OPC98ZdBrWCJODKvb+M/GhODdGhNS:26UDHbJ6W7b+ALOPC60lmbVuhNhNS |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\QYqp7ps5mB.lnk | 1.03 KB |
MD5:
b9b0ddba908b376496c71281d52c1962
SHA1: 969ac223ebf30add198f239d3acf22cf2889fb6c SHA256: 093152d5432735935d3f4732e15c23161b28dbca1825c1ef57816cc27a64610c SSDeep: 24:J93DXxsT1xd+Hs/Pz79O259KQNv70CajjLK8t3L:ThaTdtXzw299ACkLK8tb |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\00p5vLt xbX.lnk | 0.66 KB |
MD5:
af73621fd8793d77342f09f6641bdec6
SHA1: 868fd8e151501152e47e00080ff0af39bb9114c3 SHA256: cb27a4d758dd0e3c073273bbf834ef6ffe900f71212b95e58169da3486d88ed8 SSDeep: 12:vD8TG8mUfUbdH/Jguvaz1zMTbqoE9YohO4fmZ1WYSgXtK5bg+LqWktVOvT0zc9:rShmnJryZguoE9YhcmZpSg+LqttVfA |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\K9_BFKsm6gjrGpCU.lnk | 0.84 KB |
MD5:
5ee24067646ac4bae5b4fd9a781e9cbe
SHA1: 3d63502217cdf1f4c4f2047fc3a81e3cf562d54d SHA256: b721411fc554b364745307e58082f37f20481b2a5f51fa2948323a14a2e24300 SSDeep: 24:vFU7k6cTO9Ht49Hc76cd708XM2MWWKtJp:vFU7k6Flt49ut0ksKrp |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\zMTJW8Dsc.lnk | 1.36 KB |
MD5:
7504e34924e8cb74b5068c0e6a3c5ea5
SHA1: 41cf1ea3314bbd68aea273c491df0df2e93b7122 SHA256: bf9d2cd500ec394eef1a91555c4e1a3c83f9851bab2b835eaa1e7297c7869c75 SSDeep: 24:gIXwU4Lv5bPo/s8WXv+lsxoJMrGzQVFzqPSFimEqCau3jeitQ9+YIHBC3lxn:gmwUuv5bPo0DvSJIGzLPSFi9au3KQQAg |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\poXHT9xhAcrp0Yo.lnk | 1.03 KB |
MD5:
3f7655d1340b26b022696627b26da2cc
SHA1: e6f52599cbd21be1af4d5ff3c40cc91de068e592 SHA256: 9176efcaccfe5c7ec4e7da2f5810ff273f6bc88995a73d128df67817554cc6da SSDeep: 24:pCzQG/DtJrYcEG6LFTDKo8ICdm8KfYhHjD5m+DiI0d2xc:6bpJzo5DK1dm8Kw18lI0d2C |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\FMnZT7MP3TB0L3.lnk | 1.02 KB |
MD5:
d171fb99aba222fa1ad8c69beabe3f17
SHA1: 59e938a3ad89592d3a4be6e8c7c6b048bdd91578 SHA256: cde7705955af094cfb9d007467c6d37f6cfd965cf7d658b76807c9dc3b6933cc SSDeep: 24:Ey8mEqpbfedZHacsASSUjE/7CP0pke5hjhuj5iDvGdLbwBxwSD4:QbqpzedOhw/7Crohjhuj54vjjwS0 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Gat4ii3taiw.lnk | 0.98 KB |
MD5:
ae7845aa6732556c84213c24d6254d70
SHA1: ff062310283f1c68659aedbd2404672f8bae7f51 SHA256: e97498ec4b3731917a889a7bc1fa22122ae66763cc2efcc40b52ee284e98a3ca SSDeep: 24:xk5pvp7jjtUTLv1AVMir1TS41Q/MKNO7iwY+ZHlh9/z:aTpPjtUTLdXirVSV0KmYg |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\LzxPE9bRZsj0N\Zyo85Jd4gSHjAVsjV.gif | 71.22 KB |
MD5:
78e29f53a0a01cc884868f6cb5267b76
SHA1: 6805d195fa3d9dc18a079bd7d7a4035abdc1c7b2 SHA256: e6f581bce7bc7dbb37ff347b5be1dae7e076b31ce57e6f7f8b9eff33609fa5a5 SSDeep: 1536:qZQGobWl8D2l7sDw0TflkadBkrB7F4SojAW5hrX:KobrD2SE0DlfBkFxoX5X |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\G--uCJBQv6-u-\3hK fW-nhuzGhzCyF.jpg | 27.91 KB |
MD5:
0d5c4757a11345386b936bc5f8b60527
SHA1: ecc668dbc05bfeeb277d1977965232bc4c39df7a SHA256: eddacb33fd8f6c72476859ad2fa33a23afbcb374880c1662cb5e992b70668c19 SSDeep: 384:dFzFaLsOZ9z0D2IgNMEMenu5iHiljo6HlJbrQsz8DlcVqMp3/Lh8v7qg:PRNI9z06997Wj9nXXqcqQ/L075 |
|
|
Host Behavior
File (7322)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\-42tUE1gV2.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\-42tUE1gV2.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\-cvcX Qn.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\-cvcX Qn.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\-e3Mp2d-PI.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\-e3Mp2d-PI.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\-HzS.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\-HzS.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\-n0RC1h1KI_sm3.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\-n0RC1h1KI_sm3.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\00p5vLt xbX.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\00p5vLt xbX.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\00_yfQNqHGFuHt64v1.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\00_yfQNqHGFuHt64v1.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\08m7p4.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\08m7p4.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\0RAKtw47d.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\0RAKtw47d.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\1E9x6o.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\1E9x6o.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\1UEZKTO5 S.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\1UEZKTO5 S.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\2FqWk.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\2FqWk.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\2JQ1gX.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\2JQ1gX.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\3hK fW-nhuzGhzCyF.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\3hK fW-nhuzGhzCyF.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\3zrj1.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\3zrj1.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\4M9GNaeWOnw2HrFq.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\4M9GNaeWOnw2HrFq.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\4TX0WLVzI0D.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\4TX0WLVzI0D.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\4UQKtgpXFhDlO9QReM.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\4UQKtgpXFhDlO9QReM.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\6nnSA.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\6nnSA.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\6ukdx.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\6ukdx.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\7qmJucxrSVDQh7.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\7qmJucxrSVDQh7.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\8JP_fHn2fAsy.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\8JP_fHn2fAsy.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\8MQwAP0_D5NFG dD.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\8MQwAP0_D5NFG dD.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\9m4LOZ8HMX8jF_V_h.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\9m4LOZ8HMX8jF_V_h.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\9mRe9.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\9mRe9.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\A-6CfSPMROK0fG74g-Zj.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\A-6CfSPMROK0fG74g-Zj.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\a3QnHpY8WxK1ea.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\a3QnHpY8WxK1ea.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\A4ItiusytGvu1_7.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\A4ItiusytGvu1_7.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\aA1x 4cIy.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\aA1x 4cIy.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\ag70uOVMAZyHaepYdjne.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\ag70uOVMAZyHaepYdjne.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\aWky26OAlQ8f6r.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\aWky26OAlQ8f6r.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\az88pgn.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\az88pgn.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AZC2.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AZC2.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\B05_T.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\B05_T.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\cLzrBwI9ELH8EUl_mr.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\cLzrBwI9ELH8EUl_mr.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CNfRGDwaADTpS.flv.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CNfRGDwaADTpS.flv.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CtG65B.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CtG65B.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\d Y_MLHa.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\d Y_MLHa.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\d2H7a-tYhvZsdzV7Kw0T.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\d2H7a-tYhvZsdzV7Kw0T.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
4 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\dEwwga9gIHgP7bGKwR36.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\dEwwga9gIHgP7bGKwR36.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Dt9dhKb.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Dt9dhKb.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\e6huRO7 BfdOE JzK.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\e6huRO7 BfdOE JzK.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\E6zmnTMjp.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\E6zmnTMjp.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\EH77pChgN.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\EH77pChgN.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Enw1.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Enw1.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\e_d9d.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\e_d9d.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\F925j.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\F925j.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\fBwW7 r5N (2).lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\fBwW7 r5N (2).lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\fBwW7 r5N.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\fBwW7 r5N.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Fe7T5WvwX3mnv_7K.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Fe7T5WvwX3mnv_7K.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Fh0-0-tlk.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Fh0-0-tlk.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\FMnZT7MP3TB0L3.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\FMnZT7MP3TB0L3.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\fwMACd.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\fwMACd.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\G--uCJBQv6-u-.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\G--uCJBQv6-u-.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\g5O83QgO-v7.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\g5O83QgO-v7.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Gat4ii3taiw.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Gat4ii3taiw.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\gf2Xpstl-3SsWOQBl (2).lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\gf2Xpstl-3SsWOQBl (2).lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\gf2Xpstl-3SsWOQBl.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\gf2Xpstl-3SsWOQBl.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\GHXa.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\GHXa.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\gHZm.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\gHZm.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Gk8oY7c.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Gk8oY7c.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Gqr Olni3uCq.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Gqr Olni3uCq.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\h5ZE6cD5v9t tme A-G.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\h5ZE6cD5v9t tme A-G.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\HE1R.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\HE1R.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\HFrGs.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\HFrGs.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\hih.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\hih.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Hn-6.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Hn-6.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\hvsxSLFjGgIvWh.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\hvsxSLFjGgIvWh.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\HzbGRo6Y.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\HzbGRo6Y.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\IJE5Cqpv5XA2m3m.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\IJE5Cqpv5XA2m3m.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\IsjTI.flv.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\IsjTI.flv.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\JcAiiI7bq.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\JcAiiI7bq.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\jiLoP1s77mzUlK6iOG4A.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\jiLoP1s77mzUlK6iOG4A.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\JJSZ6n05wI.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\JJSZ6n05wI.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\JPgSFw.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\JPgSFw.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\K9_BFKsm6gjrGpCU.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\K9_BFKsm6gjrGpCU.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\kd_M3jN.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\kd_M3jN.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\KeUJ5oCueYQJJFzt.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\KeUJ5oCueYQJJFzt.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\kqPHTpgPgkFex.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\kqPHTpgPgkFex.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\kscbOO.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\kscbOO.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\l0MLmWCXjKZ.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\l0MLmWCXjKZ.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\L0VH.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\L0VH.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\L5g5B6.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\L5g5B6.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\lN-gSBVjXH7S4Quo.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\lN-gSBVjXH7S4Quo.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\LzxPE9bRZsj0N.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\LzxPE9bRZsj0N.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\maZWJw8hU.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\maZWJw8hU.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\MGnZQV1D.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\MGnZQV1D.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\mSFbzT.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\mSFbzT.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Music.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Music.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\NGHgpHRGY.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\NGHgpHRGY.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\n_6iIbpL-Dw.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\n_6iIbpL-Dw.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\ODTY47iV0R.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\ODTY47iV0R.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\okHmUs.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\okHmUs.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\OMrih.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\OMrih.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\oSqIZuo5iz2iuOqFR.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\oSqIZuo5iz2iuOqFR.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\phsoFQ.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\phsoFQ.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Pictures.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Pictures.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\pkc6AG_LpRlnu-9-.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\pkc6AG_LpRlnu-9-.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\pLIymR0ZfD9imcx8V2H.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\pLIymR0ZfD9imcx8V2H.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\poXHT9xhAcrp0Yo.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\poXHT9xhAcrp0Yo.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\pptfNpe1BfneOLa.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\pptfNpe1BfneOLa.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\PRFX.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\PRFX.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\PYe7.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\PYe7.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\q9PB6-.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\q9PB6-.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Qa7KN-vTbOI6h.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Qa7KN-vTbOI6h.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\QlEnlER.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\QlEnlER.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\QOCXNrR-FN44qxjyc2.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\QOCXNrR-FN44qxjyc2.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\qrA9hvnxQuIXrz-kBi.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\qrA9hvnxQuIXrz-kBi.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\qTWuqh N53NYZck.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\qTWuqh N53NYZck.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\QYqp7ps5mB.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\QYqp7ps5mB.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\R6lD7xHD8T-ubO3-rd.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\R6lD7xHD8T-ubO3-rd.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\R7 9VVQ_Ob5C3PHQ.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\R7 9VVQ_Ob5C3PHQ.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\rGxJ8R0.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\rGxJ8R0.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\RL8XNe9oHqfUA86p.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\RL8XNe9oHqfUA86p.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Roaming.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Roaming.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\RrmS7r.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\RrmS7r.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\rspzeeQ4w0Au.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\rspzeeQ4w0Au.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\rxFiw9U9bm6LyT9g.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\rxFiw9U9bm6LyT9g.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\sasJA6VrgSyC4AEc.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\sasJA6VrgSyC4AEc.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\shyNwC.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\shyNwC.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Sl1P.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Sl1P.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\SQa8 vvXUjp_g5d.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\SQa8 vvXUjp_g5d.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\stCGxWNbc5wFp.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\stCGxWNbc5wFp.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\sYRXyP3UmUCc7I mkd_.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\sYRXyP3UmUCc7I mkd_.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\TllDAUU2CxF.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\TllDAUU2CxF.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\UELEI-EgHa.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\UELEI-EgHa.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\uItrk_jbFDkZ5N6T.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\uItrk_jbFDkZ5N6T.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\uwQJ.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\uwQJ.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\V4M4Zk zJ0onUYJXIl.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\V4M4Zk zJ0onUYJXIl.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\v6afBXu2KwQML_bnz2.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\v6afBXu2KwQML_bnz2.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\vg-2sbVgxsUfL6fnj8H.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\vg-2sbVgxsUfL6fnj8H.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Videos.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Videos.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\vRQ5tUuEKHqkKPnnz.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\vRQ5tUuEKHqkKPnnz.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\VVjOWuzx8w8tLEluosA.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\VVjOWuzx8w8tLEluosA.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\wHS8C.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\wHS8C.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\wk7e2LGGFK8X0Z.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\wk7e2LGGFK8X0Z.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\WlBenJ.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\WlBenJ.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\xeKWFIddBHaEN67 iC.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\xeKWFIddBHaEN67 iC.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\xFZ3UgkUHNIW.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\xFZ3UgkUHNIW.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\XILJaPf2QbTSe0.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\XILJaPf2QbTSe0.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\xvc5X_EuKq.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\xvc5X_EuKq.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\XVz99OD38.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\XVz99OD38.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\y sfavt_6-uR zUfBzh.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\y sfavt_6-uR zUfBzh.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\y1a4kAzLHPnL4SoS O_.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\y1a4kAzLHPnL4SoS O_.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\y3K K0vmpn.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\y3K K0vmpn.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\y8reS6m.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\y8reS6m.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\YWlhp1_r1Xzl.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\YWlhp1_r1Xzl.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\zMTJW8Dsc.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\zMTJW8Dsc.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\zozaK-qF 9YEvt.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\zozaK-qF 9YEvt.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\ZyJPALqhGX4Hsp7.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\ZyJPALqhGX4Hsp7.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Zyo85Jd4gSHjAVsjV.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Zyo85Jd4gSHjAVsjV.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\zz0GoIZI_KNNIh4a.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\zz0GoIZI_KNNIh4a.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Z_MokPYp K.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\Z_MokPYp K.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\_QpPI0V9w7jmp.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\_QpPI0V9w7jmp.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\_xN12rPpzNlGEeUEq29.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\_xN12rPpzNlGEeUEq29.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1bc9bbbe61f14501.automaticDestinations-ms | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1bc9bbbe61f14501.automaticDestinations-ms | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\319f01bf9fe00f2d.automaticDestinations-ms | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\319f01bf9fe00f2d.automaticDestinations-ms | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\61ebb1e65cfcb8da.automaticDestinations-ms | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\61ebb1e65cfcb8da.automaticDestinations-ms | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\6d2bac8f1edf6668.automaticDestinations-ms | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\6d2bac8f1edf6668.automaticDestinations-ms | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\7e4dca80246863e3.automaticDestinations-ms | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\969252ce11249fdd.automaticDestinations-ms | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\969252ce11249fdd.automaticDestinations-ms | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9cfafb05ce914942.automaticDestinations-ms | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9cfafb05ce914942.automaticDestinations-ms | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\b8ab77100df80ab2.automaticDestinations-ms | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\b8ab77100df80ab2.automaticDestinations-ms | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\d00655d2aa12ff6d.automaticDestinations-ms | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\d00655d2aa12ff6d.automaticDestinations-ms | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\eb282ead62b4db87.automaticDestinations-ms | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\eb282ead62b4db87.automaticDestinations-ms | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\fb3b0dbfee58fac8.automaticDestinations-ms | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\fb3b0dbfee58fac8.automaticDestinations-ms | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7e4dca80246863e3.customDestinations-ms | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7e4dca80246863e3.customDestinations-ms | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\969252ce11249fdd.customDestinations-ms | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\f01b4d95cf55d32a.customDestinations-ms | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\f01b4d95cf55d32a.customDestinations-ms | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\EB784XEVaS0_dY.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\UELEI-EgHa.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\Camera Roll\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\Camera Roll\desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\cLzrBwI9ELH8EUl_mr\7ZO5muiNIGYzs1.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\NiAQ3VHp8Zu.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\G--uCJBQv6-u-\3hK fW-nhuzGhzCyF.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\qTWuqh N53NYZck\fwMACd.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\qTWuqh N53NYZck\gjO 73rZ M4.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\qTWuqh N53NYZck\pkc6AG_LpRlnu-9-.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\qTWuqh N53NYZck\uItrk_jbFDkZ5N6T.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\qTWuqh N53NYZck\zMTJW8Dsc.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\R6lD7xHD8T-ubO3-rd\8JP_fHn2fAsy.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\R6lD7xHD8T-ubO3-rd\pv2DdR40ou-b2B8evhuj.gif | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\R6lD7xHD8T-ubO3-rd\pv2DdR40ou-b2B8evhuj.gif | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\R6lD7xHD8T-ubO3-rd\WlBenJ.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\R6lD7xHD8T-ubO3-rd\Z_MokPYp K.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\R6lD7xHD8T-ubO3-rd\zz0GoIZI_KNNIh4a\gVhnkpA.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\R6lD7xHD8T-ubO3-rd\zz0GoIZI_KNNIh4a\vRQ5tUuEKHqkKPnnz.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\sYRXyP3UmUCc7I mkd_\NJULNohQzh.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\hIWbt-R5mJ Llke0xho\sYRXyP3UmUCc7I mkd_\xvc5X_EuKq.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\LzxPE9bRZsj0N\JJSZ6n05wI.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\LzxPE9bRZsj0N\QlEnlER.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\LzxPE9bRZsj0N\Zyo85Jd4gSHjAVsjV.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\LzxPE9bRZsj0N\-HzS\L0VH.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\Saved Pictures\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\Saved Pictures\desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\uwQJ\-n0RC1h1KI_sm3.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\uwQJ\aA1x 4cIy.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\uwQJ\dEwwga9gIHgP7bGKwR36.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\uwQJ\RL8XNe9oHqfUA86p.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\maZWJw8hU.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\R7 9VVQ_Ob5C3PHQ.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\fBwW7 r5N\e_d9d.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\fBwW7 r5N\kqPHTpgPgkFex.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\fBwW7 r5N\MWDD3fMVUTnRZA.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\fBwW7 r5N\stCGxWNbc5wFp.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\NGHgpHRGY\5-kIDp8-bzm7egwPyy.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\NGHgpHRGY\iwRTQe8_.m4a | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\NGHgpHRGY\iwRTQe8_.m4a | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\NGHgpHRGY\n_6iIbpL-Dw.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\-e3Mp2d-PI.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\a3QnHpY8WxK1ea.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\jKcWe03_Z1ou wMT.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\qrA9hvnxQuIXrz-kBi\DZwan0p.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\qrA9hvnxQuIXrz-kBi\EH77pChgN.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\qrA9hvnxQuIXrz-kBi\y sfavt_6-uR zUfBzh.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\qrA9hvnxQuIXrz-kBi\PYe7\g5O83QgO-v7.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\qrA9hvnxQuIXrz-kBi\PYe7\TIn_ARo-MEx1p.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\_xN12rPpzNlGEeUEq29.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\9m4LOZ8HMX8jF_V_h.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\m-GVKfYhXB6T.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\vNVYUbOQ7x0Pi814.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\xeKWFIddBHaEN67 iC.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\B05_T\08m7p4.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\B05_T\ag70uOVMAZyHaepYdjne.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\B05_T\iPQyt.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\B05_T\qbEo.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\B05_T\vg-2sbVgxsUfL6fnj8H.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\QYqp7ps5mB\-42tUE1gV2\B05_T\W5vUQUjzm.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\9-jMlK1J06Z.swf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\sasJA6VrgSyC4AEc.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\ElxEIJtu-_rA.swf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\J1Ku s.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\MzwZZ.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\y8reS6m.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\zaD3n7 mmqSGIGhEu.flv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\rxFiw9U9bm6LyT9g\9yWpLzjHOCpe.flv | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\rxFiw9U9bm6LyT9g\9yWpLzjHOCpe.flv | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\rxFiw9U9bm6LyT9g\MVmj7hQl- u hjKWdH.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\rxFiw9U9bm6LyT9g\negNC64LftvX.swf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\25vyla9KzJI9nEe.flv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\9P5vIWV3lOKAM.swf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\B4a3CXGZxiUO-YbN51.swf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\JcAiiI7bq.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\MGnZQV1D.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\rspzeeQ4w0Au.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\YjGHp.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\d2H7a-tYhvZsdzV7Kw0T\1UEZKTO5 S.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\d2H7a-tYhvZsdzV7Kw0T\aWjCPF5VCvkE.flv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\d2H7a-tYhvZsdzV7Kw0T\El 5h qHBzdQQuQ0y63p.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\SQa8 vvXUjp_g5d\d2H7a-tYhvZsdzV7Kw0T\F925j.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\y3K K0vmpn\3zrj1.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\y3K K0vmpn\9r86svUYxeIc.swf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\y3K K0vmpn\FGbApjzVzIlNW.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\Hn-6\y3K K0vmpn\phsoFQ.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\kscbOO\2vlWto.swf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\kscbOO\l4gbd3wQGAh.flv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos\kscbOO\ODTY47iV0R.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\1E9x6o.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\2FqWk.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\6nnSA.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\Database1.accdb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\DlWnE.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\Dt9dhKb.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\DUii1j9HuykgCRKk.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\FCiMOpjqGPmFU0.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\Fh0-0-tlk.ods | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\Gat4ii3taiw.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\Gqr Olni3uCq.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\NuBo6HPNg.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\oSqIZuo5iz2iuOqFR.pps | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\pptfNpe1BfneOLa.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\tdVdq4X0JYdL.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\Tjz3tMJZz8.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\VVjOWuzx8w8tLEluosA.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\wk7e2LGGFK8X0Z.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\YWlhp1_r1Xzl.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\Favorites.vssx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\Favorites.vssx | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\_private\folder.ico | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\OMrih\0NTVcp BTflcPWN7FCj.ots | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\OMrih\4Z-bQL1 kRLVzZ8r.ots | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\OMrih\d Y_MLHa.odp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\OMrih\e6huRO7 BfdOE JzK.odt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\OMrih\lN-gSBVjXH7S4Quo.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\OMrih\rOLZ.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\OMrih\gf2Xpstl-3SsWOQBl\8MQwAP0_D5NFG dD.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\OMrih\gf2Xpstl-3SsWOQBl\9mRe9.odt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\OMrih\gf2Xpstl-3SsWOQBl\9pdaonXHjn.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\OMrih\gf2Xpstl-3SsWOQBl\blgtot1emYp.ots | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\OMrih\gf2Xpstl-3SsWOQBl\f9CNAAX-CCQjG-zrLuqx.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\OMrih\gf2Xpstl-3SsWOQBl\IoYP1j58wJWdG.odt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\OMrih\gf2Xpstl-3SsWOQBl\q9PB6-.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\OMrih\gf2Xpstl-3SsWOQBl\Sl1P.csv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\OMrih\gf2Xpstl-3SsWOQBl\TllDAUU2CxF.csv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\OMrih\gf2Xpstl-3SsWOQBl\wcIk.doc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\OMrih\gf2Xpstl-3SsWOQBl\XILJaPf2QbTSe0.ppt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\OMrih\KeUJ5oCueYQJJFzt\CtG65B.ppt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\OMrih\KeUJ5oCueYQJJFzt\HE1R.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\OMrih\KeUJ5oCueYQJJFzt\HFrGs.pps | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\OMrih\KeUJ5oCueYQJJFzt\IxrnmACj9Vmjcevb.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\OMrih\KeUJ5oCueYQJJFzt\lR01HU4Lr.odt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\OMrih\KeUJ5oCueYQJJFzt\XVz99OD38.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\OneNote Notebooks\My Notebook\Quick Notes.one | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Favorites\Bing.url | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Favorites\Bing.url | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Favorites\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Favorites\desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Favorites\Links\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Favorites\Links\desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\Public\Documents\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\Public\Documents\desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\Public\Pictures\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\Public\Pictures\desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\Public\Music\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\Public\Music\desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\Public\Videos\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\Public\Videos\desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\Public\Desktop\Acrobat Reader DC.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Desktop\Acrobat Reader DC.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Desktop\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\Public\Desktop\desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\Public\Desktop\Google Chrome.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Desktop\Google Chrome.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Desktop\Mozilla Firefox.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Desktop\Mozilla Firefox.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\-cvcX Qn.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\00p5vLt xbX.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\00_yfQNqHGFuHt64v1.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\2A5pVv5N.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\4GlynYCXpbRyePe.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\A-6CfSPMROK0fG74g-Zj.xls | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\aWky26OAlQ8f6r.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\az88pgn.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
