Gandcrab Ransomware v4.0 | Sequential Behavior
Try VMRay Analyzer
VTI SCORE: 100/100
Target: win10_64 | exe
Classification: Riskware, Ransomware

ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23 (SHA256)

1.pdf.exe

Windows Exe (x86-32)

Created at 2018-07-02 20:32:00

Notifications (1/1)

Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.

Monitored Processes

Process Overview
»
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x450 Analysis Target High (Elevated) 1.pdf.exe "C:\Users\CIiHmnxMn6Ps\Desktop\1.pdf.exe" -
#2 0xa7c Child Process High (Elevated) wmic.exe "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete #1
#4 0x930 Child Process High (Elevated) cmd.exe "C:\Windows\System32\cmd.exe" /c timeout -c 5 & del "C:\Users\CIiHmnxMn6Ps\Desktop\1.pdf.exe" /f /q #1
#6 0x858 Child Process High (Elevated) timeout.exe timeout -c 5 #4

Behavior Information - Sequential View

Process #1: 1.pdf.exe
6628 0
»
Information Value
ID #1
File Name c:\users\ciihmnxmn6ps\desktop\1.pdf.exe
Command Line "C:\Users\CIiHmnxMn6Ps\Desktop\1.pdf.exe"
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:00:33, Reason: Analysis Target
Unmonitor End Time: 00:15:41, Reason: Terminated by Timeout
Monitor Duration 00:15:08
OS Process Information
»
Information Value
PID 0x450
Parent PID 0x5dc (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 84
0x BCC
0x 278
0x 344
0x 670
0x 310
0x 420
0x 74C
0x A78
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00023fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000040000 0x00040000 0x00053fff Pagefile Backed Memory Readable True False False -
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory Readable, Writable True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory Readable True False False -
private_0x00000000001b0000 0x001b0000 0x001b1fff Private Memory Readable, Writable True False False -
locale.nls 0x001c0000 0x0027dfff Memory Mapped File Readable False False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory Readable, Writable True False False -
private_0x0000000000380000 0x00380000 0x00380fff Private Memory Readable, Writable True False False -
private_0x0000000000390000 0x00390000 0x0039dfff Private Memory Readable, Writable, Executable True False False -
private_0x00000000003a0000 0x003a0000 0x003affff Private Memory Readable, Writable True False False -
pagefile_0x00000000003a0000 0x003a0000 0x003a6fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000003a0000 0x003a0000 0x003a0fff Private Memory Readable, Writable True False False -
private_0x00000000003b0000 0x003b0000 0x003bffff Private Memory Readable, Writable True False False -
private_0x00000000003c0000 0x003c0000 0x003fffff Private Memory Readable, Writable True False False -
1.pdf.exe 0x00400000 0x00438fff Memory Mapped File Readable, Writable, Executable True True False
private_0x0000000000440000 0x00440000 0x0053ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000540000 0x00540000 0x006c7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000006d0000 0x006d0000 0x00850fff Pagefile Backed Memory Readable True False False -
private_0x0000000000860000 0x00860000 0x00876fff Private Memory Readable, Writable True False False -
private_0x0000000000860000 0x00860000 0x00873fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000860000 0x00860000 0x00866fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000860000 0x00860000 0x00860fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000870000 0x00870000 0x00870fff Private Memory Readable, Writable True False False -
private_0x0000000000880000 0x00880000 0x00880fff Private Memory Readable, Writable True False False -
private_0x0000000000890000 0x00890000 0x00890fff Private Memory Readable, Writable True False False -
private_0x00000000008a0000 0x008a0000 0x008a0fff Private Memory Readable, Writable True False False -
private_0x00000000008b0000 0x008b0000 0x008bffff Private Memory Readable, Writable True False False -
pagefile_0x00000000008c0000 0x008c0000 0x01cbffff Pagefile Backed Memory Readable True False False -
private_0x0000000001cc0000 0x01cc0000 0x01d8ffff Private Memory Readable, Writable True False False -
private_0x0000000001cc0000 0x01cc0000 0x01d1ffff Private Memory Readable, Writable True False False -
private_0x0000000001cc0000 0x01cc0000 0x01cc0fff Private Memory Readable, Writable True False False -
private_0x0000000001cd0000 0x01cd0000 0x01cd0fff Private Memory Readable, Writable True False False -
private_0x0000000001ce0000 0x01ce0000 0x01ce0fff Private Memory Readable, Writable True False False -
private_0x0000000001cf0000 0x01cf0000 0x01cf0fff Private Memory Readable, Writable True False False -
private_0x0000000001d00000 0x01d00000 0x01d00fff Private Memory Readable, Writable True False False -
private_0x0000000001d10000 0x01d10000 0x01d1ffff Private Memory Readable, Writable True False False -
private_0x0000000001d20000 0x01d20000 0x01d2ffff Private Memory Readable, Writable True False False -
private_0x0000000001d20000 0x01d20000 0x01d33fff Private Memory Readable, Writable True False False -
pagefile_0x0000000001d20000 0x01d20000 0x01d26fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000001d20000 0x01d20000 0x01d20fff Private Memory Readable, Writable True False False -
private_0x0000000001d30000 0x01d30000 0x01d30fff Private Memory Readable, Writable, Executable True False False -
pagefile_0x0000000001d40000 0x01d40000 0x01d46fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000001d40000 0x01d40000 0x01d40fff Private Memory Readable, Writable True False False -
private_0x0000000001d40000 0x01d40000 0x01d43fff Private Memory Readable, Writable True False False -
crypt32.dll.mui 0x01d50000 0x01d59fff Memory Mapped File Readable False False False -
private_0x0000000001d50000 0x01d50000 0x01d50fff Private Memory Readable, Writable True False False -
private_0x0000000001d60000 0x01d60000 0x01d60fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000001d70000 0x01d70000 0x01d71fff Private Memory Readable, Writable True False False -
private_0x0000000001d80000 0x01d80000 0x01d8ffff Private Memory Readable, Writable True False False -
private_0x0000000001d90000 0x01d90000 0x01e8ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x01e90000 0x021c6fff Memory Mapped File Readable False False False -
crypt32.dll 0x021d0000 0x02344fff Memory Mapped File Readable False False False -
private_0x00000000021d0000 0x021d0000 0x021d0fff Private Memory Readable, Writable True False False -
private_0x00000000021e0000 0x021e0000 0x021e0fff Private Memory Readable, Writable, Executable True False False -
private_0x00000000021e0000 0x021e0000 0x021e1fff Private Memory Readable, Writable True False False -
private_0x00000000021f0000 0x021f0000 0x0222ffff Private Memory Readable, Writable True False False -
private_0x00000000021f0000 0x021f0000 0x021f0fff Private Memory Readable, Writable True False False -
private_0x0000000002200000 0x02200000 0x02200fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000002200000 0x02200000 0x02300fff Private Memory Readable, Writable True False False -
private_0x0000000002200000 0x02200000 0x02206fff Private Memory Readable, Writable True False False -
private_0x0000000002210000 0x02210000 0x02310fff Private Memory Readable, Writable True False False -
private_0x0000000002210000 0x02210000 0x02210fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000002210000 0x02210000 0x023fffff Private Memory Readable, Writable True False False -
oleaut32.dll 0x02210000 0x022a0fff Memory Mapped File Readable False False False -
private_0x0000000002230000 0x02230000 0x0232ffff Private Memory Readable, Writable True False False -
private_0x0000000002330000 0x02330000 0x02330fff Private Memory Readable, Writable True False False -
private_0x0000000002340000 0x02340000 0x0237ffff Private Memory Readable, Writable True False False -
private_0x0000000002380000 0x02380000 0x0247ffff Private Memory Readable, Writable True False False -
private_0x00000000023f0000 0x023f0000 0x023fffff Private Memory Readable, Writable True False False -
private_0x0000000002480000 0x02480000 0x02480fff Private Memory Readable, Writable True False False -
private_0x0000000002490000 0x02490000 0x02491fff Private Memory Readable, Writable True False False -
private_0x00000000024a0000 0x024a0000 0x024a0fff Private Memory Readable, Writable True False False -
private_0x00000000024b0000 0x024b0000 0x024b0fff Private Memory Readable, Writable, Executable True False False -
mpr.dll.mui 0x024c0000 0x024c0fff Memory Mapped File Readable False False False -
private_0x00000000024d0000 0x024d0000 0x024d0fff Private Memory Readable, Writable True False False -
private_0x00000000024d0000 0x024d0000 0x025d0fff Private Memory Readable, Writable True False False -
private_0x00000000024e0000 0x024e0000 0x024e0fff Private Memory Readable, Writable, Executable True False False -
private_0x00000000024e0000 0x024e0000 0x025e0fff Private Memory Readable, Writable True False False -
private_0x00000000024e0000 0x024e0000 0x024e1fff Private Memory Readable, Writable True False False -
private_0x00000000024f0000 0x024f0000 0x024f0fff Private Memory Readable, Writable, Executable True False False -
private_0x00000000024f0000 0x024f0000 0x025f0fff Private Memory Readable, Writable True False False -
private_0x00000000025e0000 0x025e0000 0x0261ffff Private Memory Readable, Writable True False False -
private_0x00000000025f0000 0x025f0000 0x026f0fff Private Memory Readable, Writable True False False -
private_0x0000000002600000 0x02600000 0x02700fff Private Memory Readable, Writable True False False -
private_0x0000000002620000 0x02620000 0x0265ffff Private Memory Readable, Writable True False False -
kernelbase.dll.mui 0x02710000 0x027eefff Memory Mapped File Readable False False False -
private_0x00000000027f0000 0x027f0000 0x028effff Private Memory Readable, Writable True False False -
private_0x00000000028f0000 0x028f0000 0x029effff Private Memory Readable, Writable True False False -
wow64.dll 0x59300000 0x5934efff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x59350000 0x59357fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x59360000 0x593d2fff Memory Mapped File Readable, Writable, Executable False False False -
propsys.dll 0x74800000 0x74941fff Memory Mapped File Readable, Writable, Executable False False False -
browcli.dll 0x74950000 0x7495efff Memory Mapped File Readable, Writable, Executable False False False -
netutils.dll 0x74960000 0x74969fff Memory Mapped File Readable, Writable, Executable False False False -
cscapi.dll 0x74970000 0x7497efff Memory Mapped File Readable, Writable, Executable False False False -
wkscli.dll 0x74980000 0x7498ffff Memory Mapped File Readable, Writable, Executable False False False -
davhlpr.dll 0x74990000 0x7499afff Memory Mapped File Readable, Writable, Executable False False False -
davclnt.dll 0x749a0000 0x749b9fff Memory Mapped File Readable, Writable, Executable False False False -
ntlanman.dll 0x749c0000 0x749d1fff Memory Mapped File Readable, Writable, Executable False False False -
winsta.dll 0x749e0000 0x74a23fff Memory Mapped File Readable, Writable, Executable False False False -
drprov.dll 0x74a30000 0x74a38fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x74a40000 0x74a6efff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x74a70000 0x74a8afff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74a90000 0x74aa2fff Memory Mapped File Readable, Writable, Executable False False False -
msvcr100.dll 0x74ab0000 0x74b6efff Memory Mapped File Readable, Writable, Executable False False False -
mpr.dll 0x74b70000 0x74b86fff Memory Mapped File Readable, Writable, Executable False False False -
msimg32.dll 0x74b90000 0x74b95fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74bc0000 0x74c34fff Memory Mapped File Readable, Writable, Executable False False False -
apphelp.dll 0x74c40000 0x74cd0fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x74ce0000 0x74d38fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74d40000 0x74d49fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74d50000 0x74d6dfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x74d70000 0x74eaffff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x75070000 0x7507efff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x75080000 0x750c3fff Memory Mapped File Readable, Writable, Executable False False False -
windows.storage.dll 0x750d0000 0x755acfff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x755b0000 0x7696efff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76970000 0x76ae5fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x76ca0000 0x76decfff Memory Mapped File Readable, Writable, Executable False False False -
kernel.appcore.dll 0x76f60000 0x76f6bfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76f70000 0x7708ffff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x77090000 0x77249fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x77250000 0x77292fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x77430000 0x77519fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x775e0000 0x7760afff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x77670000 0x7775ffff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x777f0000 0x77833fff Memory Mapped File Readable, Writable, Executable False False False -
shcore.dll 0x778a0000 0x7792cfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77990000 0x77a0afff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77a10000 0x77acdfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77af0000 0x77b9bfff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x77ba0000 0x77c31fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c40000 0x77db8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007feaa000 0x7feaa000 0x7feacfff Private Memory Readable, Writable True False False -
private_0x000000007fead000 0x7fead000 0x7feaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd7fff Private Memory Readable, Writable True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffdafff Private Memory Readable, Writable True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffddfff Private Memory Readable, Writable True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7ffc03e6ffff Private Memory Readable True False False -
ntdll.dll 0x7ffc03e70000 0x7ffc04031fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffc04032000 0x7ffc04032000 0x7ffffffeffff Private Memory Readable True False False -
For performance reasons, the remaining 28 entries are omitted.
The remaining entries can be found in flog.txt.
Hook Information
»
Type Installer Target Size Information Actions
IAT private_0x0000000000390000:+0xbec 91. entry of 1.pdf.exe 4 bytes user32.dll:PeekMessageA+0x0 now points to pagefile_0x00000000006d0000:+0xd7978
Created Files
»
Filename File Size Hash Values YARA Match Actions
c:\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\$recycle.bin\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\$recycle.bin\s-1-5-18\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\$recycle.bin\s-1-5-21-1462094071-1423818996-289466292-1000\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\perflogs\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\program files\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\program files (x86)\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\recovery\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\recovery\windowsre\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\collab\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\forms\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\jscache\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\security\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\security\crlcache\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\flash player\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\flash player\assetcache\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\flash player\assetcache\nahqnpmn\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\flash player\nativecache\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\headlights\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\linguistics\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\logtransport2\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\logtransport2\logs\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\sonar\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\sonar\sonar1.0\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\identities\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\identities\{ca8ca1bb-f2a6-4e9c-b7cc-fb56671763e8}\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\#sharedobjects\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\#sharedobjects\dqqhjz8c\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\access\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\addins\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\credentials\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\rsa\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1462094071-1423818996-289466292-1000\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\document building blocks\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\document building blocks\1033\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\document building blocks\1033\16\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\excel\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\excel\xlstart\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\quick launch\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\implicitappshortcuts\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\userdata\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\userdata\low\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\mmc\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\ms project\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\ms project\16\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\ms project\16\en-us\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\network\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\network\connections\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\network\connections\pbk\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\network\connections\pbk\_hiddenpbk\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\recent\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\onenote\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\onenote\16.0\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\outlook\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\powerpoint\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\proof\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\protect\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\protect\s-1-5-21-1462094071-1423818996-289466292-1000\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\publisher\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\publisher building blocks\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\speech\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\systemcertificates\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\systemcertificates\my\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\systemcertificates\my\certificates\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\systemcertificates\my\crls\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\systemcertificates\my\ctls\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\user\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\user\document themes\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\user\document themes\1033\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\user\smartart graphics\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\user\smartart graphics\1033\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\uproof\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\vault\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\word\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\word\startup\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\extensions\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\crash reports\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\crash reports\events\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\bookmarkbackups\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\crashes\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\crashes\events\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp\winnt_x86-msvc\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-gmpopenh264\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-gmpopenh264\1.6\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\krab-decrypt.txt 7.79 KB MD5: 78a2d76ab67af131ef3a711192d7cafe
SHA1: accd1c81296b1f133b80d3ef4febea55c47eafbc
SHA256: e996544a88e35c5a0599cb2a3fbcc70ac1634e9b3d945eb675f3ab3fec061108
False
c:\$recycle.bin\s-1-5-18\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\$recycle.bin\s-1-5-21-1462094071-1423818996-289466292-1000\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\$recycle.bin\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\perflogs\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\program files\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\program files (x86)\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\recovery\windowsre\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\recovery\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\collab\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\forms\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\jscache\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\security\crlcache\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\security\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\flash player\assetcache\nahqnpmn\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\flash player\assetcache\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\flash player\nativecache\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\flash player\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\headlights\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\linguistics\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\logtransport2\logs\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\logtransport2\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\sonar\sonar1.0\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\sonar\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\identities\{ca8ca1bb-f2a6-4e9c-b7cc-fb56671763e8}\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\identities\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\#sharedobjects\dqqhjz8c\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\#sharedobjects\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\access\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\addins\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\credentials\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1462094071-1423818996-289466292-1000\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\rsa\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\document building blocks\1033\16\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\document building blocks\1033\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\document building blocks\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\excel\xlstart\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\excel\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\implicitappshortcuts\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\quick launch\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\userdata\low\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\userdata\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\internet explorer\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\mmc\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\ms project\16\en-us\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\ms project\16\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\ms project\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\network\connections\pbk\_hiddenpbk\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\network\connections\pbk\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\network\connections\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\network\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\recent\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\onenote\16.0\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\onenote\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\outlook\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\powerpoint\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\proof\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\protect\s-1-5-21-1462094071-1423818996-289466292-1000\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\protect\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\publisher\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\publisher building blocks\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\speech\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\systemcertificates\my\certificates\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\systemcertificates\my\crls\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\systemcertificates\my\ctls\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\systemcertificates\my\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\systemcertificates\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\user\document themes\1033\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\user\document themes\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\user\smartart graphics\1033\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\user\smartart graphics\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\user\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\uproof\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\vault\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\word\startup\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\word\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\extensions\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\crash reports\events\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\crash reports\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\bookmarkbackups\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\crashes\events\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\crashes\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp\winnt_x86-msvc\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-gmpopenh264\1.6\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-gmpopenh264\d2ca4a08d2ca4dee6a.lock 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\recovery\windowsre\boot.sdi.krab 3.02 MB MD5: 00e91e3911b14419351b6baff3d5fd78
SHA1: d0b40ed7213ff8e1c21a12ff8e6242c59fda0bf6
SHA256: aa7f5e33d43d6c1936ec8802c8e939b265f000b177db72fb09497a7c5025bdb4
False
c:\recovery\windowsre\reagent.xml.krab 1.52 KB MD5: 0761fc9dd577c8cbde077aa7ff31ae07
SHA1: b53a8bcb7e5cb565bbaea99b78fe8f85c6e9c6e0
SHA256: a7f461dd21311bb97fdb2e471c28eb1311117e81e5fcd9a9b38c7dc1adb8cb09
False
c:\recovery\windowsre\winre.wim.krab 10.00 MB MD5: cf14c2e32686f3d82e7884bf6367202a
SHA1: f83424c053891b18e6da18ed7d366fd30e136ee4
SHA256: f714739f6fc86e9a81569218719155c1703e15db2b2a0cca3af66ba9f23aed61
False
c:\users\ciihmnxmn6ps\appdata\roaming\0ot50g8.wav.krab 44.15 KB MD5: b8594f61e49b1d56589c6b2e262bab3d
SHA1: e76b5460f16aab2f2c5c65f22b7011dae536382f
SHA256: c15b5dfef40cc7b358a58d917b29adc249f7e51416e7e606a6f42d88b2bbdded
False
c:\users\ciihmnxmn6ps\appdata\roaming\6pfbsv9hp6f.png.krab 94.67 KB MD5: f136a7e389b5b2e2be628c870e7bf678
SHA1: 53faba0bc99f9297140c75babbb1877760f5e26b
SHA256: ccd50aa3302bf08c7848598a2cc449f8ead9b1ed8e766eeb9be27af4f6df30bd
False
c:\users\ciihmnxmn6ps\appdata\roaming\8obl9.mp3.krab 7.49 KB MD5: ea04a928b46823cf10fd56220c0e0b52
SHA1: 4c9122fc8d27e35bacf9dab89955b8188c2dd0fc
SHA256: 02757c8eb26d4a3a29431a57260b9432915b42312b933166e355451351e9b0b6
False
c:\users\ciihmnxmn6ps\appdata\roaming\9wgle6yhq.wav.krab 95.92 KB MD5: 56f4394295dd0e575d5ac889083c8e56
SHA1: f656d68065b40f382e82bb3ccb082eb1e2e17508
SHA256: 62136e63d4a507281cb44cf1bd47633ae30e35351e7eec0b0d42cc8867a465e4
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\jscache\globdata.krab 0.53 KB MD5: 47b698c02681f7f2fb21cc87ce0da49f
SHA1: 0e1b43219cd87e7efac1d1b7b311f11b7074bf4c
SHA256: e8ab58196cfa86717494ee98471b3f95b80d31bc968d009b7456ed758c2841a5
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\jscache\globsettings.krab 0.53 KB MD5: 00799f06dcb0890ca151cb2166d55659
SHA1: 64e7e67d9636af2d3eb4227eaee4b7f5e0973cae
SHA256: 917a28197a567e57f7217f37662cd1c3a5980b4477eeefd2b8be8a01623876ab
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\security\addressbook.acrodata.krab 11.15 KB MD5: 2191be99ed9987a89982e7f6a6dd8521
SHA1: 62a66ce5de30bcea1ded625959757525bc0b9445
SHA256: 91fe2f50f3d22e8d5a095a72616a4ee91c70bd95596c11ac6d801a1c39daff71
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\security\crlcache\0fded5ceb68c302b1cdb2bddd9d0000e76539cb0.crl.krab 1.13 KB MD5: 545552a8a34caee222b1d373cb8df985
SHA1: 1c60e464bf7aad15fed6d7480e681e84c51802a8
SHA256: 25eb8fb451bf6cdeac85471d9777148fdd7380ce691897d41b6bfc73f2feb6a0
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\security\crlcache\ce338828149963dcea4cd26bb86f0363b4ca0ba5.crl.krab 0.92 KB MD5: 4df56773a53dcc7fdc8e65c17a7a656c
SHA1: 339c5a66f02dc61eccb3087ca86aa664f669bf13
SHA256: 9a8e836c91b053da399323d8613bdff4c7d1caf63dad8b5e85909c503feb2e51
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\logtransport2\logtransport2.cfg.krab 0.72 KB MD5: 7320c8f6d8d78f2759fd4ceefced2109
SHA1: 9050eeff3efe15a500f8613527dd39baaeb855d1
SHA256: 1035f3a9d1365e6564a929277311c55b91b9b6ffd4a777d8023869d8d7fcba90
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\sonar\sonar1.0\sonar_policy.xml.krab 18.83 KB MD5: cb5da228f9bf0bb221eaea9ba661da59
SHA1: 0ee696bcec85baa40d423db5092c0f60f61ca6db
SHA256: c6924e3ff9bd15edc05636db6c6186c5294a0b38fd8c22cfb3a3270be6ebadf3
False
c:\users\ciihmnxmn6ps\appdata\roaming\djuqbavyptzz.pptx.krab 89.29 KB MD5: ac27e8272960681ffe2fa5f999417496
SHA1: b591ff76d6edc6d38e8b51ff75b25b401eff02b3
SHA256: 3ffb13b7f36c6c75ad5d090798433aaba892c6eaa7e71f13f556e000bed5a084
False
c:\users\ciihmnxmn6ps\appdata\roaming\dthsp.wav.krab 55.73 KB MD5: b7c5888b0a9d59ca3e9d4aa4a357a54b
SHA1: e69cda5f9ceac812a681265401420642b333d635
SHA256: 20be64caeae043ab1c892012926f33d1c247e74d9c51a2f2240078afffd94014
False
c:\users\ciihmnxmn6ps\appdata\roaming\e5mdcum.wav.krab 78.76 KB MD5: 663c9411c747b03bc1c7c477c801b9ab
SHA1: d3575c8e4998ec9bf898aedad40ccc49cb196ad8
SHA256: 17307be13018880bc1c07ce7d597a31b8d11d77f46eaaa20972137511ecbe234
False
c:\users\ciihmnxmn6ps\appdata\roaming\g6vvpxdmqflec5.wav.krab 80.29 KB MD5: 8f9d061f111b729a096ea49802a91eba
SHA1: 470767dd5743fec1de216b5aa5a6bea7fea07a82
SHA256: a157edb206952ff566cb9fc956211cd18cd38de475aa8a5ab7ce1c9d72d1411d
False
c:\users\ciihmnxmn6ps\appdata\roaming\gr1x5 npk8rrlq.xlsx.krab 91.42 KB MD5: 4634481251cdfbd2e9f461e5ada126b5
SHA1: 65db246b19b5d82dcc215befd508473392d47562
SHA256: 614858a0d8b848f5489e496d654759359f1bcd874d8e2dce6739128f04dd0785
False
c:\users\ciihmnxmn6ps\appdata\roaming\gzycnwmxpfth1h.mkv.krab 16.41 KB MD5: d272f41de4e008292425761d0c46b177
SHA1: 1f2e907ed119601d21813cf6a575ae9db15d2564
SHA256: 388408b8e1577687aba34ee503841497be869a664db34b7daf066c99508377b1
False
c:\users\ciihmnxmn6ps\appdata\roaming\ihlu8dqstp.avi.krab 67.16 KB MD5: 88e5477b4c51d217cbb2c9333d17e399
SHA1: 6c2bf8593957e2d62d8ea24dced8d5c4cc79e957
SHA256: 9b93fc6102bbe32798febbbc5ca906bea8f2413aff7ba96fd0b2b672134a5fd0
False
c:\users\ciihmnxmn6ps\appdata\roaming\ja bmec_clxvh.png.krab 6.52 KB MD5: 1319821ae48993ae311e07e810c21221
SHA1: b2649ef7a0f28075dd92105b52561eb7b1d7b975
SHA256: a916cc2382c0791ed4d764a05751f5d809ed77bfc3a98326f66f4b46a8ef8e3e
False
c:\users\ciihmnxmn6ps\appdata\roaming\kwagh0pyau.doc.krab 72.67 KB MD5: b09c2ccbb6e8331cf01c65701563f69c
SHA1: bcf97b2dfcd1aea1b68e54b767cce492d9843a9c
SHA256: bd5fde16223280044a339bf0c8f9258dc8b5433797d71f536ad3858f4a2b7a2a
False
c:\users\ciihmnxmn6ps\appdata\roaming\ln5clld3j4vlr4b.xls.krab 2.09 KB MD5: c914b2c40d3346a76357dc5fcc159d90
SHA1: 3ac1431533f6828744694fb1055f2a12d7dae9b4
SHA256: 6827d400b285370e3cfc4330837c26618992735d8e1f86977827408600176446
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\settings.sol.krab 1.00 KB MD5: 776c66ba07c79ff2de472a2fd7d810f3
SHA1: 994f05d437b24fcc94cb76d6de54ec525f5f2c8c
SHA256: 0da286d6c56e851fef8aea9bcfda71d74169bfba209d269623915db81f09bea9
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\access\accesscache.accdb.krab 196.51 KB MD5: fe26b285d4f3565558d91c8d8be7ef28
SHA1: e1b076eb08a6cf63b3ae6f4d5fef23c45d37a60e
SHA256: eb69783d2c614aa4256ce49100590261485dccf7231579ff0604efe90f7fae4b
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\access\system.mdw.krab 124.51 KB MD5: 23603324f48ac03fecb2c6fd9add294c
SHA1: e01d9c7067437bd7b72352e062cfbba3af900113
SHA256: 6198d7bfd5ea2ecb12217f11d7f3188b636337f3a56c60681af4051354cafc0c
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\apasixtheditionofficeonline.xsl.krab 326.29 KB MD5: b7b6f3e95fe1f37bfb9a28470938ae9d
SHA1: 86c0f200db987346773a887a82b1e613fea1d604
SHA256: c9175b9cc3e10aa4b147cba9e3781be387cdebc93a164692d11a16396e55b4d2
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\chicago.xsl.krab 290.56 KB MD5: 3f25a49b3b5973f41aeda53776409a37
SHA1: ba6a74ae8f9f10b77efafb8c0188dc1c2c4abe70
SHA256: d91e10aa69e91332f051eddc0089778b7d25c79e1aa02b46d1b9bf7872b18423
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\gb.xsl.krab 262.88 KB MD5: 1bc3fcd0ebd07e974b74e16008c6cb43
SHA1: c6ab35de6c06ec3f78f1b392c1d63ed5fc34b8fb
SHA256: c56c53103660c35e580ffd91abbcd744fadbf8d0b169eeec4a275496e7c8eb7e
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\gostname.xsl.krab 250.86 KB MD5: e901e94e7a271fe208d6a9d38aaf5035
SHA1: 358693b9a0fabb0e13246c67048926196699e0ab
SHA256: 61f8a1e05b7c48615cdfa745427e0cd8e0f729a0d0099f5f56938bc3d6b212a4
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\gosttitle.xsl.krab 246.06 KB MD5: 26cabf8a4ccc0816d9488f54abc5f25b
SHA1: 9c58b6adc77c39d025c188809818576b3ad53e8e
SHA256: af2afa9013ea2de66de4d441e1469f3406082c9698f2d0fe0cb600792228fa22
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\harvardanglia2008officeonline.xsl.krab 278.63 KB MD5: 6fd0657158ac77ab7024f4d237876e51
SHA1: b26c3283e07b162e1df7e5e048e38aa6f20874f5
SHA256: a61e6b199966d205e41d5e507dfe7c9476fe282da60527acea13e2a1c16f4ac5
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\ieee2006officeonline.xsl.krab 288.13 KB MD5: 3b0dbb990e9b780f7a9b0ed3234df731
SHA1: 43d4d51d18ea235b1fdf1f15b3d56b73e4687692
SHA256: 4fccbbbe69d7f74e4470d368d88b14c2c8ec449e254bfd83a118a3005e6450c9
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\iso690.xsl.krab 264.81 KB MD5: e72a69be5d2635efd6d3e1f4df886583
SHA1: 1efab2ce1bdad23ad43f91eab1a91812c6bb76b1
SHA256: 3079823facc76310cb3abcc9bd597b6c02553f34a3fae1ed70e5a1a699df1bba
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\iso690nmerical.xsl.krab 212.99 KB MD5: 6fb4a47b4326cad0975b895d3d80f8e5
SHA1: 5a9e1239d2522f303f9a211e3ee7cb37bf63dae4
SHA256: d51ea2905b15358ddf2ace9990d1ae0c47a436316859606f95c28461fed7790c
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\mlaseventheditionofficeonline.xsl.krab 249.75 KB MD5: 4fca62c4432a333f626a4981cafc3cfe
SHA1: 7a85aaa220f1a26c1aafcece6171d1adc9ccc508
SHA256: af8c890ced0d373df04a76acccda4cd990fc34d021fc804d31210e9403e5c41c
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\sist02.xsl.krab 245.95 KB MD5: f0d21a61c20df93d4cb5cd305be38a2b
SHA1: 7a7f484b6c009362328fdb1a1ce06cbf2783d8ec
SHA256: d2b44aa72c9ab6d7e96c5c6d663efade88ba6a6c7b84dff3abfcdc4ffa9d8bae
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\turabian.xsl.krab 337.09 KB MD5: 54b0474e337ba2bb700dde0208253d7e
SHA1: a3adf5ed1c346e1e1cf5dbacb18db981c5f8119e
SHA256: 1852672acf39be581765e35b2b183e2cd5c6f321c8ca07a406240660257c9448
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1462094071-1423818996-289466292-1000\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b.krab 0.56 KB MD5: 9b664610387cbb19a6d61689ed521ba0
SHA1: c149a8d9dd836badfaa30bb372971987e6c61ded
SHA256: 418380aa01214a71053ec3561e4d77739bc43ad6b50fb47605a1b84893878e5c
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1462094071-1423818996-289466292-1000\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b.krab 0.55 KB MD5: 482c38ee74c7196e72a63e813772b44e
SHA1: 54d53b0222a7967ec96aebc9894d3845b4e4ae7c
SHA256: 93261c8a87e2119a9734f19b4caf592c8c9939cfc8d239504647ce02e1918116
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\document building blocks\1033\16\built-in building blocks.dotx.krab 3.53 MB MD5: 413336ea03aedced36c5373e986ae4d9
SHA1: 31e8819cbbf367ea929c9885ca9b7ef0db0ba38f
SHA256: 8594e3dd69c5b4c95d436f49f4bb11102c93a644099636a8b1b26ff15aafb4ce
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\ms project\16\en-us\global.mpt.krab 1.21 MB MD5: 2cd47dd242b9977badea7124d551781d
SHA1: 2fb3e6d611a193c17c130233587a1dda2639d9cc
SHA256: 8665919b883a3265b0d32cef6cb29e946e61c66331da34c41c81bcd094ac0048
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\mso1033.acl.krab 37.35 KB MD5: da025703b23acfa1744c4cc2a3b1d164
SHA1: 6a468c8a390a5cba93671aee1519b0dfcc543379
SHA256: e7260f5965cff47db4508c891442b38b8932783d8affde85502ba779a2981a1c
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\recent\database1.lnk.krab 1.60 KB MD5: 18f2462c3804ede587c1398b766c2744
SHA1: a1fa99b963d29adfec29ed5581b439ea85394391
SHA256: 5a8c19dd2d73e6aaacf8e3f2a4caa47e39e76b1e520c5094bd294f0ba2454e91
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\recent\documents.lnk.krab 1.44 KB MD5: 07b11deccc8c5addcd353d95c2ee011e
SHA1: 2a2126c9c3b29c4c8cdaef76b6a8b1323cb7ea3f
SHA256: cab26212b44079fe5a4e13bbcb1373660b4cb34c80899d615c22d2c77004a02c
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\recent\global.lnk.krab 1.98 KB MD5: 280e31615cd761b35f8850ecb2a3f6c6