4 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\E6zmnTMjp.odp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\Enw1.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\Fe7T5WvwX3mnv_7K.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\fwSMGY 8T1_Vmp.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\GHXa.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\gHZm.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\hih.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\hvsxSLFjGgIvWh.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\HzbGRo6Y.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\jiLoP1s77mzUlK6iOG4A.ppt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\JPgSFw.csv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\lbz uIFWEPpxo2ZVx6wj.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\lkYPcxH85KgpwT8.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\nLT0.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\Oo1FL c-lsQI 20dpg.swf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\QNw8RivG2FdzDoT6w.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\QOCXNrR-FN44qxjyc2.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\uKpxUuYO1PkhihtOk.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\v6afBXu2KwQML_bnz2.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\wHS8C.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\XyuEncrypt.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
4 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\YmyQuKCa6uf.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\ZR1kbnnjKcwkhC4U3Z.swf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\ZyJPALqhGX4Hsp7.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\_QpPI0V9w7jmp.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\l0MLmWCXjKZ\7qmJucxrSVDQh7.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\l0MLmWCXjKZ\h La5PakbEMKVp.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\l0MLmWCXjKZ\IJE5Cqpv5XA2m3m.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\l0MLmWCXjKZ\K9_BFKsm6gjrGpCU.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\l0MLmWCXjKZ\mqeKy-XpKEgFY8AjHJ.ots | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\l0MLmWCXjKZ\mSFbzT.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\l0MLmWCXjKZ\pLIymR0ZfD9imcx8V2H.ppt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\l0MLmWCXjKZ\PRFX.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\l0MLmWCXjKZ\rGxJ8R0.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\l0MLmWCXjKZ\sI-BFCbljwWDcLW5.odt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\l0MLmWCXjKZ\taGJFoA0OzRId.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\l0MLmWCXjKZ\VJwX.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\0RAKtw47d.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\2JQ1gX.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\3CZFOoupTGQXIb.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\4M9GNaeWOnw2HrFq.ods | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\4TX0WLVzI0D.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\4UQKtgpXFhDlO9QReM.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6ukdx.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\75-wgqXSdjOxU.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\A4ItiusytGvu1_7.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\arCRFTwnP.pps | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\AZC2.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\cDYYopjyW.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\CNfRGDwaADTpS.flv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\FMnZT7MP3TB0L3.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Gk8oY7c.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\h5ZE6cD5v9t tme A-G.odt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\I4d51v 16zFbNtlE.swf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\IsjTI.flv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\kd_M3jN.ods | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\L5g5B6.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\N2k0nehPI_DPwMxo.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\NpFxNoNsr7bqD.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\okHmUs.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\pFxvyS9.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\poXHT9xhAcrp0Yo.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Qa7KN-vTbOI6h.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\rK5x2F.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\RrmS7r.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\shyNwC.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\TnDnwlmA_OOl7YS8W.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\wEoyHQta_w7GziWd r.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\xFZ3UgkUHNIW.odp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\xIhOWl6rJBF 6ak.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\y1a4kAzLHPnL4SoS O_.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Yme L49sGIAxefbQ-c.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\zozaK-qF 9YEvt.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\zYbO.swf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\NativeCache\NativeCache.directory | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\NativeCache\NativeCache.directory | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Access\AccessCache.accdb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Access\System.mdw | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Bibliography\Style\GostName.XSL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Bibliography\Style\GostTitle.XSL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Bibliography\Style\IEEE2006OfficeOnline.xsl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Bibliography\Style\ISO690.XSL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Bibliography\Style\ISO690Nmerical.XSL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Bibliography\Style\SIST02.XSL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Bibliography\Style\TURABIAN.XSL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1462094071-1423818996-289466292-1000\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1462094071-1423818996-289466292-1000\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1462094071-1423818996-289466292-1000\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1462094071-1423818996-289466292-1000\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Outlook.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Outlook.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Excel 2016.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Excel 2016.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\OneNote 2016.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\OneNote 2016.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Outlook 2016.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Outlook 2016.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\PowerPoint 2016.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\PowerPoint 2016.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Project 2016.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Project 2016.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Visio 2016.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Visio 2016.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Word 2016.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Word 2016.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\MS Project\16\en-US\Global.MPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Office\MSO1033.acl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Office\Recent\Database1.LNK | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Office\Recent\Database1.LNK | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Office\Recent\Documents.LNK | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Office\Recent\Documents.LNK | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Office\Recent\Global.LNK | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Office\Recent\Global.LNK | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Office\Recent\index.dat | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Office\Recent\index.dat | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\OneNote\16.0\Preferences.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Outlook\Outlook.srs | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Outlook\Outlook.srs | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Outlook\Outlook.xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Outlook\Outlook.xml | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Protect\CREDHIST | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Protect\CREDHIST | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Protect\SYNCHIST | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Protect\SYNCHIST | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Protect\S-1-5-21-1462094071-1423818996-289466292-1000\04cd465a-248d-4abd-853a-5cb67fe43510 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Protect\S-1-5-21-1462094071-1423818996-289466292-1000\04cd465a-248d-4abd-853a-5cb67fe43510 | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Protect\S-1-5-21-1462094071-1423818996-289466292-1000\15d22704-736b-416f-a36b-857f2a5d2a7e | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Protect\S-1-5-21-1462094071-1423818996-289466292-1000\15d22704-736b-416f-a36b-857f2a5d2a7e | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Protect\S-1-5-21-1462094071-1423818996-289466292-1000\496f2c5b-a90f-4380-b805-3bf6ac63451b | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Protect\S-1-5-21-1462094071-1423818996-289466292-1000\496f2c5b-a90f-4380-b805-3bf6ac63451b | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Protect\S-1-5-21-1462094071-1423818996-289466292-1000\5b8a3202-35dc-4437-b5d7-374f5e872415 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Protect\S-1-5-21-1462094071-1423818996-289466292-1000\5b8a3202-35dc-4437-b5d7-374f5e872415 | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Protect\S-1-5-21-1462094071-1423818996-289466292-1000\d7746ecf-458e-4e71-8557-8ac80457022a | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Protect\S-1-5-21-1462094071-1423818996-289466292-1000\d7746ecf-458e-4e71-8557-8ac80457022a | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Protect\S-1-5-21-1462094071-1423818996-289466292-1000\Preferred | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Protect\S-1-5-21-1462094071-1423818996-289466292-1000\Preferred | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Calendar insights.xltm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Cashflow analysis.xltm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Email Insights.xltm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Normal.dotm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Process Map for Basic Flowchart.xltx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Process Map for Cross-Functional Flowchart.xltx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Stock symbols comparison.xltm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\Welcome to Excel.xltx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090430[[fn=Banded]].thmx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457444[[fn=Basis]].thmx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457464[[fn=Dividend]].thmx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457475[[fn=Frame]].thmx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457515[[fn=View]].thmx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033917[[fn=Berlin]].thmx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033927[[fn=Main Event]].thmx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033929[[fn=Slate]].thmx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033937[[fn=Vapor Trail]].thmx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001103[[fn=Headlines]].thmx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001104[[fn=Feathered]].thmx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001105[[fn=Crop]].thmx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001106[[fn=Badge]].thmx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001114[[fn=Gallery]].thmx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001115[[fn=Parcel]].thmx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328884[[fn=architecture]].glox | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328893[[fn=BracketList]].glox | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328893[[fn=BracketList]].glox | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328905[[fn=Chevron Accent]].glox | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328908[[fn=Circle Process]].glox | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328916[[fn=Converging Text]].glox | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328919[[fn=Hexagon Radial]].glox | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328925[[fn=Interconnected Block Process]].glox | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328932[[fn=Picture Frame]].glox | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328935[[fn=Picture Organization Chart]].glox | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328940[[fn=Radial Picture List]].glox | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328951[[fn=Tabbed Arc]].glox | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328951[[fn=Tabbed Arc]].glox | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328972[[fn=Tab List]].glox | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328975[[fn=Theme Picture Accent]].glox | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328983[[fn=Theme Picture Alternating Accent]].glox | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328986[[fn=Theme Picture Grid]].glox | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328990[[fn=Varying Width List]].glox | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328990[[fn=Varying Width List]].glox | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328998[[fn=Rings]].glox | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Libraries\CameraRoll.library-ms | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Libraries\CameraRoll.library-ms | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Libraries\SavedPictures.library-ms | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Libraries\SavedPictures.library-ms | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\SendTo\Compressed (zipped) Folder.ZFSendToTarget | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\SendTo\Compressed (zipped) Folder.ZFSendToTarget | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\SendTo\Desktop (create shortcut).DeskLink | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\SendTo\Desktop (create shortcut).DeskLink | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\SendTo\Documents.mydocs | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\SendTo\Documents.mydocs | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\SendTo\Fax Recipient.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\SendTo\Fax Recipient.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\SendTo\Mail Recipient.MAPIMail | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\SendTo\Mail Recipient.MAPIMail | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Magnify.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Magnify.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Narrator.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Narrator.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\computer.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\computer.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Control Panel.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Control Panel.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Default Apps.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Default Apps.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Devices.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Devices.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Run.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Run.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Windows Defender.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Windows Defender.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell (x86).lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell (x86).lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell ISE (x86).lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell ISE (x86).lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell ISE.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell ISE.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1440_900_POS4.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20170518000419 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20170518000419 | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\addons.json | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-addons.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-gfx.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist-plugins.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\blocklist.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\compatibility.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\containers.json | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\extensions.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\mimeTypes.rdf | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\mimeTypes.rdf | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\parent.lock | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\parent.lock | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\pluginreg.dat | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\pluginreg.dat | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\revocations.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\search.json.mozlz4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SecurityPreloadState.txt | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SecurityPreloadState.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionCheckpoints.json | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionCheckpoints.json | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SiteSecurityServiceState.txt | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SiteSecurityServiceState.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\times.json | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\times.json | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\xulstore.json | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\xulstore.json | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4 | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\store.json.mozlz4 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\crashes\store.json.mozlz4 | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\session-state.json | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\state.json | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\datareporting\archived\2017-05\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\saved-telemetry-pings\d896fec9-1a7a-4db1-a3a2-e46d95b631a5 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\previous.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\sessionstore-backups\upgrade.js-20170518000419 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata-v2 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\.metadata-v2 | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata-v2 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata-v2 | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\1 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Skype\RootTools\roottools.conf | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Skype\RootTools\roottools.conf | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\IconCache.db | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt15.lst | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt15.lst | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt17.lst | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt17.lst | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt15.lst | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt17.lst | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\UserCache.bin | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt15.lst | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt17.lst | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_0 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_1 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_2 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\index | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cookie\Cookies | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cookie\Cookies-journal | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cookie\Cookies-journal | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Color\ACECache11.lst | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Color\ACECache11.lst | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Color\Profiles\wscRGB.icc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Color\Profiles\wsRGB.icc | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Color\Profiles\wsRGB.icc | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Comms\Temp\CalendarCache.dat | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Comms\Temp\CalendarCache.dat | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Comms\UnistoreDB\store.vol | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Comms\UnistoreDB\USS.chk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Comms\UnistoreDB\USS.log | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Comms\UnistoreDB\USSres00001.jrs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Comms\UnistoreDB\USSres00002.jrs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Comms\UnistoreDB\USStmp.log | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\First Run | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\First Run | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Local State | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom Prefix Set | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs-journal | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs-journal | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Safe Browsing Csd Whitelist | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Safe Browsing Download | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Safe Browsing Download Whitelist | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Safe Browsing Extension Blacklist | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Safe Browsing IP Blacklist | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Safe Browsing IP Blacklist | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Safe Browsing Module Whitelist | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Safe Browsing Resource Blacklist | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Safe Browsing Resource Blacklist | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Safe Browsing UwS List | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Safe Browsing UwS List Prefix Set | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Crashpad\metadata | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Crashpad\metadata | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Move | C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\qrA9hvnxQuIXrz-kBi\EH77pChgN.wav.xuy | source_filename = C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\qrA9hvnxQuIXrz-kBi\EH77pChgN.wav |
|
1 | |
| Move | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk.xuy | source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk |
|
1 | |
| Move | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite.xuy | source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite |
|
1 | |
| Move | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies.xuy | source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies |
|
1 | |
| Move | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal.xuy | source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal |
|
1 | |
| Move | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies.xuy | source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies |
|
1 | |
| Move | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal.xuy | source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\History | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\History Provider Cache | size = 4096, size_out = 1412 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\History-journal | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000001 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000002 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000003 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000004 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000005 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000006 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000007 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000008 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000009 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000a | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000b | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000c | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000d | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000e | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000f | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000010 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000011 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000012 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000013 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000014 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000015 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000016 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000017 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000018 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001a | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001b | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001c | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001d | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001e | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001f | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\index | size = 4096, size_out = 4096 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Music\V4M4Zk zJ0onUYJXIl\qrA9hvnxQuIXrz-kBi\EH77pChgN.wav | size = 8192 |
|
1 | |
|
For performance reasons, the remaining 4000 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | value_name = DbgJITDebugLaunchSetting, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | value_name = DbgManagedDebugger, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | schtasks.exe | show_window = SW_HIDE |
|
1 |
Module (44)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | comctl32.dll | base_address = 0x7ff8d1870000 |
|
1 | |
| Load | comctl32.dll | base_address = 0x7ff8e57b0000 |
|
1 | |
| Get Handle | comctl32.dll | base_address = 0x0 |
|
2 | |
| Get Handle | c:\windows\system32\user32.dll | base_address = 0x7ff8ebdc0000 |
|
1 | |
| Get Handle | c:\users\ciihmnxmn6ps\desktop\xyuencrypt.exe | base_address = 0x270000 |
|
10 | |
| Get Handle | c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10240.16384_none_0212ec7eba871e86\comctl32.dll | base_address = 0x7ff8d1870000 |
|
21 | |
| Get Handle | c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\comctl32.dll | base_address = 0x7ff8e57b0000 |
|
7 | |
| Get Address | c:\windows\system32\user32.dll | function = DefWindowProcW, address_out = 0x7ff8ee413240 |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
Window (6)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = WindowsForms10.Window.8.app.0.141b42a_r10_ad1, wndproc_parameter = 0 |
|
1 | |
| Create | .NET-BroadcastEventWindow.4.0.0.0.141b42a.0 | class_name = .NET-BroadcastEventWindow.4.0.0.0.141b42a.0, wndproc_parameter = 0 |
|
1 | |
| Create | XUYENCRYPT | class_name = WindowsForms10.Window.8.app.0.141b42a_r10_ad1, wndproc_parameter = 0 |
|
1 | |
| Create | luxenburg@cock.lu | class_name = WindowsForms10.EDIT.app.0.141b42a_r10_ad1, wndproc_parameter = 0 |
|
1 | |
| Create | 12ZhVHBfxdwsstomsT6mzz18jTKN7uTc2r | class_name = WindowsForms10.EDIT.app.0.141b42a_r10_ad1, wndproc_parameter = 0 |
|
1 | |
| Create | YOUR PC XUY BALLS xD "Works for XUY" Your personal files were encrypted. You have 12 hours to decrypt the files. For the interpretation of it came bitcoins for 400€ at this address: 12ZhVHBfxdwsstomsT6mzz18jTKN7uTc2r Send evidence photos to the address luxenburg@cock.lu Then we will send you the recovery tool via email! If there is no payment, all data will be merged into The Internet. Any attempt to destroy this program will destroy All your decryptions. Any attempt to decrypt files will damage your files. NOTICE. Even if you fix the MBR, your PC is dead. The whole registry is fucked and your files are infected. | class_name = WindowsForms10.STATIC.app.0.141b42a_r10_ad1, wndproc_parameter = 0 |
|
1 |
Keyboard (25)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
6 | |
| Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
4 | |
| Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
4 | |
| Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
4 | |
| Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
4 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
3 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 |
Environment (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = ProgramData, result_out = C:\ProgramData |
|
2 | |
| Get Environment String | name = AppData, result_out = C:\Users\CIiHmnxMn6Ps\AppData\Roaming |
|
1 | |
| Get Environment String | name = LocalAppData, result_out = C:\Users\CIiHmnxMn6Ps\AppData\Local |
|
1 |
Process #2: schtasks.exe
13
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\schtasks.exe |