SHA1: a573d234719349aca6e8f4395e8e6ffd3897ce5f
SHA256: beb2915b3ae2196a73d2fffa91000632ed1a4ffb1bcf979eea753ddfe3b1c69e
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\recent\index.dat.krab 0.60 KB MD5: f564f461941174a2302bfacd575e4087
SHA1: b0a91a939c3bff0e95c4d7020bdec07a652770b2
SHA256: cf8b2d5974315b44c113bb15b7bd633083fff57781b1650c09f5bfc854e063e4
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\recent\templates.lnk.krab 1.67 KB MD5: 4b30b47c838f81fa3992b4d4e095b292
SHA1: 1accb30349de24f568d13d11f652d3ba71a8be66
SHA256: 5b6d91c19c31c3dd140128b9f3105a6b2da44d2ef5844006c83acc3be59c9fdf
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\onenote\16.0\preferences.dat.krab 5.57 KB MD5: 395f6e760661fe1cd0ee6e860fb99cdd
SHA1: 3963c7e127b38e6837815d450347aba4eb8eb64e
SHA256: 64bca5ccf90516fb2208a0fc3e0c959f8b23fa625c6b3b6a50a33aa6f4003103
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\outlook\outlook.srs.krab 3.01 KB MD5: d69b1bc9cf14f53237bbeb0e50d53173
SHA1: ba039b34be0004dcb3591c565a6dd28617f37450
SHA256: a359615036096667df26e7da88cb58ab261e32ea09c98b1b650f62bc6c863ff3
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\outlook\outlook.xml.krab 2.84 KB MD5: b3a39d841585c208ef19b9018b2ac02a
SHA1: 8cac512205f304e98c15907bd8f85f7dd187802e
SHA256: a59fd904a118e8f77d5114b550893b86b36e22d44ec17c4c33110ed554ce5801
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\protect\credhist.krab 0.95 KB MD5: 636b7df83226f84a2e1fa45517b7ed2a
SHA1: 41576d47dc9a9101932ba3fa9d3e8b338efc7f02
SHA256: 139b9a9550eebce3077f29ff01026c7a2d7e72ec00799a4978c94e21abadc763
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\protect\s-1-5-21-1462094071-1423818996-289466292-1000\496f2c5b-a90f-4380-b805-3bf6ac63451b.krab 0.96 KB MD5: 8ef87d37e80b13905cd652bcf7d049c6
SHA1: 55a7c57f6a0650e23026ee18971dbe29fafb93c7
SHA256: 54062646b34bada7ebb4823fbdd00078c92ef57b71805693c0de70193d7faf7f
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\protect\s-1-5-21-1462094071-1423818996-289466292-1000\5b8a3202-35dc-4437-b5d7-374f5e872415.krab 0.96 KB MD5: 25c1df823a41e8ec04d23ca4c1463e7c
SHA1: 2ac9acb800e9f8e3afc22e927278b8a044413fb2
SHA256: d0623b4f1aa7f7fe307141cfd02c0548f7145745e3db2eae989426967c38a28b
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\protect\s-1-5-21-1462094071-1423818996-289466292-1000\d7746ecf-458e-4e71-8557-8ac80457022a.krab 0.96 KB MD5: ae479649a52203e6bc43a4d02071c90a
SHA1: 5f4eaf0ed0a8084c5d888ddda25e58c9a1f70dcd
SHA256: e2fdcd3155556c693ed1272d96cb592436d91be915422f89b3d3713ce6ef6af1
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\protect\s-1-5-21-1462094071-1423818996-289466292-1000\preferred.krab 0.53 KB MD5: dbd3a5c8ae9470921dcc43b5b2ff2d81
SHA1: 1d76b729deac0c451f11408785488fab92906da0
SHA256: 8b47085f2950663e8d9ae31e27df350834c5ff07827176a43c87ebab0c38e16d
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\protect\synchist.krab 0.58 KB MD5: 16fc1a75b3d05bc8cb5b08d5b860dfdc
SHA1: 9f7d473af4b4680af5b59455b4d32ac364bd7af3
SHA256: 5c5cbc45ca3218afe32885a1ec3c6da7a0b0f4986753fb3d3efbeb9b8153d1a3
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\publisher building blocks\contentstore.xml.krab 0.67 KB MD5: 9059ba285dad4403c276c8a3de6e2d57
SHA1: 0b2adabcd8cd20276520ba862e7e70d2cdfd3a4d
SHA256: 5ad46091c457446fd742e93b41521f7be905bea861bb59d7609ba0bd8ebf00ec
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\calendar insights.xltm.krab 893.35 KB MD5: 20f3fcda31ca0a50d2156b4d4a244a10
SHA1: 32a77f89093fd8afef31b4b7704ce1b4bc626ff2
SHA256: 251b096ba10ce0dd4f47202661e021122973d1ce6b7a405989b6b5503d3810ab
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\cashflow analysis.xltm.krab 371.61 KB MD5: 78b16a0e105044334bcbdb2307165082
SHA1: d8b178d22d403703b5de7475fa504496c2aa2014
SHA256: 4d53c60e4470ab052dbaaac1c138d1677ea1e98239eca6de1732192046a1a027
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\email insights.xltm.krab 721.29 KB MD5: 2180ed405f5a11e97ea8642ed2409dda
SHA1: 1661c9d4aa3d59d9b430a848285050479b90bd8d
SHA256: 3b519b39848f490ed526705b12e08397d051bc18145f9a80e10ca57f2eaff2cd
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03090430[[fn=banded]].thmx.krab 549.45 KB MD5: 460d1f105c7e605248c700e510e30e4a
SHA1: a8f4989b135ffc709662d826b50e08c98c7fa696
SHA256: 4dedfabf200bab3704a5e3f604740c1764c3a69fab51298cf2ba2255a4f06477
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03090434[[fn=wood type]].thmx.krab 1.57 MB MD5: b2326ab7f9255beda69b94946c692edb
SHA1: 3110ea0f795a6e69ed5d6bbf419a4e7c27ee37ff
SHA256: becd09b001f1297da3c00c7d52bbdc2ed742ccc3466ceee0f28e853ac7c160f0
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457444[[fn=basis]].thmx.krab 545.46 KB MD5: f4412c9c166e1500bdbd390c291e695b
SHA1: e42c65dd59fdd40cb1feced23aef1f583b5e1518
SHA256: 7d6b25fd6697f1fa7038aaacdaaf57b62232b4e1f3992f348c9e7fe2188c35ec
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457464[[fn=dividend]].thmx.krab 558.03 KB MD5: dd92425fcc2584d2e2edcd59bf958f67
SHA1: 7be55cd809c085eae0536595f93851146f763d05
SHA256: ec8fb8b0860dc6e44aefdaf4b075bb26ed74b288621cd9408c907c566b4f6951
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457475[[fn=frame]].thmx.krab 511.30 KB MD5: a711ab332f6745ac4bec3325e14af57b
SHA1: 850abc20e56bef04b27cb50789d943a9045fc193
SHA256: e5832dc6d7adc3dcd0b1ae746872a849dd761c8db67e56d15d98271bbe5da476
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457485[[fn=mesh]].thmx.krab 2.94 MB MD5: f71297a41015bacf419aeb506f8c5e14
SHA1: eab8e223431a610e3ec5aeabe866a341489da7d9
SHA256: cfe5b275d9e879d8ce39a8a97da954fa83ee0538cae4f454dfc5b616fb4c7a07
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457491[[fn=metropolitan]].thmx.krab 759.93 KB MD5: 3ce4a79d0428c4e2306aa999887b9aef
SHA1: 60cb46bc3e37d21a8a28926796596a9a6e01d700
SHA256: 9ab908b00fafed42c4bf1ec8d519be6ffd1e481adc164c679cbad3186e5bcdbc
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457496[[fn=parallax]].thmx.krab 903.52 KB MD5: 54175ed2e611799624dacdd47f9ee54b
SHA1: 69a371697dc711997f18590b74af4f7397d59ba2
SHA256: 0f93871efd82ff2d04577834f0da6c618a6bbcfaaaf9addf11790702928ef836
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457503[[fn=quotable]].thmx.krab 944.79 KB MD5: e429b8f109a9837732c888b5567c3920
SHA1: 2ce29528a26a1a1b6395750c8d85221209fad2d5
SHA256: e8ffed16e65bb54466dcda6ef50757e99f5685075e4d003f4110229db3221045
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457510[[fn=savon]].thmx.krab 1.15 MB MD5: a1fae0795368c08fc42275b295c0c98f
SHA1: b5d847aa4ff24b3e849d4c490c0a64f97bcf191d
SHA256: d1efb8e2eec2afd6e7f46b821300503b5392aef53847386b5e278a3cbb184813
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457515[[fn=view]].thmx.krab 475.70 KB MD5: d79d00f94ea683c29e1973d4267f0972
SHA1: 8c3daec6391c5608c1d02fe5a01ae34917f44d9c
SHA256: 09cc4f14806ebe9d28db9ba476ea83e1141bc20a9fb68dab3299569b205aac20
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033917[[fn=berlin]].thmx.krab 953.63 KB MD5: 78e7de0bdd9b5f9d5d2a01e8491010a7
SHA1: a8600cca9ba3ab9110261b649b414b03afe2bd6d
SHA256: eb90e290cf679fa12d79d6cd376eccbc7b0e8ee3061808fb060b1aee21c46d10
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033919[[fn=circuit]].thmx.krab 1.40 MB MD5: 27aeeeb6986043d1f0cc0656979692a6
SHA1: cb834712ebb02f40b81d50dccea1daee1c7c3068
SHA256: 4c45b935ac3f9cba8c3f6c2fb97f8363a4218b7fa7844b458993938879b6ad50
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033921[[fn=damask]].thmx.krab 2.12 MB MD5: 3af54ea85a33cdf11c23b6e772716d62
SHA1: 2cf3732ca56bf3e79e64308510ee8200a575d29a
SHA256: c39d8e49c6f2290bf0b49e7c8aa8bc7a1442746b5d7f54af5121c2aa9b5490d4
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033925[[fn=droplet]].thmx.krab 1.67 MB MD5: b5b487bf1127e5e9fb89ad812f663737
SHA1: b8f9b7e163c4c2c16048d1d16e069cf58f481941
SHA256: 6094c1bbe2f790dd63316ed29894217bb88bc8ce6c7b97b75c472ec968536dc9
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033927[[fn=main event]].thmx.krab 2.79 MB MD5: 1e401a3abf45626c010483d9f855b163
SHA1: a3f9a3bf86b169c80fe435f077ff500301fb808d
SHA256: d17adeb1a69b533e5a035edd68f7b1a5f5ead5e380bd36f9ee97d22c28a5ee14
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033929[[fn=slate]].thmx.krab 2.25 MB MD5: 1042a175e6da3a9f6805a455036a35d0
SHA1: 873dfaf117ab328f82a65383ee2fcc861b2d70bd
SHA256: 8dfaa433368f1c5270eeb601cfb4639bfbbd89906954c33ee19a0b692042582a
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033937[[fn=vapor trail]].thmx.krab 3.44 MB MD5: 09cd6c5fef59db6edc4041dfba3ceabf
SHA1: 6c171eac37805c4ff39d9cba5be52c4cc32c3ea9
SHA256: 752106fa51820cdb6131f8b5e6799e9ddbcf38725723d9c154de2d495558d4cf
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001103[[fn=headlines]].thmx.krab 527.47 KB MD5: a836297d194c4c503a9bc50a3ddca95b
SHA1: c91cb94ff146aff8fd2fdc03432d9bdc7c6fc04b
SHA256: 8c3e08ba9888980efd267ccf4f2f52c385c66a6af7ca83d365f107f9ed88a93d
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001104[[fn=feathered]].thmx.krab 1.96 MB MD5: aaec40687a0c14c350fb3e87373beaa2
SHA1: 894305513568b0166a8db73539acdd851f6dfdeb
SHA256: 8b65ca03dfb8ff4b41e3d79228d04707c16a0ace9deddb2ae43c2f169ef0ebb1
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001105[[fn=crop]].thmx.krab 524.54 KB MD5: e78fd90b95e7f988ca4d1c3b9c7973a6
SHA1: aae05247c2a1efb77eb413e1b72c88129d49b0d6
SHA256: 0e9c33e540b7f477edbe51f66e657cb66669d927c4a02c453924d1525971ea64
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001106[[fn=badge]].thmx.krab 648.88 KB MD5: 6411be3a0c2e1a6a1d1e5085b7308e33
SHA1: bad89cc54671aa6e6a2530c0f5cc39299101b252
SHA256: c53b5f4e73d481be608f8973226847026f765579bae5676af3c08a358a1c062a
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001114[[fn=gallery]].thmx.krab 1.04 MB MD5: 02d0e2ec4a1b2441200d15d13c78fb0e
SHA1: 3507f3adc6e8376c6d493bc3d57ff191b58259e4
SHA256: efa6c75beb17d815d1b9f1c7827ef3360708b6f7c72923f7a6d254e818f6d8e8
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001115[[fn=parcel]].thmx.krab 594.38 KB MD5: fff2b201372d6e55f09bae908cbe67f4
SHA1: 17acd170f95305cb318021092aa9fb4a502725f9
SHA256: 6f2bb3b4a9eb2edb3767b487d1e0a676997f8196cfe9a564cb7d05db5efe4222
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328884[[fn=architecture]].glox.krab 6.16 KB MD5: 772d6728332ee7dcaefa978f7d619526
SHA1: 43428fd41980850932f93eb635e248756973d5b3
SHA256: c3006e4202e98f9de259dfa713e101c927e9a2f61e463de4c4d2b447dc8747d7
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328893[[fn=bracketlist]].glox.krab 4.44 KB MD5: 2964d89e7fa5624f193b5e3421356ff2
SHA1: ea6522453491f420fecea5a9b635d8e2f86142ea
SHA256: d65ed93b126f50e0323e7b62228a2c58229415ee6dcf961881408b529ca0a343
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328905[[fn=chevron accent]].glox.krab 4.65 KB MD5: 73820386b7e683d810617672f61d7cb4
SHA1: ede121741bd338fa043d291a03824fa796a02edb
SHA256: 3744650bc1dd255ff803844f5d3c3da9e195247ccb3be15f5c4c20ea80b33e25
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328908[[fn=circle process]].glox.krab 16.92 KB MD5: 9c99af14b03a774578bbdcdcba89abef
SHA1: b2ca8688f31632d8556bc0ff6fb3be270a261893
SHA256: ab70152963ff11be4887fcee1effb82d4c582269ba861602f54e0c2ffec69f3e
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328916[[fn=converging text]].glox.krab 11.62 KB MD5: deb4d76a922f5e2fc39962cb4c2ec2d7
SHA1: ae4c71c1bd1b5af8dc8b4af54eef6deca730b397
SHA256: 4a427dee90d445b8f03de5c4b213002274fb93efd3bbf06f3094ba7feb724a0e
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328919[[fn=hexagon radial]].glox.krab 6.39 KB MD5: c4dda67aa7e5d72d36a94876e9711d95
SHA1: d2d03b76edc74c38dd7022c7160156439b841efa
SHA256: 3fb798e4bf4e97b1209b0269943c4422986816427c04602e8858a835d42a2130
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328925[[fn=interconnected block process]].glox.krab 9.48 KB MD5: e0aaacd5b34969640694ed7f62577da3
SHA1: 3162a37d9dd85ed65f45fa142645fe37568f81d7
SHA256: 2ed7d0e8e3706d72826cac6a4fa465e162da114d61c2a2daaaa65998aedaa028
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328932[[fn=picture frame]].glox.krab 4.73 KB MD5: 3af980b4d71bc4b18177fb56812d99e0
SHA1: 3b4b2df239e7847b2a39c9dd60f167e3dfe5fab9
SHA256: e1e9413054feef84971028a0899d30477e41bf512077470c0a2d8be9db0ad766
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328935[[fn=picture organization chart]].glox.krab 7.71 KB MD5: b4a7eafaa73dcbfbf7bb0fb0ebb7911a
SHA1: 96127bd646c449be311d2e4efa7cdcc80d14461e
SHA256: 88628a74c59b9a1d511b0dc0810c76a0726f02705b38bec2f094fa5f95eec848
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328940[[fn=radial picture list]].glox.krab 5.97 KB MD5: c4dff54b196097786103b2b835d6970d
SHA1: d8d4f808e77cb23f087fa0fd10bb5a22ad895078
SHA256: 994456267605f92d475750a67644c45adcfe8499175378c0be113d7157a6e5e2
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328951[[fn=tabbed arc]].glox.krab 4.10 KB MD5: 52e50d6f50161753fa8bf5db8b2a0e4b
SHA1: 359809d0699f0e44af359b5b7241de0a24d1f397
SHA256: 7a21b40fe4e408aa9395d15b610d978c58bdb86bb2139fef3da700aff508a074
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328972[[fn=tab list]].glox.krab 5.28 KB MD5: eebde2d701ced98107cf1bbe0e8d66f4
SHA1: d68bec97922786f441ef786804c453b4cbbc674c
SHA256: 12884854715ced1c27a4f5664ad3d27705fd7a4a33f3db317bb4c041072c7ed5
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328975[[fn=theme picture accent]].glox.krab 6.80 KB MD5: 79da77240708866c579b445a81ed2e86
SHA1: e54b25b3ead25203c50cce29912806fc35105ec9
SHA256: 0c4e14787d234b453bf1a78b2f35e9ac5c7e8a65cb7fec6635bc231f07ee651f
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328983[[fn=theme picture alternating accent]].glox.krab 6.01 KB MD5: 50fc7073da60f8438d4b79c6995609a1
SHA1: d379f5ba3b1f46faebbbd660c63354a620d199c2
SHA256: 65aded2c5fea5e30c08cba34ce811385c4e8d8ca3a7c1d40097ac8283a8be209
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328986[[fn=theme picture grid]].glox.krab 6.56 KB MD5: 38263f80ad9d09af7ee4e3909f99ab0f
SHA1: 01400eb83072759c46d3d2d1ae926f5b2a038c4f
SHA256: 37bec650d9867c935d2f0deccad1f48f2e092c174cd6106cf801d4289814a383
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328990[[fn=varying width list]].glox.krab 3.51 KB MD5: 389093cf1fe488a30d5938c7986ad0a3
SHA1: fc163ee1fb01a62256c6eaef7bd086c03271702e
SHA256: 30625b9f90d92d49d3c639f499bd30cee96695534fa59643eedb23df4fd6f6b6
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328998[[fn=rings]].glox.krab 5.54 KB MD5: 71cc0ba865569bb6ea3d124fb5e05981
SHA1: 575f936a68804efb0b867f6ebe1613daff94c733
SHA256: 21a89a95cd6684b951833ffbb80a3cd9a150a82748090196c30c36892dc43367
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\normal.dotm.krab 18.92 KB MD5: 43ffb707b9c55a00ba402953f316a0de
SHA1: 024531ca7d01ba224925d86168d17f4a258c940a
SHA256: 9ca2f367f4a33c8ecbd6096f7613063045d700376d16d3b763fe25c650e55115
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\process map for basic flowchart.xltx.krab 107.88 KB MD5: cfff3f11564df90ddd7bb90c68354aaa
SHA1: 23a5d973ba7be5f0b55404cb1c041be00a410c9b
SHA256: ef3ab669bd245011dc693987cc375b2889ee3b85893f6976cd025975a673d362
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\process map for cross-functional flowchart.xltx.krab 141.85 KB MD5: fd176cbe511e24a0b02eefbe0e79a9a9
SHA1: 3c4f660482de7965b4b73b257f643dd670b9fc24
SHA256: 7b372dad62c68bbf9c78d3baebdfa4cb36d50641c8fffc82be1b5aff3fe2aebf
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\stock symbols comparison.xltm.krab 1.39 MB MD5: 573dd31e7e458801ead10b35c809cd19
SHA1: a802cfe92f34fb0ad7a43d9879fedb4d42fcfd08
SHA256: b9cd52553226be3212dc28de4fa787577481f4baa8ce24fec5de77a690beb39d
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\welcome to excel.xltx.krab 483.66 KB MD5: 0e01436b047f42ea13fa48f4487b3cec
SHA1: 7b7c3bc37c7faeb226eb94a2f2558d0d08ab9674
SHA256: 1a391984ee07ce19ccf40a942a15b86615261f635d13997fc465f6f4017f1d72
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\uproof\custom.dic.krab 0.54 KB MD5: 21229a31d06ad890a2c490fd56b16aee
SHA1: 6b001aef284df6d367cf3d004d06838773cfc051
SHA256: 7b409210f81a1533d17cb211535df0e29d202ccb4d468829b5204e290f5302c4
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\crash reports\installtime20170518000419.krab 0.52 KB MD5: 207cab16a34ad4ca2d66db680678f2e3
SHA1: 1251d9c304ad786d81f20fa5d0c8e6914e085543
SHA256: 5b0e5dbacb2964a935088220c02d88e106b76308802c083b8c3a53476fd81b6b
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\addons.json.krab 0.53 KB MD5: 4a3691d0c347671e102107994b1f11e7
SHA1: d319c1eb1f81feab4535065554c8c5bb4e66aa1e
SHA256: 6f24c73851714dbb24d5d967b0c1a8652d91aefba30eb92c6009cd47c3785bf6
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist-addons.json.krab 450.02 KB MD5: 24296c539ab10fb8e1f9c21ca9d39ddc
SHA1: c769b17b890ecbfb5c9c05195d37f9b465e9a92b
SHA256: f70bd2f9b538baceeff49e6ab4bd3d3512592bef71a606f20660cbdb3422e064
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist-gfx.json.krab 27.81 KB MD5: 131935fd95112f45e8420cde08856fb3
SHA1: 335dafc6112daa5f38cc00568d8ac50f323627fa
SHA256: b81199ebd7eef7483eb975c489f5b36ab836f98c453557b7caa91991fc9bca52
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist-plugins.json.krab 197.20 KB MD5: 322cd63770a694694c282b76a04c29b1
SHA1: eae4fecde2f020846ec8ad7a79f3620249922944
SHA256: c4fa5885a615d2d41c1c3428c09c71ef1667462017c031aaf675e40131c6dd61
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist.xml.krab 252.41 KB MD5: 4d3dd2e8b5dcbe224b4b5df0d51813f8
SHA1: 84c4bb5f1166d9721d511f7378d30ff792282f52
SHA256: 875b8561807212a0963db3d3ed94fa404f763d6ebca54441c9d39e7f953d285e
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kl0o5i+exwq3txuldkmf9w==.jsonlz4.krab 1.84 KB MD5: a955d58e756cfdc7be07dc11f1dd7844
SHA1: 3b030bf0938c6e5c9eb4289d31884707ac12e170
SHA256: 67c82772aed785b7ee879a67176fbb8986baf60b45ea870a7636ca659f2767c8
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\cert8.db.krab 96.51 KB MD5: 86e3ceb419506995378046a1981adcfd
SHA1: 50cbca7862144ec3e056cd76c205fea763c35b05
SHA256: f1ae0aaf6a29ee8b8822ad56f032b43c778afc6c49326a65674a1fca1cc8b1bc
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\compatibility.ini.krab 0.71 KB MD5: 14ec5701b2c0ca06770a40d570006f8e
SHA1: 604b7e123e9879dc16a4b4f4f5e826dffcfb027b
SHA256: da5a851219a5993f41cf0f9f2a96fa1248b757e9118ff84963d397287af682cd
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\containers.json.krab 1.30 KB MD5: 0376671d79c08a604a1e2bfa737fa240
SHA1: f3867920bcf15054b2df83eef9e051f01c88e026
SHA256: fbe91ee91c192e562b545111df2688b7b1e96905bbf218e972745194f592f230
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\content-prefs.sqlite.krab 224.51 KB MD5: e5f778dc8aafd376c8ed3cbd7514cd40
SHA1: ba249d198c3ded6340886df30f0d51d7967f5b0d
SHA256: 346bf8cc7c64427b141194b1a6957de8eaafc5208c22a065bb26e167d201ec29
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\cookies.sqlite.krab 512.51 KB MD5: 65845903f7700333de8ec73983d71e64
SHA1: 8f18d12c4103d5a4a32691d93eea3abd942571c6
SHA256: 2f05fcf77a6c291a5815f63ab50a5957e2c311714821adf84f47647f4c4da4e3
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\crashes\store.json.mozlz4.krab 0.57 KB MD5: 362bc7bf855de20bf96075b9bd148e98
SHA1: 5e79eb1b6c43d5cae0d8372161927b42d0632562
SHA256: 007b086bd585a44bd1d92f977be760611649f26476c65a73edf24ce966ba29a5
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4.krab 6.05 KB MD5: 19c342a7e6b03440618ee07859af5a0f
SHA1: 53e85149db9d3034612981bdda10bdd0e12b7f70
SHA256: f0aed7beda6280824f7bdcfdd53bee0e9b7ee97538ac6b39b4db8bfad2bf5cb2
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4.krab 5.38 KB MD5: 198023d134de522fb9b7e828bb05960a
SHA1: 258061a2cb457a10c3dcc40f47f1067aa60433ae
SHA256: 6c866cf56dc2175fe663407e54ffe0c62ed7789fd6929aab183ece69b1c5a790
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4.krab 5.51 KB MD5: 26d0230b0bb5035f10e4e936f39a65a8
SHA1: 2e18d505b0771b73431a0db76553f1241099f98e
SHA256: a3b2c0486d193621053cf5e694ff641db14c83b539e3f97410487ec57c5bd734
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4.krab 5.68 KB MD5: e4daf0adf8f5a3056819c362a01c30bb
SHA1: be0800f29e1ed1ca7d063d526a58fe8fc9ebd8c9
SHA256: fb2792b99b95dd008ad19f928c288c9a4b9ac80f3928d5d35dcb4136f040f1ec
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4.krab 5.66 KB MD5: 91c11f6e2bfc77cb9db8ce4558fa3b04
SHA1: 8bbdacc33bc015db92ed05b9b8d2a1e96eaf9853
SHA256: ca10d0d2086901abbb2fc80d8cecc8b72a94645d4b9acb3a51bfb97667547732
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4.krab 6.54 KB MD5: cde96802c88f853f27e0237defff402d
SHA1: fb0176870e6c42f750e1082e64cde35ef2e8847f
SHA256: e5285a21d65d96e035f8c8a8f5d8dce9ae1583e94e1a2ce8c32a191f36d8b3d1
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4.krab 5.56 KB MD5: c6f9c84ac88e05a693c20628dff3f884
SHA1: e218cb870985208817f71a0bfcf3cdb82f8be609
SHA256: db5d1c74d91b8d25ebf63562f2417f33f702e136c6fc19232b0ba5d10b3d93b7
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\session-state.json.krab 0.64 KB MD5: 9674985b0dfd469cc09b719f40b3be54
SHA1: c8d142672eabfc484b7001bdc5cb08230c41ed84
SHA256: 2570c64d2bb47abe66c634c0509ad5d0562e6ae3b55c64efa675783d7972f0ab
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\state.json.krab 0.56 KB MD5: bbe7dd74d012f52e98c2c65c86933b12
SHA1: 794e56131252b984228ac5c4f65d4883cac5ffab
SHA256: 72e3297d284cd32ac80064a0629551cf678c025ee2ae9ca0b4befc872b5d99cd
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\extensions.ini.krab 0.69 KB MD5: 460610eaf33816f4b994113d8fa9362c
SHA1: 20292e4c0e9abe636d30b25d0b388cf7b821c6fc
SHA256: 94faa02330713a0d975c7f97e512dcca7a335adb3b72be95cdab81373fcd7e11
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\extensions.json.krab 6.30 KB MD5: a01af3f7267be03c7c19e3fd2e82971e
SHA1: 2a2251bba4b85e876de23c44c240c2b8bf4af4bd
SHA256: cc1ae8304d7c2d96362058e078dd707dbd058ef6e69c52fac46b3530a7ee7cc5
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\formhistory.sqlite.krab 192.51 KB MD5: 5d6c6aa3182c751c6028ae7be32b254e
SHA1: 1b3681de81a053c0ef28237f2199075c650e9215
SHA256: 14ddaafd3df7721baa07c2c2252e03e6668b50522a1f477176c927cef76be403
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info.krab 0.62 KB MD5: 21b216b20b7a6442eeb7de398bd57c9f
SHA1: 9305a3fddf488acb2a78e099afb7bf2f853f1ad6
SHA256: 3a84af64a82a6b5a3c6b713aa94baf9a2b7307e09e8bc36cb1af5876a0067ac5
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\license.txt.krab 0.98 KB MD5: 8635a1c4bb84685e526fe3786ed006d0
SHA1: 361df376b85110416c860f3592a2d42d00729518
SHA256: f4b137f4376ce6481960da092321dc87d66f862d4119fa3b84bd3b67c9123367
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json.krab 0.85 KB MD5: 3e04d664bf925c6b25e558d3d49cab9e
SHA1: f7afe1d712c5c4a9ea92e3521c0fd3295698c06e
SHA256: af96dc4614a4600a37baa8a8dcfb3a882d4c6524a8c5b0755706cf692ad50635
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib.krab 2.92 KB MD5: 2963c2e52951e348487397be39c73dc3
SHA1: c6e3a651ccc6a46fcfd1ee2c34a02ec7773c8c57
SHA256: f64f3384e841335c5dfcd58e24924ff31c071e47ef94d10184048b151b6f13fa
False
Modified Files
»
Filename File Size Hash Values YARA Match Actions
c:\recovery\windowsre\boot.sdi 3.02 MB MD5: 00e91e3911b14419351b6baff3d5fd78
SHA1: d0b40ed7213ff8e1c21a12ff8e6242c59fda0bf6
SHA256: aa7f5e33d43d6c1936ec8802c8e939b265f000b177db72fb09497a7c5025bdb4
False
c:\recovery\windowsre\reagent.xml 1.52 KB MD5: 0761fc9dd577c8cbde077aa7ff31ae07
SHA1: b53a8bcb7e5cb565bbaea99b78fe8f85c6e9c6e0
SHA256: a7f461dd21311bb97fdb2e471c28eb1311117e81e5fcd9a9b38c7dc1adb8cb09
False
c:\recovery\windowsre\winre.wim 10.00 MB MD5: cf14c2e32686f3d82e7884bf6367202a
SHA1: f83424c053891b18e6da18ed7d366fd30e136ee4
SHA256: f714739f6fc86e9a81569218719155c1703e15db2b2a0cca3af66ba9f23aed61
False
c:\users\ciihmnxmn6ps\appdata\roaming\0ot50g8.wav 44.15 KB MD5: b8594f61e49b1d56589c6b2e262bab3d
SHA1: e76b5460f16aab2f2c5c65f22b7011dae536382f
SHA256: c15b5dfef40cc7b358a58d917b29adc249f7e51416e7e606a6f42d88b2bbdded
False
c:\users\ciihmnxmn6ps\appdata\roaming\6pfbsv9hp6f.png 94.67 KB MD5: f136a7e389b5b2e2be628c870e7bf678
SHA1: 53faba0bc99f9297140c75babbb1877760f5e26b
SHA256: ccd50aa3302bf08c7848598a2cc449f8ead9b1ed8e766eeb9be27af4f6df30bd
False
c:\users\ciihmnxmn6ps\appdata\roaming\8obl9.mp3 7.49 KB MD5: ea04a928b46823cf10fd56220c0e0b52
SHA1: 4c9122fc8d27e35bacf9dab89955b8188c2dd0fc
SHA256: 02757c8eb26d4a3a29431a57260b9432915b42312b933166e355451351e9b0b6
False
c:\users\ciihmnxmn6ps\appdata\roaming\9wgle6yhq.wav 95.92 KB MD5: 56f4394295dd0e575d5ac889083c8e56
SHA1: f656d68065b40f382e82bb3ccb082eb1e2e17508
SHA256: 62136e63d4a507281cb44cf1bd47633ae30e35351e7eec0b0d42cc8867a465e4
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\jscache\globdata 0.53 KB MD5: 47b698c02681f7f2fb21cc87ce0da49f
SHA1: 0e1b43219cd87e7efac1d1b7b311f11b7074bf4c
SHA256: e8ab58196cfa86717494ee98471b3f95b80d31bc968d009b7456ed758c2841a5
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\jscache\globsettings 0.53 KB MD5: 00799f06dcb0890ca151cb2166d55659
SHA1: 64e7e67d9636af2d3eb4227eaee4b7f5e0973cae
SHA256: 917a28197a567e57f7217f37662cd1c3a5980b4477eeefd2b8be8a01623876ab
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\security\addressbook.acrodata 11.15 KB MD5: 2191be99ed9987a89982e7f6a6dd8521
SHA1: 62a66ce5de30bcea1ded625959757525bc0b9445
SHA256: 91fe2f50f3d22e8d5a095a72616a4ee91c70bd95596c11ac6d801a1c39daff71
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\security\crlcache\0fded5ceb68c302b1cdb2bddd9d0000e76539cb0.crl 1.13 KB MD5: 545552a8a34caee222b1d373cb8df985
SHA1: 1c60e464bf7aad15fed6d7480e681e84c51802a8
SHA256: 25eb8fb451bf6cdeac85471d9777148fdd7380ce691897d41b6bfc73f2feb6a0
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\acrobat\dc\security\crlcache\ce338828149963dcea4cd26bb86f0363b4ca0ba5.crl 0.92 KB MD5: 4df56773a53dcc7fdc8e65c17a7a656c
SHA1: 339c5a66f02dc61eccb3087ca86aa664f669bf13
SHA256: 9a8e836c91b053da399323d8613bdff4c7d1caf63dad8b5e85909c503feb2e51
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\logtransport2\logtransport2.cfg 0.72 KB MD5: 7320c8f6d8d78f2759fd4ceefced2109
SHA1: 9050eeff3efe15a500f8613527dd39baaeb855d1
SHA256: 1035f3a9d1365e6564a929277311c55b91b9b6ffd4a777d8023869d8d7fcba90
False
c:\users\ciihmnxmn6ps\appdata\roaming\adobe\sonar\sonar1.0\sonar_policy.xml 18.83 KB MD5: cb5da228f9bf0bb221eaea9ba661da59
SHA1: 0ee696bcec85baa40d423db5092c0f60f61ca6db
SHA256: c6924e3ff9bd15edc05636db6c6186c5294a0b38fd8c22cfb3a3270be6ebadf3
False
c:\users\ciihmnxmn6ps\appdata\roaming\djuqbavyptzz.pptx 89.29 KB MD5: ac27e8272960681ffe2fa5f999417496
SHA1: b591ff76d6edc6d38e8b51ff75b25b401eff02b3
SHA256: 3ffb13b7f36c6c75ad5d090798433aaba892c6eaa7e71f13f556e000bed5a084
False
c:\users\ciihmnxmn6ps\appdata\roaming\dthsp.wav 55.73 KB MD5: b7c5888b0a9d59ca3e9d4aa4a357a54b
SHA1: e69cda5f9ceac812a681265401420642b333d635
SHA256: 20be64caeae043ab1c892012926f33d1c247e74d9c51a2f2240078afffd94014
False
c:\users\ciihmnxmn6ps\appdata\roaming\e5mdcum.wav 78.76 KB MD5: 663c9411c747b03bc1c7c477c801b9ab
SHA1: d3575c8e4998ec9bf898aedad40ccc49cb196ad8
SHA256: 17307be13018880bc1c07ce7d597a31b8d11d77f46eaaa20972137511ecbe234
False
c:\users\ciihmnxmn6ps\appdata\roaming\g6vvpxdmqflec5.wav 80.29 KB MD5: 8f9d061f111b729a096ea49802a91eba
SHA1: 470767dd5743fec1de216b5aa5a6bea7fea07a82
SHA256: a157edb206952ff566cb9fc956211cd18cd38de475aa8a5ab7ce1c9d72d1411d
False
c:\users\ciihmnxmn6ps\appdata\roaming\gr1x5 npk8rrlq.xlsx 91.42 KB MD5: 4634481251cdfbd2e9f461e5ada126b5
SHA1: 65db246b19b5d82dcc215befd508473392d47562
SHA256: 614858a0d8b848f5489e496d654759359f1bcd874d8e2dce6739128f04dd0785
False
c:\users\ciihmnxmn6ps\appdata\roaming\gzycnwmxpfth1h.mkv 16.41 KB MD5: d272f41de4e008292425761d0c46b177
SHA1: 1f2e907ed119601d21813cf6a575ae9db15d2564
SHA256: 388408b8e1577687aba34ee503841497be869a664db34b7daf066c99508377b1
False
c:\users\ciihmnxmn6ps\appdata\roaming\ihlu8dqstp.avi 67.16 KB MD5: 88e5477b4c51d217cbb2c9333d17e399
SHA1: 6c2bf8593957e2d62d8ea24dced8d5c4cc79e957
SHA256: 9b93fc6102bbe32798febbbc5ca906bea8f2413aff7ba96fd0b2b672134a5fd0
False
c:\users\ciihmnxmn6ps\appdata\roaming\ja bmec_clxvh.png 6.52 KB MD5: 1319821ae48993ae311e07e810c21221
SHA1: b2649ef7a0f28075dd92105b52561eb7b1d7b975
SHA256: a916cc2382c0791ed4d764a05751f5d809ed77bfc3a98326f66f4b46a8ef8e3e
False
c:\users\ciihmnxmn6ps\appdata\roaming\kwagh0pyau.doc 72.67 KB MD5: b09c2ccbb6e8331cf01c65701563f69c
SHA1: bcf97b2dfcd1aea1b68e54b767cce492d9843a9c
SHA256: bd5fde16223280044a339bf0c8f9258dc8b5433797d71f536ad3858f4a2b7a2a
False
c:\users\ciihmnxmn6ps\appdata\roaming\ln5clld3j4vlr4b.xls 2.09 KB MD5: c914b2c40d3346a76357dc5fcc159d90
SHA1: 3ac1431533f6828744694fb1055f2a12d7dae9b4
SHA256: 6827d400b285370e3cfc4330837c26618992735d8e1f86977827408600176446
False
c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\settings.sol 1.00 KB MD5: 776c66ba07c79ff2de472a2fd7d810f3
SHA1: 994f05d437b24fcc94cb76d6de54ec525f5f2c8c
SHA256: 0da286d6c56e851fef8aea9bcfda71d74169bfba209d269623915db81f09bea9
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\access\accesscache.accdb 196.51 KB MD5: fe26b285d4f3565558d91c8d8be7ef28
SHA1: e1b076eb08a6cf63b3ae6f4d5fef23c45d37a60e
SHA256: eb69783d2c614aa4256ce49100590261485dccf7231579ff0604efe90f7fae4b
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\access\system.mdw 124.51 KB MD5: 23603324f48ac03fecb2c6fd9add294c
SHA1: e01d9c7067437bd7b72352e062cfbba3af900113
SHA256: 6198d7bfd5ea2ecb12217f11d7f3188b636337f3a56c60681af4051354cafc0c
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\apasixtheditionofficeonline.xsl 326.29 KB MD5: b7b6f3e95fe1f37bfb9a28470938ae9d
SHA1: 86c0f200db987346773a887a82b1e613fea1d604
SHA256: c9175b9cc3e10aa4b147cba9e3781be387cdebc93a164692d11a16396e55b4d2
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\chicago.xsl 290.56 KB MD5: 3f25a49b3b5973f41aeda53776409a37
SHA1: ba6a74ae8f9f10b77efafb8c0188dc1c2c4abe70
SHA256: d91e10aa69e91332f051eddc0089778b7d25c79e1aa02b46d1b9bf7872b18423
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\gb.xsl 262.88 KB MD5: 1bc3fcd0ebd07e974b74e16008c6cb43
SHA1: c6ab35de6c06ec3f78f1b392c1d63ed5fc34b8fb
SHA256: c56c53103660c35e580ffd91abbcd744fadbf8d0b169eeec4a275496e7c8eb7e
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\gostname.xsl 250.86 KB MD5: e901e94e7a271fe208d6a9d38aaf5035
SHA1: 358693b9a0fabb0e13246c67048926196699e0ab
SHA256: 61f8a1e05b7c48615cdfa745427e0cd8e0f729a0d0099f5f56938bc3d6b212a4
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\gosttitle.xsl 246.06 KB MD5: 26cabf8a4ccc0816d9488f54abc5f25b
SHA1: 9c58b6adc77c39d025c188809818576b3ad53e8e
SHA256: af2afa9013ea2de66de4d441e1469f3406082c9698f2d0fe0cb600792228fa22
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\harvardanglia2008officeonline.xsl 278.63 KB MD5: 6fd0657158ac77ab7024f4d237876e51
SHA1: b26c3283e07b162e1df7e5e048e38aa6f20874f5
SHA256: a61e6b199966d205e41d5e507dfe7c9476fe282da60527acea13e2a1c16f4ac5
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\ieee2006officeonline.xsl 288.13 KB MD5: 3b0dbb990e9b780f7a9b0ed3234df731
SHA1: 43d4d51d18ea235b1fdf1f15b3d56b73e4687692
SHA256: 4fccbbbe69d7f74e4470d368d88b14c2c8ec449e254bfd83a118a3005e6450c9
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\iso690.xsl 264.81 KB MD5: e72a69be5d2635efd6d3e1f4df886583
SHA1: 1efab2ce1bdad23ad43f91eab1a91812c6bb76b1
SHA256: 3079823facc76310cb3abcc9bd597b6c02553f34a3fae1ed70e5a1a699df1bba
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\iso690nmerical.xsl 212.99 KB MD5: 6fb4a47b4326cad0975b895d3d80f8e5
SHA1: 5a9e1239d2522f303f9a211e3ee7cb37bf63dae4
SHA256: d51ea2905b15358ddf2ace9990d1ae0c47a436316859606f95c28461fed7790c
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\mlaseventheditionofficeonline.xsl 249.75 KB MD5: 4fca62c4432a333f626a4981cafc3cfe
SHA1: 7a85aaa220f1a26c1aafcece6171d1adc9ccc508
SHA256: af8c890ced0d373df04a76acccda4cd990fc34d021fc804d31210e9403e5c41c
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\sist02.xsl 245.95 KB MD5: f0d21a61c20df93d4cb5cd305be38a2b
SHA1: 7a7f484b6c009362328fdb1a1ce06cbf2783d8ec
SHA256: d2b44aa72c9ab6d7e96c5c6d663efade88ba6a6c7b84dff3abfcdc4ffa9d8bae
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\bibliography\style\turabian.xsl 337.09 KB MD5: 54b0474e337ba2bb700dde0208253d7e
SHA1: a3adf5ed1c346e1e1cf5dbacb18db981c5f8119e
SHA256: 1852672acf39be581765e35b2b183e2cd5c6f321c8ca07a406240660257c9448
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1462094071-1423818996-289466292-1000\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b 0.56 KB MD5: 9b664610387cbb19a6d61689ed521ba0
SHA1: c149a8d9dd836badfaa30bb372971987e6c61ded
SHA256: 418380aa01214a71053ec3561e4d77739bc43ad6b50fb47605a1b84893878e5c
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1462094071-1423818996-289466292-1000\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b 0.55 KB MD5: 482c38ee74c7196e72a63e813772b44e
SHA1: 54d53b0222a7967ec96aebc9894d3845b4e4ae7c
SHA256: 93261c8a87e2119a9734f19b4caf592c8c9939cfc8d239504647ce02e1918116
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\document building blocks\1033\16\built-in building blocks.dotx 3.53 MB MD5: 413336ea03aedced36c5373e986ae4d9
SHA1: 31e8819cbbf367ea929c9885ca9b7ef0db0ba38f
SHA256: 8594e3dd69c5b4c95d436f49f4bb11102c93a644099636a8b1b26ff15aafb4ce
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\ms project\16\en-us\global.mpt 1.21 MB MD5: 2cd47dd242b9977badea7124d551781d
SHA1: 2fb3e6d611a193c17c130233587a1dda2639d9cc
SHA256: 8665919b883a3265b0d32cef6cb29e946e61c66331da34c41c81bcd094ac0048
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\mso1033.acl 37.35 KB MD5: da025703b23acfa1744c4cc2a3b1d164
SHA1: 6a468c8a390a5cba93671aee1519b0dfcc543379
SHA256: e7260f5965cff47db4508c891442b38b8932783d8affde85502ba779a2981a1c
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\recent\database1.lnk 1.60 KB MD5: 18f2462c3804ede587c1398b766c2744
SHA1: a1fa99b963d29adfec29ed5581b439ea85394391
SHA256: 5a8c19dd2d73e6aaacf8e3f2a4caa47e39e76b1e520c5094bd294f0ba2454e91
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\recent\documents.lnk 1.44 KB MD5: 07b11deccc8c5addcd353d95c2ee011e
SHA1: 2a2126c9c3b29c4c8cdaef76b6a8b1323cb7ea3f
SHA256: cab26212b44079fe5a4e13bbcb1373660b4cb34c80899d615c22d2c77004a02c
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\recent\global.lnk 1.98 KB MD5: 280e31615cd761b35f8850ecb2a3f6c6
SHA1: a573d234719349aca6e8f4395e8e6ffd3897ce5f
SHA256: beb2915b3ae2196a73d2fffa91000632ed1a4ffb1bcf979eea753ddfe3b1c69e
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\recent\index.dat 0.60 KB MD5: f564f461941174a2302bfacd575e4087
SHA1: b0a91a939c3bff0e95c4d7020bdec07a652770b2
SHA256: cf8b2d5974315b44c113bb15b7bd633083fff57781b1650c09f5bfc854e063e4
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\office\recent\templates.lnk 1.67 KB MD5: 4b30b47c838f81fa3992b4d4e095b292
SHA1: 1accb30349de24f568d13d11f652d3ba71a8be66
SHA256: 5b6d91c19c31c3dd140128b9f3105a6b2da44d2ef5844006c83acc3be59c9fdf
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\onenote\16.0\preferences.dat 5.57 KB MD5: 395f6e760661fe1cd0ee6e860fb99cdd
SHA1: 3963c7e127b38e6837815d450347aba4eb8eb64e
SHA256: 64bca5ccf90516fb2208a0fc3e0c959f8b23fa625c6b3b6a50a33aa6f4003103
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\outlook\outlook.srs 3.01 KB MD5: d69b1bc9cf14f53237bbeb0e50d53173
SHA1: ba039b34be0004dcb3591c565a6dd28617f37450
SHA256: a359615036096667df26e7da88cb58ab261e32ea09c98b1b650f62bc6c863ff3
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\outlook\outlook.xml 2.84 KB MD5: b3a39d841585c208ef19b9018b2ac02a
SHA1: 8cac512205f304e98c15907bd8f85f7dd187802e
SHA256: a59fd904a118e8f77d5114b550893b86b36e22d44ec17c4c33110ed554ce5801
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\protect\credhist 0.95 KB MD5: 636b7df83226f84a2e1fa45517b7ed2a
SHA1: 41576d47dc9a9101932ba3fa9d3e8b338efc7f02
SHA256: 139b9a9550eebce3077f29ff01026c7a2d7e72ec00799a4978c94e21abadc763
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\protect\s-1-5-21-1462094071-1423818996-289466292-1000\496f2c5b-a90f-4380-b805-3bf6ac63451b 0.96 KB MD5: 8ef87d37e80b13905cd652bcf7d049c6
SHA1: 55a7c57f6a0650e23026ee18971dbe29fafb93c7
SHA256: 54062646b34bada7ebb4823fbdd00078c92ef57b71805693c0de70193d7faf7f
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\protect\s-1-5-21-1462094071-1423818996-289466292-1000\5b8a3202-35dc-4437-b5d7-374f5e872415 0.96 KB MD5: 25c1df823a41e8ec04d23ca4c1463e7c
SHA1: 2ac9acb800e9f8e3afc22e927278b8a044413fb2
SHA256: d0623b4f1aa7f7fe307141cfd02c0548f7145745e3db2eae989426967c38a28b
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\protect\s-1-5-21-1462094071-1423818996-289466292-1000\d7746ecf-458e-4e71-8557-8ac80457022a 0.96 KB MD5: ae479649a52203e6bc43a4d02071c90a
SHA1: 5f4eaf0ed0a8084c5d888ddda25e58c9a1f70dcd
SHA256: e2fdcd3155556c693ed1272d96cb592436d91be915422f89b3d3713ce6ef6af1
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\protect\s-1-5-21-1462094071-1423818996-289466292-1000\preferred 0.53 KB MD5: dbd3a5c8ae9470921dcc43b5b2ff2d81
SHA1: 1d76b729deac0c451f11408785488fab92906da0
SHA256: 8b47085f2950663e8d9ae31e27df350834c5ff07827176a43c87ebab0c38e16d
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\protect\synchist 0.58 KB MD5: 16fc1a75b3d05bc8cb5b08d5b860dfdc
SHA1: 9f7d473af4b4680af5b59455b4d32ac364bd7af3
SHA256: 5c5cbc45ca3218afe32885a1ec3c6da7a0b0f4986753fb3d3efbeb9b8153d1a3
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\publisher building blocks\contentstore.xml 0.67 KB MD5: 9059ba285dad4403c276c8a3de6e2d57
SHA1: 0b2adabcd8cd20276520ba862e7e70d2cdfd3a4d
SHA256: 5ad46091c457446fd742e93b41521f7be905bea861bb59d7609ba0bd8ebf00ec
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\calendar insights.xltm 893.35 KB MD5: 20f3fcda31ca0a50d2156b4d4a244a10
SHA1: 32a77f89093fd8afef31b4b7704ce1b4bc626ff2
SHA256: 251b096ba10ce0dd4f47202661e021122973d1ce6b7a405989b6b5503d3810ab
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\cashflow analysis.xltm 371.61 KB MD5: 78b16a0e105044334bcbdb2307165082
SHA1: d8b178d22d403703b5de7475fa504496c2aa2014
SHA256: 4d53c60e4470ab052dbaaac1c138d1677ea1e98239eca6de1732192046a1a027
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\email insights.xltm 721.29 KB MD5: 2180ed405f5a11e97ea8642ed2409dda
SHA1: 1661c9d4aa3d59d9b430a848285050479b90bd8d
SHA256: 3b519b39848f490ed526705b12e08397d051bc18145f9a80e10ca57f2eaff2cd
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03090430[[fn=banded]].thmx 549.45 KB MD5: 460d1f105c7e605248c700e510e30e4a
SHA1: a8f4989b135ffc709662d826b50e08c98c7fa696