| Command Line | "C:\Windows\System32\schtasks.exe" /create /tn \Windows\Startup /tr C:\Users\CIiHmnxMn6Ps\Desktop\XyuEncrypt.exe /st 00:00 /du 9999:59 /sc daily /ri 3 /f |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:44, Reason: Child Process |
| Unmonitor | End Time: 00:00:47, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe68 |
| Parent PID | 0xe08 (c:\users\ciihmnxmn6ps\desktop\xyuencrypt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E6C
0x
E84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000000132b60000 | 0x132b60000 | 0x132b7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000132b60000 | 0x132b60000 | 0x132b6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000132b70000 | 0x132b70000 | 0x132b76fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000132b80000 | 0x132b80000 | 0x132b93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000132ba0000 | 0x132ba0000 | 0x132c1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000132c20000 | 0x132c20000 | 0x132c23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000132c30000 | 0x132c30000 | 0x132c30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000132c40000 | 0x132c40000 | 0x132c41fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x132c50000 | 0x132d0dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000132d10000 | 0x132d10000 | 0x132d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000132d90000 | 0x132d90000 | 0x132d96fff | Private Memory | rw |
|
|
|
- |
| schtasks.exe.mui | 0x132da0000 | 0x132db2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000132dc0000 | 0x132dc0000 | 0x132dc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000132dd0000 | 0x132dd0000 | 0x132dd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000132e30000 | 0x132e30000 | 0x132f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000132fd0000 | 0x132fd0000 | 0x132fdffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x132fe0000 | 0x133316fff | Memory Mapped File | r |
|
|
|
- |
| rpcss.dll | 0x133320000 | 0x1333f5fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff8e0000 | 0x7df5ff8e0000 | 0x7ff5ff8dffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6aab90000 | 0x7ff6aab90000 | 0x7ff6aac8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6aac90000 | 0x7ff6aac90000 | 0x7ff6aacb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6aacbb000 | 0x7ff6aacbb000 | 0x7ff6aacbcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6aacbd000 | 0x7ff6aacbd000 | 0x7ff6aacbefff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6aacbf000 | 0x7ff6aacbf000 | 0x7ff6aacbffff | Private Memory | rw |
|
|
|
- |
| schtasks.exe | 0x7ff6ab8c0000 | 0x7ff6ab8fcfff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ff8e6330000 | 0x7ff8e6365fff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x7ff8e7f80000 | 0x7ff8e803ffff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
COM (8)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | TaskScheduler | ITaskService | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = Connect |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = GetFolder, new_interface = ITaskFolder |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = NewTask, new_interface = ITaskDefinition |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Actions, new_interface = IActionCollection |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Triggers, new_interface = ITriggerCollection |
|
1 | |
| Execute | TaskScheduler | ITriggerCollection | method_name = Create, type = TASK_TRIGGER_DAILY, new_interface = IDailyTrigger |
|
1 | |
| Execute | TaskScheduler | IDailyTrigger | method_name = put_StartBoundary, start_boundary = 2018-11-11T00:00:00 |
|
1 |
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 78 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\schtasks.exe | base_address = 0x7ff6ab8c0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\schtasks.exe, file_name_orig = C:\Windows\System32\schtasks.exe, size = 260 |
|
2 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = Local Time, time = 2018-11-11 01:38:20 (Local Time) |
|
3 |
Process #4: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k netsvcs |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:45, Reason: Created Scheduled Job |
| Unmonitor | End Time: 00:04:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:48 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x330 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
E50
0x
E4C
0x
E48
0x
E44
0x
E40
0x
E3C
0x
E38
0x
E34
0x
E30
0x
E2C
0x
E28
0x
C0C
0x
C08
0x
3A8
0x
968
0x
714
0x
A04
0x
A80
0x
A74
0x
A54
0x
14C
0x
760
0x
89C
0x
874
0x
870
0x
7E0
0x
7BC
0x
788
0x
764
0x
75C
0x
74C
0x
6F8
0x
6F0
0x
6E0
0x
6D8
0x
6D0
0x
6C0
0x
684
0x
678
0x
66C
0x
660
0x
64C
0x
648
0x
60C
0x
5F4
0x
5C4
0x
598
0x
528
0x
510
0x
280
0x
498
0x
494
0x
100
0x
138
0x
1E4
0x
168
0x
12C
0x
130
0x
124
0x
FC
0x
F8
0x
3F0
0x
3D8
0x
3D4
0x
3CC
0x
3C0
0x
39C
0x
334
0x
E88
0x
E8C
0x
E98
0x
F34
0x
F38
0x
EF0
0x
F4C
0x
F50
0x
F54
0x
F58
0x
F5C
0x
F6C
0x
F70
0x
F74
0x
F84
0x
F98
0x
F9C
0x
C3C
0x
C2C
0x
C28
0x
8E0
0x
4D4
0x
7DC
0x
718
0x
6B4
0x
A2C
0x
610
0x
A48
0x
84
0x
2EC
0x
B84
0x
594
0x
820
0x
A40
0x
AE8
0x
B0
0x
CEC
0x
C70
0x
5FC
0x
854
0x
834
0x
D1C
0x
D30
0x
D6C
0x
D40
0x
BEC
0x
8DC
0x
4F4
0x
D88
0x
DAC
0x
DE8
0x
DF0
0x
DF4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000eaf3940000 | 0xeaf3940000 | 0xeaf394ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0xeaf3950000 | 0xeaf3950fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000eaf3960000 | 0xeaf3960000 | 0xeaf3973fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000eaf3980000 | 0xeaf3980000 | 0xeaf39fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf3a00000 | 0xeaf3a00000 | 0xeaf3a03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000eaf3a10000 | 0xeaf3a10000 | 0xeaf3a10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000eaf3a20000 | 0xeaf3a20000 | 0xeaf3a21fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xeaf3a30000 | 0xeaf3aedfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000eaf3af0000 | 0xeaf3af0000 | 0xeaf3b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf3b70000 | 0xeaf3b70000 | 0xeaf3b70fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf3b80000 | 0xeaf3b80000 | 0xeaf3b80fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf3b90000 | 0xeaf3b90000 | 0xeaf3b90fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000eaf3ba0000 | 0xeaf3ba0000 | 0xeaf3ba0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000eaf3bb0000 | 0xeaf3bb0000 | 0xeaf3bb0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf3bc0000 | 0xeaf3bc0000 | 0xeaf3bc1fff | Pagefile Backed Memory | r |
|
|
|
- |
| iphlpsvc.dll.mui | 0xeaf3bd0000 | 0xeaf3bdcfff | Memory Mapped File | r |
|
|
|
- |
| gpsvc.dll.mui | 0xeaf3be0000 | 0xeaf3becfff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0xeaf3bf0000 | 0xeaf3bf3fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0xeaf3c00000 | 0xeaf3c03fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000eaf3c10000 | 0xeaf3c10000 | 0xeaf3c16fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf3c20000 | 0xeaf3c20000 | 0xeaf3cdffff | Pagefile Backed Memory | r |
|
|
|
- |
| propsys.dll.mui | 0xeaf3ce0000 | 0xeaf3cf0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000eaf3d00000 | 0xeaf3d00000 | 0xeaf3dfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf3e00000 | 0xeaf3e00000 | 0xeaf3e7ffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0xeaf3e80000 | 0xeaf3ec2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000eaf3ed0000 | 0xeaf3ed0000 | 0xeaf3ed1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000eaf3ee0000 | 0xeaf3ee0000 | 0xeaf3ee0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000eaf3ef0000 | 0xeaf3ef0000 | 0xeaf3ef6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf3f00000 | 0xeaf3f00000 | 0xeaf3ffffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf4000000 | 0xeaf4000000 | 0xeaf4187fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000eaf4190000 | 0xeaf4190000 | 0xeaf4310fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000eaf4320000 | 0xeaf4320000 | 0xeaf441ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf4420000 | 0xeaf4420000 | 0xeaf451ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf4520000 | 0xeaf4520000 | 0xeaf4522fff | Pagefile Backed Memory | r |
|
|
|
- |
| vsstrace.dll.mui | 0xeaf4530000 | 0xeaf4538fff | Memory Mapped File | r |
|
|
|
- |
| activeds.dll.mui | 0xeaf4540000 | 0xeaf4541fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll | 0xeaf4550000 | 0xeaf4554fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000eaf4560000 | 0xeaf4560000 | 0xeaf4560fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf4570000 | 0xeaf4570000 | 0xeaf4570fff | Pagefile Backed Memory | rw |
|
|
|
- |
| winnlsres.dll.mui | 0xeaf4580000 | 0xeaf458ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000eaf4590000 | 0xeaf4590000 | 0xeaf4596fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf45a0000 | 0xeaf45a0000 | 0xeaf45b7fff | Private Memory | rw |
|
|
|
- |
| usocore.dll.mui | 0xeaf45c0000 | 0xeaf45c0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000eaf45d0000 | 0xeaf45d0000 | 0xeaf45d1fff | Pagefile Backed Memory | r |
|
|
|
- |
| mswsock.dll.mui | 0xeaf45e0000 | 0xeaf45e2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000eaf4600000 | 0xeaf4600000 | 0xeaf46fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf4700000 | 0xeaf4700000 | 0xeaf47fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xeaf4800000 | 0xeaf4b36fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000eaf4b40000 | 0xeaf4b40000 | 0xeaf4c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf4c40000 | 0xeaf4c40000 | 0xeaf4d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf4d40000 | 0xeaf4d40000 | 0xeaf4e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf4e40000 | 0xeaf4e40000 | 0xeaf4f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf4f40000 | 0xeaf4f40000 | 0xeaf503ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5070000 | 0xeaf5070000 | 0xeaf5076fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5080000 | 0xeaf5080000 | 0xeaf50fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5100000 | 0xeaf5100000 | 0xeaf51fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5200000 | 0xeaf5200000 | 0xeaf527ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5280000 | 0xeaf5280000 | 0xeaf52fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5300000 | 0xeaf5300000 | 0xeaf53fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5400000 | 0xeaf5400000 | 0xeaf54fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5500000 | 0xeaf5500000 | 0xeaf557ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5580000 | 0xeaf5580000 | 0xeaf55fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5600000 | 0xeaf5600000 | 0xeaf56fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5700000 | 0xeaf5700000 | 0xeaf57fffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0xeaf5800000 | 0xeaf588afff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000eaf5890000 | 0xeaf5890000 | 0xeaf598ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5990000 | 0xeaf5990000 | 0xeaf5a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5a90000 | 0xeaf5a90000 | 0xeaf5b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5b90000 | 0xeaf5b90000 | 0xeaf5c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5c90000 | 0xeaf5c90000 | 0xeaf5d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5d90000 | 0xeaf5d90000 | 0xeaf5e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf5f00000 | 0xeaf5f00000 | 0xeaf5ffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6080000 | 0xeaf6080000 | 0xeaf617ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6180000 | 0xeaf6180000 | 0xeaf627ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6280000 | 0xeaf6280000 | 0xeaf637ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6430000 | 0xeaf6430000 | 0xeaf652ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6530000 | 0xeaf6530000 | 0xeaf662ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6690000 | 0xeaf6690000 | 0xeaf670ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6770000 | 0xeaf6770000 | 0xeaf6776fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6780000 | 0xeaf6780000 | 0xeaf687ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6900000 | 0xeaf6900000 | 0xeaf69fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6a00000 | 0xeaf6a00000 | 0xeaf6afffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6b00000 | 0xeaf6b00000 | 0xeaf6b7ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0xeaf6b80000 | 0xeaf6c5efff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000eaf6c60000 | 0xeaf6c60000 | 0xeaf6d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6de0000 | 0xeaf6de0000 | 0xeaf6e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6e60000 | 0xeaf6e60000 | 0xeaf6f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf6f60000 | 0xeaf6f60000 | 0xeaf705ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7060000 | 0xeaf7060000 | 0xeaf715ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7160000 | 0xeaf7160000 | 0xeaf725ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7260000 | 0xeaf7260000 | 0xeaf735ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7360000 | 0xeaf7360000 | 0xeaf745ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7460000 | 0xeaf7460000 | 0xeaf755ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7560000 | 0xeaf7560000 | 0xeaf75dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf75e0000 | 0xeaf75e0000 | 0xeaf75e6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7600000 | 0xeaf7600000 | 0xeaf76fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7700000 | 0xeaf7700000 | 0xeaf77fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7800000 | 0xeaf7800000 | 0xeaf78fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7900000 | 0xeaf7900000 | 0xeaf79fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7a00000 | 0xeaf7a00000 | 0xeaf7afffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7b00000 | 0xeaf7b00000 | 0xeaf7bfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7c00000 | 0xeaf7c00000 | 0xeaf7cfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7d00000 | 0xeaf7d00000 | 0xeaf7dfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7e00000 | 0xeaf7e00000 | 0xeaf7efffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7f00000 | 0xeaf7f00000 | 0xeaf7f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf7f80000 | 0xeaf7f80000 | 0xeaf807ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8080000 | 0xeaf8080000 | 0xeaf817ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8190000 | 0xeaf8190000 | 0xeaf8196fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8200000 | 0xeaf8200000 | 0xeaf82fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8300000 | 0xeaf8300000 | 0xeaf837ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8380000 | 0xeaf8380000 | 0xeaf847ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8480000 | 0xeaf8480000 | 0xeaf857ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8580000 | 0xeaf8580000 | 0xeaf867ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8770000 | 0xeaf8770000 | 0xeaf8776fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8810000 | 0xeaf8810000 | 0xeaf8816fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000eaf8820000 | 0xeaf8820000 | 0xeaf891ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000eaf8920000 | 0xeaf8920000 | 0xeaf8a1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8a20000 | 0xeaf8a20000 | 0xeaf8b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8b20000 | 0xeaf8b20000 | 0xeaf8c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8d00000 | 0xeaf8d00000 | 0xeaf8dfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8e00000 | 0xeaf8e00000 | 0xeaf8efffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf8f00000 | 0xeaf8f00000 | 0xeaf8ffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf9000000 | 0xeaf9000000 | 0xeaf90fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf9100000 | 0xeaf9100000 | 0xeaf91fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf9200000 | 0xeaf9200000 | 0xeaf92fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf9300000 | 0xeaf9300000 | 0xeaf93fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf9400000 | 0xeaf9400000 | 0xeaf94fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eaf9500000 | 0xeaf9500000 | 0xeaf95fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff1f0000 | 0x7df5ff1f0000 | 0x7ff5ff1effff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff672ee2000 | 0x7ff672ee2000 | 0x7ff672ee3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672ee4000 | 0x7ff672ee4000 | 0x7ff672ee5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672ee6000 | 0x7ff672ee6000 | 0x7ff672ee7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672ee8000 | 0x7ff672ee8000 | 0x7ff672ee9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672eea000 | 0x7ff672eea000 | 0x7ff672eebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672eec000 | 0x7ff672eec000 | 0x7ff672eedfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672eee000 | 0x7ff672eee000 | 0x7ff672eeffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672ef0000 | 0x7ff672ef0000 | 0x7ff672ef1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672ef2000 | 0x7ff672ef2000 | 0x7ff672ef3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672ef4000 | 0x7ff672ef4000 | 0x7ff672ef5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672ef6000 | 0x7ff672ef6000 | 0x7ff672ef7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672ef8000 | 0x7ff672ef8000 | 0x7ff672ef9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672efa000 | 0x7ff672efa000 | 0x7ff672efbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672efc000 | 0x7ff672efc000 | 0x7ff672efdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672efe000 | 0x7ff672efe000 | 0x7ff672efffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672f00000 | 0x7ff672f00000 | 0x7ff672f01fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672f02000 | 0x7ff672f02000 | 0x7ff672f03fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672f04000 | 0x7ff672f04000 | 0x7ff672f05fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672f06000 | 0x7ff672f06000 | 0x7ff672f07fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672f08000 | 0x7ff672f08000 | 0x7ff672f09fff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 382 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #5: taskeng.exe
0
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\system32\taskeng.exe |
| Command Line | taskeng.exe {44452118-3584-4255-B3D4-11A946D6E1BB} S-1-5-21-1462094071-1423818996-289466292-1000:LHNIWSJ\CIiHmnxMn6Ps:Interactive:LUA[1] |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:24, Reason: Child Process |
| Unmonitor | End Time: 00:04:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:09 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xff8 |
| Parent PID | 0x330 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
FFC
0x
374
0x
570
0x
88C
0x
8C4
0x
C10
0x
C38
0x
E04
0x
DEC
0x
DE4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000ea43d90000 | 0xea43d90000 | 0xea43daffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ea43d90000 | 0xea43d90000 | 0xea43d9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000ea43da0000 | 0xea43da0000 | 0xea43da6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ea43db0000 | 0xea43db0000 | 0xea43dc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ea43dd0000 | 0xea43dd0000 | 0xea43e4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ea43e50000 | 0xea43e50000 | 0xea43e53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ea43e60000 | 0xea43e60000 | 0xea43e60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ea43e70000 | 0xea43e70000 | 0xea43e71fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xea43e80000 | 0xea43f3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ea43f40000 | 0xea43f40000 | 0xea43fbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ea43fc0000 | 0xea43fc0000 | 0xea43fc6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ea43fd0000 | 0xea43fd0000 | 0xea43fd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ea43fe0000 | 0xea43fe0000 | 0xea43feffff | Private Memory | rw |
|
|
|
- |
| taskeng.exe.mui | 0xea43ff0000 | 0xea43ff0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ea44000000 | 0xea44000000 | 0xea44000fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ea44010000 | 0xea44010000 | 0xea44010fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ea44020000 | 0xea44020000 | 0xea4411ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ea44120000 | 0xea44120000 | 0xea4419ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ea441a0000 | 0xea441a0000 | 0xea4421ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ea44220000 | 0xea44220000 | 0xea4422ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ea44230000 | 0xea44230000 | 0xea44236fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ea44250000 | 0xea44250000 | 0xea4425ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ea44260000 | 0xea44260000 | 0xea4435ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xea44360000 | 0xea44696fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ea446a0000 | 0xea446a0000 | 0xea4471ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ea44720000 | 0xea44720000 | 0xea4479ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ea447a0000 | 0xea447a0000 | 0xea44927fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ea44930000 | 0xea44930000 | 0xea44ab0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ea44ac0000 | 0xea44ac0000 | 0xea45ebffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007df5ff720000 | 0x7df5ff720000 | 0x7ff5ff71ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7275ee000 | 0x7ff7275ee000 | 0x7ff7275effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7275f0000 | 0x7ff7275f0000 | 0x7ff7276effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7276f0000 | 0x7ff7276f0000 | 0x7ff727712fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff727714000 | 0x7ff727714000 | 0x7ff727715fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff727716000 | 0x7ff727716000 | 0x7ff727717fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff727718000 | 0x7ff727718000 | 0x7ff727719fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff72771a000 | 0x7ff72771a000 | 0x7ff72771bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff72771c000 | 0x7ff72771c000 | 0x7ff72771cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff72771e000 | 0x7ff72771e000 | 0x7ff72771ffff | Private Memory | rw |
|
|
|
- |
| taskeng.exe | 0x7ff727b80000 | 0x7ff727bccfff | Memory Mapped File | rwx |
|
|
|
- |
| tschannel.dll | 0x7ff8db900000 | 0x7ff8db908fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ff8e6330000 | 0x7ff8e6365fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ff8e9680000 | 0x7ff8e9715fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #6: xyuencrypt.exe
4
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\users\ciihmnxmn6ps\desktop\xyuencrypt.exe |
| Command Line | C:\Users\CIiHmnxMn6Ps\Desktop\XyuEncrypt.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:25, Reason: Child Process |
| Unmonitor | End Time: 00:01:50, Reason: Self Terminated |
| Monitor Duration | 00:00:25 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc04 |
| Parent PID | 0xff8 (c:\windows\system32\taskeng.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C44
0x
C50
0x
318
0x
53C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| xyuencrypt.exe | 0x000f0000 | 0x000f9fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000100000 | 0x00100000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x0010ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00116fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0023ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00243fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00250fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00261fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00276fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00286fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x003b0000 | 0x0046dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x00570fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x0058ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x0059ffff | Private Memory | - |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x00747fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x00750fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x00920fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x01d2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001d30000 | 0x01d30000 | 0x01e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e30000 | 0x01e30000 | 0x01e3ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000001e80000 | 0x01e80000 | 0x01e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e90000 | 0x01e90000 | 0x19e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000019e90000 | 0x19e90000 | 0x1a1fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001a200000 | 0x1a200000 | 0x1a30afff | Private Memory | rw |
|
|
|
- |
| private_0x000000001a310000 | 0x1a310000 | 0x1a40ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x1a410000 | 0x1a746fff | Memory Mapped File | r |
|
|
|
- |
| rpcss.dll | 0x1a750000 | 0x1a825fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000001a750000 | 0x1a750000 | 0x1a91ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00007ff5feef0000 | 0x7ff5feef0000 | 0x7ff5feefffff | Private Memory | rwx |
|
|
|
- |
| private_0x00007ff5fef00000 | 0x7ff5fef00000 | 0x7ff5fef9ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00007ff5fefa0000 | 0x7ff5fefa0000 | 0x7ff5ff09ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff5ff0a0000 | 0x7ff5ff0a0000 | 0x7ff5ff0c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff5ff0c3000 | 0x7ff5ff0c3000 | 0x7ff5ff0c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ff0c8000 | 0x7ff5ff0c8000 | 0x7ff5ff0c9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ff0ca000 | 0x7ff5ff0ca000 | 0x7ff5ff0cbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ff0cc000 | 0x7ff5ff0cc000 | 0x7ff5ff0cdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ff0ce000 | 0x7ff5ff0ce000 | 0x7ff5ff0cffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff875ae0000 | 0x7ff875ae0000 | 0x7ff875aeffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff875af0000 | 0x7ff875af0000 | 0x7ff875afffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff875b00000 | 0x7ff875b00000 | 0x7ff875b8ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff875b90000 | 0x7ff875b90000 | 0x7ff875bfffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff875c00000 | 0x7ff875c00000 | 0x7ff875c3ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff875c40000 | 0x7ff875c40000 | 0x7ff875c4ffff | Private Memory | - |
|
|
|
- |
| system.windows.forms.ni.dll | 0x7ff8d1ee0000 | 0x7ff8d2dbffff | Memory Mapped File | rwx |
|
|
|
- |
| system.drawing.ni.dll | 0x7ff8d2dc0000 | 0x7ff8d2fa9fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x7ff8d2fb0000 | 0x7ff8d3bc3fff | Memory Mapped File | rwx |
|
|
|
- |
| clrjit.dll | 0x7ff8d3bd0000 | 0x7ff8d3cd0fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x7ff8d3ce0000 | 0x7ff8d517afff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr120_clr0400.dll | 0x7ff8d5180000 | 0x7ff8d5276fff | Memory Mapped File | rwx |
|
|
|
- |
| clr.dll | 0x7ff8d5280000 | 0x7ff8d5bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7ff8d5f40000 | 0x7ff8d5fd6fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7ff8d5fe0000 | 0x7ff8d6047fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ff8e3a50000 | 0x7ff8e3a59fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ff8e9680000 | 0x7ff8e9715fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 |
Process #7: sc.exe
8
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\system32\sc.exe |
| Command Line | C:\Windows\system32\sc.exe start wuauserv |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:49, Reason: Child Process |
| Unmonitor | End Time: 00:01:54, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7a8 |
| Parent PID | 0x330 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
884
0x
AEC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000001e5b0b0000 | 0x1e5b0b0000 | 0x1e5b0cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001e5b0b0000 | 0x1e5b0b0000 | 0x1e5b0bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000001e5b0c0000 | 0x1e5b0c0000 | 0x1e5b0c6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001e5b0d0000 | 0x1e5b0d0000 | 0x1e5b0e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001e5b0f0000 | 0x1e5b0f0000 | 0x1e5b16ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001e5b170000 | 0x1e5b170000 | 0x1e5b173fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001e5b180000 | 0x1e5b180000 | 0x1e5b180fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001e5b190000 | 0x1e5b190000 | 0x1e5b191fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e5b1a0000 | 0x1e5b1a0000 | 0x1e5b1a6fff | Private Memory | rw |
|
|
|
- |
| sc.exe.mui | 0x1e5b1b0000 | 0x1e5b1c1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001e5b1f0000 | 0x1e5b1f0000 | 0x1e5b2effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x1e5b2f0000 | 0x1e5b3adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001e5b3b0000 | 0x1e5b3b0000 | 0x1e5b42ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e5b4c0000 | 0x1e5b4c0000 | 0x1e5b4cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff1c0000 | 0x7df5ff1c0000 | 0x7ff5ff1bffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7f7490000 | 0x7ff7f7490000 | 0x7ff7f758ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7f7590000 | 0x7ff7f7590000 | 0x7ff7f75b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7f75b3000 | 0x7ff7f75b3000 | 0x7ff7f75b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7f75bc000 | 0x7ff7f75bc000 | 0x7ff7f75bdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7f75be000 | 0x7ff7f75be000 | 0x7ff7f75bffff | Private Memory | rw |
|
|
|
- |
| sc.exe | 0x7ff7f7e40000 | 0x7ff7f7e55fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 425 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\sc.exe | base_address = 0x7ff7f7e40000 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | service_name = wuauserv |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Start | service_name = wuauserv |
|
1 |
Process #9: System
0
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | System |
| Command Line | - |
| Initial Working Directory | - |
| Monitor | Start Time: 00:01:50, Reason: Created Daemon |
| Unmonitor | End Time: 00:04:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:43 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4 |
| Parent PID | 0x10c (c:\windows\system32\smss.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
F48
0x
1C
0x
13C
0x
B4
0x
18
0x
CFC
0x
CF0
0x
884
0x
D0
0x
7A8
0x
768
0x
570
0x
80
0x
CC
0x
8C8
0x
2F8
0x
30
0x
640
0x
190
0x
564
0x
318
0x
87C
0x
888
0x
0
0x
BFC
0x
BF0
0x
BEC
0x
BE8
0x
B78
0x
B6C
0x
38
0x
99C
0x
990
0x
10
0x
900
0x
8E0
0x
8B8
0x
8B0
0x
6B4
0x
5FC
0x
6C
0x
E8
0x
C8
0x
664
0x
63C
0x
638
0x
624
0x
5EC
0x
59C
0x
58C
0x
584
0x
48
0x
178
0x
17C
0x
4DC
0x
4C0
0x
B0
0x
480
0x
474
0x
8C
0x
144
0x
74
0x
148
0x
358
0x
3C
0x
2C4
0x
84
0x
70
0x
14C
0x
44
0x
14
0x
64
0x
78
0x
1B4
0x
108
0x
180
0x
174
0x
170
0x
168
0x
20
0x
144
0x
12C
0x
7C
0x
F4
0x
34
0x
A8
0x
128
0x
124
0x
C4
0x
A4
0x
BC
0x
60
0x
114
0x
B8
0x
88
0x
C0
0x
F0
0x
8
0x
AE0
0x
4F0
0x
BE8
0x
2C
0x
994
0x
28
0x
5C
0x
E14
0x
DB8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000006180000000 | 0x6180000000 | 0x6180000fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000006180010000 | 0x6180010000 | 0x6180010fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000006180020000 | 0x6180020000 | 0x6180020fff | Pagefile Backed Memory | rw |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #10: services.exe
0
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\system32\services.exe |
| Command Line | C:\Windows\system32\services.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:50, Reason: Created Daemon |
| Unmonitor | End Time: 00:04:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:43 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1e8 |
| Parent PID | 0x198 (c:\windows\system32\wininit.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
354
0x
324
0x
294
0x
260
0x
238
0x
630
0x
898
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000005df6210000 | 0x5df6210000 | 0x5df621ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| services.exe.mui | 0x5df6220000 | 0x5df6224fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000005df6230000 | 0x5df6230000 | 0x5df6243fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005df62d0000 | 0x5df62d0000 | 0x5df62d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005df62e0000 | 0x5df62e0000 | 0x5df62e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x5df62f0000 | 0x5df63adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005df6430000 | 0x5df6430000 | 0x5df6430fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6460000 | 0x5df6460000 | 0x5df6466fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6470000 | 0x5df6470000 | 0x5df64effff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6500000 | 0x5df6500000 | 0x5df65fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df66e0000 | 0x5df66e0000 | 0x5df66e6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6700000 | 0x5df6700000 | 0x5df67fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6800000 | 0x5df6800000 | 0x5df687ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6880000 | 0x5df6880000 | 0x5df68fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6900000 | 0x5df6900000 | 0x5df697ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6b00000 | 0x5df6b00000 | 0x5df6b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005df6c00000 | 0x5df6c00000 | 0x5df6cfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff8d0000 | 0x7df5ff8d0000 | 0x7ff5ff8cffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff79a786000 | 0x7ff79a786000 | 0x7ff79a787fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff79a78e000 | 0x7ff79a78e000 | 0x7ff79a78ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff79a790000 | 0x7ff79a790000 | 0x7ff79a88ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff79a890000 | 0x7ff79a890000 | 0x7ff79a8b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff79a8b3000 | 0x7ff79a8b3000 | 0x7ff79a8b4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff79a8b5000 | 0x7ff79a8b5000 | 0x7ff79a8b6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff79a8b7000 | 0x7ff79a8b7000 | 0x7ff79a8b7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff79a8ba000 | 0x7ff79a8ba000 | 0x7ff79a8bbfff | Private Memory | rw |