SHA256: 4dedfabf200bab3704a5e3f604740c1764c3a69fab51298cf2ba2255a4f06477
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03090434[[fn=wood type]].thmx 1.57 MB MD5: b2326ab7f9255beda69b94946c692edb
SHA1: 3110ea0f795a6e69ed5d6bbf419a4e7c27ee37ff
SHA256: becd09b001f1297da3c00c7d52bbdc2ed742ccc3466ceee0f28e853ac7c160f0
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457444[[fn=basis]].thmx 545.46 KB MD5: f4412c9c166e1500bdbd390c291e695b
SHA1: e42c65dd59fdd40cb1feced23aef1f583b5e1518
SHA256: 7d6b25fd6697f1fa7038aaacdaaf57b62232b4e1f3992f348c9e7fe2188c35ec
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457464[[fn=dividend]].thmx 558.03 KB MD5: dd92425fcc2584d2e2edcd59bf958f67
SHA1: 7be55cd809c085eae0536595f93851146f763d05
SHA256: ec8fb8b0860dc6e44aefdaf4b075bb26ed74b288621cd9408c907c566b4f6951
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457475[[fn=frame]].thmx 511.30 KB MD5: a711ab332f6745ac4bec3325e14af57b
SHA1: 850abc20e56bef04b27cb50789d943a9045fc193
SHA256: e5832dc6d7adc3dcd0b1ae746872a849dd761c8db67e56d15d98271bbe5da476
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457485[[fn=mesh]].thmx 2.94 MB MD5: f71297a41015bacf419aeb506f8c5e14
SHA1: eab8e223431a610e3ec5aeabe866a341489da7d9
SHA256: cfe5b275d9e879d8ce39a8a97da954fa83ee0538cae4f454dfc5b616fb4c7a07
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457491[[fn=metropolitan]].thmx 759.93 KB MD5: 3ce4a79d0428c4e2306aa999887b9aef
SHA1: 60cb46bc3e37d21a8a28926796596a9a6e01d700
SHA256: 9ab908b00fafed42c4bf1ec8d519be6ffd1e481adc164c679cbad3186e5bcdbc
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457496[[fn=parallax]].thmx 903.52 KB MD5: 54175ed2e611799624dacdd47f9ee54b
SHA1: 69a371697dc711997f18590b74af4f7397d59ba2
SHA256: 0f93871efd82ff2d04577834f0da6c618a6bbcfaaaf9addf11790702928ef836
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457503[[fn=quotable]].thmx 944.79 KB MD5: e429b8f109a9837732c888b5567c3920
SHA1: 2ce29528a26a1a1b6395750c8d85221209fad2d5
SHA256: e8ffed16e65bb54466dcda6ef50757e99f5685075e4d003f4110229db3221045
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457510[[fn=savon]].thmx 1.15 MB MD5: a1fae0795368c08fc42275b295c0c98f
SHA1: b5d847aa4ff24b3e849d4c490c0a64f97bcf191d
SHA256: d1efb8e2eec2afd6e7f46b821300503b5392aef53847386b5e278a3cbb184813
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457515[[fn=view]].thmx 475.70 KB MD5: d79d00f94ea683c29e1973d4267f0972
SHA1: 8c3daec6391c5608c1d02fe5a01ae34917f44d9c
SHA256: 09cc4f14806ebe9d28db9ba476ea83e1141bc20a9fb68dab3299569b205aac20
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033917[[fn=berlin]].thmx 953.63 KB MD5: 78e7de0bdd9b5f9d5d2a01e8491010a7
SHA1: a8600cca9ba3ab9110261b649b414b03afe2bd6d
SHA256: eb90e290cf679fa12d79d6cd376eccbc7b0e8ee3061808fb060b1aee21c46d10
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033919[[fn=circuit]].thmx 1.40 MB MD5: 27aeeeb6986043d1f0cc0656979692a6
SHA1: cb834712ebb02f40b81d50dccea1daee1c7c3068
SHA256: 4c45b935ac3f9cba8c3f6c2fb97f8363a4218b7fa7844b458993938879b6ad50
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033921[[fn=damask]].thmx 2.12 MB MD5: 3af54ea85a33cdf11c23b6e772716d62
SHA1: 2cf3732ca56bf3e79e64308510ee8200a575d29a
SHA256: c39d8e49c6f2290bf0b49e7c8aa8bc7a1442746b5d7f54af5121c2aa9b5490d4
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033925[[fn=droplet]].thmx 1.67 MB MD5: b5b487bf1127e5e9fb89ad812f663737
SHA1: b8f9b7e163c4c2c16048d1d16e069cf58f481941
SHA256: 6094c1bbe2f790dd63316ed29894217bb88bc8ce6c7b97b75c472ec968536dc9
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033927[[fn=main event]].thmx 2.79 MB MD5: 1e401a3abf45626c010483d9f855b163
SHA1: a3f9a3bf86b169c80fe435f077ff500301fb808d
SHA256: d17adeb1a69b533e5a035edd68f7b1a5f5ead5e380bd36f9ee97d22c28a5ee14
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033929[[fn=slate]].thmx 2.25 MB MD5: 1042a175e6da3a9f6805a455036a35d0
SHA1: 873dfaf117ab328f82a65383ee2fcc861b2d70bd
SHA256: 8dfaa433368f1c5270eeb601cfb4639bfbbd89906954c33ee19a0b692042582a
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033937[[fn=vapor trail]].thmx 3.44 MB MD5: 09cd6c5fef59db6edc4041dfba3ceabf
SHA1: 6c171eac37805c4ff39d9cba5be52c4cc32c3ea9
SHA256: 752106fa51820cdb6131f8b5e6799e9ddbcf38725723d9c154de2d495558d4cf
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001103[[fn=headlines]].thmx 527.47 KB MD5: a836297d194c4c503a9bc50a3ddca95b
SHA1: c91cb94ff146aff8fd2fdc03432d9bdc7c6fc04b
SHA256: 8c3e08ba9888980efd267ccf4f2f52c385c66a6af7ca83d365f107f9ed88a93d
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001104[[fn=feathered]].thmx 1.96 MB MD5: aaec40687a0c14c350fb3e87373beaa2
SHA1: 894305513568b0166a8db73539acdd851f6dfdeb
SHA256: 8b65ca03dfb8ff4b41e3d79228d04707c16a0ace9deddb2ae43c2f169ef0ebb1
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001105[[fn=crop]].thmx 524.54 KB MD5: e78fd90b95e7f988ca4d1c3b9c7973a6
SHA1: aae05247c2a1efb77eb413e1b72c88129d49b0d6
SHA256: 0e9c33e540b7f477edbe51f66e657cb66669d927c4a02c453924d1525971ea64
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001106[[fn=badge]].thmx 648.88 KB MD5: 6411be3a0c2e1a6a1d1e5085b7308e33
SHA1: bad89cc54671aa6e6a2530c0f5cc39299101b252
SHA256: c53b5f4e73d481be608f8973226847026f765579bae5676af3c08a358a1c062a
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001114[[fn=gallery]].thmx 1.04 MB MD5: 02d0e2ec4a1b2441200d15d13c78fb0e
SHA1: 3507f3adc6e8376c6d493bc3d57ff191b58259e4
SHA256: efa6c75beb17d815d1b9f1c7827ef3360708b6f7c72923f7a6d254e818f6d8e8
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001115[[fn=parcel]].thmx 594.38 KB MD5: fff2b201372d6e55f09bae908cbe67f4
SHA1: 17acd170f95305cb318021092aa9fb4a502725f9
SHA256: 6f2bb3b4a9eb2edb3767b487d1e0a676997f8196cfe9a564cb7d05db5efe4222
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328884[[fn=architecture]].glox 6.16 KB MD5: 772d6728332ee7dcaefa978f7d619526
SHA1: 43428fd41980850932f93eb635e248756973d5b3
SHA256: c3006e4202e98f9de259dfa713e101c927e9a2f61e463de4c4d2b447dc8747d7
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328893[[fn=bracketlist]].glox 4.44 KB MD5: 2964d89e7fa5624f193b5e3421356ff2
SHA1: ea6522453491f420fecea5a9b635d8e2f86142ea
SHA256: d65ed93b126f50e0323e7b62228a2c58229415ee6dcf961881408b529ca0a343
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328905[[fn=chevron accent]].glox 4.65 KB MD5: 73820386b7e683d810617672f61d7cb4
SHA1: ede121741bd338fa043d291a03824fa796a02edb
SHA256: 3744650bc1dd255ff803844f5d3c3da9e195247ccb3be15f5c4c20ea80b33e25
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328908[[fn=circle process]].glox 16.92 KB MD5: 9c99af14b03a774578bbdcdcba89abef
SHA1: b2ca8688f31632d8556bc0ff6fb3be270a261893
SHA256: ab70152963ff11be4887fcee1effb82d4c582269ba861602f54e0c2ffec69f3e
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328916[[fn=converging text]].glox 11.62 KB MD5: deb4d76a922f5e2fc39962cb4c2ec2d7
SHA1: ae4c71c1bd1b5af8dc8b4af54eef6deca730b397
SHA256: 4a427dee90d445b8f03de5c4b213002274fb93efd3bbf06f3094ba7feb724a0e
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328919[[fn=hexagon radial]].glox 6.39 KB MD5: c4dda67aa7e5d72d36a94876e9711d95
SHA1: d2d03b76edc74c38dd7022c7160156439b841efa
SHA256: 3fb798e4bf4e97b1209b0269943c4422986816427c04602e8858a835d42a2130
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328925[[fn=interconnected block process]].glox 9.48 KB MD5: e0aaacd5b34969640694ed7f62577da3
SHA1: 3162a37d9dd85ed65f45fa142645fe37568f81d7
SHA256: 2ed7d0e8e3706d72826cac6a4fa465e162da114d61c2a2daaaa65998aedaa028
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328932[[fn=picture frame]].glox 4.73 KB MD5: 3af980b4d71bc4b18177fb56812d99e0
SHA1: 3b4b2df239e7847b2a39c9dd60f167e3dfe5fab9
SHA256: e1e9413054feef84971028a0899d30477e41bf512077470c0a2d8be9db0ad766
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328935[[fn=picture organization chart]].glox 7.71 KB MD5: b4a7eafaa73dcbfbf7bb0fb0ebb7911a
SHA1: 96127bd646c449be311d2e4efa7cdcc80d14461e
SHA256: 88628a74c59b9a1d511b0dc0810c76a0726f02705b38bec2f094fa5f95eec848
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328940[[fn=radial picture list]].glox 5.97 KB MD5: c4dff54b196097786103b2b835d6970d
SHA1: d8d4f808e77cb23f087fa0fd10bb5a22ad895078
SHA256: 994456267605f92d475750a67644c45adcfe8499175378c0be113d7157a6e5e2
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328951[[fn=tabbed arc]].glox 4.10 KB MD5: 52e50d6f50161753fa8bf5db8b2a0e4b
SHA1: 359809d0699f0e44af359b5b7241de0a24d1f397
SHA256: 7a21b40fe4e408aa9395d15b610d978c58bdb86bb2139fef3da700aff508a074
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328972[[fn=tab list]].glox 5.28 KB MD5: eebde2d701ced98107cf1bbe0e8d66f4
SHA1: d68bec97922786f441ef786804c453b4cbbc674c
SHA256: 12884854715ced1c27a4f5664ad3d27705fd7a4a33f3db317bb4c041072c7ed5
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328975[[fn=theme picture accent]].glox 6.80 KB MD5: 79da77240708866c579b445a81ed2e86
SHA1: e54b25b3ead25203c50cce29912806fc35105ec9
SHA256: 0c4e14787d234b453bf1a78b2f35e9ac5c7e8a65cb7fec6635bc231f07ee651f
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328983[[fn=theme picture alternating accent]].glox 6.01 KB MD5: 50fc7073da60f8438d4b79c6995609a1
SHA1: d379f5ba3b1f46faebbbd660c63354a620d199c2
SHA256: 65aded2c5fea5e30c08cba34ce811385c4e8d8ca3a7c1d40097ac8283a8be209
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328986[[fn=theme picture grid]].glox 6.56 KB MD5: 38263f80ad9d09af7ee4e3909f99ab0f
SHA1: 01400eb83072759c46d3d2d1ae926f5b2a038c4f
SHA256: 37bec650d9867c935d2f0deccad1f48f2e092c174cd6106cf801d4289814a383
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328990[[fn=varying width list]].glox 3.51 KB MD5: 389093cf1fe488a30d5938c7986ad0a3
SHA1: fc163ee1fb01a62256c6eaef7bd086c03271702e
SHA256: 30625b9f90d92d49d3c639f499bd30cee96695534fa59643eedb23df4fd6f6b6
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328998[[fn=rings]].glox 5.54 KB MD5: 71cc0ba865569bb6ea3d124fb5e05981
SHA1: 575f936a68804efb0b867f6ebe1613daff94c733
SHA256: 21a89a95cd6684b951833ffbb80a3cd9a150a82748090196c30c36892dc43367
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\normal.dotm 18.92 KB MD5: 43ffb707b9c55a00ba402953f316a0de
SHA1: 024531ca7d01ba224925d86168d17f4a258c940a
SHA256: 9ca2f367f4a33c8ecbd6096f7613063045d700376d16d3b763fe25c650e55115
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\process map for basic flowchart.xltx 107.88 KB MD5: cfff3f11564df90ddd7bb90c68354aaa
SHA1: 23a5d973ba7be5f0b55404cb1c041be00a410c9b
SHA256: ef3ab669bd245011dc693987cc375b2889ee3b85893f6976cd025975a673d362
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\process map for cross-functional flowchart.xltx 141.85 KB MD5: fd176cbe511e24a0b02eefbe0e79a9a9
SHA1: 3c4f660482de7965b4b73b257f643dd670b9fc24
SHA256: 7b372dad62c68bbf9c78d3baebdfa4cb36d50641c8fffc82be1b5aff3fe2aebf
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\stock symbols comparison.xltm 1.39 MB MD5: 573dd31e7e458801ead10b35c809cd19
SHA1: a802cfe92f34fb0ad7a43d9879fedb4d42fcfd08
SHA256: b9cd52553226be3212dc28de4fa787577481f4baa8ce24fec5de77a690beb39d
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\templates\welcome to excel.xltx 483.66 KB MD5: 0e01436b047f42ea13fa48f4487b3cec
SHA1: 7b7c3bc37c7faeb226eb94a2f2558d0d08ab9674
SHA256: 1a391984ee07ce19ccf40a942a15b86615261f635d13997fc465f6f4017f1d72
False
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\uproof\custom.dic 0.54 KB MD5: 21229a31d06ad890a2c490fd56b16aee
SHA1: 6b001aef284df6d367cf3d004d06838773cfc051
SHA256: 7b409210f81a1533d17cb211535df0e29d202ccb4d468829b5204e290f5302c4
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\crash reports\installtime20170518000419 0.52 KB MD5: 207cab16a34ad4ca2d66db680678f2e3
SHA1: 1251d9c304ad786d81f20fa5d0c8e6914e085543
SHA256: 5b0e5dbacb2964a935088220c02d88e106b76308802c083b8c3a53476fd81b6b
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\addons.json 0.53 KB MD5: 4a3691d0c347671e102107994b1f11e7
SHA1: d319c1eb1f81feab4535065554c8c5bb4e66aa1e
SHA256: 6f24c73851714dbb24d5d967b0c1a8652d91aefba30eb92c6009cd47c3785bf6
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist-addons.json 450.02 KB MD5: 24296c539ab10fb8e1f9c21ca9d39ddc
SHA1: c769b17b890ecbfb5c9c05195d37f9b465e9a92b
SHA256: f70bd2f9b538baceeff49e6ab4bd3d3512592bef71a606f20660cbdb3422e064
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist-gfx.json 27.81 KB MD5: 131935fd95112f45e8420cde08856fb3
SHA1: 335dafc6112daa5f38cc00568d8ac50f323627fa
SHA256: b81199ebd7eef7483eb975c489f5b36ab836f98c453557b7caa91991fc9bca52
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist-plugins.json 197.20 KB MD5: 322cd63770a694694c282b76a04c29b1
SHA1: eae4fecde2f020846ec8ad7a79f3620249922944
SHA256: c4fa5885a615d2d41c1c3428c09c71ef1667462017c031aaf675e40131c6dd61
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist.xml 252.41 KB MD5: 4d3dd2e8b5dcbe224b4b5df0d51813f8
SHA1: 84c4bb5f1166d9721d511f7378d30ff792282f52
SHA256: 875b8561807212a0963db3d3ed94fa404f763d6ebca54441c9d39e7f953d285e
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kl0o5i+exwq3txuldkmf9w==.jsonlz4 1.84 KB MD5: a955d58e756cfdc7be07dc11f1dd7844
SHA1: 3b030bf0938c6e5c9eb4289d31884707ac12e170
SHA256: 67c82772aed785b7ee879a67176fbb8986baf60b45ea870a7636ca659f2767c8
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\cert8.db 96.51 KB MD5: 86e3ceb419506995378046a1981adcfd
SHA1: 50cbca7862144ec3e056cd76c205fea763c35b05
SHA256: f1ae0aaf6a29ee8b8822ad56f032b43c778afc6c49326a65674a1fca1cc8b1bc
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\compatibility.ini 0.71 KB MD5: 14ec5701b2c0ca06770a40d570006f8e
SHA1: 604b7e123e9879dc16a4b4f4f5e826dffcfb027b
SHA256: da5a851219a5993f41cf0f9f2a96fa1248b757e9118ff84963d397287af682cd
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\containers.json 1.30 KB MD5: 0376671d79c08a604a1e2bfa737fa240
SHA1: f3867920bcf15054b2df83eef9e051f01c88e026
SHA256: fbe91ee91c192e562b545111df2688b7b1e96905bbf218e972745194f592f230
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\content-prefs.sqlite 224.51 KB MD5: e5f778dc8aafd376c8ed3cbd7514cd40
SHA1: ba249d198c3ded6340886df30f0d51d7967f5b0d
SHA256: 346bf8cc7c64427b141194b1a6957de8eaafc5208c22a065bb26e167d201ec29
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\cookies.sqlite 512.51 KB MD5: 65845903f7700333de8ec73983d71e64
SHA1: 8f18d12c4103d5a4a32691d93eea3abd942571c6
SHA256: 2f05fcf77a6c291a5815f63ab50a5957e2c311714821adf84f47647f4c4da4e3
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\crashes\store.json.mozlz4 0.57 KB MD5: 362bc7bf855de20bf96075b9bd148e98
SHA1: 5e79eb1b6c43d5cae0d8372161927b42d0632562
SHA256: 007b086bd585a44bd1d92f977be760611649f26476c65a73edf24ce966ba29a5
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4 6.05 KB MD5: 19c342a7e6b03440618ee07859af5a0f
SHA1: 53e85149db9d3034612981bdda10bdd0e12b7f70
SHA256: f0aed7beda6280824f7bdcfdd53bee0e9b7ee97538ac6b39b4db8bfad2bf5cb2
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4 5.38 KB MD5: 198023d134de522fb9b7e828bb05960a
SHA1: 258061a2cb457a10c3dcc40f47f1067aa60433ae
SHA256: 6c866cf56dc2175fe663407e54ffe0c62ed7789fd6929aab183ece69b1c5a790
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4 5.51 KB MD5: 26d0230b0bb5035f10e4e936f39a65a8
SHA1: 2e18d505b0771b73431a0db76553f1241099f98e
SHA256: a3b2c0486d193621053cf5e694ff641db14c83b539e3f97410487ec57c5bd734
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4 5.68 KB MD5: e4daf0adf8f5a3056819c362a01c30bb
SHA1: be0800f29e1ed1ca7d063d526a58fe8fc9ebd8c9
SHA256: fb2792b99b95dd008ad19f928c288c9a4b9ac80f3928d5d35dcb4136f040f1ec
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4 5.66 KB MD5: 91c11f6e2bfc77cb9db8ce4558fa3b04
SHA1: 8bbdacc33bc015db92ed05b9b8d2a1e96eaf9853
SHA256: ca10d0d2086901abbb2fc80d8cecc8b72a94645d4b9acb3a51bfb97667547732
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4 6.54 KB MD5: cde96802c88f853f27e0237defff402d
SHA1: fb0176870e6c42f750e1082e64cde35ef2e8847f
SHA256: e5285a21d65d96e035f8c8a8f5d8dce9ae1583e94e1a2ce8c32a191f36d8b3d1
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4 5.56 KB MD5: c6f9c84ac88e05a693c20628dff3f884
SHA1: e218cb870985208817f71a0bfcf3cdb82f8be609
SHA256: db5d1c74d91b8d25ebf63562f2417f33f702e136c6fc19232b0ba5d10b3d93b7
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\session-state.json 0.64 KB MD5: 9674985b0dfd469cc09b719f40b3be54
SHA1: c8d142672eabfc484b7001bdc5cb08230c41ed84
SHA256: 2570c64d2bb47abe66c634c0509ad5d0562e6ae3b55c64efa675783d7972f0ab
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\state.json 0.56 KB MD5: bbe7dd74d012f52e98c2c65c86933b12
SHA1: 794e56131252b984228ac5c4f65d4883cac5ffab
SHA256: 72e3297d284cd32ac80064a0629551cf678c025ee2ae9ca0b4befc872b5d99cd
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\extensions.ini 0.69 KB MD5: 460610eaf33816f4b994113d8fa9362c
SHA1: 20292e4c0e9abe636d30b25d0b388cf7b821c6fc
SHA256: 94faa02330713a0d975c7f97e512dcca7a335adb3b72be95cdab81373fcd7e11
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\extensions.json 6.30 KB MD5: a01af3f7267be03c7c19e3fd2e82971e
SHA1: 2a2251bba4b85e876de23c44c240c2b8bf4af4bd
SHA256: cc1ae8304d7c2d96362058e078dd707dbd058ef6e69c52fac46b3530a7ee7cc5
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\formhistory.sqlite 192.51 KB MD5: 5d6c6aa3182c751c6028ae7be32b254e
SHA1: 1b3681de81a053c0ef28237f2199075c650e9215
SHA256: 14ddaafd3df7721baa07c2c2252e03e6668b50522a1f477176c927cef76be403
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info 0.62 KB MD5: 21b216b20b7a6442eeb7de398bd57c9f
SHA1: 9305a3fddf488acb2a78e099afb7bf2f853f1ad6
SHA256: 3a84af64a82a6b5a3c6b713aa94baf9a2b7307e09e8bc36cb1af5876a0067ac5
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\license.txt 0.98 KB MD5: 8635a1c4bb84685e526fe3786ed006d0
SHA1: 361df376b85110416c860f3592a2d42d00729518
SHA256: f4b137f4376ce6481960da092321dc87d66f862d4119fa3b84bd3b67c9123367
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json 0.85 KB MD5: 3e04d664bf925c6b25e558d3d49cab9e
SHA1: f7afe1d712c5c4a9ea92e3521c0fd3295698c06e
SHA256: af96dc4614a4600a37baa8a8dcfb3a882d4c6524a8c5b0755706cf692ad50635
False
c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib 2.92 KB MD5: 2963c2e52951e348487397be39c73dc3
SHA1: c6e3a651ccc6a46fcfd1ee2c34a02ec7773c8c57
SHA256: f64f3384e841335c5dfcd58e24924ff31c071e47ef94d10184048b151b6f13fa
False
Threads
Thread 0x84
242 0
»
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77670000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x7768a330 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x77687580 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x77689910 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x7768f400 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77670000 True 1
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Get Filename process_name = c:\users\ciihmnxmn6ps\desktop\1.pdf.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\1.pdf.exe, size = 260 True 1
Fn
Module Get Handle module_name = mevumavizaseha.dll, base_address = 0x0 False 249
Fn
System Get Time type = Ticks, time = 117359 True 1
Fn
Module Load module_name = kernel32.dll, base_address = 0x77670000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x77688c50 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x7768d8d0 True 1
Fn
Module Load module_name = kernel32.dll, base_address = 0x77670000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x77688b70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x77688c50 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x77688c70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExA, address_out = 0x77689fe0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x7768fbc0 True 1
Fn
System Get Info type = Operating System True 1
Fn
Module Load module_name = KERNEL32.dll, base_address = 0x77670000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemDirectoryW, address_out = 0x77689a90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x7768fbc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x77689560 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x77ca2570 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x77682d60 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x77682d80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualUnlock, address_out = 0x7768fac0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemInfo, address_out = 0x7768a1f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForMultipleObjects, address_out = 0x776960f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiW, address_out = 0x77687540 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x776ad320 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetUserDefaultUILanguage, address_out = 0x7768a6f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DeleteCriticalSection, address_out = 0x77c99920 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetShortPathNameW, address_out = 0x776843f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetWindowsDirectoryW, address_out = 0x77694cc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x776ad410 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetVolumeInformationW, address_out = 0x77696450 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x77689700 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyA, address_out = 0x7768e320 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x7768c8c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Process32FirstW, address_out = 0x7768ee30 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Process32NextW, address_out = 0x7768c9b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x77697510 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x77693a30 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x776892b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EnterCriticalSection, address_out = 0x77c85e80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualLock, address_out = 0x776b29e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x77696250 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpW, address_out = 0x776878d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MoveFileW, address_out = 0x7768a770 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x776961d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x77696290 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTime, address_out = 0x77694a60 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x7768a410 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDriveTypeW, address_out = 0x77696300 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x77689660 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x77687940 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDiskFreeSpaceW, address_out = 0x776962e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VerSetConditionMask, address_out = 0x77c953c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x77682da0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VerifyVersionInfoW, address_out = 0x77687960 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x7768d8d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LocalAlloc, address_out = 0x77688840 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x77689640 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LocalFree, address_out = 0x776887c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetStdHandle, address_out = 0x776b26a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleMode, address_out = 0x77696870 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleCP, address_out = 0x77696860 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSection, address_out = 0x77c995f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDriveTypeA, address_out = 0x776962f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineA, address_out = 0x7768a3c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x77687910 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x77688c70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameW, address_out = 0x77693e90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x77696110 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x77688b70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetErrorMode, address_out = 0x77688bf0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemDefaultUILanguage, address_out = 0x7768a840 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x776974f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x77695f20 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x77682db0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x77696180 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x776964a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x776877b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x77696590 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointerEx, address_out = 0x77696540 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LeaveCriticalSection, address_out = 0x77c85e00 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x776962a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = OutputDebugStringW, address_out = 0x776b1c30 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x77c7da90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = RtlUnwind, address_out = 0x77689a80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryExW, address_out = 0x77687920 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetStdHandle, address_out = 0x7768a060 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringW, address_out = 0x77689a40 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x77689680 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsValidCodePage, address_out = 0x7768a090 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetACP, address_out = 0x77688770 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetOEMCP, address_out = 0x7768fd10 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCPInfo, address_out = 0x77689fc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x77682af0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThreadId, address_out = 0x77681b90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c9f190 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77c9a200 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleExW, address_out = 0x77689fa0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WideCharToMultiByte, address_out = 0x776875a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x776825e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetStringTypeW, address_out = 0x776879b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x776b28e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x7768a2c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionAndSpinCount, address_out = 0x77696020 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsGetValue, address_out = 0x77681ba0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsSetValue, address_out = 0x77681da0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7768a790 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteConsoleW, address_out = 0x77696920 True 1
Fn
Module Load module_name = USER32.dll, base_address = 0x74d70000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = wsprintfW, address_out = 0x74d9ddf0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetForegroundWindow, address_out = 0x74da50f0 True 1
Fn
Module Load module_name = ADVAPI32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGetKeyParam, address_out = 0x779c5c90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetTokenInformation, address_out = 0x779aed40 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthorityCount, address_out = 0x779b0f50 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthority, address_out = 0x779b0ea0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = OpenProcessToken, address_out = 0x779aee90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameW, address_out = 0x779b0ee0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptDestroyKey, address_out = 0x779afc10 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenKey, address_out = 0x779b3fd0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x779c5bd0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptImportKey, address_out = 0x779af890 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x779b0ad0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextW, address_out = 0x779b0730 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptExportKey, address_out = 0x779af8f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x779af0a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x779aefa0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExW, address_out = 0x779aed80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x779aed60 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyExW, address_out = 0x779af550 True 1
Fn
Module Load module_name = SHELL32.dll, base_address = 0x755b0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = SHGetSpecialFolderPathW, address_out = 0x7573edb0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteW, address_out = 0x75744370 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x75744cb0 True 1
Fn
Module Load module_name = MPR.dll, base_address = 0x74b70000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\mpr.dll, function = WNetOpenEnumW, address_out = 0x74b73810 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\mpr.dll, function = WNetEnumResourceW, address_out = 0x74b732d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\mpr.dll, function = WNetCloseEnum, address_out = 0x74b73710 True 1
Fn
Module Load module_name = msvcr100.dll, base_address = 0x74ab0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\msvcr100.dll, function = atexit, address_out = 0x74acc544 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 1, data = 48 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 2, data = 48 False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 3, data = 48 False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 4, data = 48 False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 5, data = 48 False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 6, data = 48 False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 7, data = 48 False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 8, data = 48 False 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\ProgramData\696526F7.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_DELETE_ON_CLOSE True 1
Fn
System Get Computer Name result_out = LHNIWSJ True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Control Panel\International True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Control Panel\International, value_name = LocaleName, data = 101 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 1, data = 48 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 2, data = 48 False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = productName, data = 87 True 1
Fn
System Get Info type = Hardware Information True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77c40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77c66b10 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\SOFTWARE\keys_data\data False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Registry Create Key reg_name = HKEY_CURRENT_USER\SOFTWARE\keys_data\data True 1
Fn
Registry Write Value reg_name = HKEY_CURRENT_USER\SOFTWARE\keys_data\data, value_name = public, size = 276, type = REG_BINARY True 1
Fn
Data
Registry Write Value reg_name = HKEY_CURRENT_USER\SOFTWARE\keys_data\data, value_name = private, size = 1688, type = REG_BINARY True 1
Fn
Data
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77c40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77c66b10 True 1
Fn
System Get Info type = Hardware Information True 1
Fn
System Sleep duration = -1 (infinite) True 1
Fn
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Process Create process_name = C:\Windows\system32\wbem\wmic.exe, show_window = SW_HIDE True 1
Fn
Module Get Filename module_name = mevumavizaseha.dll, process_name = c:\users\ciihmnxmn6ps\desktop\1.pdf.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\1.pdf.exe, size = 512 True 1
Fn
Process Create process_name = cmd.exe, show_window = SW_HIDE True 1
Fn
Thread 0x278
1 0
»
Category Operation Information Success Count Logfile
System Get Computer Name result_out = LHNIWSJ True 1
Fn
Thread 0x344
6165 0
»
Category Operation Information Success Count Logfile
File Create filename = C:\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
Data
System Get Time type = System Time, time = 2018-07-02 20:32:55 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\$Recycle.Bin\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\$Recycle.Bin\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
Data
System Get Time type = System Time, time = 2018-07-02 20:32:55 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\$Recycle.Bin\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\$Recycle.Bin\S-1-5-18\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\$Recycle.Bin\S-1-5-18\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
Data
System Get Time type = System Time, time = 2018-07-02 20:32:55 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\$Recycle.Bin\S-1-5-18\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\$Recycle.Bin\S-1-5-21-1462094071-1423818996-289466292-1000\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\$Recycle.Bin\S-1-5-21-1462094071-1423818996-289466292-1000\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
Data
System Get Time type = System Time, time = 2018-07-02 20:32:55 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\$Recycle.Bin\S-1-5-21-1462094071-1423818996-289466292-1000\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\bootmgr, desired_access = GENERIC_WRITE, GENERIC_READ False 1
Fn
File Create filename = C:\Documents and Settings\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Documents and Settings\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
Data
System Get Time type = System Time, time = 2018-07-02 20:32:55 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Documents and Settings\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\PerfLogs\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\PerfLogs\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
Data
System Get Time type = System Time, time = 2018-07-02 20:32:55 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\PerfLogs\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\Program Files\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Program Files\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
Data
System Get Time type = System Time, time = 2018-07-02 20:32:55 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Program Files\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\Program Files (x86)\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Program Files (x86)\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
Data
System Get Time type = System Time, time = 2018-07-02 20:32:56 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Program Files (x86)\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\Recovery\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Recovery\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
Data
System Get Time type = System Time, time = 2018-07-02 20:32:56 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Recovery\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\Recovery\WindowsRE\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Recovery\WindowsRE\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
Data
System Get Time type = System Time, time = 2018-07-02 20:32:56 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Recovery\WindowsRE\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Recovery\WindowsRE\boot.sdi, desired_access = GENERIC_WRITE, GENERIC_READ True 1
Fn
File Read filename = C:\Recovery\WindowsRE\boot.sdi, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\boot.sdi, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\boot.sdi, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\boot.sdi, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\boot.sdi, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\boot.sdi, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\boot.sdi, size = 1048576, size_out = 24576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\boot.sdi, size = 24576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\boot.sdi, size = 520 True 1
Fn
Data
File Move source_filename = C:\Recovery\WindowsRE\boot.sdi, destination_filename = C:\Recovery\WindowsRE\boot.sdi.KRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Recovery\WindowsRE\ReAgent.xml, desired_access = GENERIC_WRITE, GENERIC_READ True 1
Fn
File Read filename = C:\Recovery\WindowsRE\ReAgent.xml, size = 1048576, size_out = 1041 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\ReAgent.xml, size = 1041 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\ReAgent.xml, size = 520 True 1
Fn
Data
File Move source_filename = C:\Recovery\WindowsRE\ReAgent.xml, destination_filename = C:\Recovery\WindowsRE\ReAgent.xml.KRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Recovery\WindowsRE\Winre.wim, desired_access = GENERIC_WRITE, GENERIC_READ True 1
Fn
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\WindowsRE\Winre.wim, size = 1048576, size_out = 818707 True 1
Fn
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 818707 True 1
Fn
File Write filename = C:\Recovery\WindowsRE\Winre.wim, size = 520 True 1
Fn
File Move source_filename = C:\Recovery\WindowsRE\Winre.wim, destination_filename = C:\Recovery\WindowsRE\Winre.wim.KRAB True 1
Fn
File Create filename = C:\System Volume Information\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE False 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:08 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\System Volume Information\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Fn