|
|
|
- |
| services.exe | 0x7ff79a960000 | 0x7ff79a9cffff | Memory Mapped File | rwx |
|
|
|
- |
| usermgrcli.dll | 0x7ff8e7d10000 | 0x7ff8e7d1ffff | Memory Mapped File | rwx |
|
|
|
- |
| authz.dll | 0x7ff8e9ec0000 | 0x7ff8e9f07fff | Memory Mapped File | rwx |
|
|
|
- |
| scesrv.dll | 0x7ff8e9f10000 | 0x7ff8e9f9dfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ff8ea010000 | 0x7ff8ea035fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ff8ea5c0000 | 0x7ff8ea61cfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| spinf.dll | 0x7ff8eab80000 | 0x7ff8eab9afff | Memory Mapped File | rwx |
|
|
|
- |
| eventaggregation.dll | 0x7ff8eaba0000 | 0x7ff8eabb9fff | Memory Mapped File | rwx |
|
|
|
- |
| dabapi.dll | 0x7ff8eabc0000 | 0x7ff8eabc7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ff8ee040000 | 0x7ff8ee0a8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ff8ee250000 | 0x7ff8ee257fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #11: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k DcomLaunch |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:50, Reason: Child Process |
| Unmonitor | End Time: 00:04:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:43 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x248 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
FA0
0x
6B8
0x
A58
0x
A5C
0x
BD8
0x
8A0
0x
5D0
0x
484
0x
404
0x
424
0x
244
0x
578
0x
3DC
0x
328
0x
320
0x
2D4
0x
2D0
0x
2AC
0x
2A8
0x
288
0x
270
0x
25C
0x
24C
0x
AF0
0x
E00
0x
D0C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000082264c0000 | 0x82264c0000 | 0x82264cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000082264d0000 | 0x82264d0000 | 0x82264d4fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000082264e0000 | 0x82264e0000 | 0x82264f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008226500000 | 0x8226500000 | 0x822657ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008226580000 | 0x8226580000 | 0x8226583fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008226590000 | 0x8226590000 | 0x8226590fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000082265a0000 | 0x82265a0000 | 0x82265a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000082265b0000 | 0x82265b0000 | 0x822662ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008226630000 | 0x8226630000 | 0x8226630fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000008226640000 | 0x8226640000 | 0x8226640fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008226650000 | 0x8226650000 | 0x8226650fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008226660000 | 0x8226660000 | 0x8226666fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008226670000 | 0x8226670000 | 0x82266effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000082266f0000 | 0x82266f0000 | 0x82266f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000008226700000 | 0x8226700000 | 0x82267fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x8226800000 | 0x82268bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000082268c0000 | 0x82268c0000 | 0x82269bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000082269c0000 | 0x82269c0000 | 0x8226a3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008226a40000 | 0x8226a40000 | 0x8226abffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008226ac0000 | 0x8226ac0000 | 0x8226ac0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008226ad0000 | 0x8226ad0000 | 0x8226ad0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008226ae0000 | 0x8226ae0000 | 0x8226ae0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008226af0000 | 0x8226af0000 | 0x8226af6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008226b00000 | 0x8226b00000 | 0x8226bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008226c00000 | 0x8226c00000 | 0x8226c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008226c80000 | 0x8226c80000 | 0x8226cfffff | Private Memory | rw |
|
|
|
- |
| lsm.dll.mui | 0x8226d00000 | 0x8226d02fff | Memory Mapped File | r |
|
|
|
- |
| svchost.exe.mui | 0x8226d10000 | 0x8226d10fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008226d20000 | 0x8226d20000 | 0x8226d20fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008226d30000 | 0x8226d30000 | 0x8226d30fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008226d40000 | 0x8226d40000 | 0x8226d40fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008226d50000 | 0x8226d50000 | 0x8226d50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008226d70000 | 0x8226d70000 | 0x8226d76fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008226d80000 | 0x8226d80000 | 0x8226dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008226e00000 | 0x8226e00000 | 0x8226efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008226f00000 | 0x8226f00000 | 0x8226ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008227000000 | 0x8227000000 | 0x82270fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008227100000 | 0x8227100000 | 0x82271fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008227200000 | 0x8227200000 | 0x82272fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008227300000 | 0x8227300000 | 0x82273fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008227400000 | 0x8227400000 | 0x82274fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008227520000 | 0x8227520000 | 0x8227526fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008227530000 | 0x8227530000 | 0x82275effff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008227600000 | 0x8227600000 | 0x82276fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x8227700000 | 0x8227a36fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008227a40000 | 0x8227a40000 | 0x8227b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008227b40000 | 0x8227b40000 | 0x8227bbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008227bc0000 | 0x8227bc0000 | 0x8227be9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000008227c00000 | 0x8227c00000 | 0x8227cfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008227d00000 | 0x8227d00000 | 0x8227e87fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008227e90000 | 0x8227e90000 | 0x8228010fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008228020000 | 0x8228020000 | 0x822811ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008228120000 | 0x8228120000 | 0x822821ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008228220000 | 0x8228220000 | 0x822831ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008228320000 | 0x8228320000 | 0x822839ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000082283a0000 | 0x82283a0000 | 0x822841ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008228420000 | 0x8228420000 | 0x822849ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000082284a0000 | 0x82284a0000 | 0x822851ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffe00000 | 0x7df5ffe00000 | 0x7ff5ffdfffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff67319e000 | 0x7ff67319e000 | 0x7ff67319ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731a0000 | 0x7ff6731a0000 | 0x7ff6731a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731a2000 | 0x7ff6731a2000 | 0x7ff6731a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731a4000 | 0x7ff6731a4000 | 0x7ff6731a5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731a6000 | 0x7ff6731a6000 | 0x7ff6731a7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731a8000 | 0x7ff6731a8000 | 0x7ff6731a9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731aa000 | 0x7ff6731aa000 | 0x7ff6731abfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731ac000 | 0x7ff6731ac000 | 0x7ff6731adfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731ae000 | 0x7ff6731ae000 | 0x7ff6731affff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731b0000 | 0x7ff6731b0000 | 0x7ff6731b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731b2000 | 0x7ff6731b2000 | 0x7ff6731b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731b4000 | 0x7ff6731b4000 | 0x7ff6731b5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731b6000 | 0x7ff6731b6000 | 0x7ff6731b7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731b8000 | 0x7ff6731b8000 | 0x7ff6731b9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731ba000 | 0x7ff6731ba000 | 0x7ff6731bbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731bc000 | 0x7ff6731bc000 | 0x7ff6731bdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6731be000 | 0x7ff6731be000 | 0x7ff6731bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6731c0000 | 0x7ff6731c0000 | 0x7ff6732bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6732c0000 | 0x7ff6732c0000 | 0x7ff6732e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6732e3000 | 0x7ff6732e3000 | 0x7ff6732e4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6732e5000 | 0x7ff6732e5000 | 0x7ff6732e5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6732e6000 | 0x7ff6732e6000 | 0x7ff6732e7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6732e8000 | 0x7ff6732e8000 | 0x7ff6732e9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6732ea000 | 0x7ff6732ea000 | 0x7ff6732ebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6732ec000 | 0x7ff6732ec000 | 0x7ff6732edfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6732ee000 | 0x7ff6732ee000 | 0x7ff6732effff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff673b40000 | 0x7ff673b4cfff | Memory Mapped File | rwx |
|
|
|
- |
| capauthz.dll | 0x7ff8dee80000 | 0x7ff8dee95fff | Memory Mapped File | rwx |
|
|
|
- |
| licensemanagerapi.dll | 0x7ff8deea0000 | 0x7ff8deeabfff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelproxy.dll | 0x7ff8df190000 | 0x7ff8df1a4fff | Memory Mapped File | rwx |
|
|
|
- |
| sebbackgroundmanagerpolicy.dll | 0x7ff8df1b0000 | 0x7ff8df1bdfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.networking.backgroundtransfer.backgroundmanagerpolicy.dll | 0x7ff8df1c0000 | 0x7ff8df1d7fff | Memory Mapped File | rwx |
|
|
|
- |
| acpbackgroundmanagerpolicy.dll | 0x7ff8df1e0000 | 0x7ff8df1f6fff | Memory Mapped File | rwx |
|
|
|
- |
| cbtbackgroundmanagerpolicy.dll | 0x7ff8df200000 | 0x7ff8df20bfff | Memory Mapped File | rwx |
|
|
|
- |
| backgroundmediapolicy.dll | 0x7ff8df210000 | 0x7ff8df21ffff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelclient.dll | 0x7ff8df3b0000 | 0x7ff8df3f2fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ff8df640000 | 0x7ff8dfaa9fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp110_win.dll | 0x7ff8e60a0000 | 0x7ff8e6131fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ff8e79b0000 | 0x7ff8e7b32fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ff8e7b40000 | 0x7ff8e7bb1fff | Memory Mapped File | rwx |
|
|
|
- |
| usermgrcli.dll | 0x7ff8e7d10000 | 0x7ff8e7d1ffff | Memory Mapped File | rwx |
|
|
|
- |
| bi.dll | 0x7ff8e8040000 | 0x7ff8e804bfff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ff8e8ad0000 | 0x7ff8e8ae2fff | Memory Mapped File | rwx |
|
|
|
- |
| coremessaging.dll | 0x7ff8e9060000 | 0x7ff8e9127fff | Memory Mapped File | rwx |
|
|
|
- |
| dab.dll | 0x7ff8e9580000 | 0x7ff8e95a0fff | Memory Mapped File | rwx |
|
|
|
- |
| brokerlib.dll | 0x7ff8e95b0000 | 0x7ff8e95eefff | Memory Mapped File | rwx |
|
|
|
- |
| systemeventsbrokerserver.dll | 0x7ff8e95f0000 | 0x7ff8e9651fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ff8e9720000 | 0x7ff8e9746fff | Memory Mapped File | rwx |
|
|
|
- |
| wmsgapi.dll | 0x7ff8e9770000 | 0x7ff8e9778fff | Memory Mapped File | rwx |
|
|
|
- |
| sysntfy.dll | 0x7ff8e9780000 | 0x7ff8e978bfff | Memory Mapped File | rwx |
|
|
|
- |
| lsm.dll | 0x7ff8e9790000 | 0x7ff8e9850fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ff8e9860000 | 0x7ff8e994dfff | Memory Mapped File | rwx |
|
|
|
- |
| psmserviceexthost.dll | 0x7ff8e9950000 | 0x7ff8e99d3fff | Memory Mapped File | rwx |
|
|
|
- |
| rmclient.dll | 0x7ff8e99e0000 | 0x7ff8e9a07fff | Memory Mapped File | rwx |
|
|
|
- |
| psmsrv.dll | 0x7ff8e9a10000 | 0x7ff8e9a41fff | Memory Mapped File | rwx |
|
|
|
- |
| bisrv.dll | 0x7ff8e9a50000 | 0x7ff8e9ad5fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcss.dll | 0x7ff8e9bf0000 | 0x7ff8e9ccafff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ff8e9cd0000 | 0x7ff8e9cf2fff | Memory Mapped File | rwx |
|
|
|
- |
| tdh.dll | 0x7ff8e9d00000 | 0x7ff8e9df7fff | Memory Mapped File | rwx |
|
|
|
- |
| hid.dll | 0x7ff8e9e00000 | 0x7ff8e9e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| umpoext.dll | 0x7ff8e9e10000 | 0x7ff8e9e25fff | Memory Mapped File | rwx |
|
|
|
- |
| umpo.dll | 0x7ff8e9e30000 | 0x7ff8e9e4afff | Memory Mapped File | rwx |
|
|
|
- |
| umpnpmgr.dll | 0x7ff8e9e50000 | 0x7ff8e9e6ffff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ff8ea820000 | 0x7ff8ea877fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| eventaggregation.dll | 0x7ff8eaba0000 | 0x7ff8eabb9fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ff8eaf60000 | 0x7ff8eafa3fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| coml2.dll | 0x7ff8ee260000 | 0x7ff8ee2cefff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #12: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k RPCSS |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:50, Reason: Child Process |
| Unmonitor | End Time: 00:04:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:43 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x268 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
278
0x
B10
0x
B68
0x
934
0x
8AC
0x
694
0x
3E0
0x
31C
0x
310
0x
2A4
0x
29C
0x
290
0x
28C
0x
284
0x
26C
0x
D44
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000007976fb0000 | 0x7976fb0000 | 0x7976fbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| mswsock.dll.mui | 0x7976fc0000 | 0x7976fc2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000007976fd0000 | 0x7976fd0000 | 0x7976fe3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007976ff0000 | 0x7976ff0000 | 0x797706ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007977070000 | 0x7977070000 | 0x7977073fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000007977080000 | 0x7977080000 | 0x7977080fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007977090000 | 0x7977090000 | 0x7977091fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x79770a0000 | 0x797715dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000007977160000 | 0x7977160000 | 0x7977160fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007977170000 | 0x7977170000 | 0x7977176fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007977180000 | 0x7977180000 | 0x7977180fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000079771a0000 | 0x79771a0000 | 0x79771a6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000007977200000 | 0x7977200000 | 0x79772fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007977380000 | 0x7977380000 | 0x79773fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007977480000 | 0x7977480000 | 0x797757ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007977600000 | 0x7977600000 | 0x79776fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x7977700000 | 0x7977a36fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000007977a40000 | 0x7977a40000 | 0x7977b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007977b40000 | 0x7977b40000 | 0x7977c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007977c40000 | 0x7977c40000 | 0x7977d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007977d40000 | 0x7977d40000 | 0x7977e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007977e40000 | 0x7977e40000 | 0x7977f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007977f40000 | 0x7977f40000 | 0x797803ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007978040000 | 0x7978040000 | 0x797813ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007978200000 | 0x7978200000 | 0x79782fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007978300000 | 0x7978300000 | 0x79783fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007978400000 | 0x7978400000 | 0x79784fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007978500000 | 0x7978500000 | 0x79785fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007978600000 | 0x7978600000 | 0x79786fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007978700000 | 0x7978700000 | 0x79787fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff270000 | 0x7df5ff270000 | 0x7ff5ff26ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff672d0c000 | 0x7ff672d0c000 | 0x7ff672d0dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672d0e000 | 0x7ff672d0e000 | 0x7ff672d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672d10000 | 0x7ff672d10000 | 0x7ff672d11fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672d12000 | 0x7ff672d12000 | 0x7ff672d13fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672d14000 | 0x7ff672d14000 | 0x7ff672d15fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672d16000 | 0x7ff672d16000 | 0x7ff672d17fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672d18000 | 0x7ff672d18000 | 0x7ff672d19fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672d1a000 | 0x7ff672d1a000 | 0x7ff672d1bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672d1c000 | 0x7ff672d1c000 | 0x7ff672d1dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672d1e000 | 0x7ff672d1e000 | 0x7ff672d1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff672d20000 | 0x7ff672d20000 | 0x7ff672e1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff672e20000 | 0x7ff672e20000 | 0x7ff672e42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff672e44000 | 0x7ff672e44000 | 0x7ff672e45fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672e46000 | 0x7ff672e46000 | 0x7ff672e47fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672e48000 | 0x7ff672e48000 | 0x7ff672e49fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672e4a000 | 0x7ff672e4a000 | 0x7ff672e4afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672e4c000 | 0x7ff672e4c000 | 0x7ff672e4dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff672e4e000 | 0x7ff672e4e000 | 0x7ff672e4ffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff673b40000 | 0x7ff673b4cfff | Memory Mapped File | rwx |
|
|
|
- |
| capauthz.dll | 0x7ff8dee80000 | 0x7ff8dee95fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7ff8e7160000 | 0x7ff8e71c7fff | Memory Mapped File | rwx |
|
|
|
- |
| usermgrcli.dll | 0x7ff8e7d10000 | 0x7ff8e7d1ffff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ff8e8ad0000 | 0x7ff8e8ae2fff | Memory Mapped File | rwx |
|
|
|
- |
| fwbase.dll | 0x7ff8e9ae0000 | 0x7ff8e9b11fff | Memory Mapped File | rwx |
|
|
|
- |
| firewallapi.dll | 0x7ff8e9b20000 | 0x7ff8e9ba1fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x7ff8e9bb0000 | 0x7ff8e9bc2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcepmap.dll | 0x7ff8e9bd0000 | 0x7ff8e9be6fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcss.dll | 0x7ff8e9bf0000 | 0x7ff8e9ccafff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ff8ea5c0000 | 0x7ff8ea61cfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ff8ea820000 | 0x7ff8ea877fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ff8ee040000 | 0x7ff8ee0a8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ff8ee250000 | 0x7ff8ee257fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #13: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:50, Reason: Child Process |
| Unmonitor | End Time: 00:04:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:43 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x338 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
300
0x
C18
0x
8E8
0x
C1C
0x
DA8
0x
C90
0x
C84
0x
B44
0x
6FC
0x
B1C
0x
6A8
0x
490
0x
37C
0x
148
0x
8
0x
298
0x
258
0x
254
0x
11C
0x
3E4
0x
3BC
0x
3B8
0x
3B4
0x
398
0x
394
0x
33C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000008b3b4c0000 | 0x8b3b4c0000 | 0x8b3b4cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0x8b3b4d0000 | 0x8b3b4d0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000008b3b4e0000 | 0x8b3b4e0000 | 0x8b3b4f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008b3b500000 | 0x8b3b500000 | 0x8b3b57ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008b3b580000 | 0x8b3b580000 | 0x8b3b583fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008b3b590000 | 0x8b3b590000 | 0x8b3b590fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008b3b5a0000 | 0x8b3b5a0000 | 0x8b3b5a1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x8b3b5b0000 | 0x8b3b66dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000008b3b670000 | 0x8b3b670000 | 0x8b3b670fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008b3b680000 | 0x8b3b680000 | 0x8b3b680fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3b6f0000 | 0x8b3b6f0000 | 0x8b3b6f6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3b700000 | 0x8b3b700000 | 0x8b3b7fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3b800000 | 0x8b3b800000 | 0x8b3b800fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3b810000 | 0x8b3b810000 | 0x8b3b810fff | Private Memory | rw |
|
|
|
- |
| wevtapi.dll | 0x8b3b820000 | 0x8b3b884fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008b3b890000 | 0x8b3b890000 | 0x8b3b896fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3b8a0000 | 0x8b3b8a0000 | 0x8b3b8bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3b8c0000 | 0x8b3b8c0000 | 0x8b3b8dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3b8e0000 | 0x8b3b8e0000 | 0x8b3b8fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3b900000 | 0x8b3b900000 | 0x8b3b9fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008b3ba00000 | 0x8b3ba00000 | 0x8b3bb87fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008b3bb90000 | 0x8b3bb90000 | 0x8b3bd10fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008b3bd20000 | 0x8b3bd20000 | 0x8b3bddffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008b3bde0000 | 0x8b3bde0000 | 0x8b3bedffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3bee0000 | 0x8b3bee0000 | 0x8b3bf5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3bf60000 | 0x8b3bf60000 | 0x8b3bfdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3bfe0000 | 0x8b3bfe0000 | 0x8b3c0dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3c0e0000 | 0x8b3c0e0000 | 0x8b3c1dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008b3c1e0000 | 0x8b3c1e0000 | 0x8b3c1e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008b3c1f0000 | 0x8b3c1f0000 | 0x8b3c1f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008b3c200000 | 0x8b3c200000 | 0x8b3c200fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3c210000 | 0x8b3c210000 | 0x8b3c216fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3c220000 | 0x8b3c220000 | 0x8b3c29ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3c2a0000 | 0x8b3c2a0000 | 0x8b3c2a0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008b3c2b0000 | 0x8b3c2b0000 | 0x8b3c2b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pcaevts.dll | 0x8b3c2c0000 | 0x8b3c2c4fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008b3c300000 | 0x8b3c300000 | 0x8b3c3fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3c400000 | 0x8b3c400000 | 0x8b3c47ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3c480000 | 0x8b3c480000 | 0x8b3c4fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3c500000 | 0x8b3c500000 | 0x8b3c57ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3c580000 | 0x8b3c580000 | 0x8b3c5fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3c600000 | 0x8b3c600000 | 0x8b3c6fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3c700000 | 0x8b3c700000 | 0x8b3c7fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3c800000 | 0x8b3c800000 | 0x8b3c8fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3c900000 | 0x8b3c900000 | 0x8b3c9fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x8b3ca00000 | 0x8b3cd36fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008b3cd40000 | 0x8b3cd40000 | 0x8b3ce3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3ce40000 | 0x8b3ce40000 | 0x8b3cebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3cf00000 | 0x8b3cf00000 | 0x8b3cffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3d000000 | 0x8b3d000000 | 0x8b3d0fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3d100000 | 0x8b3d100000 | 0x8b3d1fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3d200000 | 0x8b3d200000 | 0x8b3d2fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3d400000 | 0x8b3d400000 | 0x8b3d4fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3d500000 | 0x8b3d500000 | 0x8b3d5fffff | Private Memory | rw |
|
|
|
- |
| winlogon.exe | 0x8b3d600000 | 0x8b3d692fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008b3d700000 | 0x8b3d700000 | 0x8b3d7fffff | Private Memory | rw |
|
|
|
- |
| services.exe | 0x8b3d800000 | 0x8b3d86ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008b3d870000 | 0x8b3d870000 | 0x8b3d8effff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3d900000 | 0x8b3d900000 | 0x8b3d9fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3da00000 | 0x8b3da00000 | 0x8b3dafffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3db00000 | 0x8b3db00000 | 0x8b3dbfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3dc00000 | 0x8b3dc00000 | 0x8b3dcfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3dd00000 | 0x8b3dd00000 | 0x8b3ddfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3de00000 | 0x8b3de00000 | 0x8b3defffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3df00000 | 0x8b3df00000 | 0x8b3dffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3e000000 | 0x8b3e000000 | 0x8b3e0fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3e100000 | 0x8b3e100000 | 0x8b3e1fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3e200000 | 0x8b3e200000 | 0x8b3e2fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3e300000 | 0x8b3e300000 | 0x8b3e3fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3e400000 | 0x8b3e400000 | 0x8b3e4fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3e500000 | 0x8b3e500000 | 0x8b3e5fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008b3e600000 | 0x8b3e600000 | 0x8b3e6fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff480000 | 0x7df5ff480000 | 0x7ff5ff47ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff673486000 | 0x7ff673486000 | 0x7ff673487fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673488000 | 0x7ff673488000 | 0x7ff673489fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67348a000 | 0x7ff67348a000 | 0x7ff67348bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67348c000 | 0x7ff67348c000 | 0x7ff67348dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67348e000 | 0x7ff67348e000 | 0x7ff67348ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673490000 | 0x7ff673490000 | 0x7ff673491fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673492000 | 0x7ff673492000 | 0x7ff673493fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673494000 | 0x7ff673494000 | 0x7ff673495fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673496000 | 0x7ff673496000 | 0x7ff673497fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673498000 | 0x7ff673498000 | 0x7ff673499fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67349a000 | 0x7ff67349a000 | 0x7ff67349bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67349e000 | 0x7ff67349e000 | 0x7ff67349ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6734a0000 | 0x7ff6734a0000 | 0x7ff6734a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6734a2000 | 0x7ff6734a2000 | 0x7ff6734a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6734a4000 | 0x7ff6734a4000 | 0x7ff6734a5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6734a6000 | 0x7ff6734a6000 | 0x7ff6734a7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6734a8000 | 0x7ff6734a8000 | 0x7ff6734a9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6734aa000 | 0x7ff6734aa000 | 0x7ff6734abfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6734ac000 | 0x7ff6734ac000 | 0x7ff6734adfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6734ae000 | 0x7ff6734ae000 | 0x7ff6734affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6734b0000 | 0x7ff6734b0000 | 0x7ff6735affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6735b0000 | 0x7ff6735b0000 | 0x7ff6735d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6735d3000 | 0x7ff6735d3000 | 0x7ff6735d4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6735d5000 | 0x7ff6735d5000 | 0x7ff6735d6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6735d7000 | 0x7ff6735d7000 | 0x7ff6735d7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6735d8000 | 0x7ff6735d8000 | 0x7ff6735d9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6735da000 | 0x7ff6735da000 | 0x7ff6735dbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6735dc000 | 0x7ff6735dc000 | 0x7ff6735ddfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6735de000 | 0x7ff6735de000 | 0x7ff6735dffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff673b40000 | 0x7ff673b4cfff | Memory Mapped File | rwx |
|
|
|
- |
| dbghelp.dll | 0x7ff8d0b10000 | 0x7ff8d0c99fff | Memory Mapped File | rwx |
|
|
|
- |
| audioses.dll | 0x7ff8d98e0000 | 0x7ff8d9964fff | Memory Mapped File | rwx |
|
|
|
- |
| deviceaccess.dll | 0x7ff8db340000 | 0x7ff8db382fff | Memory Mapped File | rwx |
|
|
|
- |
| wscsvc.dll | 0x7ff8db8d0000 | 0x7ff8db8fffff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x7ff8e0290000 | 0x7ff8e02a3fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x7ff8e02b0000 | 0x7ff8e03a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x7ff8e06b0000 | 0x7ff8e06c0fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x7ff8e56f0000 | 0x7ff8e576efff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ff8e5dd0000 | 0x7ff8e5ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcore6.dll | 0x7ff8e7220000 | 0x7ff8e7267fff | Memory Mapped File | rwx |
|
|
|
- |
| cmintegrator.dll | 0x7ff8e7270000 | 0x7ff8e727dfff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ff8e7280000 | 0x7ff8e7299fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ff8e72a0000 | 0x7ff8e72b5fff | Memory Mapped File | rwx |
|
|
|
- |
| wcmcsp.dll | 0x7ff8e72c0000 | 0x7ff8e72f5fff | Memory Mapped File | rwx |
|
|
|
- |
| wcmsvc.dll | 0x7ff8e7300000 | 0x7ff8e7397fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcore.dll | 0x7ff8e73a0000 | 0x7ff8e73fcfff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ff8e7430000 | 0x7ff8e7560fff | Memory Mapped File | rwx |
|
|
|
- |
| avrt.dll | 0x7ff8e75b0000 | 0x7ff8e75bafff | Memory Mapped File | rwx |
|
|
|
- |
| ksuser.dll | 0x7ff8e75c0000 | 0x7ff8e75c7fff | Memory Mapped File | rwx |
|
|
|
- |
| audiosrv.dll | 0x7ff8e75d0000 | 0x7ff8e76e0fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ff8e79b0000 | 0x7ff8e7b32fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ff8e7b40000 | 0x7ff8e7bb1fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiclnt.dll | 0x7ff8e7d90000 | 0x7ff8e7da0fff | Memory Mapped File | rwx |
|
|
|
- |
| wevtsvc.dll | 0x7ff8e82b0000 | 0x7ff8e845afff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ff8e8460000 | 0x7ff8e846afff | Memory Mapped File | rwx |
|
|
|
- |
| nrpsrv.dll | 0x7ff8e8470000 | 0x7ff8e8478fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ff8e8480000 | 0x7ff8e84b7fff | Memory Mapped File | rwx |
|
|
|
- |
| lmhsvc.dll | 0x7ff8e84c0000 | 0x7ff8e84c9fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x7ff8e84e0000 | 0x7ff8e84f7fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ff8e8ad0000 | 0x7ff8e8ae2fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ff8e9720000 | 0x7ff8e9746fff | Memory Mapped File | rwx |
|
|
|
- |
| fwbase.dll | 0x7ff8e9ae0000 | 0x7ff8e9b11fff | Memory Mapped File | rwx |
|
|
|
- |
| firewallapi.dll | 0x7ff8e9b20000 | 0x7ff8e9ba1fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ff8e9cd0000 | 0x7ff8e9cf2fff | Memory Mapped File | rwx |
|
|
|
- |
| hid.dll | 0x7ff8e9e00000 | 0x7ff8e9e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ff8ea000000 | 0x7ff8ea00bfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7ff8ea3c0000 | 0x7ff8ea467fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ff8ea5c0000 | 0x7ff8ea61cfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ff8ea820000 | 0x7ff8ea877fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 22 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #14: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:50, Reason: Child Process |
| Unmonitor | End Time: 00:04:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:43 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x360 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
984
0x
954
0x
924
0x
914
0x
8CC
0x
8BC
0x
890
0x
3B0
0x
3AC
0x
364