File Create filename = C:\Users\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE False 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:08 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:08 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:08 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:09 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\0OT50G8.wav, desired_access = GENERIC_WRITE, GENERIC_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\0OT50G8.wav, size = 1048576, size_out = 44694 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\0OT50G8.wav, size = 44694 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\0OT50G8.wav, size = 520 True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\0OT50G8.wav, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\0OT50G8.wav.KRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6PfBsV9Hp6f.png, desired_access = GENERIC_WRITE, GENERIC_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6PfBsV9Hp6f.png, size = 1048576, size_out = 96419 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6PfBsV9Hp6f.png, size = 96419 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6PfBsV9Hp6f.png, size = 520 True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6PfBsV9Hp6f.png, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6PfBsV9Hp6f.png.KRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\8oBl9.mp3, desired_access = GENERIC_WRITE, GENERIC_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\8oBl9.mp3, size = 1048576, size_out = 7146 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\8oBl9.mp3, size = 7146 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\8oBl9.mp3, size = 520 True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\8oBl9.mp3, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\8oBl9.mp3.KRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\9wgle6YHQ.wav, desired_access = GENERIC_WRITE, GENERIC_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\9wgle6YHQ.wav, size = 1048576, size_out = 97698 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\9wgle6YHQ.wav, size = 97698 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\9wgle6YHQ.wav, size = 520 True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\9wgle6YHQ.wav, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\9wgle6YHQ.wav.KRAB True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:09 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:09 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:09 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Collab\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Collab\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:10 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Collab\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Forms\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Forms\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:10 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Forms\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:10 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData, desired_access = GENERIC_WRITE, GENERIC_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData, size = 1048576, size_out = 22 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData, size = 22 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData, size = 520 True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData.KRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings, desired_access = GENERIC_WRITE, GENERIC_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings, size = 1048576, size_out = 24 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings, size = 24 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings, size = 520 True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings.KRAB True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:10 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata, desired_access = GENERIC_WRITE, GENERIC_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata, size = 1048576, size_out = 10895 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata, size = 10895 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata, size = 520 True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata.KRAB True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:10 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl, desired_access = GENERIC_WRITE, GENERIC_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl, size = 1048576, size_out = 637 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl, size = 637 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl, size = 520 True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl.KRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl, desired_access = GENERIC_WRITE, GENERIC_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl, size = 1048576, size_out = 425 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl, size = 425 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl, size = 520 True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl.KRAB True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:10 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\AssetCache\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\AssetCache\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:10 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\AssetCache\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\AssetCache\NAHQNPMN\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\AssetCache\NAHQNPMN\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:10 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\AssetCache\NAHQNPMN\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\NativeCache\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\NativeCache\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:10 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\NativeCache\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Headlights\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Headlights\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:10 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Headlights\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Linguistics\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Linguistics\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:10 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Linguistics\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:10 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\Logs\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\Logs\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:10 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\Logs\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg, desired_access = GENERIC_WRITE, GENERIC_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg, size = 1048576, size_out = 216 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg, size = 216 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg, size = 520 True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg.KRAB True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:10 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:10 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml, desired_access = GENERIC_WRITE, GENERIC_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml, size = 1048576, size_out = 18761 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml, size = 18761 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml, size = 520 True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml.KRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DJuQBAvyPtZZ.pptx, desired_access = GENERIC_WRITE, GENERIC_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DJuQBAvyPtZZ.pptx, size = 1048576, size_out = 90916 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DJuQBAvyPtZZ.pptx, size = 90916 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DJuQBAvyPtZZ.pptx, size = 520 True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DJuQBAvyPtZZ.pptx, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DJuQBAvyPtZZ.pptx.KRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\dThsP.wav, desired_access = GENERIC_WRITE, GENERIC_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\dThsP.wav, size = 1048576, size_out = 56543 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\dThsP.wav, size = 56543 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\dThsP.wav, size = 520 True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\dThsP.wav, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\dThsP.wav.KRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\E5MdCUm.wav, desired_access = GENERIC_WRITE, GENERIC_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\E5MdCUm.wav, size = 1048576, size_out = 80130 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\E5MdCUm.wav, size = 80130 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\E5MdCUm.wav, size = 520 True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\E5MdCUm.wav, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\E5MdCUm.wav.KRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\G6vvpxdmqfLeC5.wav, desired_access = GENERIC_WRITE, GENERIC_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\G6vvpxdmqfLeC5.wav, size = 1048576, size_out = 81696 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\G6vvpxdmqfLeC5.wav, size = 81696 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\G6vvpxdmqfLeC5.wav, size = 520 True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\G6vvpxdmqfLeC5.wav, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\G6vvpxdmqfLeC5.wav.KRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\gR1x5 NpK8rRLq.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\gR1x5 NpK8rRLq.xlsx, size = 1048576, size_out = 93095 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\gR1x5 NpK8rRLq.xlsx, size = 93095 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\gR1x5 NpK8rRLq.xlsx, size = 520 True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\gR1x5 NpK8rRLq.xlsx, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\gR1x5 NpK8rRLq.xlsx.KRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\GzYcNwMxpfth1h.mkv, desired_access = GENERIC_WRITE, GENERIC_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\GzYcNwMxpfth1h.mkv, size = 1048576, size_out = 16285 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\GzYcNwMxpfth1h.mkv, size = 16285 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\GzYcNwMxpfth1h.mkv, size = 520 True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\GzYcNwMxpfth1h.mkv, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\GzYcNwMxpfth1h.mkv.KRAB True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Identities\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Identities\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:10 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Identities\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Identities\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Identities\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:10 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Identities\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\IhlU8dqSTp.avi, desired_access = GENERIC_WRITE, GENERIC_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\IhlU8dqSTp.avi, size = 1048576, size_out = 68251 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\IhlU8dqSTp.avi, size = 68251 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\IhlU8dqSTp.avi, size = 520 True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\IhlU8dqSTp.avi, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\IhlU8dqSTp.avi.KRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ja BMEC_cLXVh.png, desired_access = GENERIC_WRITE, GENERIC_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ja BMEC_cLXVh.png, size = 1048576, size_out = 6153 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ja BMEC_cLXVh.png, size = 6153 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ja BMEC_cLXVh.png, size = 520 True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ja BMEC_cLXVh.png, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ja BMEC_cLXVh.png.KRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\KwagH0pyaU.doc, desired_access = GENERIC_WRITE, GENERIC_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\KwagH0pyaU.doc, size = 1048576, size_out = 73893 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\KwagH0pyaU.doc, size = 73893 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\KwagH0pyaU.doc, size = 520 True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\KwagH0pyaU.doc, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\KwagH0pyaU.doc.KRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77990000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x779b0df0 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\LN5cLLd3J4VLr4b.xls, desired_access = GENERIC_WRITE, GENERIC_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\LN5cLLd3J4VLr4b.xls, size = 1048576, size_out = 1617 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\LN5cLLd3J4VLr4b.xls, size = 1617 True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\LN5cLLd3J4VLr4b.xls, size = 520 True 1
Fn
File Move source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\LN5cLLd3J4VLr4b.xls, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\LN5cLLd3J4VLr4b.xls.KRAB True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:11 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:11 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:11 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\DQQHJZ8C\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\DQQHJZ8C\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:11 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\DQQHJZ8C\d2ca4a08d2ca4dee6a.lock, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\\KRAB-DECRYPT.txt, desired_access = GENERIC_WRITE True 1
Fn
File Write filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\\KRAB-DECRYPT.txt, size = 7974 True 1
Fn
System Get Time type = System Time, time = 2018-07-02 20:33:11 (UTC) True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
For performance reasons, the remaining 4379 entries are omitted.
The remaining entries can be found in glog.xml.
Process #2: wmic.exe
16 0
»
Information Value
ID #2
File Name c:\windows\syswow64\wbem\wmic.exe
Command Line "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:15:41, Reason: Terminated by Timeout
Monitor Duration 00:14:00
OS Process Information
»
Information Value
PID 0xa7c
Parent PID 0x450 (c:\users\ciihmnxmn6ps\desktop\1.pdf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 524
0x A58
0x 9F4
0x BD4
0x 3C0
0x 620
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x00000000002f0000 0x002f0000 0x0030ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000002f0000 0x002f0000 0x002fffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000300000 0x00300000 0x00303fff Private Memory Readable, Writable True False False -
private_0x0000000000310000 0x00310000 0x00311fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000310000 0x00310000 0x00310fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000320000 0x00320000 0x00333fff Pagefile Backed Memory Readable True False False -
private_0x0000000000340000 0x00340000 0x0037ffff Private Memory Readable, Writable True False False -
private_0x0000000000380000 0x00380000 0x003bffff Private Memory Readable, Writable True False False -
pagefile_0x00000000003c0000 0x003c0000 0x003c3fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000003d0000 0x003d0000 0x003d0fff Pagefile Backed Memory Readable True False False -
private_0x00000000003e0000 0x003e0000 0x003e1fff Private Memory Readable, Writable True False False -
locale.nls 0x003f0000 0x004adfff Memory Mapped File Readable False False False -
pagefile_0x00000000004b0000 0x004b0000 0x004b0fff Pagefile Backed Memory Readable True False False -
private_0x00000000004c0000 0x004c0000 0x004c3fff Private Memory Readable, Writable True False False -
private_0x00000000004d0000 0x004d0000 0x004dffff Private Memory Readable, Writable True False False -
private_0x00000000004e0000 0x004e0000 0x004effff Private Memory Readable, Writable True False False -
private_0x00000000004f0000 0x004f0000 0x0052ffff Private Memory Readable, Writable True False False -
private_0x0000000000530000 0x00530000 0x0056ffff Private Memory Readable, Writable True False False -
private_0x0000000000570000 0x00570000 0x0066ffff Private Memory Readable, Writable True False False -
private_0x0000000000670000 0x00670000 0x006affff Private Memory Readable, Writable True False False -
private_0x00000000006b0000 0x006b0000 0x006effff Private Memory Readable, Writable True False False -
sortdefault.nls 0x006f0000 0x00a26fff Memory Mapped File Readable False False False -
ole32.dll 0x00a30000 0x00b18fff Memory Mapped File Readable False False False -
private_0x0000000000a30000 0x00a30000 0x00aaffff Private Memory Readable, Writable True False False -
private_0x0000000000a30000 0x00a30000 0x00a9ffff Private Memory Readable, Writable True False False -
msxml3r.dll 0x00a30000 0x00a30fff Memory Mapped File Readable False False False -
private_0x0000000000a40000 0x00a40000 0x00a5ffff Private Memory - True False False -
imm32.dll 0x00a60000 0x00a89fff Memory Mapped File Readable False False False -
wmic.exe.mui 0x00a60000 0x00a6ffff Memory Mapped File Readable False False False -
private_0x0000000000a70000 0x00a70000 0x00a70fff Private Memory Readable, Writable True False False -
private_0x0000000000a80000 0x00a80000 0x00a80fff Private Memory Readable, Writable True False False -
private_0x0000000000a90000 0x00a90000 0x00a9ffff Private Memory Readable, Writable True False False -
private_0x0000000000aa0000 0x00aa0000 0x00aaffff Private Memory Readable, Writable True False False -
private_0x0000000000ab0000 0x00ab0000 0x00bfffff Private Memory Readable, Writable True False False -
private_0x0000000000ab0000 0x00ab0000 0x00b7ffff Private Memory Readable, Writable True False False -
private_0x0000000000ab0000 0x00ab0000 0x00b0ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000ab0000 0x00ab0000 0x00ab0fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000ab0000 0x00ab0000 0x00ab3fff Pagefile Backed Memory Readable True False False -
private_0x0000000000ac0000 0x00ac0000 0x00afffff Private Memory Readable, Writable True False False -
private_0x0000000000b00000 0x00b00000 0x00b0ffff Private Memory Readable, Writable True False False -
private_0x0000000000b10000 0x00b10000 0x00b4ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000b50000 0x00b50000 0x00b5cfff Pagefile Backed Memory Readable, Writable True False False -
wmiutils.dll.mui 0x00b50000 0x00b54fff Memory Mapped File Readable False False False -
private_0x0000000000b70000 0x00b70000 0x00b7ffff Private Memory Readable, Writable True False False -
private_0x0000000000b80000 0x00b80000 0x00bbffff Private Memory Readable, Writable True False False -
private_0x0000000000bf0000 0x00bf0000 0x00bfffff Private Memory Readable, Writable True False False -
private_0x0000000000c00000 0x00c00000 0x00d7ffff Private Memory Readable, Writable True False False -
kernelbase.dll.mui 0x00c00000 0x00cdefff Memory Mapped File Readable False False False -