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000000cb8990000 | 0xcb8990000 | 0xcb899ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0xcb89a0000 | 0xcb89a0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000cb89b0000 | 0xcb89b0000 | 0xcb89c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000cb89d0000 | 0xcb89d0000 | 0xcb8a4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000cb8a50000 | 0xcb8a50000 | 0xcb8a53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000cb8a60000 | 0xcb8a60000 | 0xcb8a60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000cb8a70000 | 0xcb8a70000 | 0xcb8a71fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xcb8a80000 | 0xcb8b3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000cb8b40000 | 0xcb8b40000 | 0xcb8b40fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000cb8b50000 | 0xcb8b50000 | 0xcb8b50fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000cb8b60000 | 0xcb8b60000 | 0xcb8b60fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000cb8b70000 | 0xcb8b70000 | 0xcb8b70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000cb8ba0000 | 0xcb8ba0000 | 0xcb8ba6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000cb8c00000 | 0xcb8c00000 | 0xcb8cfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000cb8d80000 | 0xcb8d80000 | 0xcb8e3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000cb8e70000 | 0xcb8e70000 | 0xcb8e76fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000cb8e80000 | 0xcb8e80000 | 0xcb8efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000cb8f00000 | 0xcb8f00000 | 0xcb8ffffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000cb9000000 | 0xcb9000000 | 0xcb9187fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000cb9190000 | 0xcb9190000 | 0xcb9310fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000cb9320000 | 0xcb9320000 | 0xcb941ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000cb9420000 | 0xcb9420000 | 0xcb951ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000cb9520000 | 0xcb9520000 | 0xcb961ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xcb9620000 | 0xcb9956fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000cb9960000 | 0xcb9960000 | 0xcb9a5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000cb9a60000 | 0xcb9a60000 | 0xcb9b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000cb9c60000 | 0xcb9c60000 | 0xcb9d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000cb9d60000 | 0xcb9d60000 | 0xcb9e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000cb9e60000 | 0xcb9e60000 | 0xcb9f5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffaa0000 | 0x7df5ffaa0000 | 0x7ff5ffa9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff673964000 | 0x7ff673964000 | 0x7ff673965fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673966000 | 0x7ff673966000 | 0x7ff673967fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673968000 | 0x7ff673968000 | 0x7ff673969fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67396c000 | 0x7ff67396c000 | 0x7ff67396dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67396e000 | 0x7ff67396e000 | 0x7ff67396ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff673970000 | 0x7ff673970000 | 0x7ff673a6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff673a70000 | 0x7ff673a70000 | 0x7ff673a92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff673a93000 | 0x7ff673a93000 | 0x7ff673a94fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673a95000 | 0x7ff673a95000 | 0x7ff673a95fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673a96000 | 0x7ff673a96000 | 0x7ff673a97fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673a98000 | 0x7ff673a98000 | 0x7ff673a99fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673a9a000 | 0x7ff673a9a000 | 0x7ff673a9bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673a9e000 | 0x7ff673a9e000 | 0x7ff673a9ffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff673b40000 | 0x7ff673b4cfff | Memory Mapped File | rwx |
|
|
|
- |
| ssdpsrv.dll | 0x7ff8dcdb0000 | 0x7ff8dcdf0fff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelclient.dll | 0x7ff8df3b0000 | 0x7ff8df3f2fff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x7ff8e5d70000 | 0x7ff8e5d77fff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x7ff8e5d80000 | 0x7ff8e5d87fff | Memory Mapped File | rwx |
|
|
|
- |
| wshqos.dll | 0x7ff8e5d90000 | 0x7ff8e5d99fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ff8e7280000 | 0x7ff8e7299fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ff8e72a0000 | 0x7ff8e72b5fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ff8e79b0000 | 0x7ff8e7b32fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ff8e7b40000 | 0x7ff8e7bb1fff | Memory Mapped File | rwx |
|
|
|
- |
| bi.dll | 0x7ff8e8040000 | 0x7ff8e804bfff | Memory Mapped File | rwx |
|
|
|
- |
| timebrokerserver.dll | 0x7ff8e8280000 | 0x7ff8e82acfff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ff8e8460000 | 0x7ff8e846afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ff8e8480000 | 0x7ff8e84b7fff | Memory Mapped File | rwx |
|
|
|
- |
| coremessaging.dll | 0x7ff8e9060000 | 0x7ff8e9127fff | Memory Mapped File | rwx |
|
|
|
- |
| brokerlib.dll | 0x7ff8e95b0000 | 0x7ff8e95eefff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ff8e9720000 | 0x7ff8e9746fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ff8e9860000 | 0x7ff8e994dfff | Memory Mapped File | rwx |
|
|
|
- |
| fwbase.dll | 0x7ff8e9ae0000 | 0x7ff8e9b11fff | Memory Mapped File | rwx |
|
|
|
- |
| firewallapi.dll | 0x7ff8e9b20000 | 0x7ff8e9ba1fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ff8ea5c0000 | 0x7ff8ea61cfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ff8eaf60000 | 0x7ff8eafa3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ff8ee040000 | 0x7ff8ee0a8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ff8ee250000 | 0x7ff8ee257fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #15: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:50, Reason: Child Process |
| Unmonitor | End Time: 00:04:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:43 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x368 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeTcbPrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F2C
0x
910
0x
ADC
0x
944
0x
93C
0x
774
0x
620
0x
61C
0x
5F8
0x
418
0x
234
0x
194
0x
3D0
0x
3C4
0x
36C
0x
DF8
0x
D10
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000862d330000 | 0x862d330000 | 0x862d33ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0x862d340000 | 0x862d340fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000862d350000 | 0x862d350000 | 0x862d363fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000862d370000 | 0x862d370000 | 0x862d3effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000862d3f0000 | 0x862d3f0000 | 0x862d3f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000862d400000 | 0x862d400000 | 0x862d400fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000862d410000 | 0x862d410000 | 0x862d411fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x862d420000 | 0x862d4ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000862d4e0000 | 0x862d4e0000 | 0x862d4e0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000862d4f0000 | 0x862d4f0000 | 0x862d4f0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000862d500000 | 0x862d500000 | 0x862d500fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000862d510000 | 0x862d510000 | 0x862d510fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000862d520000 | 0x862d520000 | 0x862d520fff | Private Memory | rw |
|
|
|
- |
| private_0x000000862d530000 | 0x862d530000 | 0x862d536fff | Private Memory | rw |
|
|
|
- |
| private_0x000000862d5c0000 | 0x862d5c0000 | 0x862d5c0fff | Private Memory | rw |
|
|
|
- |
| mmdevapi.dll.mui | 0x862d5d0000 | 0x862d5d0fff | Memory Mapped File | r |
|
|
|
- |
| audioendpointbuilder.dll.mui | 0x862d5e0000 | 0x862d5e0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000862d5f0000 | 0x862d5f0000 | 0x862d5f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000862d600000 | 0x862d600000 | 0x862d6fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000862d700000 | 0x862d700000 | 0x862d7bffff | Pagefile Backed Memory | r |
|
|
|
- |
| sysmain.dll.mui | 0x862d7c0000 | 0x862d7c5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000862d7e0000 | 0x862d7e0000 | 0x862d7e6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000862d800000 | 0x862d800000 | 0x862d8fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000862d900000 | 0x862d900000 | 0x862da87fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000862da90000 | 0x862da90000 | 0x862dc10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000862dc20000 | 0x862dc20000 | 0x862dc9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000862dca0000 | 0x862dca0000 | 0x862dce3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000862dd20000 | 0x862dd20000 | 0x862de1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000862de20000 | 0x862de20000 | 0x862df1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000862df20000 | 0x862df20000 | 0x862e01ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000862e0a0000 | 0x862e0a0000 | 0x862e11ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000862e120000 | 0x862e120000 | 0x862e21ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x862e220000 | 0x862e556fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000862e560000 | 0x862e560000 | 0x862e65ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000862e660000 | 0x862e660000 | 0x862e75ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000862e760000 | 0x862e760000 | 0x862e85ffff | Private Memory | rw |
|
|
|
- |
| pfpre_871cf952.mkd | 0x862e860000 | 0x862e890fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000862e8a0000 | 0x862e8a0000 | 0x862e8a6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000862e960000 | 0x862e960000 | 0x862ea5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000862ea60000 | 0x862ea60000 | 0x862eb5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000862ebd0000 | 0x862ebd0000 | 0x862ebd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000862ec00000 | 0x862ec00000 | 0x862ecfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000862ed00000 | 0x862ed00000 | 0x872ecfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000872ed00000 | 0x872ed00000 | 0x872edfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000872ee00000 | 0x872ee00000 | 0x872eefffff | Private Memory | rw |
|
|
|
- |
| private_0x000000872ef00000 | 0x872ef00000 | 0x872effffff | Private Memory | rw |
|
|
|
- |
| private_0x000000872f000000 | 0x872f000000 | 0x872f3fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000872f400000 | 0x872f400000 | 0x872f503fff | Private Memory | rw |
|
|
|
- |
| private_0x000000872f510000 | 0x872f510000 | 0x872f60ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000872f700000 | 0x872f700000 | 0x872f7fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000872f980000 | 0x872f980000 | 0x872f986fff | Private Memory | rw |
|
|
|
- |
| private_0x000000872f9b0000 | 0x872f9b0000 | 0x872faaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000872fd00000 | 0x872fd00000 | 0x872fdfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000872fe00000 | 0x872fe00000 | 0x872ffcafff | Private Memory | rw |
|
|
|
- |
| private_0x0000008730000000 | 0x8730000000 | 0x87300fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008730100000 | 0x8730100000 | 0x87301fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008730200000 | 0x8730200000 | 0x87302fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008730300000 | 0x8730300000 | 0x87303fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008730400000 | 0x8730400000 | 0x87304fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008730500000 | 0x8730500000 | 0x87305fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008730600000 | 0x8730600000 | 0x87306fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008730700000 | 0x8730700000 | 0x87307fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008730800000 | 0x8730800000 | 0x87308fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008730a50000 | 0x8730a50000 | 0x8730b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008730d00000 | 0x8730d00000 | 0x8730dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008730e00000 | 0x8730e00000 | 0x8730efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008730f00000 | 0x8730f00000 | 0x8730ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008731000000 | 0x8731000000 | 0x87310fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008731100000 | 0x8731100000 | 0x87311fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008731200000 | 0x8731200000 | 0x87312fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008731300000 | 0x8731300000 | 0x87313fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008731400000 | 0x8731400000 | 0x87314fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008731500000 | 0x8731500000 | 0x87315fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008731600000 | 0x8731600000 | 0x87316fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffac0000 | 0x7df5ffac0000 | 0x7ff5ffabffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6737d6000 | 0x7ff6737d6000 | 0x7ff6737d7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737d8000 | 0x7ff6737d8000 | 0x7ff6737d9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737da000 | 0x7ff6737da000 | 0x7ff6737dbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737dc000 | 0x7ff6737dc000 | 0x7ff6737ddfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737de000 | 0x7ff6737de000 | 0x7ff6737dffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737e0000 | 0x7ff6737e0000 | 0x7ff6737e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737e2000 | 0x7ff6737e2000 | 0x7ff6737e3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737e4000 | 0x7ff6737e4000 | 0x7ff6737e5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737e8000 | 0x7ff6737e8000 | 0x7ff6737e9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737ea000 | 0x7ff6737ea000 | 0x7ff6737ebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737ee000 | 0x7ff6737ee000 | 0x7ff6737effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6737f0000 | 0x7ff6737f0000 | 0x7ff6738effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6738f0000 | 0x7ff6738f0000 | 0x7ff673912fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff673914000 | 0x7ff673914000 | 0x7ff673914fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673918000 | 0x7ff673918000 | 0x7ff673919fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67391a000 | 0x7ff67391a000 | 0x7ff67391bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67391c000 | 0x7ff67391c000 | 0x7ff67391dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67391e000 | 0x7ff67391e000 | 0x7ff67391ffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff673b40000 | 0x7ff673b4cfff | Memory Mapped File | rwx |
|
|
|
- |
| wer.dll | 0x7ff8d5ea0000 | 0x7ff8d5f3dfff | Memory Mapped File | rwx |
|
|
|
- |
| ncbservice.dll | 0x7ff8dcaa0000 | 0x7ff8dcaf7fff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelclient.dll | 0x7ff8df3b0000 | 0x7ff8df3f2fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ff8df640000 | 0x7ff8dfaa9fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ff8e0f70000 | 0x7ff8e0f7dfff | Memory Mapped File | rwx |
|
|
|
- |
| trkwks.dll | 0x7ff8e2370000 | 0x7ff8e2391fff | Memory Mapped File | rwx |
|
|
|
- |
| sysmain.dll | 0x7ff8e23a0000 | 0x7ff8e24b2fff | Memory Mapped File | rwx |
|
|
|
- |
| pcasvc.dll | 0x7ff8e2550000 | 0x7ff8e25cffff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7ff8e2760000 | 0x7ff8e279efff | Memory Mapped File | rwx |
|
|
|
- |
| pcacli.dll | 0x7ff8e5360000 | 0x7ff8e536efff | Memory Mapped File | rwx |
|
|
|
- |
| systemeventsbrokerclient.dll | 0x7ff8e5420000 | 0x7ff8e542afff | Memory Mapped File | rwx |
|
|
|
- |
| wdi.dll | 0x7ff8e5520000 | 0x7ff8e553cfff | Memory Mapped File | rwx |
|
|
|
- |
| httpprxc.dll | 0x7ff8e6180000 | 0x7ff8e6188fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ff8e6330000 | 0x7ff8e6365fff | Memory Mapped File | rwx |
|
|
|
- |
| wudfplatform.dll | 0x7ff8e6ed0000 | 0x7ff8e6f02fff | Memory Mapped File | rwx |
|
|
|
- |
| wudfsvc.dll | 0x7ff8e6f10000 | 0x7ff8e6f2afff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ff8e79b0000 | 0x7ff8e7b32fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ff8e7b40000 | 0x7ff8e7bb1fff | Memory Mapped File | rwx |
|
|
|
- |
| audioendpointbuilder.dll | 0x7ff8e7bc0000 | 0x7ff8e7c09fff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x7ff8e7f80000 | 0x7ff8e803ffff | Memory Mapped File | rwx |
|
|
|
- |
| bi.dll | 0x7ff8e8040000 | 0x7ff8e804bfff | Memory Mapped File | rwx |
|
|
|
- |
| portabledeviceconnectapi.dll | 0x7ff8e8120000 | 0x7ff8e8136fff | Memory Mapped File | rwx |
|
|
|
- |
| portabledeviceapi.dll | 0x7ff8e8140000 | 0x7ff8e81e0fff | Memory Mapped File | rwx |
|
|
|
- |
| pcadm.dll | 0x7ff8e8270000 | 0x7ff8e827ffff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ff8e8460000 | 0x7ff8e846afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ff8e8480000 | 0x7ff8e84b7fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ff8e8ad0000 | 0x7ff8e8ae2fff | Memory Mapped File | rwx |
|
|
|
- |
| coremessaging.dll | 0x7ff8e9060000 | 0x7ff8e9127fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ff8e9500000 | 0x7ff8e9577fff | Memory Mapped File | rwx |
|
|
|
- |
| brokerlib.dll | 0x7ff8e95b0000 | 0x7ff8e95eefff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ff8e9720000 | 0x7ff8e9746fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ff8e9fe0000 | 0x7ff8e9ffbfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ff8ea0f0000 | 0x7ff8ea121fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ff8ea5c0000 | 0x7ff8ea61cfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ff8ea820000 | 0x7ff8ea877fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ff8eadb0000 | 0x7ff8eadc0fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x7ff8eae50000 | 0x7ff8eaea3fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ff8eaf60000 | 0x7ff8eafa3fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ff8eafb0000 | 0x7ff8eb170fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7ff8ebbf0000 | 0x7ff8ebdb4fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 13 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #16: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k LocalService |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:50, Reason: Child Process |
| Unmonitor | End Time: 00:04:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:43 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3a0 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
790
0x
770
0x
710
0x
6F4
0x
6EC
0x
6D4
0x
6A4
0x
6A0
0x
69C
0x
698
0x
690
0x
670
0x
5B8
0x
560
0x
54C
0x
454
0x
1A4
0x
150
0x
154
0x
120
0x
3FC
0x
3F8
0x
3F4
0x
3A4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000086e6be0000 | 0x86e6be0000 | 0x86e6beffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0x86e6bf0000 | 0x86e6bf0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000086e6c00000 | 0x86e6c00000 | 0x86e6c13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000086e6c20000 | 0x86e6c20000 | 0x86e6c9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000086e6ca0000 | 0x86e6ca0000 | 0x86e6ca3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000086e6cb0000 | 0x86e6cb0000 | 0x86e6cb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000086e6cc0000 | 0x86e6cc0000 | 0x86e6cc1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x86e6cd0000 | 0x86e6d8dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000086e6d90000 | 0x86e6d90000 | 0x86e6d90fff | Private Memory | rw |
|
|
|
- |
| private_0x00000086e6da0000 | 0x86e6da0000 | 0x86e6da0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000086e6db0000 | 0x86e6db0000 | 0x86e6db0fff | Pagefile Backed Memory | r |
|
|
|
- |
| es.dll | 0x86e6dc0000 | 0x86e6dd1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000086e6de0000 | 0x86e6de0000 | 0x86e6de6fff | Private Memory | rw |
|
|
|
- |
| stdole2.tlb | 0x86e6df0000 | 0x86e6df4fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000086e6e00000 | 0x86e6e00000 | 0x86e6efffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000086e6f80000 | 0x86e6f80000 | 0x86e703ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000086e7040000 | 0x86e7040000 | 0x86e7041fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000086e7050000 | 0x86e7050000 | 0x86e7056fff | Private Memory | rw |
|
|
|
- |
| private_0x00000086e7060000 | 0x86e7060000 | 0x86e70dffff | Private Memory | rw |
|
|
|
- |
| netprofmsvc.dll.mui | 0x86e70e0000 | 0x86e70e1fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000086e70f0000 | 0x86e70f0000 | 0x86e70f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000086e7100000 | 0x86e7100000 | 0x86e71fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000086e7200000 | 0x86e7200000 | 0x86e7387fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000086e7390000 | 0x86e7390000 | 0x86e7510fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000086e7520000 | 0x86e7520000 | 0x86e761ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x86e7620000 | 0x86e7956fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000086e7960000 | 0x86e7960000 | 0x86e7a5ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086e7a60000 | 0x86e7a60000 | 0x86e7b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086e7b60000 | 0x86e7b60000 | 0x86e7c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086e7c60000 | 0x86e7c60000 | 0x86e7d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086e7d60000 | 0x86e7d60000 | 0x86e7e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086e7e60000 | 0x86e7e60000 | 0x86e7f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086e7f60000 | 0x86e7f60000 | 0x86e805ffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-fontface.dat | 0x86e8060000 | 0x86e905ffff | Memory Mapped File | rw |
|
|
|
- |
| ~fontcache-system.dat | 0x86e9060000 | 0x86e90d5fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000086e90e0000 | 0x86e90e0000 | 0x86e91dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086e91e0000 | 0x86e91e0000 | 0x86e92dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086e93e0000 | 0x86e93e0000 | 0x86e94dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086e9500000 | 0x86e9500000 | 0x86e95fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086e9e00000 | 0x86e9e00000 | 0x86e9efffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086e9f00000 | 0x86e9f00000 | 0x86e9ffffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086ea000000 | 0x86ea000000 | 0x86ea0fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086ea100000 | 0x86ea100000 | 0x86ea1fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086ea200000 | 0x86ea200000 | 0x86ea2fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086ea300000 | 0x86ea300000 | 0x86ea3fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086ea400000 | 0x86ea400000 | 0x86ea4fffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x86ea500000 | 0x86ea5defff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000086ea5e0000 | 0x86ea5e0000 | 0x86ea6dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086ea6e0000 | 0x86ea6e0000 | 0x86ea7dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086ea7e0000 | 0x86ea7e0000 | 0x86ea8dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086ea900000 | 0x86ea900000 | 0x86ea9fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086eaa00000 | 0x86eaa00000 | 0x86eaafffff | Private Memory | rw |
|
|
|
- |
| private_0x00000086eab00000 | 0x86eab00000 | 0x86eabfffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-s-1-5-21-1462094071-1423818996-289466292-1000.dat | 0x86eac00000 | 0x86eb3fffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x00007df5ff5e0000 | 0x7df5ff5e0000 | 0x7ff5ff5dffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff673338000 | 0x7ff673338000 | 0x7ff673339fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67333a000 | 0x7ff67333a000 | 0x7ff67333bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67333c000 | 0x7ff67333c000 | 0x7ff67333dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67333e000 | 0x7ff67333e000 | 0x7ff67333ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673340000 | 0x7ff673340000 | 0x7ff673341fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673342000 | 0x7ff673342000 | 0x7ff673343fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673344000 | 0x7ff673344000 | 0x7ff673345fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673346000 | 0x7ff673346000 | 0x7ff673347fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673348000 | 0x7ff673348000 | 0x7ff673349fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67334a000 | 0x7ff67334a000 | 0x7ff67334bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67334c000 | 0x7ff67334c000 | 0x7ff67334dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67334e000 | 0x7ff67334e000 | 0x7ff67334ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673350000 | 0x7ff673350000 | 0x7ff673351fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673354000 | 0x7ff673354000 | 0x7ff673355fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673356000 | 0x7ff673356000 | 0x7ff673357fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673358000 | 0x7ff673358000 | 0x7ff673359fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67335a000 | 0x7ff67335a000 | 0x7ff67335bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67335c000 | 0x7ff67335c000 | 0x7ff67335dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67335e000 | 0x7ff67335e000 | 0x7ff67335ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff673360000 | 0x7ff673360000 | 0x7ff67345ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff673460000 | 0x7ff673460000 | 0x7ff673482fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff673483000 | 0x7ff673483000 | 0x7ff673484fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673485000 | 0x7ff673485000 | 0x7ff673486fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673487000 | 0x7ff673487000 | 0x7ff673488fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673489000 | 0x7ff673489000 | 0x7ff67348afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67348b000 | 0x7ff67348b000 | 0x7ff67348bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67348e000 | 0x7ff67348e000 | 0x7ff67348ffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff673b40000 | 0x7ff673b4cfff | Memory Mapped File | rwx |
|
|
|
- |
| bitsproxy.dll | 0x7ff8dca80000 | 0x7ff8dca91fff | Memory Mapped File | rwx |
|
|
|
- |
| bluetoothapis.dll | 0x7ff8e09f0000 | 0x7ff8e0a0dfff | Memory Mapped File | rwx |
|
|
|
- |
| bthtelemetry.dll | 0x7ff8e0a10000 | 0x7ff8e0a1cfff | Memory Mapped File | rwx |
|
|
|
- |
| bthradiomedia.dll | 0x7ff8e0a20000 | 0x7ff8e0a37fff | Memory Mapped File | rwx |
|
|
|
- |
| wlanradiomanager.dll | 0x7ff8e0a40000 | 0x7ff8e0a53fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ff8e0f70000 | 0x7ff8e0f7dfff | Memory Mapped File | rwx |
|
|
|
- |
| wlanapi.dll | 0x7ff8e15f0000 | 0x7ff8e164efff | Memory Mapped File | rwx |
|
|
|
- |
| netprofmsvc.dll | 0x7ff8e1870000 | 0x7ff8e18fcfff | Memory Mapped File | rwx |
|
|
|
- |
| perftrack.dll | 0x7ff8e25d0000 | 0x7ff8e25e7fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x7ff8e2ea0000 | 0x7ff8e2ea9fff | Memory Mapped File | rwx |
|
|
|
- |
| wdi.dll | 0x7ff8e5520000 | 0x7ff8e553cfff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ff8e5dd0000 | 0x7ff8e5ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ff8e6330000 | 0x7ff8e6365fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ff8e7280000 | 0x7ff8e7299fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ff8e72a0000 | 0x7ff8e72b5fff | Memory Mapped File | rwx |
|
|
|
- |
| nsisvc.dll | 0x7ff8e7420000 | 0x7ff8e742bfff | Memory Mapped File | rwx |
|
|
|
- |
| fontprovider.dll | 0x7ff8e77d0000 | 0x7ff8e77f8fff | Memory Mapped File | rwx |
|
|
|
- |
| fntcache.dll | 0x7ff8e7800000 | 0x7ff8e79a3fff | Memory Mapped File | rwx |
|
|
|
- |
| es.dll | 0x7ff8e7f00000 | 0x7ff8e7f79fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ff8e8460000 | 0x7ff8e846afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ff8e8480000 | 0x7ff8e84b7fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x7ff8e84e0000 | 0x7ff8e84f7fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ff8e9720000 | 0x7ff8e9746fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ff8e9cd0000 | 0x7ff8e9cf2fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7ff8ea3c0000 | 0x7ff8ea467fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ff8ea5c0000 | 0x7ff8ea61cfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x7ff8eac70000 | 0x7ff8ead07fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ff8eaf60000 | 0x7ff8eafa3fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ff8ee040000 | 0x7ff8ee0a8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ff8ee250000 | 0x7ff8ee257fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #17: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k NetworkService |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:50, Reason: Child Process |
| Unmonitor | End Time: 00:04:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:43 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2a0 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F94
0x
F8C
0x
F88
0x
D54
0x
980
0x
918
0x
68C
0x
688
0x
680
0x
674
0x
668
0x
614
0x
5E0
0x
590
0x
530
0x
488
0x
470
0x
468
0x
464
0x
460
0x
458
0x
3EC
0x
38C
0x
2C4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000005400000000 | 0x5400000000 | 0x540fffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005410000000 | 0x5410000000 | 0x541fffffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005458fb0000 | 0x5458fb0000 | 0x5458fbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0x5458fc0000 | 0x5458fc0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000005458fd0000 | 0x5458fd0000 | 0x5458fe3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005458ff0000 | 0x5458ff0000 | 0x545906ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005459070000 | 0x5459070000 | 0x5459073fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005459080000 | 0x5459080000 | 0x5459080fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005459090000 | 0x5459090000 | 0x5459091fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x54590a0000 | 0x545915dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005459160000 | 0x5459160000 | 0x5459160fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005459170000 | 0x5459170000 | 0x5459170fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005459180000 | 0x5459180000 | 0x5459180fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005459190000 | 0x5459190000 | 0x5459190fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000054591a0000 | 0x54591a0000 | 0x54591a6fff | Private Memory | rw |
|
|
|
- |
| vsstrace.dll.mui | 0x54591b0000 | 0x54591b8fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000054591c0000 | 0x54591c0000 | 0x54591c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000054591d0000 | 0x54591d0000 | 0x54591d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000054591e0000 | 0x54591e0000 | 0x54591e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000054591f0000 | 0x54591f0000 | 0x54591f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005459200000 | 0x5459200000 | 0x54592fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005459380000 | 0x5459380000 | 0x545943ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005459440000 | 0x5459440000 | 0x5459440fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005459450000 | 0x5459450000 | 0x5459450fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005459460000 | 0x5459460000 | 0x5459466fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005459470000 | 0x5459470000 | 0x54594effff | Private Memory | rw |
|
|
|
- |
| private_0x00000054594f0000 | 0x54594f0000 | 0x54594f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005459500000 | 0x5459500000 | 0x54595fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005459600000 | 0x5459600000 | 0x5459787fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005459790000 | 0x5459790000 | 0x5459910fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005459920000 | 0x5459920000 | 0x5459a1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005459a20000 | 0x5459a20000 | 0x5459b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005459b20000 | 0x5459b20000 | 0x5459c1ffff | Private Memory | rw |
|
|
|
- |
| catdb | 0x5459c20000 | 0x5459c2ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x5459c30000 | 0x5459c3ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x5459c40000 | 0x5459c4ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x5459c50000 | 0x5459c5ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x5459c60000 | 0x5459c6ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x5459c70000 | 0x5459c7ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005459d20000 | 0x5459d20000 | 0x5459e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005459e20000 | 0x5459e20000 | 0x5459f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005459f20000 | 0x5459f20000 | 0x545a01ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545a020000 | 0x545a020000 | 0x545a11ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545a120000 | 0x545a120000 | 0x545a21ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545a220000 | 0x545a220000 | 0x545a31ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545a320000 | 0x545a320000 | 0x545a41ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545a420000 | 0x545a420000 | 0x545a51ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x545a520000 | 0x545a856fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000545a860000 | 0x545a860000 | 0x545a95ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545a960000 | 0x545a960000 | 0x545aa5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545aa60000 | 0x545aa60000 | 0x545aadffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545aae0000 | 0x545aae0000 | 0x545aae1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000545aaf0000 | 0x545aaf0000 | 0x545aaf0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000545ab00000 | 0x545ab00000 | 0x545ab00fff | Private Memory | rw |
|
|
|
- |
| private_0x000000545ab10000 | 0x545ab10000 | 0x545ab16fff | Private Memory | rw |
|
|
|
- |
| private_0x000000545ab20000 | 0x545ab20000 | 0x545abe1fff | Private Memory | rw |
|
|
|
- |
| catdb | 0x545abf0000 | 0x545abfffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000545ac00000 | 0x545ac00000 | 0x545acfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545ad00000 | 0x545ad00000 | 0x545adfffff | Private Memory | rw |
|
|
|
- |
| catdb | 0x545ae00000 | 0x545ae0ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545ae10000 | 0x545ae1ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545ae20000 | 0x545ae2ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545ae30000 | 0x545ae3ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000545ae40000 | 0x545ae40000 | 0x545ae46fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000545ae50000 | 0x545ae50000 | 0x545ae5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000545ae60000 | 0x545ae60000 | 0x545ae6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000545ae70000 | 0x545ae70000 | 0x545ae7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000545ae80000 | 0x545ae80000 | 0x545ae8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000545ae90000 | 0x545ae90000 | 0x545ae9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000545aea0000 | 0x545aea0000 | 0x545aeaffff | Pagefile Backed Memory | rw |
|
|
|
- |
| catdb | 0x545aeb0000 | 0x545aebffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545aec0000 | 0x545aecffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545aed0000 | 0x545aedffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545aee0000 | 0x545aeeffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545aef0000 | 0x545aefffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000545af00000 | 0x545af00000 | 0x545affffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545b000000 | 0x545b000000 | 0x545b0fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000545b100000 | 0x545b100000 | 0x545b10ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000545b110000 | 0x545b110000 | 0x545b11ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000545b120000 | 0x545b120000 | 0x545b12ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000545b130000 | 0x545b130000 | 0x545b13ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000545b140000 | 0x545b140000 | 0x545b14ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000545b150000 | 0x545b150000 | 0x545b15ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| catdb | 0x545b160000 | 0x545b16ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545b170000 | 0x545b17ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545b180000 | 0x545b18ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545b190000 | 0x545b19ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545b1a0000 | 0x545b1affff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545b1b0000 | 0x545b1bffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000545b1c0000 | 0x545b1c0000 | 0x545b1c0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000545b1d0000 | 0x545b1d0000 | 0x545b1d6fff | Private Memory | rw |
|
|
|
- |
| catdb | 0x545b1e0000 | 0x545b1effff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545b1f0000 | 0x545b1fffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000545b200000 | 0x545b200000 | 0x545b2fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545b300000 | 0x545b300000 | 0x545b3fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545b400000 | 0x545b400000 | 0x545b4fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545b500000 | 0x545b500000 | 0x545b5fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545b600000 | 0x545b600000 | 0x545b6fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545b700000 | 0x545b700000 | 0x545b7fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545b800000 | 0x545b800000 | 0x545b8fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545b900000 | 0x545b900000 | 0x545b9fffff | Private Memory | rw |
|
|
|
- |
| catdb | 0x545ba00000 | 0x545ba0ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000545ba10000 | 0x545ba10000 | 0x545ba10fff | Private Memory | rw |
|
|
|
- |
| catdb | 0x545ba20000 | 0x545ba2ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545ba30000 | 0x545ba3ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545ba40000 | 0x545ba4ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x545ba50000 | 0x545ba5ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000545ba60000 | 0x545ba60000 | 0x545ba66fff | Private Memory | rw |
|
|
|
- |
| private_0x000000545ba70000 | 0x545ba70000 | 0x545baeffff | Private Memory | rw |
|
|
|
- |
| catdb | 0x545baf0000 | 0x545bafffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000545bb00000 | 0x545bb00000 | 0x545bbfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545bc00000 | 0x545bc00000 | 0x545bcfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545bd00000 | 0x545bd00000 | 0x545bdfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545be00000 | 0x545be00000 | 0x545cdfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545ce00000 | 0x545ce00000 | 0x545d00ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000545d010000 | 0x545d010000 | 0x546d00ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000546d010000 | 0x546d010000 | 0x547d00ffff | Private Memory | rw |
|
|
|
- |
| catdb | 0x547d010000 | 0x547d01ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d020000 | 0x547d02ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d030000 | 0x547d03ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d040000 | 0x547d04ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d050000 | 0x547d05ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d060000 | 0x547d06ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d070000 | 0x547d07ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d080000 | 0x547d08ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d090000 | 0x547d09ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d0a0000 | 0x547d0affff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d0b0000 | 0x547d0bffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d0c0000 | 0x547d0cffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d0d0000 | 0x547d0dffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d0e0000 | 0x547d0effff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d0f0000 | 0x547d0fffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d100000 | 0x547d10ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x547d110000 | 0x547d11ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000547d120000 | 0x547d120000 | 0x547d21ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff980000 | 0x7df5ff980000 | 0x7ff5ff97ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6733ba000 | 0x7ff6733ba000 | 0x7ff6733bbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6733bc000 | 0x7ff6733bc000 | 0x7ff6733bdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6733be000 | 0x7ff6733be000 | 0x7ff6733bffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6733c0000 | 0x7ff6733c0000 | 0x7ff6733c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6733c2000 | 0x7ff6733c2000 | 0x7ff6733c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6733c4000 | 0x7ff6733c4000 | 0x7ff6733c5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6733c6000 | 0x7ff6733c6000 | 0x7ff6733c7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6733c8000 | 0x7ff6733c8000 | 0x7ff6733c9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6733ca000 | 0x7ff6733ca000 | 0x7ff6733cbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6733cc000 | 0x7ff6733cc000 | 0x7ff6733cdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6733ce000 | 0x7ff6733ce000 | 0x7ff6733cffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6733d0000 | 0x7ff6733d0000 | 0x7ff6733d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6733d2000 | 0x7ff6733d2000 | 0x7ff6733d3fff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 80 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #18: spoolsv.exe
0
0
| Information | Value |
|---|---|
| ID | #18 |
| File Name | c:\windows\system32\spoolsv.exe |
| Command Line | C:\Windows\System32\spoolsv.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:50, Reason: Child Process |
| Unmonitor | End Time: 00:04:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:43 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x230 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeTcbPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege |
| Thread IDs |
0x
474
0x
ECC
0x
EC8
0x
EBC
0x
EB4
0x
EB0
0x
EA8
0x
EA4
0x
894
0x
47C
0x
414
0x
40C
0x
2F0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x008bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008c6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x008e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x00933fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x00940fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x00951fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x0099ffff | Private Memory | rw |
|
|
|
- |
| spoolsv.exe.mui | 0x009a0000 | 0x009a0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x009d6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x009e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x00aeffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00af0000 | 0x00badfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000bb0000 | 0x00bb0000 | 0x00d37fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d40000 | 0x00d40000 | 0x00ec0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ed0000 | 0x00ed0000 | 0x00f8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x0100ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0104ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001050000 | 0x01050000 | 0x01056fff | Private Memory | rw |
|
|
|
- |
| localspl.dll.mui | 0x01060000 | 0x01073fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001080000 | 0x01080000 | 0x0108ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010d0000 | 0x010d0000 | 0x0110ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001110000 | 0x01110000 | 0x01110fff | Pagefile Backed Memory | r |
|
|
|
- |
| wsdmon.dll.mui | 0x01120000 | 0x01120fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001130000 | 0x01130000 | 0x01130fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001140000 | 0x01140000 | 0x01140fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001150000 | 0x01150000 | 0x0115ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01160000 | 0x01496fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000014a0000 | 0x014a0000 | 0x0159ffff | Private Memory | rw |
|
|
|
- |
| msxml6r.dll | 0x015a0000 | 0x015a0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000015b0000 | 0x015b0000 | 0x015b6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000015c0000 | 0x015c0000 | 0x015fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001600000 | 0x01600000 | 0x0160ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001610000 | 0x01610000 | 0x0170ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x01710000 | 0x017eefff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000017f0000 | 0x017f0000 | 0x018effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000018f0000 | 0x018f0000 | 0x01aeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001af0000 | 0x01af0000 | 0x01b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001b30000 | 0x01b30000 | 0x01b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001b70000 | 0x01b70000 | 0x01baffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001bb0000 | 0x01bb0000 | 0x01beffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001c30000 | 0x01c30000 | 0x01c6ffff | Private Memory | rw |
|
|
|
- |
| win32spl.dll.mui | 0x01c70000 | 0x01c70fff | Memory Mapped File | r |
|
|
|
- |
| inetpp.dll.mui | 0x01c80000 | 0x01c80fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df5ffcb0000 | 0x7df5ffcb0000 | 0x7ff5ffcaffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6fc80e000 | 0x7ff6fc80e000 | 0x7ff6fc80ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fc812000 | 0x7ff6fc812000 | 0x7ff6fc813fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fc814000 | 0x7ff6fc814000 | 0x7ff6fc815fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fc816000 | 0x7ff6fc816000 | 0x7ff6fc817fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fc818000 | 0x7ff6fc818000 | 0x7ff6fc819fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fc81a000 | 0x7ff6fc81a000 | 0x7ff6fc81bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fc81c000 | 0x7ff6fc81c000 | 0x7ff6fc81dfff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6fc820000 | 0x7ff6fc820000 | 0x7ff6fc91ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6fc920000 | 0x7ff6fc920000 | 0x7ff6fc942fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6fc944000 | 0x7ff6fc944000 | 0x7ff6fc944fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fc946000 | 0x7ff6fc946000 | 0x7ff6fc947fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fc948000 | 0x7ff6fc948000 | 0x7ff6fc949fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fc94a000 | 0x7ff6fc94a000 | 0x7ff6fc94bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fc94c000 | 0x7ff6fc94c000 | 0x7ff6fc94dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6fc94e000 | 0x7ff6fc94e000 | 0x7ff6fc94ffff | Private Memory | rw |
|
|
|
- |
| spoolsv.exe | 0x7ff6fd6e0000 | 0x7ff6fd7a4fff | Memory Mapped File | rwx |
|
|
|
- |
| win32spl.dll | 0x7ff8d1a80000 | 0x7ff8d1b51fff | Memory Mapped File | rwx |
|
|
|
- |
| drvstore.dll | 0x7ff8d1b60000 | 0x7ff8d1c32fff | Memory Mapped File | rwx |
|
|
|
- |
| webservices.dll | 0x7ff8d1c40000 | 0x7ff8d1dbafff | Memory Mapped File | rwx |
|
|
|
- |
| localspl.dll | 0x7ff8d1dc0000 | 0x7ff8d1ed5fff | Memory Mapped File | rwx |
|
|
|
- |
| wsdapi.dll | 0x7ff8d5c30000 | 0x7ff8d5cd6fff | Memory Mapped File | rwx |
|
|
|
- |
| inetpp.dll | 0x7ff8d6210000 | 0x7ff8d623dfff | Memory Mapped File | rwx |
|
|
|
- |
| wsdmon.dll | 0x7ff8d6240000 | 0x7ff8d62d3fff | Memory Mapped File | rwx |
|
|
|
- |
| fundisc.dll | 0x7ff8d7620000 | 0x7ff8d7649fff | Memory Mapped File | rwx |
|
|
|
- |
| usbmon.dll | 0x7ff8d7650000 | 0x7ff8d769efff | Memory Mapped File | rwx |
|
|
|
- |
| winspool.drv | 0x7ff8da840000 | 0x7ff8da8c3fff | Memory Mapped File | rwx |
|
|
|
- |
| tcpmon.dll | 0x7ff8db5d0000 | 0x7ff8db609fff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x7ff8e05b0000 | 0x7ff8e05c1fff | Memory Mapped File | rwx |
|
|
|
- |
| msxml6.dll | 0x7ff8e1c70000 | 0x7ff8e1ee6fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x7ff8e2ea0000 | 0x7ff8e2ea9fff | Memory Mapped File | rwx |
|
|
|
- |
| winprint.dll | 0x7ff8e2fe0000 | 0x7ff8e2feffff | Memory Mapped File | rwx |
|
|
|
- |
| fdpnp.dll | 0x7ff8e3010000 | 0x7ff8e3022fff | Memory Mapped File | rwx |
|
|
|
- |
| deviceassociation.dll | 0x7ff8e3030000 | 0x7ff8e303ffff | Memory Mapped File | rwx |
|
|
|
- |
| wsnmp32.dll | 0x7ff8e3100000 | 0x7ff8e3113fff | Memory Mapped File | rwx |
|
|
|
- |
| snmpapi.dll | 0x7ff8e3120000 | 0x7ff8e312bfff | Memory Mapped File | rwx |
|
|
|
- |
| fxsmon.dll | 0x7ff8e5370000 | 0x7ff8e5380fff | Memory Mapped File | rwx |
|
|
|
- |
| printisolationproxy.dll | 0x7ff8e5390000 | 0x7ff8e53a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sfc_os.dll | 0x7ff8e53c0000 | 0x7ff8e53d0fff | Memory Mapped File | rwx |
|
|
|
- |
| spoolss.dll | 0x7ff8e53e0000 | 0x7ff8e53fbfff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7ff8e5480000 | 0x7ff8e548bfff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ff8e5dd0000 | 0x7ff8e5ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ff8e6330000 | 0x7ff8e6365fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7ff8e7160000 | 0x7ff8e71c7fff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x7ff8e8070000 | 0x7ff8e808dfff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ff8e8460000 | 0x7ff8e846afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ff8e8480000 | 0x7ff8e84b7fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ff8e84d0000 | 0x7ff8e84d9fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ff8e8ad0000 | 0x7ff8e8ae2fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ff8e9720000 | 0x7ff8e9746fff | Memory Mapped File | rwx |
|
|
|
- |
| fwbase.dll | 0x7ff8e9ae0000 | 0x7ff8e9b11fff | Memory Mapped File | rwx |
|
|
|
- |
| firewallapi.dll | 0x7ff8e9b20000 | 0x7ff8e9ba1fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ff8e9cd0000 | 0x7ff8e9cf2fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ff8ea000000 | 0x7ff8ea00bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ff8ea010000 | 0x7ff8ea035fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7ff8ea3c0000 | 0x7ff8ea467fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ff8ea5c0000 | 0x7ff8ea61cfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ff8ea820000 | 0x7ff8ea877fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ff8eadb0000 | 0x7ff8eadc0fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x7ff8eae50000 | 0x7ff8eaea3fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ff8eaf60000 | 0x7ff8eafa3fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ff8eafb0000 | 0x7ff8eb170fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7ff8ebbf0000 | 0x7ff8ebdb4fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ff8ee040000 | 0x7ff8ee0a8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ff8ee250000 | 0x7ff8ee257fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #19: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k WbioSvcGroup |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:50, Reason: Child Process |
| Unmonitor | End Time: 00:02:09, Reason: Self Terminated |
| Monitor Duration | 00:00:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x428 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeTcbPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege |
| Thread IDs |
0x
BFC
0x
440
0x
438
0x
434
0x
42C
0x
4E0
0x
56C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000050714f0000 | 0x50714f0000 | 0x50714fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| wbiosrvc.dll.mui | 0x5071500000 | 0x5071505fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000005071510000 | 0x5071510000 | 0x5071523fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005071530000 | 0x5071530000 | 0x50715affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000050715b0000 | 0x50715b0000 | 0x50715b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000050715c0000 | 0x50715c0000 | 0x50715c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000050715d0000 | 0x50715d0000 | 0x50715d1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x50715e0000 | 0x507169dfff | Memory Mapped File | r |
|
|
|
- |
| winbiostorageadapter.dll.mui | 0x50716a0000 | 0x50716a0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000050716b0000 | 0x50716b0000 | 0x50716b6fff | Private Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0x50716c0000 | 0x50716c0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000050716d0000 | 0x50716d0000 | 0x50716d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000050716e0000 | 0x50716e0000 | 0x50716e0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005071700000 | 0x5071700000 | 0x50717fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005071880000 | 0x5071880000 | 0x507197ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005071980000 | 0x5071980000 | 0x5071a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005071a80000 | 0x5071a80000 | 0x5071b7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005071b80000 | 0x5071b80000 | 0x5071c3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005071c60000 | 0x5071c60000 | 0x5071c66fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005071d00000 | 0x5071d00000 | 0x5071dfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005071e00000 | 0x5071e00000 | 0x5071f87fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005071f90000 | 0x5071f90000 | 0x5072110fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005072220000 | 0x5072220000 | 0x507231ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff220000 | 0x7df5ff220000 | 0x7ff5ff21ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff67355c000 | 0x7ff67355c000 | 0x7ff67355dfff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff673560000 | 0x7ff673560000 | 0x7ff67365ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff673660000 | 0x7ff673660000 | 0x7ff673682fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff673684000 | 0x7ff673684000 | 0x7ff673685fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673686000 | 0x7ff673686000 | 0x7ff673687fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673688000 | 0x7ff673688000 | 0x7ff673689fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67368c000 | 0x7ff67368c000 | 0x7ff67368dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67368e000 | 0x7ff67368e000 | 0x7ff67368efff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff673b40000 | 0x7ff673b4cfff | Memory Mapped File | rwx |
|
|
|
- |
| rtworkq.dll | 0x7ff8e6440000 | 0x7ff8e646ffff | Memory Mapped File | rwx |
|
|
|
- |
| mfplat.dll | 0x7ff8e6470000 | 0x7ff8e657bfff | Memory Mapped File | rwx |
|
|
|
- |
| nuivoicewbsadapters.dll | 0x7ff8e6580000 | 0x7ff8e65eafff | Memory Mapped File | rwx |
|
|
|
- |
| winbiostorageadapter.dll | 0x7ff8e65f0000 | 0x7ff8e65fafff | Memory Mapped File | rwx |
|
|
|
- |
| facerecognitionengineadapter.dll | 0x7ff8e6600000 | 0x7ff8e6635fff | Memory Mapped File | rwx |
|
|
|
- |
| d2d1.dll | 0x7ff8e6640000 | 0x7ff8e6b84fff | Memory Mapped File | rwx |
|
|
|
- |
| facerecognitionsensoradapter.dll | 0x7ff8e6b90000 | 0x7ff8e6bc0fff | Memory Mapped File | rwx |
|
|
|
- |
| winbioext.dll | 0x7ff8e6c20000 | 0x7ff8e6c27fff | Memory Mapped File | rwx |
|
|
|
- |
| ucrtbase.dll | 0x7ff8e6c30000 | 0x7ff8e6d21fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp_win.dll | 0x7ff8e6d30000 | 0x7ff8e6dcafff | Memory Mapped File | rwx |
|
|
|
- |
| wbiosrvc.dll | 0x7ff8e6dd0000 | 0x7ff8e6e69fff | Memory Mapped File | rwx |
|
|
|
- |
| avrt.dll | 0x7ff8e75b0000 | 0x7ff8e75bafff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ff8e9720000 | 0x7ff8e9746fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x7ff8ea1d0000 | 0x7ff8ea1d9fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ff8eadb0000 | 0x7ff8eadc0fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ff8eaf60000 | 0x7ff8eafa3fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ff8eafb0000 | 0x7ff8eb170fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #20: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #20 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:50, Reason: Child Process |
| Unmonitor | End Time: 00:04:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:43 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x444 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
748
0x
730
0x
70C
0x
6E8
0x
6E4
0x
6BC
0x
6B0
0x
650
0x
554
0x
550
0x
52C
0x
518
0x
514
0x
50C
0x
500
0x
4E4
0x
4C8
0x
4C4
0x
4BC
0x
4B8
0x
4B0
0x
4A8
0x
4A4
0x
4A0
0x
49C
0x
48C
0x
448
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000b175140000 | 0xb175140000 | 0xb17514ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0xb175150000 | 0xb175150fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000b175160000 | 0xb175160000 | 0xb175173fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b175180000 | 0xb175180000 | 0xb1751fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b175200000 | 0xb175200000 | 0xb175203fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b175210000 | 0xb175210000 | 0xb175210fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b175220000 | 0xb175220000 | 0xb175221fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b175230000 | 0xb175230000 | 0xb175230fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b175240000 | 0xb175240000 | 0xb175240fff | Private Memory | rw |
|
|
|
- |
| bfe.dll.mui | 0xb175250000 | 0xb175256fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b175260000 | 0xb175260000 | 0xb175266fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b175270000 | 0xb175270000 | 0xb17527ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b175280000 | 0xb175280000 | 0xb175286fff | Private Memory | rw |
|
|
|
- |
| firewallapi.dll.mui | 0xb175290000 | 0xb1752b3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b1752c0000 | 0xb1752c0000 | 0xb1752c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b1752d0000 | 0xb1752d0000 | 0xb1752d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b1752e0000 | 0xb1752e0000 | 0xb1752e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b1752f0000 | 0xb1752f0000 | 0xb1752f7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b175300000 | 0xb175300000 | 0xb1753fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xb175400000 | 0xb1754bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b1754c0000 | 0xb1754c0000 | 0xb1754c1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b175540000 | 0xb175540000 | 0xb1755fffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b175600000 | 0xb175600000 | 0xb1756fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b175700000 | 0xb175700000 | 0xb175887fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b175890000 | 0xb175890000 | 0xb175a10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b175a20000 | 0xb175a20000 | 0xb175b1ffff | Private Memory | rw |
|
|
|
- |
| firewallapi.dll | 0xb175b20000 | 0xb175b9cfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000b175ba0000 | 0xb175ba0000 | 0xb175ba1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b175bb0000 | 0xb175bb0000 | 0xb175bb0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b175bc0000 | 0xb175bc0000 | 0xb175bc6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b175c00000 | 0xb175c00000 | 0xb175cfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b175d00000 | 0xb175d00000 | 0xb175dfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b175e00000 | 0xb175e00000 | 0xb175efffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b175f00000 | 0xb175f00000 | 0xb175ffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b176000000 | 0xb176000000 | 0xb1760fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b176100000 | 0xb176100000 | 0xb1761fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b176200000 | 0xb176200000 | 0xb1762fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b176300000 | 0xb176300000 | 0xb176373fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b176400000 | 0xb176400000 | 0xb1764fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b176500000 | 0xb176500000 | 0xb1765fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b176600000 | 0xb176600000 | 0xb17667ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b176680000 | 0xb176680000 | 0xb17677ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b176780000 | 0xb176780000 | 0xb17687ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b176880000 | 0xb176880000 | 0xb17697ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b176980000 | 0xb176980000 | 0xb176a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b176a80000 | 0xb176a80000 | 0xb17727ffff | Private Memory | - |
|
|
|
- |
| private_0x000000b177280000 | 0xb177280000 | 0xb17737ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b177380000 | 0xb177380000 | 0xb17747ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b177500000 | 0xb177500000 | 0xb1775fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b177600000 | 0xb177600000 | 0xb1776fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b177700000 | 0xb177700000 | 0xb1777fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xb177800000 | 0xb177b36fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b177c00000 | 0xb177c00000 | 0xb177cfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b177d00000 | 0xb177d00000 | 0xb177dfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b177e00000 | 0xb177e00000 | 0xb177efffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b177f00000 | 0xb177f00000 | 0xb177ffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b178000000 | 0xb178000000 | 0xb1780fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b178100000 | 0xb178100000 | 0xb1781fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b179200000 | 0xb179200000 | 0xb1792fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b179420000 | 0xb179420000 | 0xb17951ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b179520000 | 0xb179520000 | 0xb17961ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b179620000 | 0xb179620000 | 0xb17971ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b179720000 | 0xb179720000 | 0xb17981ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b179820000 | 0xb179820000 | 0xb17991ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b179920000 | 0xb179920000 | 0xb179926fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b1799a0000 | 0xb1799a0000 | 0xb1799a6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b179a00000 | 0xb179a00000 | 0xb179afffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b179b00000 | 0xb179b00000 | 0xb179bfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b179c00000 | 0xb179c00000 | 0xb179cfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b179d00000 | 0xb179d00000 | 0xb179f00fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b179f10000 | 0xb179f10000 | 0xb17a00ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b17a100000 | 0xb17a100000 | 0xb17a1fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b17a200000 | 0xb17a200000 | 0xb17a2fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b17a300000 | 0xb17a300000 | 0xb17a400fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b17a410000 | 0xb17a410000 | 0xb17a510fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b17a600000 | 0xb17a600000 | 0xb17a6fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b17a700000 | 0xb17a700000 | 0xb17a7fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b17a800000 | 0xb17a800000 | 0xb17a8fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff620000 | 0x7df5ff620000 | 0x7ff5ff61ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff67378e000 | 0x7ff67378e000 | 0x7ff67378ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673790000 | 0x7ff673790000 | 0x7ff673791fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673792000 | 0x7ff673792000 | 0x7ff673793fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673794000 | 0x7ff673794000 | 0x7ff673795fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673796000 | 0x7ff673796000 | 0x7ff673797fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67379a000 | 0x7ff67379a000 | 0x7ff67379bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67379c000 | 0x7ff67379c000 | 0x7ff67379dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67379e000 | 0x7ff67379e000 | 0x7ff67379ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737a0000 | 0x7ff6737a0000 | 0x7ff6737a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737a2000 | 0x7ff6737a2000 | 0x7ff6737a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737a4000 | 0x7ff6737a4000 | 0x7ff6737a5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737a6000 | 0x7ff6737a6000 | 0x7ff6737a7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737a8000 | 0x7ff6737a8000 | 0x7ff6737a9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737aa000 | 0x7ff6737aa000 | 0x7ff6737abfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737ac000 | 0x7ff6737ac000 | 0x7ff6737adfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737ae000 | 0x7ff6737ae000 | 0x7ff6737affff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737b0000 | 0x7ff6737b0000 | 0x7ff6737b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737b2000 | 0x7ff6737b2000 | 0x7ff6737b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737b4000 | 0x7ff6737b4000 | 0x7ff6737b5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737b8000 | 0x7ff6737b8000 | 0x7ff6737b9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737ba000 | 0x7ff6737ba000 | 0x7ff6737bbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737bc000 | 0x7ff6737bc000 | 0x7ff6737bdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6737be000 | 0x7ff6737be000 | 0x7ff6737bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6737c0000 | 0x7ff6737c0000 | 0x7ff6738bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6738c0000 | 0x7ff6738c0000 | 0x7ff6738e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6738e4000 | 0x7ff6738e4000 | 0x7ff6738e5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6738e6000 | 0x7ff6738e6000 | 0x7ff6738e7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6738e8000 | 0x7ff6738e8000 | 0x7ff6738e8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6738ea000 | 0x7ff6738ea000 | 0x7ff6738ebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6738ee000 | 0x7ff6738ee000 | 0x7ff6738effff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff673b40000 | 0x7ff673b4cfff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ff8df640000 | 0x7ff8dfaa9fff | Memory Mapped File | rwx |
|
|
|
- |
| radardt.dll | 0x7ff8e0270000 | 0x7ff8e028cfff | Memory Mapped File | rwx |
|
|
|
- |
| srumapi.dll | 0x7ff8e03b0000 | 0x7ff8e03c2fff | Memory Mapped File | rwx |
|
|
|
- |
| energyprov.dll | 0x7ff8e03d0000 | 0x7ff8e03e2fff | Memory Mapped File | rwx |
|
|
|
- |
| ncuprov.dll | 0x7ff8e0950000 | 0x7ff8e095cfff | Memory Mapped File | rwx |
|
|
|
- |
| wpnsruprov.dll | 0x7ff8e0960000 | 0x7ff8e096dfff | Memory Mapped File | rwx |
|
|
|
- |
| appsruprov.dll | 0x7ff8e0970000 | 0x7ff8e0986fff | Memory Mapped File | rwx |
|
|
|
- |
| eeprov.dll | 0x7ff8e0990000 | 0x7ff8e09aafff | Memory Mapped File | rwx |
|
|
|
- |
| nduprov.dll | 0x7ff8e09b0000 | 0x7ff8e09c4fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ff8e0f70000 | 0x7ff8e0f7dfff | Memory Mapped File | rwx |
|
|
|
- |
| wlanapi.dll | 0x7ff8e15f0000 | 0x7ff8e164efff | Memory Mapped File | rwx |
|
|
|
- |
| esent.dll | 0x7ff8e1940000 | 0x7ff8e1c21fff | Memory Mapped File | rwx |
|
|
|
- |
| srumsvc.dll | 0x7ff8e1c30000 | 0x7ff8e1c67fff | Memory Mapped File | rwx |
|
|
|
- |
| diagperf.dll | 0x7ff8e25f0000 | 0x7ff8e2755fff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7ff8e2760000 | 0x7ff8e279efff | Memory Mapped File | rwx |
|
|
|
- |
| pnpts.dll | 0x7ff8e2eb0000 | 0x7ff8e2eb8fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ff8e3a50000 | 0x7ff8e3a59fff | Memory Mapped File | rwx |
|
|
|
- |
| wfapigp.dll | 0x7ff8e3a60000 | 0x7ff8e3a6bfff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ff8e3c30000 | 0x7ff8e3fa5fff | Memory Mapped File | rwx |
|
|
|
- |
| mrmcorer.dll | 0x7ff8e5050000 | 0x7ff8e515efff | Memory Mapped File | rwx |
|
|
|
- |
| wdi.dll | 0x7ff8e5520000 | 0x7ff8e553cfff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x7ff8e5d70000 | 0x7ff8e5d77fff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x7ff8e5d80000 | 0x7ff8e5d87fff | Memory Mapped File | rwx |
|
|
|
- |
| wshqos.dll | 0x7ff8e5d90000 | 0x7ff8e5d99fff | Memory Mapped File | rwx |
|
|
|
- |
| dps.dll | 0x7ff8e5da0000 | 0x7ff8e5dcefff | Memory Mapped File | rwx |
|
|
|
- |
| adhapi.dll | 0x7ff8e6090000 | 0x7ff8e6099fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp110_win.dll | 0x7ff8e60a0000 | 0x7ff8e6131fff | Memory Mapped File | rwx |
|
|
|
- |
| policymanager.dll | 0x7ff8e6140000 | 0x7ff8e6178fff | Memory Mapped File | rwx |
|
|
|
- |
| httpprxc.dll | 0x7ff8e6180000 | 0x7ff8e6188fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpolicyiomgr.dll | 0x7ff8e6210000 | 0x7ff8e6244fff | Memory Mapped File | rwx |
|
|
|
- |
| mpssvc.dll | 0x7ff8e6250000 | 0x7ff8e6329fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ff8e6330000 | 0x7ff8e6365fff | Memory Mapped File | rwx |
|
|
|
- |
| bfe.dll | 0x7ff8e6370000 | 0x7ff8e6439fff | Memory Mapped File | rwx |
|
|
|
- |
| ucrtbase.dll | 0x7ff8e6c30000 | 0x7ff8e6d21fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp_win.dll | 0x7ff8e6d30000 | 0x7ff8e6dcafff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7ff8e7160000 | 0x7ff8e71c7fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ff8e7280000 | 0x7ff8e7299fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ff8e72a0000 | 0x7ff8e72b5fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ff8e7cd0000 | 0x7ff8e7ce5fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 39 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #21: officeclicktorun.exe