private_0x0000000000ce0000 0x00ce0000 0x00d1ffff Private Memory Readable, Writable True False False -
private_0x0000000000d20000 0x00d20000 0x00d5ffff Private Memory Readable, Writable True False False -
private_0x0000000000d70000 0x00d70000 0x00d7ffff Private Memory Readable, Writable True False False -
wmic.exe 0x00d90000 0x00df3fff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x0000000000e00000 0x00e00000 0x04dfffff Pagefile Backed Memory - True False False -
private_0x0000000004e00000 0x04e00000 0x051fffff Private Memory Readable, Writable True False False -
pagefile_0x0000000005200000 0x05200000 0x05387fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000005390000 0x05390000 0x05510fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000005520000 0x05520000 0x0691ffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000006920000 0x06920000 0x069d7fff Pagefile Backed Memory Readable True False False -
private_0x00000000069e0000 0x069e0000 0x06adffff Private Memory Readable, Writable True False False -
private_0x0000000006ae0000 0x06ae0000 0x06b1ffff Private Memory Readable, Writable True False False -
wow64.dll 0x59300000 0x5934efff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x59350000 0x59357fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x59360000 0x593d2fff Memory Mapped File Readable, Writable, Executable False False False -
fastprox.dll 0x740b0000 0x7416bfff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x74170000 0x74393fff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x743a0000 0x74660fff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x74670000 0x747cffff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x747d0000 0x747fffff Memory Mapped File Readable, Writable, Executable False False False -
wmiutils.dll 0x74870000 0x7488dfff Memory Mapped File Readable, Writable, Executable False False False -
wbemsvc.dll 0x748b0000 0x748c0fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x748d0000 0x748fefff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74900000 0x74912fff Memory Mapped File Readable, Writable, Executable False False False -
msxml3.dll 0x74920000 0x74aaffff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x74ab0000 0x74acafff Memory Mapped File Readable, Writable, Executable False False False -
wbemcomn.dll 0x74ad0000 0x74b35fff Memory Mapped File Readable, Writable, Executable False False False -
wbemprox.dll 0x74b40000 0x74b4cfff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x74b50000 0x74b57fff Memory Mapped File Readable, Writable, Executable False False False -
framedynos.dll 0x74b60000 0x74b9efff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x74ba0000 0x74bbcfff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74bc0000 0x74c34fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x74ce0000 0x74d38fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74d40000 0x74d49fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74d50000 0x74d6dfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x74d70000 0x74eaffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x75080000 0x750c3fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76970000 0x76ae5fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x76ca0000 0x76decfff Memory Mapped File Readable, Writable, Executable False False False -
kernel.appcore.dll 0x76f60000 0x76f6bfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76f70000 0x7708ffff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x77090000 0x77249fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x77250000 0x77292fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x77430000 0x77519fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x775e0000 0x7760afff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x77670000 0x7775ffff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x77760000 0x777e1fff Memory Mapped File Readable, Writable, Executable False False False -
shcore.dll 0x778a0000 0x7792cfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x77930000 0x7798bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77990000 0x77a0afff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77a10000 0x77acdfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x77ad0000 0x77ad6fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77af0000 0x77b9bfff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x77ba0000 0x77c31fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c40000 0x77db8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007f597000 0x7f597000 0x7f599fff Private Memory Readable, Writable True False False -
private_0x000000007f59a000 0x7f59a000 0x7f59cfff Private Memory Readable, Writable True False False -
private_0x000000007f59d000 0x7f59d000 0x7f59ffff Private Memory Readable, Writable True False False -
pagefile_0x000000007f5a0000 0x7f5a0000 0x7f69ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007f6a0000 0x7f6a0000 0x7f6c2fff Pagefile Backed Memory Readable True False False -
private_0x000000007f6c5000 0x7f6c5000 0x7f6c7fff Private Memory Readable, Writable True False False -
private_0x000000007f6c8000 0x7f6c8000 0x7f6cafff Private Memory Readable, Writable True False False -
private_0x000000007f6cb000 0x7f6cb000 0x7f6cdfff Private Memory Readable, Writable True False False -
private_0x000000007f6ce000 0x7f6ce000 0x7f6cefff Private Memory Readable, Writable True False False -
private_0x000000007f6cf000 0x7f6cf000 0x7f6cffff Private Memory Readable, Writable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7dfc03e6ffff Private Memory Readable True False False -
pagefile_0x00007dfc03e70000 0x7dfc03e70000 0x7ffc03e6ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ffc03e70000 0x7ffc04031fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffc04032000 0x7ffc04032000 0x7ffffffeffff Private Memory Readable True False False -
Threads
Thread 0x524
16 0
»
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\windows\syswow64\wbem\wmic.exe, base_address = 0xd90000 True 1
Fn
COM Create interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
System Get Computer Name result_out = LHNIWSJ True 1
Fn
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Logging, data = 48 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Logging Directory True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Logging Directory, data = 37 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Log File Max Size, data = 54 True 1
Fn
COM Create interface = 2933BF95-7B36-11D2-B20E-00C04F983E60, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
System Get Time type = Local Time, time = 2018-07-03 06:34:08 (Local Time) True 1
Fn
COM Create interface = EB87E1BC-3233-11D2-AEC9-00C04FB68820, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Process #4: cmd.exe
59 0
»
Information Value
ID #4
File Name c:\windows\syswow64\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /c timeout -c 5 & del "C:\Users\CIiHmnxMn6Ps\Desktop\1.pdf.exe" /f /q
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:01:47, Reason: Child Process
Unmonitor End Time: 00:15:41, Reason: Terminated by Timeout
Monitor Duration 00:13:54
OS Process Information
»
Information Value
PID 0x930
Parent PID 0x450 (c:\users\ciihmnxmn6ps\desktop\1.pdf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 954
0x A84
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
cmd.exe 0x00060000 0x000affff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x0000000000610000 0x00610000 0x0460ffff Pagefile Backed Memory - True False False -
private_0x0000000004610000 0x04610000 0x0462ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000004610000 0x04610000 0x0461ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000004620000 0x04620000 0x04623fff Private Memory Readable, Writable True False False -
private_0x0000000004630000 0x04630000 0x04631fff Private Memory Readable, Writable True False False -
private_0x0000000004630000 0x04630000 0x0463ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000004640000 0x04640000 0x04653fff Pagefile Backed Memory Readable True False False -
private_0x0000000004660000 0x04660000 0x0469ffff Private Memory Readable, Writable True False False -
private_0x00000000046a0000 0x046a0000 0x0479ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000047a0000 0x047a0000 0x047a3fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000047b0000 0x047b0000 0x047b0fff Pagefile Backed Memory Readable True False False -
private_0x00000000047c0000 0x047c0000 0x047c1fff Private Memory Readable, Writable True False False -
private_0x00000000047d0000 0x047d0000 0x047d3fff Private Memory Readable, Writable True False False -
private_0x00000000047e0000 0x047e0000 0x047effff Private Memory Readable, Writable True False False -
locale.nls 0x047f0000 0x048adfff Memory Mapped File Readable False False False -
private_0x00000000048b0000 0x048b0000 0x048effff Private Memory Readable, Writable True False False -
private_0x0000000004990000 0x04990000 0x04a8ffff Private Memory Readable, Writable True False False -
private_0x0000000004a90000 0x04a90000 0x04b8ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x04b90000 0x04ec6fff Memory Mapped File Readable False False False -
wow64.dll 0x59300000 0x5934efff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x59350000 0x59357fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x59360000 0x593d2fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76970000 0x76ae5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x77670000 0x7775ffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77a10000 0x77acdfff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c40000 0x77db8fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007e850000 0x7e850000 0x7e94ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007e950000 0x7e950000 0x7e972fff Pagefile Backed Memory Readable True False False -
private_0x000000007e977000 0x7e977000 0x7e977fff Private Memory Readable, Writable True False False -
private_0x000000007e979000 0x7e979000 0x7e97bfff Private Memory Readable, Writable True False False -
private_0x000000007e97c000 0x7e97c000 0x7e97efff Private Memory Readable, Writable True False False -
private_0x000000007e97f000 0x7e97f000 0x7e97ffff Private Memory Readable, Writable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7dfc03e6ffff Private Memory Readable True False False -
pagefile_0x00007dfc03e70000 0x7dfc03e70000 0x7ffc03e6ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ffc03e70000 0x7ffc04031fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffc04032000 0x7ffc04032000 0x7ffffffeffff Private Memory Readable True False False -
Threads
Thread 0x954
59 0
»
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\windows\syswow64\cmd.exe, base_address = 0x60000 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77670000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x776b2780 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System False 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 3
Fn
File Open filename = STD_INPUT_HANDLE True 2
Fn
Environment Get Environment String - True 2
Fn
Data
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 196, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Module Get Filename process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 True 1
Fn
Environment Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Environment Get Environment String name = PROMPT False 1
Fn
Environment Set Environment String name = PROMPT, value = $P$G True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Environment Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Environment Get Environment String name = KEYS False 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\Desktop, type = file_attributes True 2
Fn
Environment Set Environment String name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77670000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x7768fa80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7768a790 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76a835c0 True 1
Fn
Environment Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Process Create process_name = C:\Windows\system32\timeout.exe, os_pid = 0x858, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Environment Set Environment String name = COPYCMD True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Environment Set Environment String name = =ExitCode, value = 00000001 True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Environment Set Environment String name = =ExitCodeAscii True 1
Fn
Environment Get Environment String - True 1
Fn
Data
File Get Info filename = C:\Users\CIiHmnxMn6Ps\Desktop\1.pdf.exe, type = file_attributes True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\Desktop, type = file_attributes True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\Desktop\1.pdf.exe, type = file_attributes True 1
Fn
File Open filename = \??\C:\Users\CIiHmnxMn6Ps\Desktop\1.pdf.exe, desired_access = DELETE, open_options = FILE_NON_DIRECTORY_FILE, FILE_DELETE_ON_CLOSE, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_DELETE True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 2
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
Process #6: timeout.exe
14 0
»
Information Value
ID #6
File Name c:\windows\syswow64\timeout.exe
Command Line timeout -c 5
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:15:41, Reason: Terminated by Timeout
Monitor Duration 00:13:51
OS Process Information
»
Information Value
PID 0x858
Parent PID 0x930 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 610
0x 300
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000ce0000 0x00ce0000 0x00cfffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000ce0000 0x00ce0000 0x00ceffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000cf0000 0x00cf0000 0x00cf3fff Private Memory Readable, Writable True False False -
private_0x0000000000d00000 0x00d00000 0x00d01fff Private Memory Readable, Writable True False False -
timeout.exe.mui 0x00d00000 0x00d02fff Memory Mapped File Readable False False False -
pagefile_0x0000000000d10000 0x00d10000 0x00d23fff Pagefile Backed Memory Readable True False False -
private_0x0000000000d30000 0x00d30000 0x00d6ffff Private Memory Readable, Writable True False False -
private_0x0000000000d70000 0x00d70000 0x00daffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000db0000 0x00db0000 0x00db3fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000dc0000 0x00dc0000 0x00dc0fff Pagefile Backed Memory Readable True False False -
private_0x0000000000dd0000 0x00dd0000 0x00dd1fff Private Memory Readable, Writable True False False -
private_0x0000000000de0000 0x00de0000 0x00de0fff Private Memory Readable, Writable True False False -
private_0x0000000000df0000 0x00df0000 0x00df0fff Private Memory Readable, Writable True False False -
private_0x0000000000e10000 0x00e10000 0x00e1ffff Private Memory Readable, Writable True False False -
locale.nls 0x00e20000 0x00eddfff Memory Mapped File Readable False False False -
private_0x0000000000ee0000 0x00ee0000 0x00f1ffff Private Memory Readable, Writable True False False -
private_0x0000000000f20000 0x00f20000 0x00f5ffff Private Memory Readable, Writable True False False -
timeout.exe 0x01000000 0x01009fff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x0000000001010000 0x01010000 0x0500ffff Pagefile Backed Memory - True False False -
private_0x0000000005140000 0x05140000 0x0523ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000005240000 0x05240000 0x053c7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000053d0000 0x053d0000 0x05550fff Pagefile Backed Memory Readable True False False -
private_0x0000000005570000 0x05570000 0x0557ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000005580000 0x05580000 0x0697ffff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x06980000 0x06cb6fff Memory Mapped File Readable False False False -
wow64.dll 0x59300000 0x5934efff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x59350000 0x59357fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x59360000 0x593d2fff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x74b40000 0x74b47fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x74ce0000 0x74d38fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74d40000 0x74d49fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74d50000 0x74d6dfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x74d70000 0x74eaffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x75080000 0x750c3fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76970000 0x76ae5fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x76ca0000 0x76decfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76f70000 0x7708ffff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x77090000 0x77249fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x77250000 0x77292fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x775e0000 0x7760afff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x77670000 0x7775ffff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x77930000 0x7798bfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77a10000 0x77acdfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x77ad0000 0x77ad6fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77af0000 0x77b9bfff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c40000 0x77db8fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f310000 0x7f310000 0x7f40ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007f410000 0x7f410000 0x7f432fff Pagefile Backed Memory Readable True False False -
private_0x000000007f436000 0x7f436000 0x7f436fff Private Memory Readable, Writable True False False -
private_0x000000007f437000 0x7f437000 0x7f439fff Private Memory Readable, Writable True False False -
private_0x000000007f43a000 0x7f43a000 0x7f43cfff Private Memory Readable, Writable True False False -
private_0x000000007f43d000 0x7f43d000 0x7f43dfff Private Memory Readable, Writable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7dfc03e6ffff Private Memory Readable True False False -
pagefile_0x00007dfc03e70000 0x7dfc03e70000 0x7ffc03e6ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ffc03e70000 0x7ffc04031fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffc04032000 0x7ffc04032000 0x7ffffffeffff Private Memory Readable True False False -
Threads
Thread 0x610
14 0
»
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\windows\syswow64\timeout.exe, base_address = 0x1000000 True 1
Fn
Module Get Filename process_name = c:\windows\syswow64\timeout.exe, file_name_orig = C:\Windows\SysWOW64\timeout.exe, size = 260 True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
File Write filename = STD_ERROR_HANDLE, size = 7 True 1
Fn
Data
File Open filename = STD_ERROR_HANDLE True 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
File Write filename = STD_ERROR_HANDLE, size = 98 True 1
Fn
Data
Function Logfile
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".


    
Before

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".


    
After

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".


    
Screenshot
Expand-Icon
Exit-Icon
icon_left
icon_left
image