0
0
| Information | Value |
|---|---|
| ID | #21 |
| File Name | c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe |
| Command Line | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:50, Reason: Child Process |
| Unmonitor | End Time: 00:04:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:43 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4e8 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
C74
0x
B90
0x
C24
0x
AF8
0x
B60
0x
740
0x
72C
0x
728
0x
71C
0x
634
0x
5E4
0x
5D4
0x
544
0x
540
0x
538
0x
4EC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000d109c10000 | 0xd109c10000 | 0xd109c1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000d109c20000 | 0xd109c20000 | 0xd109c26fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d109c30000 | 0xd109c30000 | 0xd109c43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d109c50000 | 0xd109c50000 | 0xd109d4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d109d50000 | 0xd109d50000 | 0xd109d53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d109d60000 | 0xd109d60000 | 0xd109d62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d109d70000 | 0xd109d70000 | 0xd109d71fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xd109d80000 | 0xd109e3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d109e40000 | 0xd109e40000 | 0xd109e46fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d109e50000 | 0xd109e50000 | 0xd109e50fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d109e60000 | 0xd109e60000 | 0xd109e60fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d109e70000 | 0xd109e70000 | 0xd109e70fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d109e80000 | 0xd109e80000 | 0xd109f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d109f80000 | 0xd109f80000 | 0xd10a07ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d10a080000 | 0xd10a080000 | 0xd10a13ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d10a140000 | 0xd10a140000 | 0xd10a140fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d10a150000 | 0xd10a150000 | 0xd10a151fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d10a160000 | 0xd10a160000 | 0xd10a160fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000d10a170000 | 0xd10a170000 | 0xd10a171fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d10a180000 | 0xd10a180000 | 0xd10a184fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d10a190000 | 0xd10a190000 | 0xd10a190fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d10a1a0000 | 0xd10a1a0000 | 0xd10a1affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d10a1b0000 | 0xd10a1b0000 | 0xd10a337fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d10a340000 | 0xd10a340000 | 0xd10a4c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0xd10a4d0000 | 0xd10a806fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d10a810000 | 0xd10a810000 | 0xd10a90ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10a910000 | 0xd10a910000 | 0xd10aa0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10aa10000 | 0xd10aa10000 | 0xd10ab0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10ab10000 | 0xd10ab10000 | 0xd10ac0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10ac10000 | 0xd10ac10000 | 0xd10ae0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10ae10000 | 0xd10ae10000 | 0xd10af0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10af10000 | 0xd10af10000 | 0xd10b00ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10b010000 | 0xd10b010000 | 0xd10b10ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10b110000 | 0xd10b110000 | 0xd10b216fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10b220000 | 0xd10b220000 | 0xd10b423fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10b430000 | 0xd10b430000 | 0xd10b52ffff | Private Memory | rw |
|
|
|
- |
| tdh.dll.mui | 0xd10b530000 | 0xd10b54afff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000d10b550000 | 0xd10b550000 | 0xd10b550fff | Pagefile Backed Memory | r |
|
|
|
- |
| kernelbase.dll.mui | 0xd10b560000 | 0xd10b63efff | Memory Mapped File | r |
|
|
|
- |
| msxml6r.dll | 0xd10b640000 | 0xd10b640fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d10b650000 | 0xd10b650000 | 0xd10b656fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d10b660000 | 0xd10b660000 | 0xd10b660fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d10b670000 | 0xd10b670000 | 0xd10b670fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d10b680000 | 0xd10b680000 | 0xd10b680fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d10b690000 | 0xd10b690000 | 0xd10b690fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d10b6a0000 | 0xd10b6a0000 | 0xd10b6a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d10b6b0000 | 0xd10b6b0000 | 0xd10b6b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d10b6c0000 | 0xd10b6c0000 | 0xd10b6c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d10b6d0000 | 0xd10b6d0000 | 0xd10b6d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d10b6e0000 | 0xd10b6e0000 | 0xd10b6e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d10b6f0000 | 0xd10b6f0000 | 0xd10b6f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d10b700000 | 0xd10b700000 | 0xd10b700fff | Pagefile Backed Memory | rw |
|
|
|
- |
| counters.dat | 0xd10b710000 | 0xd10b710fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000d10b720000 | 0xd10b720000 | 0xd10b72ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10b730000 | 0xd10b730000 | 0xd10b82ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10b830000 | 0xd10b830000 | 0xd10ba2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10ba30000 | 0xd10ba30000 | 0xd10be2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10be30000 | 0xd10be30000 | 0xd10bf2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10bf30000 | 0xd10bf30000 | 0xd10c02ffff | Private Memory | rw |
|
|
|
- |
| winnlsres.dll | 0xd10c030000 | 0xd10c034fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0xd10c040000 | 0xd10c04ffff | Memory Mapped File | r |
|
|
|
- |
| mswsock.dll.mui | 0xd10c050000 | 0xd10c052fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000d10c060000 | 0xd10c060000 | 0xd10c061fff | Pagefile Backed Memory | rw |
|
|
|
- |
| crypt32.dll.mui | 0xd10c070000 | 0xd10c079fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d10c130000 | 0xd10c130000 | 0xd10c22ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10c230000 | 0xd10c230000 | 0xd10c32ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10c330000 | 0xd10c330000 | 0xd10c42ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10c430000 | 0xd10c430000 | 0xd10c52ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10c530000 | 0xd10c530000 | 0xd10c62ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10c630000 | 0xd10c630000 | 0xd10c72ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10c730000 | 0xd10c730000 | 0xd10cb2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10cb30000 | 0xd10cb30000 | 0xd10d32ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10d330000 | 0xd10d330000 | 0xd10e2fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10e300000 | 0xd10e300000 | 0xd10e3fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d10ea30000 | 0xd10ea30000 | 0xd10f9fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d110210000 | 0xd110210000 | 0xd1111dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff1c0000 | 0x7df5ff1c0000 | 0x7ff5ff1bffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff649a4c000 | 0x7ff649a4c000 | 0x7ff649a4dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649a4e000 | 0x7ff649a4e000 | 0x7ff649a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649a50000 | 0x7ff649a50000 | 0x7ff649a51fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649a52000 | 0x7ff649a52000 | 0x7ff649a53fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649a54000 | 0x7ff649a54000 | 0x7ff649a55fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649a56000 | 0x7ff649a56000 | 0x7ff649a57fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649a58000 | 0x7ff649a58000 | 0x7ff649a59fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649a5a000 | 0x7ff649a5a000 | 0x7ff649a5bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649a5c000 | 0x7ff649a5c000 | 0x7ff649a5dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649a5e000 | 0x7ff649a5e000 | 0x7ff649a5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff649a60000 | 0x7ff649a60000 | 0x7ff649b5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff649b60000 | 0x7ff649b60000 | 0x7ff649b82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff649b83000 | 0x7ff649b83000 | 0x7ff649b84fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649b85000 | 0x7ff649b85000 | 0x7ff649b86fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649b87000 | 0x7ff649b87000 | 0x7ff649b87fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649b88000 | 0x7ff649b88000 | 0x7ff649b89fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649b8a000 | 0x7ff649b8a000 | 0x7ff649b8bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649b8c000 | 0x7ff649b8c000 | 0x7ff649b8dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff649b8e000 | 0x7ff649b8e000 | 0x7ff649b8ffff | Private Memory | rw |
|
|
|
- |
| officeclicktorun.exe | 0x7ff64a820000 | 0x7ff64b07bfff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x7ff8dcbd0000 | 0x7ff8dcc4ffff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x7ff8dff00000 | 0x7ff8e01a6fff | Memory Mapped File | rwx |
|
|
|
- |
| appvfilesystemmetadata.dll | 0x7ff8e0770000 | 0x7ff8e07bcfff | Memory Mapped File | rwx |
|
|
|
- |
| appvisvsubsystemcontroller.dll | 0x7ff8e07c0000 | 0x7ff8e0945fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x7ff8e0a60000 | 0x7ff8e0bf6fff | Memory Mapped File | rwx |
|
|
|
- |
| appvintegration.dll | 0x7ff8e0c90000 | 0x7ff8e0ec0fff | Memory Mapped File | rwx |
|
|
|
- |
| appvisvvirtualization.dll | 0x7ff8e0ed0000 | 0x7ff8e0f67fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ff8e0f70000 | 0x7ff8e0f7dfff | Memory Mapped File | rwx |
|
|
|
- |
| ondemandconnroutehelper.dll | 0x7ff8e0f80000 | 0x7ff8e0f94fff | Memory Mapped File | rwx |
|
|
|
- |
| appvcatalog.dll | 0x7ff8e0fa0000 | 0x7ff8e1049fff | Memory Mapped File | rwx |
|
|
|
- |
| appvmanifest.dll | 0x7ff8e1070000 | 0x7ff8e11a1fff | Memory Mapped File | rwx |
|
|
|
- |
| appvisvstreamingmanager.dll | 0x7ff8e11b0000 | 0x7ff8e11e6fff | Memory Mapped File | rwx |
|
|
|
- |
| appvorchestration.dll | 0x7ff8e11f0000 | 0x7ff8e12dffff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x7ff8e12e0000 | 0x7ff8e12f6fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr120.dll | 0x7ff8e1300000 | 0x7ff8e13eefff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp120.dll | 0x7ff8e13f0000 | 0x7ff8e1495fff | Memory Mapped File | rwx |
|
|
|
- |
| appvpolicy.dll | 0x7ff8e14a0000 | 0x7ff8e15e0fff | Memory Mapped File | rwx |
|
|
|
- |
| appvisvapi.dll | 0x7ff8e1700000 | 0x7ff8e177bfff | Memory Mapped File | rwx |
|
|
|
- |
| msxml6.dll | 0x7ff8e1c70000 | 0x7ff8e1ee6fff | Memory Mapped File | rwx |
|
|
|
- |
| msdelta.dll | 0x7ff8e1ef0000 | 0x7ff8e1f71fff | Memory Mapped File | rwx |
|
|
|
- |
| streamserver.dll | 0x7ff8e1f80000 | 0x7ff8e2367fff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7ff8e2760000 | 0x7ff8e279efff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x7ff8e2ea0000 | 0x7ff8e2ea9fff | Memory Mapped File | rwx |
|
|
|
- |
| mskeyprotect.dll | 0x7ff8e3170000 | 0x7ff8e3183fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ff8e3a50000 | 0x7ff8e3a59fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ff8e3c30000 | 0x7ff8e3fa5fff | Memory Mapped File | rwx |
|
|
|
- |
| ncryptsslp.dll | 0x7ff8e52f0000 | 0x7ff8e530efff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7ff8e5480000 | 0x7ff8e548bfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ff8e57b0000 | 0x7ff8e5a23fff | Memory Mapped File | rwx |
|
|
|
- |
| msi.dll | 0x7ff8e5a30000 | 0x7ff8e5d6cfff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ff8e5dd0000 | 0x7ff8e5ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| apiclient.dll | 0x7ff8e5eb0000 | 0x7ff8e5ee9fff | Memory Mapped File | rwx |
|
|
|
- |
| rstrtmgr.dll | 0x7ff8e5ef0000 | 0x7ff8e5f21fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp140.dll | 0x7ff8e5f30000 | 0x7ff8e5fcefff | Memory Mapped File | rwx |
|
|
|
- |
| vcruntime140.dll | 0x7ff8e5fd0000 | 0x7ff8e5fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| cabinet.dll | 0x7ff8e5ff0000 | 0x7ff8e6016fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ff8e6330000 | 0x7ff8e6365fff | Memory Mapped File | rwx |
|
|
|
- |
| ucrtbase.dll | 0x7ff8e6c30000 | 0x7ff8e6d21fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7ff8e7160000 | 0x7ff8e71c7fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ff8e7280000 | 0x7ff8e7299fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ff8e72a0000 | 0x7ff8e72b5fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ff8e76f0000 | 0x7ff8e7707fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ff8e7cd0000 | 0x7ff8e7ce5fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ff8e8460000 | 0x7ff8e846afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ff8e8480000 | 0x7ff8e84b7fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ff8e8ad0000 | 0x7ff8e8ae2fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ff8e9cd0000 | 0x7ff8e9cf2fff | Memory Mapped File | rwx |
|
|
|
- |
| tdh.dll | 0x7ff8e9d00000 | 0x7ff8e9df7fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ff8ea000000 | 0x7ff8ea00bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ff8ea010000 | 0x7ff8ea035fff | Memory Mapped File | rwx |
|
|
|
- |
| schannel.dll | 0x7ff8ea150000 | 0x7ff8ea1c3fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x7ff8ea1d0000 | 0x7ff8ea1d9fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 43 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #22: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #22 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k appmodel |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:50, Reason: Child Process |
| Unmonitor | End Time: 00:04:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:43 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x600 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeTcbPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePermanentPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege |
| Thread IDs |
0x
AC0
0x
A34
0x
9F8
0x
97C
0x
978
0x
6CC
0x
6C8
0x
6C4
0x
604
0x
D90
0x
D84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000005120a40000 | 0x5120a40000 | 0x5120a4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0x5120a50000 | 0x5120a50fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000005120a60000 | 0x5120a60000 | 0x5120a73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005120a80000 | 0x5120a80000 | 0x5120afffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005120b00000 | 0x5120b00000 | 0x5120b03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005120b10000 | 0x5120b10000 | 0x5120b10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005120b20000 | 0x5120b20000 | 0x5120b21fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005120b30000 | 0x5120b30000 | 0x5120b30fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005120b40000 | 0x5120b40000 | 0x5120b46fff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0x5120b50000 | 0x5120b5ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5120b60000 | 0x5120b6ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5120b70000 | 0x5120b7ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5120b80000 | 0x5120b8ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5120b90000 | 0x5120b9ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5120ba0000 | 0x5120baffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5120bb0000 | 0x5120bbffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5120bc0000 | 0x5120bcffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005120bd0000 | 0x5120bd0000 | 0x5120bd0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005120be0000 | 0x5120be0000 | 0x5120be0fff | Pagefile Backed Memory | r |
|
|
|
- |
| vedatamodel.edb | 0x5120bf0000 | 0x5120bfffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005120c00000 | 0x5120c00000 | 0x5120cfffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x5120d00000 | 0x5120dbdfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000005120dc0000 | 0x5120dc0000 | 0x5120e7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| staterepository-machine.srd-shm | 0x5120e80000 | 0x5120e87fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000005120e90000 | 0x5120e90000 | 0x5120e90fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000005120ea0000 | 0x5120ea0000 | 0x5120ea0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005120eb0000 | 0x5120eb0000 | 0x5120eb0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005120ec0000 | 0x5120ec0000 | 0x5120ecffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000005120ed0000 | 0x5120ed0000 | 0x5120edffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000005120ee0000 | 0x5120ee0000 | 0x5120eeffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000005120ef0000 | 0x5120ef0000 | 0x5120efffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000005120f00000 | 0x5120f00000 | 0x5120f00fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005120f10000 | 0x5120f10000 | 0x5120f10fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005120f20000 | 0x5120f20000 | 0x5120f20fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005120f30000 | 0x5120f30000 | 0x5120f36fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005120f40000 | 0x5120f40000 | 0x5120f4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000005120f50000 | 0x5120f50000 | 0x5120f5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000005120f60000 | 0x5120f60000 | 0x5120f6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000005120f70000 | 0x5120f70000 | 0x5120f7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000005120f80000 | 0x5120f80000 | 0x5120f83fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005120f90000 | 0x5120f90000 | 0x5120f91fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005120fa0000 | 0x5120fa0000 | 0x5120fa0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005120fb0000 | 0x5120fb0000 | 0x5120fb0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005120fc0000 | 0x5120fc0000 | 0x5120fdffff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0x5120fe0000 | 0x5120feffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5120ff0000 | 0x5120ffffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005121000000 | 0x5121000000 | 0x51210fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005121100000 | 0x5121100000 | 0x5121287fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005121290000 | 0x5121290000 | 0x5121410fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005121420000 | 0x5121420000 | 0x512151ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005121520000 | 0x5121520000 | 0x512161ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x5121620000 | 0x5121956fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005121960000 | 0x5121960000 | 0x5121a5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005121a60000 | 0x5121a60000 | 0x5121b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005121b60000 | 0x5121b60000 | 0x5121c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005121c60000 | 0x5121c60000 | 0x5121d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005121d60000 | 0x5121d60000 | 0x5122d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005122d60000 | 0x5122d60000 | 0x5132d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005132d60000 | 0x5132d60000 | 0x5142d5ffff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0x5142d60000 | 0x5142d6ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142d70000 | 0x5142d7ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142d80000 | 0x5142d8ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142d90000 | 0x5142d9ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142da0000 | 0x5142daffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142db0000 | 0x5142dbffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142dc0000 | 0x5142dcffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142dd0000 | 0x5142ddffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142de0000 | 0x5142deffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005142e30000 | 0x5142e30000 | 0x5142eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005142ec0000 | 0x5142ec0000 | 0x5142ec0fff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0x5142ed0000 | 0x5142edffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142ee0000 | 0x5142eeffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142ef0000 | 0x5142efffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142f00000 | 0x5142f0ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142f10000 | 0x5142f1ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142f20000 | 0x5142f2ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142f30000 | 0x5142f3ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142f40000 | 0x5142f4ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142f50000 | 0x5142f5ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142f60000 | 0x5142f6ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142f70000 | 0x5142f7ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142f80000 | 0x5142f8ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142f90000 | 0x5142f9ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142fa0000 | 0x5142faffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142fb0000 | 0x5142fbffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142fc0000 | 0x5142fcffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142fd0000 | 0x5142fdffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142fe0000 | 0x5142feffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5142ff0000 | 0x5142ffffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143000000 | 0x514300ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143010000 | 0x514301ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143020000 | 0x514302ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143030000 | 0x514303ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143040000 | 0x514304ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143050000 | 0x514305ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143060000 | 0x514306ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143070000 | 0x514307ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000005143080000 | 0x5143080000 | 0x51430a9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0x51430b0000 | 0x51430bffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51430c0000 | 0x51430cffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51430d0000 | 0x51430dffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51430e0000 | 0x51430effff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51430f0000 | 0x51430fffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143100000 | 0x514310ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005143110000 | 0x5143110000 | 0x514320ffff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0x5143210000 | 0x514321ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143220000 | 0x514322ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143230000 | 0x514323ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143240000 | 0x514324ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143250000 | 0x514325ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143260000 | 0x514326ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143270000 | 0x514327ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143280000 | 0x514328ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143290000 | 0x514329ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51432a0000 | 0x51432affff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51432b0000 | 0x51432bffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51432c0000 | 0x51432cffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51432d0000 | 0x51432dffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51432e0000 | 0x51432effff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000051432f0000 | 0x51432f0000 | 0x51432f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005143300000 | 0x5143300000 | 0x51433fffff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0x5143400000 | 0x514340ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143410000 | 0x514341ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143420000 | 0x514342ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005143430000 | 0x5143430000 | 0x514352ffff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0x5143530000 | 0x514353ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143540000 | 0x514354ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143550000 | 0x514355ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143560000 | 0x514356ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143570000 | 0x514357ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143580000 | 0x514358ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143590000 | 0x514359ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51435a0000 | 0x51435affff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51435b0000 | 0x51435bffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51435c0000 | 0x51435cffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51435d0000 | 0x51435dffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51435e0000 | 0x51435effff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x51435f0000 | 0x51435fffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005143600000 | 0x5143600000 | 0x5143600fff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0x5143610000 | 0x514361ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143620000 | 0x514362ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143650000 | 0x514365ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0x5143660000 | 0x514366ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005143700000 | 0x5143700000 | 0x51437fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff480000 | 0x7df5ff480000 | 0x7ff5ff47ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6733d8000 | 0x7ff6733d8000 | 0x7ff6733d9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6733da000 | 0x7ff6733da000 | 0x7ff6733dbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6733dc000 | 0x7ff6733dc000 | 0x7ff6733ddfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6733de000 | 0x7ff6733de000 | 0x7ff6733dffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 45 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #23: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #23 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k UnistackSvcGroup |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:50, Reason: Child Process |
| Unmonitor | End Time: 00:04:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:43 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf0c |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
FBC
0x
FB8
0x
FB4
0x
FB0
0x
FAC
0x
F18
0x
F10
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000402e2c0000 | 0x402e2c0000 | 0x402e2cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0x402e2d0000 | 0x402e2d0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000402e2e0000 | 0x402e2e0000 | 0x402e2f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000402e300000 | 0x402e300000 | 0x402e37ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000402e380000 | 0x402e380000 | 0x402e383fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000402e390000 | 0x402e390000 | 0x402e390fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000402e3a0000 | 0x402e3a0000 | 0x402e3a1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x402e3b0000 | 0x402e46dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000402e470000 | 0x402e470000 | 0x402e4effff | Private Memory | rw |
|
|
|
- |
| private_0x000000402e4f0000 | 0x402e4f0000 | 0x402e4f0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000402e500000 | 0x402e500000 | 0x402e506fff | Private Memory | rw |
|
|
|
- |
| private_0x000000402e510000 | 0x402e510000 | 0x402e510fff | Private Memory | rw |
|
|
|
- |
| phoneutilres.dll | 0x402e520000 | 0x402e520fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000402e540000 | 0x402e540000 | 0x402e540fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000402e550000 | 0x402e550000 | 0x402e550fff | Pagefile Backed Memory | r |
|
|
|
- |
| syncres.dll | 0x402e560000 | 0x402e560fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000402e570000 | 0x402e570000 | 0x402e599fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000402e5a0000 | 0x402e5a0000 | 0x402e5a6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000402e600000 | 0x402e600000 | 0x402e6fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000402e700000 | 0x402e700000 | 0x402e7fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000402e800000 | 0x402e800000 | 0x402e987fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000402e990000 | 0x402e990000 | 0x402eb10fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000402eb20000 | 0x402eb20000 | 0x402ff1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000402ff20000 | 0x402ff20000 | 0x403001ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004030020000 | 0x4030020000 | 0x403011ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004030120000 | 0x4030120000 | 0x403019ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000040301a0000 | 0x40301a0000 | 0x403029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000040302a0000 | 0x40302a0000 | 0x403039ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x40303a0000 | 0x40306d6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000040306e0000 | 0x40306e0000 | 0x40307dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff9b0000 | 0x7df5ff9b0000 | 0x7ff5ff9affff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6734fe000 | 0x7ff6734fe000 | 0x7ff6734fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff673500000 | 0x7ff673500000 | 0x7ff6735fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff673600000 | 0x7ff673600000 | 0x7ff673622fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff673623000 | 0x7ff673623000 | 0x7ff673624fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673625000 | 0x7ff673625000 | 0x7ff673626fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673627000 | 0x7ff673627000 | 0x7ff673628fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff673629000 | 0x7ff673629000 | 0x7ff67362afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67362b000 | 0x7ff67362b000 | 0x7ff67362cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67362d000 | 0x7ff67362d000 | 0x7ff67362efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67362f000 | 0x7ff67362f000 | 0x7ff67362ffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff673b40000 | 0x7ff673b4cfff | Memory Mapped File | rwx |
|
|
|
- |
| phoneutil.dll | 0x7ff8d14b0000 | 0x7ff8d14f0fff | Memory Mapped File | rwx |
|
|
|
- |
| pimstore.dll | 0x7ff8d1500000 | 0x7ff8d1670fff | Memory Mapped File | rwx |
|
|
|
- |
| syncutil.dll | 0x7ff8d1680000 | 0x7ff8d16c6fff | Memory Mapped File | rwx |
|
|
|
- |
| userdatatimeutil.dll | 0x7ff8d1940000 | 0x7ff8d1960fff | Memory Mapped File | rwx |
|
|
|
- |
| userdatalanguageutil.dll | 0x7ff8d1970000 | 0x7ff8d1980fff | Memory Mapped File | rwx |
|
|
|
- |
| accountaccessor.dll | 0x7ff8d1990000 | 0x7ff8d19c5fff | Memory Mapped File | rwx |
|
|
|
- |
| cemapi.dll | 0x7ff8d19d0000 | 0x7ff8d1a0ffff | Memory Mapped File | rwx |
|
|
|
- |
| synccontroller.dll | 0x7ff8d1a10000 | 0x7ff8d1a7bfff | Memory Mapped File | rwx |
|
|
|
- |
| aphostservice.dll | 0x7ff8d5be0000 | 0x7ff8d5c2dfff | Memory Mapped File | rwx |
|
|
|
- |
| userdataplatformhelperutil.dll | 0x7ff8d61f0000 | 0x7ff8d6205fff | Memory Mapped File | rwx |
|
|
|
- |
| aphostclient.dll | 0x7ff8d73d0000 | 0x7ff8d73dffff | Memory Mapped File | rwx |
|
|
|
- |
| inproclogger.dll | 0x7ff8db330000 | 0x7ff8db33cfff | Memory Mapped File | rwx |
|
|
|
- |
| networkhelper.dll | 0x7ff8db5b0000 | 0x7ff8db5c6fff | Memory Mapped File | rwx |
|
|
|
- |
| vaultcli.dll | 0x7ff8dcd60000 | 0x7ff8dcda7fff | Memory Mapped File | rwx |
|
|
|
- |
| tokenbroker.dll | 0x7ff8deca0000 | 0x7ff8ded65fff | Memory Mapped File | rwx |
|
|
|
- |
| mccspal.dll | 0x7ff8df180000 | 0x7ff8df18afff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ff8df640000 | 0x7ff8dfaa9fff | Memory Mapped File | rwx |
|
|
|
- |
| userdatatypehelperutil.dll | 0x7ff8e1050000 | 0x7ff8e1060fff | Memory Mapped File | rwx |
|
|
|
- |
| dsclient.dll | 0x7ff8e1650000 | 0x7ff8e165bfff | Memory Mapped File | rwx |
|
|
|
- |
| esent.dll | 0x7ff8e1940000 | 0x7ff8e1c21fff | Memory Mapped File | rwx |
|
|
|
- |
| idstore.dll | 0x7ff8e3040000 | 0x7ff8e3066fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ff8e3c30000 | 0x7ff8e3fa5fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ff8e5dd0000 | 0x7ff8e5ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| samlib.dll | 0x7ff8e7400000 | 0x7ff8e741bfff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ff8e7430000 | 0x7ff8e7560fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x7ff8e84e0000 | 0x7ff8e84f7fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ff8e8ad0000 | 0x7ff8e8ae2fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ff8ea0f0000 | 0x7ff8ea121fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| ntlmshared.dll | 0x7ff8ea550000 | 0x7ff8ea55afff | Memory Mapped File | rwx |
|
|
|
- |
| msv1_0.dll | 0x7ff8ea560000 | 0x7ff8ea5befff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptdll.dll | 0x7ff8ea770000 | 0x7ff8ea783fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ff8eadb0000 | 0x7ff8eadc0fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ff8eafb0000 | 0x7ff8eb170fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #24: sppsvc.exe
52
0
| Information | Value |
|---|---|
| ID | #24 |
| File Name | c:\windows\system32\sppsvc.exe |
| Command Line | C:\Windows\system32\sppsvc.exe |
| Initial Working Directory | C:\Windows |
| Monitor | Start Time: 00:01:50, Reason: Child Process |
| Unmonitor | End Time: 00:04:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:43 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x768 |
| Parent PID | 0x1e8 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C34
0x
C48
0x
C4C
0x
128
0x
C5C
0x
D48
0x
D08
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000006278e90000 | 0x6278e90000 | 0x6278e96fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006278ea0000 | 0x6278ea0000 | 0x6278eaffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000006278eb0000 | 0x6278eb0000 | 0x6278ec3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006278ed0000 | 0x6278ed0000 | 0x6278f4ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x6278f50000 | 0x627900dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000006279010000 | 0x6279010000 | 0x627908ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006279090000 | 0x6279090000 | 0x6279096fff | Private Memory | rw |
|
|
|
- |
| sppsvc.exe.mui | 0x62790a0000 | 0x62790a5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000062790b0000 | 0x62790b0000 | 0x62790b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000062790c0000 | 0x62790c0000 | 0x62790c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000062790d0000 | 0x62790d0000 | 0x62790dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000062790e0000 | 0x62790e0000 | 0x62790effff | Private Memory | rw |
|
|
|
- |
| private_0x00000062790f0000 | 0x62790f0000 | 0x62790fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006279100000 | 0x6279100000 | 0x627910ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006279110000 | 0x6279110000 | 0x627911ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006279140000 | 0x6279140000 | 0x627923ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006279240000 | 0x6279240000 | 0x62793c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000062793d0000 | 0x62793d0000 | 0x6279550fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000006279560000 | 0x6279560000 | 0x627961ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006279620000 | 0x6279620000 | 0x627969ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000062796a0000 | 0x62796a0000 | 0x627979ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000062797a0000 | 0x62797a0000 | 0x627981ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x6279820000 | 0x6279b56fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000006279b60000 | 0x6279b60000 | 0x6279bdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006279be0000 | 0x6279be0000 | 0x6279cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006279ce0000 | 0x6279ce0000 | 0x6279d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006279d60000 | 0x6279d60000 | 0x6279e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006279e60000 | 0x6279e60000 | 0x6279f6efff | Private Memory | rw |
|
|
|
- |
| private_0x0000006279f70000 | 0x6279f70000 | 0x627a07efff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff860000 | 0x7df5ff860000 | 0x7ff5ff85ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff781500000 | 0x7ff781500000 | 0x7ff7815fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff781600000 | 0x7ff781600000 | 0x7ff781622fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff781623000 | 0x7ff781623000 | 0x7ff781624fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff781625000 | 0x7ff781625000 | 0x7ff781625fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff781626000 | 0x7ff781626000 | 0x7ff781627fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff781628000 | 0x7ff781628000 | 0x7ff781629fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78162a000 | 0x7ff78162a000 | 0x7ff78162bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78162c000 | 0x7ff78162c000 | 0x7ff78162dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78162e000 | 0x7ff78162e000 | 0x7ff78162ffff | Private Memory | rw |
|
|
|
- |
| sppsvc.exe | 0x7ff7819d0000 | 0x7ff781ffdfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptxml.dll | 0x7ff8d17a0000 | 0x7ff8d17c1fff | Memory Mapped File | rwx |
|
|
|
- |
| webservices.dll | 0x7ff8d1c40000 | 0x7ff8d1dbafff | Memory Mapped File | rwx |
|
|
|
- |
| sppobjs.dll | 0x7ff8d74a0000 | 0x7ff8d7617fff | Memory Mapped File | rwx |
|
|
|
- |
| sppwinob.dll | 0x7ff8daa50000 | 0x7ff8daae9fff | Memory Mapped File | rwx |
|
|
|
- |
| clipc.dll | 0x7ff8db8b0000 | 0x7ff8db8c5fff | Memory Mapped File | rwx |
|
|
|
- |
| wwapi.dll | 0x7ff8dcc70000 | 0x7ff8dcc85fff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x7ff8e12e0000 | 0x7ff8e12f6fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ff8e6330000 | 0x7ff8e6365fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ff8e7cd0000 | 0x7ff8e7ce5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ff8e84d0000 | 0x7ff8e84d9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ff8ea000000 | 0x7ff8ea00bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ff8ea010000 | 0x7ff8ea035fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ff8eadb0000 | 0x7ff8eadc0fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ff8eafb0000 | 0x7ff8eb170fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (29)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\spp\store\2.0\data.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_WRITE_THROUGH, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Windows\System32\spp\store\2.0\data.dat.tmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_WRITE_THROUGH, share_mode = FILE_SHARE_READ |
|
3 | |
| Get Info | C:\Windows\System32\spp\store\2.0\data.dat.bak | type = file_attributes |
|
6 | |
| Get Info | C:\Windows\System32\spp\store\2.0\data.dat.tmp | type = file_attributes |
|
6 | |
| Get Info | C:\Windows\System32\spp\store\2.0\data.dat | type = size, size_out = 0 |
|
2 | |
| Move | C:\Windows\System32\spp\store\2.0\data.dat.bak | source_filename = C:\Windows\System32\spp\store\2.0\data.dat.tmp, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_WRITE_THROUGH |
|
3 | |
| Move | C:\Windows\System32\spp\store\2.0\data.dat | source_filename = C:\Windows\System32\spp\store\2.0\data.dat.bak, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_WRITE_THROUGH |
|
3 | |
| Read | C:\Windows\System32\spp\store\2.0\data.dat | size = 31360, size_out = 31360 |
|
1 | |
| Write | C:\Windows\System32\spp\store\2.0\data.dat.tmp | size = 31360 |
|
1 | |
| Write | C:\Windows\System32\spp\store\2.0\data.dat.tmp | size = 31648 |
|
1 | |
| Write | C:\Windows\System32\spp\store\2.0\data.dat.tmp | size = 31680 |
|
1 |
Module (12)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Windows\system32\wwapi.dll | base_address = 0x7ff8dcc70000 |
|
1 | |
| Get Handle | c:\windows\system32\ntdll.dll | base_address = 0x7ff8ee380000, flags = GET_MODULE_HANDLE_EX_FLAG_PIN |
|
2 | |
| Get Handle | c:\windows\system32\ntdll.dll | base_address = 0x7ff8ee380000, flags = GET_MODULE_HANDLE_EX_FLAG_PIN |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x7ff8ee4138a0 |
|
3 | |
| Get Address | c:\windows\system32\wwapi.dll | function = WwanOpenHandle, address_out = 0x7ff8dcc71010 |
|
1 | |
| Get Address | c:\windows\system32\wwapi.dll | function = WwanCloseHandle, address_out = 0x7ff8dcc74f40 |
|
1 | |
| Get Address | c:\windows\system32\wwapi.dll | function = WwanEnumerateInterfaces, address_out = 0x7ff8dcc75bb0 |
|
1 | |
| Get Address | c:\windows\system32\wwapi.dll | function = WwanQueryInterface, address_out = 0x7ff8dcc77150 |
|
1 | |
| Get Address | c:\windows\system32\wwapi.dll | function = WwanFreeMemory, address_out = 0x7ff8dcc75d60 |
|
1 |
System (11)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-10 14:40:15 (UTC) |
|
1 | |
| Get Time | type = System Time, time = 2018-11-10 14:40:42 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 324921 |
|
1 | |
| Get Time | type = System Time, time = 2018-11-10 14:41:45 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 330859 |
|
1 | |
| Get Time | type = Ticks, time = 330921 |
|
1 | |
| Get Time | type = System Time, time = 2018-11-10 14:42:00 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 345984 |
|
1 | |
| Get Info | - |
|
3 |
Process #25: backgroundtaskhost.exe
0
0
| Information | Value |
|---|---|
| ID | #25 |
| File Name | c:\windows\system32\backgroundtaskhost.exe |
| Command Line | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca |
| Initial Working Directory | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ |
| Monitor | Start Time: 00:02:11, Reason: Child Process |
| Unmonitor | End Time: 00:04:12, Reason: Self Terminated |
| Monitor Duration | 00:02:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8d4 |
| Parent PID | 0x248 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Low |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
160
0x
208
0x
34C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000003c30660000 | 0x3c30660000 | 0x3c3067ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003c30660000 | 0x3c30660000 | 0x3c3066ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000003c30670000 | 0x3c30670000 | 0x3c30670fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000003c30680000 | 0x3c30680000 | 0x3c30693fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003c306a0000 | 0x3c306a0000 | 0x3c3071ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003c30720000 | 0x3c30720000 | 0x3c30723fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003c30730000 | 0x3c30730000 | 0x3c30731fff | Private Memory | rw |
|
|
|
- |
| s-1-5-21-1462094071-1423818996-289466292-1000.pckgdep | 0x3c30740000 | 0x3c30740fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000003c30740000 | 0x3c30740000 | 0x3c30769fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000003c30790000 | 0x3c30790000 | 0x3c30796fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003c30800000 | 0x3c30800000 | 0x3c308fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x3c30900000 | 0x3c309bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003c309c0000 | 0x3c309c0000 | 0x3c30a3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003c30a40000 | 0x3c30a40000 | 0x3c30abffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003c30c30000 | 0x3c30c30000 | 0x3c30c36fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003c30d00000 | 0x3c30d00000 | 0x3c30dfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff710000 | 0x7df5ff710000 | 0x7ff5ff70ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff655780000 | 0x7ff655780000 | 0x7ff65587ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff655880000 | 0x7ff655880000 | 0x7ff6558a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6558a7000 | 0x7ff6558a7000 | 0x7ff6558a7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6558aa000 | 0x7ff6558aa000 | 0x7ff6558abfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6558ac000 | 0x7ff6558ac000 | 0x7ff6558adfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6558ae000 | 0x7ff6558ae000 | 0x7ff6558affff | Private Memory | rw |
|
|
|
- |
| backgroundtaskhost.exe | 0x7ff6560e0000 | 0x7ff6560e6fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ff8e9860000 | 0x7ff8e994dfff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #26: mpcmdrun.exe
0
0
| Information | Value |
|---|---|
| ID | #26 |
| File Name | c:\program files\windows defender\mpcmdrun.exe |
| Command Line | "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:44, Reason: Child Process |
| Unmonitor | End Time: 00:02:46, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x784 |
| Parent PID | 0x338 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
420
0x
9D8
0x
390
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000032d91e0000 | 0x32d91e0000 | 0x32d91fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000032d91e0000 | 0x32d91e0000 | 0x32d91effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000032d91f0000 | 0x32d91f0000 | 0x32d91f6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000032d9200000 | 0x32d9200000 | 0x32d9213fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000032d9220000 | 0x32d9220000 | 0x32d929ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000032d92a0000 | 0x32d92a0000 | 0x32d92a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000032d92b0000 | 0x32d92b0000 | 0x32d92b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000032d92c0000 | 0x32d92c0000 | 0x32d92c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x32d92d0000 | 0x32d938dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000032d9390000 | 0x32d9390000 | 0x32d9396fff | Private Memory | rw |
|
|
|
- |
| private_0x00000032d93a0000 | 0x32d93a0000 | 0x32d93a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000032d93b0000 | 0x32d93b0000 | 0x32d93b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000032d93d0000 | 0x32d93d0000 | 0x32d94cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000032d94d0000 | 0x32d94d0000 | 0x32d954ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000032d9550000 | 0x32d9550000 | 0x32d960ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000032d9620000 | 0x32d9620000 | 0x32d962ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000032d9630000 | 0x32d9630000 | 0x32d97b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000032d97c0000 | 0x32d97c0000 | 0x32d9940fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000032d9950000 | 0x32d9950000 | 0x32d9a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000032d9a50000 | 0x32d9a50000 | 0x32d9acffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff200000 | 0x7df5ff200000 | 0x7ff5ff1fffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6a8970000 | 0x7ff6a8970000 | 0x7ff6a8a6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6a8a70000 | 0x7ff6a8a70000 | 0x7ff6a8a92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6a8a99000 | 0x7ff6a8a99000 | 0x7ff6a8a9afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6a8a9b000 | 0x7ff6a8a9b000 | 0x7ff6a8a9bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6a8a9c000 | 0x7ff6a8a9c000 | 0x7ff6a8a9dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6a8a9e000 | 0x7ff6a8a9e000 | 0x7ff6a8a9ffff | Private Memory | rw |
|
|
|
- |
| mpcmdrun.exe | 0x7ff6a9270000 | 0x7ff6a92c6fff | Memory Mapped File | rwx |
|
|
|
- |
| mpclient.dll | 0x7ff8d7540000 | 0x7ff8d7619fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ff8e3a50000 | 0x7ff8e3a59fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7ff8e5480000 | 0x7ff8e548bfff | Memory Mapped File | rwx |
|
|
|
- |
| cabinet.dll | 0x7ff8e5ff0000 | 0x7ff8e6016fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ff8e9cd0000 | 0x7ff8e9cf2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ff8eadb0000 | 0x7ff8eadc0fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x7ff8eae50000 | 0x7ff8eaea3fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ff8eafb0000 | 0x7ff8eb170fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #28: wmiadap.exe
0
0
| Information | Value |
|---|---|
| ID | #28 |
| File Name | c:\windows\system32\wbem\wmiadap.exe |
| Command Line | wmiadap.exe /F /T /R |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:51, Reason: Child Process |
| Unmonitor | End Time: 00:04:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:42 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4d8 |
| Parent PID | 0x330 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
2D8
0x
838
0x
57C
0x
574
0x
CE8
0x
2FC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000cb80000000 | 0xcb80000000 | 0xcb8001ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000cb80000000 | 0xcb80000000 | 0xcb8000ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000cb80010000 | 0xcb80010000 | 0xcb80016fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000cb80020000 | 0xcb80020000 | 0xcb80033fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000cb80040000 | 0xcb80040000 | 0xcb800bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000cb800c0000 | 0xcb800c0000 | 0xcb800c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000cb800d0000 | 0xcb800d0000 | 0xcb800d1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xcb800e0000 | 0xcb8019dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000cb801a0000 | 0xcb801a0000 | 0xcb801a6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb801b0000 | 0xcb801b0000 | 0xcb801b0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb801c0000 | 0xcb801c0000 | 0xcb801cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb801d0000 | 0xcb801d0000 | 0xcb801d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000cb801e0000 | 0xcb801e0000 | 0xcb801e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000cb801f0000 | 0xcb801f0000 | 0xcb801f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000cb80210000 | 0xcb80210000 | 0xcb8030ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb80310000 | 0xcb80310000 | 0xcb8038ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb80390000 | 0xcb80390000 | 0xcb8040ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000cb80410000 | 0xcb80410000 | 0xcb80597fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000cb805a0000 | 0xcb805a0000 | 0xcb80720fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000cb80730000 | 0xcb80730000 | 0xcb807effff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0xcb807f0000 | 0xcb80b26fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000cb80b30000 | 0xcb80b30000 | 0xcb80baffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb80bb0000 | 0xcb80bb0000 | 0xcb80c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb80c30000 | 0xcb80c30000 | 0xcb80caffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000cbffff0000 | 0xcbffff0000 | 0xcbffff3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007df5ff530000 | 0x7df5ff530000 | 0x7ff5ff52ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff655cfe000 | 0x7ff655cfe000 | 0x7ff655cfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff655d00000 | 0x7ff655d00000 | 0x7ff655dfffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff655e00000 | 0x7ff655e00000 | 0x7ff655e22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff655e24000 | 0x7ff655e24000 | 0x7ff655e25fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff655e26000 | 0x7ff655e26000 | 0x7ff655e27fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff655e28000 | 0x7ff655e28000 | 0x7ff655e29fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff655e2a000 | 0x7ff655e2a000 | 0x7ff655e2bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff655e2c000 | 0x7ff655e2c000 | 0x7ff655e2cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff655e2e000 | 0x7ff655e2e000 | 0x7ff655e2ffff | Private Memory | rw |
|
|
|
- |
| wmiadap.exe | 0x7ff656840000 | 0x7ff65686efff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x7ff8e0290000 | 0x7ff8e02a3fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x7ff8e02b0000 | 0x7ff8e03a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x7ff8e06b0000 | 0x7ff8e06c0fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x7ff8e56f0000 | 0x7ff8e576efff | Memory Mapped File | rwx |
|
|
|
- |
| loadperf.dll | 0x7ff8e6e40000 | 0x7ff8e6e64fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ff8ee040000 | 0x7ff8ee0a8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x7ff8ee240000 | 0x7ff8ee247fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ff8ee250000 | 0x7ff8ee257fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #29: wmiprvse.exe
0
0
| Information | Value |
|---|---|
| ID | #29 |
| File Name | c:\windows\system32\wbem\wmiprvse.exe |
| Command Line | C:\Windows\system32\wbem\wmiprvse.exe -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:53, Reason: Child Process |
| Unmonitor | End Time: 00:04:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:40 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd74 |
| Parent PID | 0x248 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
DCC
0x
D70
0x
D58
0x
D60
0x
D5C
0x
D4C
0x
D64
0x
D78
0x
D68
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000005640c0000 | 0x5640c0000 | 0x5640dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000005640c0000 | 0x5640c0000 | 0x5640cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000005640d0000 | 0x5640d0000 | 0x5640d6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000005640e0000 | 0x5640e0000 | 0x5640f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000564100000 | 0x564100000 | 0x56417ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000564180000 | 0x564180000 | 0x564183fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000564190000 | 0x564190000 | 0x564190fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000005641a0000 | 0x5641a0000 | 0x5641a1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x5641b0000 | 0x56426dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000564270000 | 0x564270000 | 0x564276fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000564280000 | 0x564280000 | 0x564280fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000564290000 | 0x564290000 | 0x56438ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000564390000 | 0x564390000 | 0x56440ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000564410000 | 0x564410000 | 0x564410fff | Private Memory | rw |
|
|
|
- |
| user32.dll.mui | 0x564420000 | 0x564424fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000564430000 | 0x564430000 | 0x564430fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000564440000 | 0x564440000 | 0x564440fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000564450000 | 0x564450000 | 0x564450fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000564460000 | 0x564460000 | 0x56446ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x564470000 | 0x5647a6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000005647b0000 | 0x5647b0000 | 0x564937fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000564940000 | 0x564940000 | 0x564ac0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000564ad0000 | 0x564ad0000 | 0x564b8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000564b90000 | 0x564b90000 | 0x564c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000564c10000 | 0x564c10000 | 0x564d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000564d10000 | 0x564d10000 | 0x564d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000564d90000 | 0x564d90000 | 0x564e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000564e10000 | 0x564e10000 | 0x564e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000564e90000 | 0x564e90000 | 0x564f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000564f10000 | 0x564f10000 | 0x564f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000564f90000 | 0x564f90000 | 0x56500ffff | Private Memory | rw |
|
|
|
- |
| advapi32.dll.mui | 0x565010000 | 0x565057fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff920000 | 0x7df5ff920000 | 0x7ff5ff91ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6969aa000 | 0x7ff6969aa000 | 0x7ff6969abfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6969ac000 | 0x7ff6969ac000 | 0x7ff6969adfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6969ae000 | 0x7ff6969ae000 | 0x7ff6969affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6969b0000 | 0x7ff6969b0000 | 0x7ff696aaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff696ab0000 | 0x7ff696ab0000 | 0x7ff696ad2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff696ad3000 | 0x7ff696ad3000 | 0x7ff696ad4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff696ad5000 | 0x7ff696ad5000 | 0x7ff696ad6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff696ad7000 | 0x7ff696ad7000 | 0x7ff696ad8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff696ad9000 | 0x7ff696ad9000 | 0x7ff696adafff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff696adb000 | 0x7ff696adb000 | 0x7ff696adcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff696add000 | 0x7ff696add000 | 0x7ff696adefff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff696adf000 | 0x7ff696adf000 | 0x7ff696adffff | Private Memory | rw |
|
|
|
- |
| wmiprvse.exe | 0x7ff6971b0000 | 0x7ff69722efff | Memory Mapped File | rwx |
|
|
|
- |
| ncobjapi.dll | 0x7ff8dfe00000 | 0x7ff8dfe15fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x7ff8e0240000 | 0x7ff8e0264fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x7ff8e0290000 | 0x7ff8e02a3fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x7ff8e02b0000 | 0x7ff8e03a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x7ff8e06b0000 | 0x7ff8e06c0fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x7ff8e56f0000 | 0x7ff8e576efff | Memory Mapped File | rwx |
|
|
|
- |
| mofd.dll | 0x7ff8e65f0000 | 0x7ff8e6630fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiprov.dll | 0x7ff8e6e00000 | 0x7ff8e6e3cfff | Memory Mapped File | rwx |
|
|
|
- |
| wmiclnt.dll | 0x7ff8e7d90000 | 0x7ff8e7da0fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ff8ea0f0000 | 0x7ff8ea121fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ff8ee040000 | 0x7ff8ee0a8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ff8ee250000 | 0x7ff8ee257fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #30: taskeng.exe
0
0
| Information | Value |
|---|---|
| ID | #30 |
| File Name | c:\windows\system32\taskeng.exe |
| Command Line | taskeng.exe {3E326D51-B595-4E5F-B4B9-918A4AEB178E} S-1-5-18:NT AUTHORITY\System:Service: |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:53, Reason: Child Process |
| Unmonitor | End Time: 00:04:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:40 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x534 |
| Parent PID | 0x330 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
A28
0x
F0
0x
67C
0x
5C0
0x
E18
0x
41C
0x
E24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000001fe1bb0000 | 0x1fe1bb0000 | 0x1fe1bcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001fe1bb0000 | 0x1fe1bb0000 | 0x1fe1bbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000001fe1bc0000 | 0x1fe1bc0000 | 0x1fe1bc6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001fe1bd0000 | 0x1fe1bd0000 | 0x1fe1be3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001fe1bf0000 | 0x1fe1bf0000 | 0x1fe1c6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001fe1c70000 | 0x1fe1c70000 | 0x1fe1c73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001fe1c80000 | 0x1fe1c80000 | 0x1fe1c80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001fe1c90000 | 0x1fe1c90000 | 0x1fe1c91fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x1fe1ca0000 | 0x1fe1d5dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001fe1d60000 | 0x1fe1d60000 | 0x1fe1ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001fe1de0000 | 0x1fe1de0000 | 0x1fe1de6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001fe1df0000 | 0x1fe1df0000 | 0x1fe1eeffff | Private Memory | rw |
|
|
|
- |
| taskeng.exe.mui | 0x1fe1ef0000 | 0x1fe1ef0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001fe1f00000 | 0x1fe1f00000 | 0x1fe1f00fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001fe1f10000 | 0x1fe1f10000 | 0x1fe1f10fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001fe1f20000 | 0x1fe1f20000 | 0x1fe1f20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001fe1f30000 | 0x1fe1f30000 | 0x1fe1f36fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001fe1f80000 | 0x1fe1f80000 | 0x1fe1f8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001fe1f90000 | 0x1fe1f90000 | 0x1fe204ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001fe2050000 | 0x1fe2050000 | 0x1fe20cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001fe2100000 | 0x1fe2100000 | 0x1fe210ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001fe2110000 | 0x1fe2110000 | 0x1fe2297fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001fe22a0000 | 0x1fe22a0000 | 0x1fe2420fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001fe2430000 | 0x1fe2430000 | 0x1fe252ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x1fe2530000 | 0x1fe2866fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001fe2870000 | 0x1fe2870000 | 0x1fe28effff | Private Memory | rw |
|
|
|
- |
| private_0x0000001fe28f0000 | 0x1fe28f0000 | 0x1fe296ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001fe2970000 | 0x1fe2970000 | 0x1fe29effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff3c0000 | 0x7df5ff3c0000 | 0x7ff5ff3bffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7270d0000 | 0x7ff7270d0000 | 0x7ff7271cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7271d0000 | 0x7ff7271d0000 | 0x7ff7271f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7271f3000 | 0x7ff7271f3000 | 0x7ff7271f4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7271f5000 | 0x7ff7271f5000 | 0x7ff7271f6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7271f7000 | 0x7ff7271f7000 | 0x7ff7271f8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7271f9000 | 0x7ff7271f9000 | 0x7ff7271fafff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7271fb000 | 0x7ff7271fb000 | 0x7ff7271fcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7271fd000 | 0x7ff7271fd000 | 0x7ff7271fefff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7271ff000 | 0x7ff7271ff000 | 0x7ff7271fffff | Private Memory | rw |
|
|
|
- |
| taskeng.exe | 0x7ff727b80000 | 0x7ff727bccfff | Memory Mapped File | rwx |
|
|
|
- |
| tschannel.dll | 0x7ff8db900000 | 0x7ff8db908fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ff8e6330000 | 0x7ff8e6365fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ff8ea9d0000 | 0x7ff8ea9fbfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #31: backgroundtaskhost.exe
0
0
| Information | Value |
|---|---|
| ID | #31 |
| File Name | c:\windows\system32\backgroundtaskhost.exe |
| Command Line | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca |
| Initial Working Directory | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ |
| Monitor | Start Time: 00:04:11, Reason: Child Process |
| Unmonitor | End Time: 00:04:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:22 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdfc |
| Parent PID | 0x248 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Low |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs | - |
Process #32: xyuencrypt.exe
0
0
| Information | Value |
|---|---|
| ID | #32 |
| File Name | c:\users\ciihmnxmn6ps\desktop\xyuencrypt.exe |
| Command Line | C:\Users\CIiHmnxMn6Ps\Desktop\XyuEncrypt.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:24, Reason: Child Process |
| Unmonitor | End Time: 00:04:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:09 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdb0 |
| Parent PID | 0xff8 (c:\windows\system32\taskeng.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
DD0
0x
D2C
0x
D20
0x
D18
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| xyuencrypt.exe | 0x00d20000 | 0x00d29fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000d30000 | 0x00d30000 | 0x00d4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d30000 | 0x00d30000 | 0x00d3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x00d46fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d50000 | 0x00d50000 | 0x00d63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00e6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e70000 | 0x00e70000 | 0x00e73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e80000 | 0x00e80000 | 0x00e80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00e91fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00ea0000 | 0x00f5dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x0105ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001060000 | 0x01060000 | 0x01066fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001070000 | 0x01070000 | 0x01076fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001080000 | 0x01080000 | 0x01080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001090000 | 0x01090000 | 0x0118ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001190000 | 0x01190000 | 0x01190fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000012d0000 | 0x012d0000 | 0x012dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001300000 | 0x01300000 | 0x0130ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001310000 | 0x01310000 | 0x01497fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000014a0000 | 0x014a0000 | 0x01620fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001630000 | 0x01630000 | 0x02a2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007ff5ff970000 | 0x7ff5ff970000 | 0x7ff5ffa6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff5ffa70000 | 0x7ff5ffa70000 | 0x7ff5ffa92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff5ffa9b000 | 0x7ff5ffa9b000 | 0x7ff5ffa9bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffa9c000 | 0x7ff5ffa9c000 | 0x7ff5ffa9dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffa9e000 | 0x7ff5ffa9e000 | 0x7ff5ffa9ffff | Private Memory | rw |
|
|
|
- |
| msvcr120_clr0400.dll | 0x7ff8d5180000 | 0x7ff8d5276fff | Memory Mapped File | rwx |
|
|
|
- |
| clr.dll | 0x7ff8d5280000 | 0x7ff8d5bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7ff8d5f40000 | 0x7ff8d5fd6fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7ff8d5fe0000 | 0x7ff8d6047fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ff8e3a50000 | 0x7ff8e3a59fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Process #33: officec2rclient.exe
0
0
| Information | Value |
|---|---|
| ID | #33 |
| File Name | c:\program files\common files\microsoft shared\clicktorun\officec2rclient.exe |
| Command Line | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:32, Reason: Child Process |
| Unmonitor | End Time: 00:04:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd24 |
| Parent PID | 0x534 (c:\windows\system32\taskeng.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
D34
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000009d23310000 | 0x9d23310000 | 0x9d2332ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000009d23330000 | 0x9d23330000 | 0x9d23343fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000009d23350000 | 0x9d23350000 | 0x9d2344ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff8f0000 | 0x7df5ff8f0000 | 0x7ff5ff8effff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7fa670000 | 0x7ff7fa670000 | 0x7ff7fa692fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7fa69a000 | 0x7ff7fa69a000 | 0x7ff7fa69afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7fa69e000 | 0x7ff7fa69e000 | 0x7ff7fa69ffff | Private Memory | rw |
|
|
|
- |
| officec2rclient.exe | 0x7ff7facb0000 | 0x7ff7fc3d3fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
