UNNAM3D Ransomware | Grouped Behavior
VTI SCORE: 94/100
Dynamic Analysis Report
Classification: Ransomware, Wiper, Dropper

Remarks (2/2)

(0x200000e): The overall sleep time of all monitored processes was truncated from "31 minutes, 2 seconds" to "40 seconds" to reveal dormant functionality.

(0x2000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

Remarks

(0x200000c): The maximum memory dump size was exceeded. Some dumps may be missing in the report.

(0x200001f): Code in memory was overwritten during this analysis. Review corresponding VTI for more info.

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x15c Analysis Target High (Elevated) gblyrzexggw.exe "C:\Users\WhuOXYsD\Desktop\gblyrzexggw.exe" -
#2 0x948 Child Process High (Elevated) unnam3d.exe "C:\Users\WhuOXYsD\AppData\Local\Temp\UNNAM3D.EXE" #1
#3 0x8d4 Child Process High (Elevated) cmd.exe "C:\Windows\System32\cmd.exe" /C cd C:\Users\WhuOXYsD\Desktop && C:\Users\WhuOXYsD\AppData\Local\Temp\\WinRAR.exe m -r -pMyPassword Desktop * #2
#4 0x8dc Child Process High (Elevated) cmd.exe "C:\Windows\System32\cmd.exe" /C cd C:\Users\WhuOXYsD\Documents && C:\Users\WhuOXYsD\AppData\Local\Temp\\WinRAR.exe m -r -pMyPassword Documents * #2
#5 0x244 Child Process High (Elevated) cmd.exe "C:\Windows\System32\cmd.exe" /C cd C:\Users\WhuOXYsD\Pictures && C:\Users\WhuOXYsD\AppData\Local\Temp\\WinRAR.exe m -r -pMyPassword Pictures * #2
#6 0x340 Child Process High (Elevated) winrar.exe C:\Users\WhuOXYsD\AppData\Local\Temp\\WinRAR.exe m -r -pMyPassword Desktop * #3
#7 0x6ac Child Process High (Elevated) winrar.exe C:\Users\WhuOXYsD\AppData\Local\Temp\\WinRAR.exe m -r -pMyPassword Pictures * #5
#8 0xa20 Child Process High (Elevated) winrar.exe C:\Users\WhuOXYsD\AppData\Local\Temp\\WinRAR.exe m -r -pMyPassword Documents * #4
#9 0x730 Autostart Medium unnam3d.exe "C:\Users\WhuOXYsD\AppData\Local\Temp\UNNAM3D.EXE" -
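The process overview above shows the whole chain in command lines: the dropper copies itself to the user's Temp directory, registers that copy under a Run key, and then has cmd.exe change into Desktop, Documents and Pictures and run a Temp-resident WinRAR with the `m` (move to archive) command, `-r` (recurse) and an inline `-p` password. Because the password travels on the command line, ordinary process-creation telemetry records it, and the archive the victim needs is simply `<directory>\<directory>.rar` protected by that password. The script below, as an added example that is not part of the VMRay report or of the sample, implements that detection and extraction over constructed events. The events are built in a Sysmon-like shape (1 = process create, 11 = file create, 13 = registry value set, 23 = file delete) from the report's own paths and command lines; the field names, rule names and the benign WinRAR entry are this example's own assumptions.

```python
"""Triage of the UNNAM3D execution chain from process, file and registry telemetry.

Added example; not part of the VMRay report or of the sample. The events below
are constructed in a Sysmon-like shape (1 = process create, 11 = file create,
13 = registry value set, 23 = file delete) from the paths and command lines the
report shows. Field names and rule names are this example's own convention.
"""
import re
from pathlib import PureWindowsPath

EVENTS = [
    {"id": 1, "image": r"C:\Users\WhuOXYsD\Desktop\gblyrzexggw.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\WhuOXYsD\Desktop\gblyrzexggw.exe"'},
    {"id": 11, "image": r"C:\Users\WhuOXYsD\Desktop\gblyrzexggw.exe",
     "target": r"C:\Users\WhuOXYsD\AppData\Local\Temp\UNNAM3D.EXE"},
    # Mark-of-the-Web removal attempt on the self-copy (the report shows it failing).
    {"id": 23, "image": r"C:\Users\WhuOXYsD\Desktop\gblyrzexggw.exe",
     "target": r"C:\Users\WhuOXYsD\AppData\Local\Temp\UNNAM3D.EXE:Zone.Identifier"},
    {"id": 13, "image": r"C:\Users\WhuOXYsD\Desktop\gblyrzexggw.exe",
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FirefoxUpdater",
     "details": r"C:\Users\WhuOXYsD\AppData\Local\Temp\UNNAM3D.EXE"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\WhuOXYsD\AppData\Local\Temp\UNNAM3D.EXE",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C cd C:\Users\WhuOXYsD\Desktop && '
                r'C:\Users\WhuOXYsD\AppData\Local\Temp\\WinRAR.exe m -r -pMyPassword Desktop *'},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\WhuOXYsD\AppData\Local\Temp\UNNAM3D.EXE",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C cd C:\Users\WhuOXYsD\Documents && '
                r'C:\Users\WhuOXYsD\AppData\Local\Temp\\WinRAR.exe m -r -pMyPassword Documents *'},
    # Constructed benign archiver use ('a' adds without deleting, no password): must not fire.
    {"id": 1, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" a -r backup.rar Documents\*'},
]

USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
CD_RE = re.compile(r"\bcd\s+(?P<dir>[^&\s]+)\s*&&", re.IGNORECASE)


def parse_rar_move(cmdline):
    """Return details of a RAR 'm' (move-to-archive) invocation, or None.

    The observed form is: <path>WinRAR.exe m -r -p<pw> <archive> <mask>.
    'm' deletes the originals once archived, which is why the report also
    tags the sample as a wiper; -p<pw> encrypts file contents only (names stay
    readable in the archive listing), -hp<pw> would also encrypt the headers.
    """
    tokens = [t.strip('"') for t in cmdline.split()]
    try:
        i = next(k for k, t in enumerate(tokens) if t.lower().endswith("rar.exe"))
    except StopIteration:
        return None
    args = tokens[i + 1:]
    if not args or args[0].lower() != "m":
        return None
    info = {"exe": tokens[i], "password": None, "header_encrypted": False,
            "recurse": False, "archive": None, "masks": [], "workdir": None}
    positional = []
    for a in args[1:]:
        low = a.lower()
        if low.startswith("-hp"):
            info["password"], info["header_encrypted"] = a[3:], True
        elif low.startswith("-p"):
            info["password"] = a[2:]
        elif low == "-r":
            info["recurse"] = True
        elif not a.startswith("-"):
            positional.append(a)
    if positional:
        info["archive"], info["masks"] = positional[0], positional[1:]
    m = CD_RE.search(cmdline)
    if m:
        info["workdir"] = m.group("dir")
    # RAR appends .rar when the archive name has no extension; the archive is
    # created in the working directory set by the preceding 'cd'.
    if info["archive"] and info["workdir"]:
        name = info["archive"] if "." in info["archive"] else info["archive"] + ".rar"
        info["archive_path"] = str(PureWindowsPath(info["workdir"]) / name)
    else:
        info["archive_path"] = info["archive"]
    return info


def triage(events):
    """Correlate the stages seen in the report into (rule, detail) findings."""
    findings = []
    for e in events:
        target = e.get("target", "")
        if e["id"] == 11 and USER_TEMP_RE.search(target) and target.lower().endswith(".exe"):
            findings.append(("exe_dropped_to_temp", target))
        elif e["id"] == 23 and target.lower().endswith(":zone.identifier"):
            findings.append(("motw_strip_attempt", target))
        elif (e["id"] == 13 and "\\currentversion\\run\\" in target.lower()
              and USER_TEMP_RE.search(e.get("details", ""))):
            findings.append(("run_key_points_to_temp", f"{target} = {e['details']}"))
        elif e["id"] == 1:
            rar = parse_rar_move(e["cmdline"])
            if rar and rar["password"] is not None:
                where = "temp" if USER_TEMP_RE.search(rar["exe"]) else "installed"
                findings.append(("rar_move_with_inline_password",
                                 f"{rar['archive_path']} password={rar['password']} archiver={where}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(f"{rule}: {detail}")
```

The `rar_move_with_inline_password` finding carries everything a responder needs for recovery: the archive path and the password. The two remaining findings (self-copy into Temp, Run value pointing into Temp) are what the Autostart process #9 in the table above confirms after the reboot the sandbox performed.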

Behavior Information - Grouped by Category

Process #1: gblyrzexggw.exe
Information Value
ID #1
File Name c:\users\whuoxysd\desktop\gblyrzexggw.exe
Command Line "C:\Users\WhuOXYsD\Desktop\gblyrzexggw.exe"
Initial Working Directory C:\Users\WhuOXYsD\Desktop\
Monitor Start Time: 00:00:13, Reason: Analysis Target
Unmonitor End Time: 00:00:40, Reason: Self Terminated
Monitor Duration 00:00:26
OS Process Information
Information Value
PID 0x15c
Parent PID 0x65c (c:\windows\explorer.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username EGLAFTB1N8YA\WhuOXYsD
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8E0, 0x8F0, 0x8FC, 0x914, 0x904, 0x8D8, 0x94C, 0x8BC, 0x944, 0xC4, 0x11C
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points YARA Actions
agiledotnetrt.dll 0x71C00000 0x721C1FFF Marked Writable - 32-bit - False
agiledotnetrt.dll 0x71C00000 0x721C1FFF Content Changed - 32-bit 0x71F65181 False
agiledotnetrt.dll 0x71C00000 0x721C1FFF Content Changed - 32-bit 0x71D98C14, 0x71C7EBF1, ... False
agiledotnetrt.dll 0x71C00000 0x721C1FFF Content Changed - 32-bit 0x71DFA363 False
agiledotnetrt.dll 0x71C00000 0x721C1FFF Content Changed - 32-bit 0x71E15B00, 0x71E246C7 False
agiledotnetrt.dll 0x71C00000 0x721C1FFF Content Changed - 32-bit 0x71CAF180 False
agiledotnetrt.dll 0x71C00000 0x721C1FFF Content Changed - 32-bit 0x71F7E0BA False
agiledotnetrt.dll 0x71C00000 0x721C1FFF Content Changed - 32-bit 0x71F5C000, 0x71F5BFC7 False
Hook Information
Type Installer Target Size Information Actions
Code agiledotnetrt.dll:+0xfc2e6 ntdll.dll:DbgBreakPoint+0x0 1 bytes -
Code agiledotnetrt.dll:+0x4b698 clrjit.dll:sxsJitStartup+0x1e3bd 4 bytes -
Dropped Files
Filename File Size Hash Values YARA Match
C:\Users\WhuOXYsD\Desktop\gblyrzexggw.exe 7.71 MB MD5: 6ed8c24732529fccf847927c68fc0174
SHA1: c7155a3d2dd0ff0ff2f746b79998a5aabe79735f
SHA256: 567bdc9330d3ff2dfc138fa9f284ebb17a83a5ec0305d846474d7b30cbc36247
SSDeep: 196608:BWvq6ulMDaZkjYTGa44XFcxzkOGXDjD/E:IvXKDk8Sa44XFcxz3GXg
YARA Match: False
C:\Users\WhuOXYsD\AppData\Local\Temp\88044b52-bb1c-4d13-820b-fd46b551698e\AgileDotNetRT.dll 2.10 MB MD5: db956a02daba647f229b01d56ea5d892
SHA1: 1c8d576d60f74b97ac0b7a419fd1ee710bf0ab8f
SHA256: 5b4f5e6cc52df647673b94249e5392e6f00cc5ffb7e1fc7c4219351762618cdd
SSDeep: 49152:tErk8yoNXvvBxlC/ziloFcbhXvmZF4nse2MmnbSUJmrnSloKbS:tErk8y6/Y/nFcVXgesEmOFzSfbS
YARA Match: False
Modified Files
Filename File Size Hash Values YARA Match
c:\users\whuoxysd\appdata\local\gdipfontcachev1.dat 106.27 KB MD5: a998686378c9bc64711f21878acf679d
SHA1: ae0784ba9a7ebe18f56625100c42f3f75c3342be
SHA256: 5f3cdc47addc45a9a6c6bddf8f81f2b52c9ae27947189b1faad3414dc74f5d6b
SSDeep: 768:Ve8mqoSHgTl3hohIqdqdsBzke0A8WitQBsclGYlTF6THsyx2:KqoSHgTl3hA51t0A8WitQBHOHBx2
YARA Match: False
Host Behavior
File (19)
Operation Filename Additional Information Success Count
Create C:\Users\WhuOXYsD\AppData\Local\Temp\88044b52-bb1c-4d13-820b-fd46b551698e\AgileDotNetRT.dll desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL True 1
Create C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll desired_access = FILE_READ_DATA, share_mode = FILE_SHARE_READ True 1
Create Directory C:\Users\WhuOXYsD\AppData\Local\Temp\88044b52-bb1c-4d13-820b-fd46b551698e - True 1
Get Info C:\Users\WhuOXYsD\AppData\Local\Temp\88044b52-bb1c-4d13-820b-fd46b551698e\ type = file_attributes False 1
Get Info C:\Users\WhuOXYsD\AppData\Local\Temp\88044b52-bb1c-4d13-820b-fd46b551698e type = file_attributes False 1
Get Info C:\Users\WhuOXYsD\AppData\Local\Temp type = file_attributes True 1
Get Info C:\Users\WhuOXYsD\AppData\Local\Temp\88044b52-bb1c-4d13-820b-fd46b551698e\AgileDotNetRT.dll type = file_attributes False 1
Get Info C:\Users\WhuOXYsD\AppData\Local\Temp\88044b52-bb1c-4d13-820b-fd46b551698e\AgileDotNetRT.dll type = file_type True 2
Get Info C:\Users\WhuOXYsD\AppData\Local\Temp\88044b52-bb1c-4d13-820b-fd46b551698e\ type = file_attributes True 1
Get Info C:\Users\WhuOXYsD\AppData\Local\Temp\88044b52-bb1c-4d13-820b-fd46b551698e\AgileDotNetRT.dll type = file_attributes True 1
Get Info C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll type = size, size_out = 0 True 1
Get Info C:\Windows\system32\RichEd20.DLL type = file_attributes True 1
Get Info C:\Users\WhuOXYsD\Desktop\gblyrzexggw.exe.config type = file_attributes False 1
Get Info C:\Users\WhuOXYsD\AppData\Local\Temp\UNNAM3D.EXE type = file_attributes False 1
Copy C:\Users\WhuOXYsD\AppData\Local\Temp\UNNAM3D.EXE source_filename = C:\Users\WhuOXYsD\Desktop\gblyrzexggw.exe True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll size = 510104, size_out = 510104 True 1
Write C:\Users\WhuOXYsD\AppData\Local\Temp\88044b52-bb1c-4d13-820b-fd46b551698e\AgileDotNetRT.dll size = 2197808 True 1
Delete C:\Users\WhuOXYsD\AppData\Local\Temp\UNNAM3D.EXE:Zone.Identifier - False 1
Registry (15)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 - True 1
Open Key HKEY_LOCAL_MACHINE\Hardware\description\System - True 1
Open Key HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System value_name = EnableLUA, data = 1 True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 value_name = DriverDesc, data = 83 True 1
Read Value HKEY_LOCAL_MACHINE\Hardware\description\System value_name = SystemBiosVersion, data = 76 True 2
Read Value HKEY_LOCAL_MACHINE\Hardware\description\System value_name = VideoBiosVersion, data = 76 False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework value_name = DbgJITDebugLaunchSetting, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework value_name = DbgManagedDebugger, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = FirefoxUpdater, type = REG_NONE False 1
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = FirefoxUpdater, data = C:\Users\WhuOXYsD\AppData\Local\Temp\UNNAM3D.EXE, size = 98, type = REG_SZ True 1
Process (1)
Operation Process Additional Information Success Count
Create C:\Users\WhuOXYsD\AppData\Local\Temp\UNNAM3D.EXE show_window = SW_SHOWNORMAL True 1
Module (153)
Operation Module Additional Information Success Count
Load C:\Users\WhuOXYsD\AppData\Local\Temp\88044b52-bb1c-4d13-820b-fd46b551698e\AgileDotNetRT.dll base_address = 0x71c00000 True 2
Load user32.dll base_address = 0x76d60000 True 1
Load advapi32.dll base_address = 0x771a0000 True 1
Load ntdll.dll base_address = 0x77de0000 True 1
Load shell32.dll base_address = 0x75c10000 True 1
Load shlwapi.dll base_address = 0x77360000 True 1
Load clrjit.dll base_address = 0x75260000 True 1
Load comctl32.dll base_address = 0x75010000 True 1
Load comctl32.dll base_address = 0x74e70000 True 1
Load RichEd20.DLL base_address = 0x74df0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x769a0000 True 2
Get Handle c:\windows\syswow64\crypt32.dll base_address = 0x77240000 True 1
Get Handle c:\windows\syswow64\psapi.dll base_address = 0x76e60000 True 1
Get Handle c:\windows\syswow64\version.dll base_address = 0x75870000 True 1
Get Handle c:\windows\syswow64\user32.dll base_address = 0x76d60000 True 3
Get Handle comctl32.dll base_address = 0x0 False 2
Get Handle c:\users\whuoxysd\desktop\gblyrzexggw.exe base_address = 0x1360000 True 25
Get Handle c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll base_address = 0x75010000 True 77
Get Handle c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll base_address = 0x74e70000 True 13
Get Filename C:\Users\WhuOXYsD\AppData\Local\Temp\88044b52-bb1c-4d13-820b-fd46b551698e\AgileDotNetRT.dll process_name = c:\users\whuoxysd\desktop\gblyrzexggw.exe, file_name_orig = C:\Users\WhuOXYsD\AppData\Local\Temp\88044b52-bb1c-4d13-820b-fd46b551698e\AgileDotNetRT.dll, size = 260 True 1
Get Filename c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll process_name = c:\users\whuoxysd\desktop\gblyrzexggw.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll, size = 260 True 1
Get Filename RichEd20.DLL process_name = c:\users\whuoxysd\desktop\gblyrzexggw.exe, file_name_orig = C:\Windows\system32\RichEd20.DLL, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x769b11a9 True 1
Get Address c:\windows\syswow64\shell32.dll function = IsUserAnAdmin, address_out = 0x75c644f5 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySystemInformation, address_out = 0x77dffda0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlAllocateHeap, address_out = 0x77e0e026 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlLeaveCriticalSection, address_out = 0x77e02270 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlEnterCriticalSection, address_out = 0x77e022b0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitializeCriticalSection, address_out = 0x77e12c42 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlReAllocateHeap, address_out = 0x77e21f6e True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlSizeHeap, address_out = 0x77e13002 True 1
Get Address c:\users\whuoxysd\appdata\local\temp\88044b52-bb1c-4d13-820b-fd46b551698e\agiledotnetrt.dll function = _Initialize, address_out = 0x71c1142e True 2
Get Address c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll function = getJit, address_out = 0x752af70e True 1
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x77e125dd True 2
Window (63)
Operation Window Name Additional Information Success Count
Create - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create .NET-BroadcastEventWindow.4.0.0.0.141b42a.0 class_name = .NET-BroadcastEventWindow.4.0.0.0.141b42a.0, wndproc_parameter = 0 True 1
Create TimerNativeWindow class_name = WindowsForms10.Window.0.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create UNNAM3D class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create - class_name = WindowsForms10.Window.0.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create - class_name = WindowsForms10.RichEdit20W.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create Locked Files class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create CREATER: UNNAM3D class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create Discord: UNNAM3D#6666 class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create You will need to send an message to the below discord with a $50 amazon giftcard code. Then you will shortley get an message back with a password to unlock your files. class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create All your personal files have been locked and you need to pay a ransom to get them back. You will have 24 hours to pay or the password will be deleted of our servers making it impossible to get your files back. class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create How do i pay? class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create What Happend? class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create -YOUR FILES HAVE BEEN LOCKED- class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -4, new_long = 2011243997 True 2
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -4, new_long = 19269942 True 1
Set Attribute TimerNativeWindow class_name = WindowsForms10.Window.0.app.0.141b42a_r14_ad1, index = -4, new_long = 2011243997 True 1
Set Attribute TimerNativeWindow class_name = WindowsForms10.Window.0.app.0.141b42a_r14_ad1, index = -4, new_long = 19270142 True 1
Set Attribute UNNAM3D class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -4, new_long = 2011243997 True 1
Set Attribute UNNAM3D class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -4, new_long = 19270870 True 1
Set Attribute - class_name = WindowsForms10.Window.0.app.0.141b42a_r14_ad1, index = -4, new_long = 2011243997 True 1
Set Attribute - class_name = WindowsForms10.Window.0.app.0.141b42a_r14_ad1, index = -4, new_long = 19270910 True 1
Set Attribute UNNAM3D class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -8, new_long = 393324 False 1
Set Attribute UNNAM3D class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -8, new_long = 393324 True 1
Set Attribute UNNAM3D class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -16, new_long = 33619968 True 1
Set Attribute UNNAM3D class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -20, new_long = 65536 True 1
Set Attribute - class_name = WindowsForms10.RichEdit20W.app.0.141b42a_r14_ad1, index = -4, new_long = 1960780026 True 1
Set Attribute - class_name = WindowsForms10.RichEdit20W.app.0.141b42a_r14_ad1, index = -4, new_long = 19270990 True 1
Set Attribute - class_name = WindowsForms10.RichEdit20W.app.0.141b42a_r14_ad1, index = -12, new_long = 393252 False 1
Set Attribute Locked Files class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 1961408713 True 1
Set Attribute Locked Files class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 19272414 True 1
Set Attribute Locked Files class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -12, new_long = 393646 False 1
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -4, new_long = 2011243997 True 1
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -4, new_long = 19272454 True 1
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -12, new_long = 197042 False 1
Set Attribute CREATER: UNNAM3D class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 1961408713 True 1
Set Attribute CREATER: UNNAM3D class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 19272494 True 1
Set Attribute CREATER: UNNAM3D class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -12, new_long = 197044 False 1
Set Attribute Discord: UNNAM3D#6666 class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 1961408713 True 1
Set Attribute Discord: UNNAM3D#6666 class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 19272534 True 1
Set Attribute Discord: UNNAM3D#6666 class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -12, new_long = 197046 False 1
Set Attribute You will need to send an message to the below discord with a $50 amazon giftcard code. Then you will shortley get an message back with a password to unlock your files. class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 1961408713 True 1
Set Attribute You will need to send an message to the below discord with a $50 amazon giftcard code. Then you will shortley get an message back with a password to unlock your files. class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 19315686 True 1
Set Attribute You will need to send an message to the below discord with a $50 amazon giftcard code. Then you will shortley get an message back with a password to unlock your files. class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -12, new_long = 131514 False 1
Set Attribute All your personal files have been locked and you need to pay a ransom to get them back. You will have 24 hours to pay or the password will be deleted of our servers making it impossible to get your files back. class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 1961408713 True 1
Set Attribute All your personal files have been locked and you need to pay a ransom to get them back. You will have 24 hours to pay or the password will be deleted of our servers making it impossible to get your files back. class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 19315750 True 1
Set Attribute All your personal files have been locked and you need to pay a ransom to get them back. You will have 24 hours to pay or the password will be deleted of our servers making it impossible to get your files back. class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -12, new_long = 131512 False 1
Set Attribute How do i pay? class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 1961408713 True 1
Set Attribute How do i pay? class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 19315790 True 1
Set Attribute How do i pay? class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -12, new_long = 131518 False 1
Set Attribute What Happend? class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 1961408713 True 1
Set Attribute What Happend? class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 19315830 True 1
Set Attribute What Happend? class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -12, new_long = 131566 False 1
Set Attribute -YOUR FILES HAVE BEEN LOCKED- class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 1961408713 True 1
Set Attribute -YOUR FILES HAVE BEEN LOCKED- class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 19315870 True 1
Set Attribute -YOUR FILES HAVE BEEN LOCKED- class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -12, new_long = 131564 False 1
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -4, new_long = 2011243997 True 1
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -4, new_long = 19315910 True 1
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -12, new_long = 131520 False 1
Set Attribute .NET-BroadcastEventWindow.4.0.0.0.141b42a.0 class_name = .NET-BroadcastEventWindow.4.0.0.0.141b42a.0, index = -4, new_long = 2011243997 True 1
Keyboard (3)
Operation Additional Information Success Count
Get Info type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 True 3
System (294)
Operation Additional Information Success Count
Get Cursor x_out = 424, y_out = 718 True 3
Get Cursor x_out = 170, y_out = 368 True 1
Sleep duration = 100 milliseconds (0.100 seconds) True 26
Sleep duration = -1 (infinite) True 1
Sleep duration = 20 milliseconds (0.020 seconds) True 10
Get Time type = Ticks, time = 10878994 True 16
Get Time type = Ticks, time = 10879010 True 233
Get Time type = System Time, time = 2019-04-02 12:03:59 (UTC) True 1
Get Time type = Ticks, time = 10885718 True 1
Get Info type = Operating System True 1
Get Info type = SYSTEM_MODULE_INFORMATION True 1
Environment (14)
Operation Additional Information Success Count
Get Environment String name = UKKED False 14
Debug (4)
Operation Process Additional Information Success Count
Check for Presence c:\users\whuoxysd\desktop\gblyrzexggw.exe - True 1
Check for Presence c:\users\whuoxysd\desktop\gblyrzexggw.exe - True 1
Check for Presence c:\users\whuoxysd\desktop\gblyrzexggw.exe - False 1
Hide c:\users\whuoxysd\desktop\gblyrzexggw.exe - True 1
Process #2: unnam3d.exe
Information Value
ID #2
File Name c:\users\whuoxysd\appdata\local\temp\unnam3d.exe
Command Line "C:\Users\WhuOXYsD\AppData\Local\Temp\UNNAM3D.EXE"
Initial Working Directory C:\Users\WhuOXYsD\Desktop\
Monitor Start Time: 00:00:37, Reason: Child Process
Unmonitor End Time: 00:05:23, Reason: Terminated by Timeout
Monitor Duration 00:04:46
OS Process Information
Information Value
PID 0x948
Parent PID 0x15c (c:\users\whuoxysd\desktop\gblyrzexggw.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username EGLAFTB1N8YA\WhuOXYsD
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x248, 0x884, 0x86C, 0x868, 0x888, 0x95C, 0x960, 0x954, 0x974, 0xAD8
Hook Information
Type Installer Target Size Information Actions
Code agiledotnetrt.dll:+0xfc2e6 ntdll.dll:DbgBreakPoint+0x0 1 bytes -
Code agiledotnetrt.dll:+0x4b698 clrjit.dll:sxsJitStartup+0x1e3bd 4 bytes -
Dropped Files
Filename File Size Hash Values YARA Match
C:\Users\WhuOXYsD\AppData\Local\Temp\Wallpaper.png 498.13 KB MD5: 9fe566aa83d07bc948f5a54e86c37214
SHA1: a1da653bd2d3fa8e0da40a261e2fae3ef5d24293
SHA256: f8681cc352768593054fa68706127f28810fad25aee6c108ddf4ae3c1655395e
SSDeep: 12288:4ekXjvAyvEQ8ZeK/+1VTArMH7k4ds9t4WJHpH8Ea4GfY+OzsC:LkXDbMZ21Vs74dsnZJHpHnacwC
YARA Match: False
C:\Users\WhuOXYsD\AppData\Local\Temp\WinRAR.exe 2.17 MB MD5: 1e3a2a966f593ad33125f26916267008
SHA1: 38b1a547ddee671edeee7385cac138458a6a6858
SHA256: b18c9b9200e354f81882b29dc8143ec5d6f2b731cf4c7da3800e339ffb3c8827
SSDeep: 49152:m2IoCBtJnxlyU/mWhRcQYhie6/UIdjjQuctXnFDu3nAzNjteyUHBdH3y2:xrCBrtcy/lfkD0nANte9BpC2
YARA Match: False
Host Behavior
File (15)
Operation Filename Additional Information Success Count
Create C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll desired_access = FILE_READ_DATA, share_mode = FILE_SHARE_READ True 1
Create C:\Users\WhuOXYsD\AppData\Local\Temp\WinRAR.exe desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Get Info C:\Users\WhuOXYsD\AppData\Local\Temp\88044b52-bb1c-4d13-820b-fd46b551698e\ type = file_attributes True 2
Get Info C:\Users\WhuOXYsD\AppData\Local\Temp\88044b52-bb1c-4d13-820b-fd46b551698e\AgileDotNetRT.dll type = file_attributes True 2
Get Info C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll type = size, size_out = 0 True 1
Get Info C:\Windows\system32\RichEd20.DLL type = file_attributes True 1
Get Info C:\Users\WhuOXYsD\AppData\Local\Temp\UNNAM3D.EXE.config type = file_attributes False 1
Get Info C:\Users\WhuOXYsD\AppData\Local\Temp\UNNAM3D.EXE type = file_attributes True 1
Get Info C:\Users\WhuOXYsD\AppData\Local\Temp\Wallpaper.png type = file_attributes False 1
Get Info C:\Users\WhuOXYsD\AppData\Local\Temp\WinRAR.exe type = file_type True 2
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll size = 510104, size_out = 510104 True 1
Write C:\Users\WhuOXYsD\AppData\Local\Temp\WinRAR.exe size = 2276568 True 1
Registry (12)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 - True 1
Open Key HKEY_LOCAL_MACHINE\Hardware\description\System - True 1
Open Key HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System value_name = EnableLUA, data = 1 True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 value_name = DriverDesc, data = 83 True 1
Read Value HKEY_LOCAL_MACHINE\Hardware\description\System value_name = SystemBiosVersion, data = 76 True 2
Read Value HKEY_LOCAL_MACHINE\Hardware\description\System value_name = VideoBiosVersion, data = 76 False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework value_name = DbgJITDebugLaunchSetting, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework value_name = DbgManagedDebugger, type = REG_NONE False 1
Process (3)
Operation Process Additional Information Success Count
Create cmd.exe show_window = SW_HIDE True 1
Create cmd.exe show_window = SW_HIDE True 1
Create cmd.exe show_window = SW_HIDE True 1
Module (146)
Operation Module Additional Information Success Count
Load C:\Users\WhuOXYsD\AppData\Local\Temp\88044b52-bb1c-4d13-820b-fd46b551698e\AgileDotNetRT.dll base_address = 0x71c00000 True 2
Load user32.dll base_address = 0x76d60000 True 1
Load advapi32.dll base_address = 0x771a0000 True 1
Load ntdll.dll base_address = 0x77de0000 True 1
Load shell32.dll base_address = 0x75c10000 True 1
Load shlwapi.dll base_address = 0x77360000 True 1
Load clrjit.dll base_address = 0x75260000 True 1
Load comctl32.dll base_address = 0x75040000 True 1
Load comctl32.dll base_address = 0x74ea0000 True 1
Load RichEd20.DLL base_address = 0x74e20000 True 1
Get Handle c:\windows\syswow64\crypt32.dll base_address = 0x77240000 True 1
Get Handle c:\windows\syswow64\psapi.dll base_address = 0x76e60000 True 1
Get Handle c:\windows\syswow64\version.dll base_address = 0x75870000 True 1
Get Handle c:\windows\syswow64\user32.dll base_address = 0x76d60000 True 2
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x769a0000 True 1
Get Handle comctl32.dll base_address = 0x0 False 2
Get Handle c:\users\whuoxysd\appdata\local\temp\unnam3d.exe base_address = 0xb00000 True 21
Get Handle c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll base_address = 0x75040000 True 77
Get Handle c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll base_address = 0x74ea0000 True 13
Get Filename C:\Users\WhuOXYsD\AppData\Local\Temp\88044b52-bb1c-4d13-820b-fd46b551698e\AgileDotNetRT.dll process_name = c:\users\whuoxysd\appdata\local\temp\unnam3d.exe, file_name_orig = C:\Users\WhuOXYsD\AppData\Local\Temp\88044b52-bb1c-4d13-820b-fd46b551698e\AgileDotNetRT.dll, size = 260 True 1
Get Filename c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll process_name = c:\users\whuoxysd\appdata\local\temp\unnam3d.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll, size = 260 True 1
Get Filename RichEd20.DLL process_name = c:\users\whuoxysd\appdata\local\temp\unnam3d.exe, file_name_orig = C:\Windows\system32\RichEd20.DLL, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x769b11a9 True 1
Get Address c:\windows\syswow64\shell32.dll function = IsUserAnAdmin, address_out = 0x75c644f5 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySystemInformation, address_out = 0x77dffda0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlAllocateHeap, address_out = 0x77e0e026 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlLeaveCriticalSection, address_out = 0x77e02270 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlEnterCriticalSection, address_out = 0x77e022b0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitializeCriticalSection, address_out = 0x77e12c42 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlReAllocateHeap, address_out = 0x77e21f6e True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlSizeHeap, address_out = 0x77e13002 True 1
Get Address c:\users\whuoxysd\appdata\local\temp\88044b52-bb1c-4d13-820b-fd46b551698e\agiledotnetrt.dll function = _Initialize, address_out = 0x71c1142e True 2
Get Address c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll function = getJit, address_out = 0x752af70e True 1
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x77e125dd True 1
User (1)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Window (61)
Operation Window Name Additional Information Success Count
Create - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create .NET-BroadcastEventWindow.4.0.0.0.141b42a.0 class_name = .NET-BroadcastEventWindow.4.0.0.0.141b42a.0, wndproc_parameter = 0 True 1
Create TimerNativeWindow class_name = WindowsForms10.Window.0.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create UNNAM3D class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create - class_name = WindowsForms10.Window.0.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create - class_name = WindowsForms10.RichEdit20W.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create Locked Files class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create CREATER: UNNAM3D class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create Discord: UNNAM3D#6666 class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create You will need to send an message to the below discord with a $50 amazon giftcard code. Then you will shortley get an message back with a password to unlock your files. class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create All your personal files have been locked and you need to pay a ransom to get them back. You will have 24 hours to pay or the password will be deleted of our servers making it impossible to get your files back. class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create How do i pay? class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create What Happend? class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create -YOUR FILES HAVE BEEN LOCKED- class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Create - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -4, new_long = 2011243997 True 1
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -4, new_long = 84674782 True 1
Set Attribute TimerNativeWindow class_name = WindowsForms10.Window.0.app.0.141b42a_r14_ad1, index = -4, new_long = 2011243997 True 1
Set Attribute TimerNativeWindow class_name = WindowsForms10.Window.0.app.0.141b42a_r14_ad1, index = -4, new_long = 84674982 True 1
Set Attribute UNNAM3D class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -4, new_long = 2011243997 True 1
Set Attribute UNNAM3D class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -4, new_long = 84675710 True 1
Set Attribute - class_name = WindowsForms10.Window.0.app.0.141b42a_r14_ad1, index = -4, new_long = 2011243997 True 1
Set Attribute - class_name = WindowsForms10.Window.0.app.0.141b42a_r14_ad1, index = -4, new_long = 84675750 True 1
Set Attribute UNNAM3D class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -8, new_long = 327968 False 1
Set Attribute UNNAM3D class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -8, new_long = 327968 True 1
Set Attribute UNNAM3D class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -16, new_long = 33619968 True 1
Set Attribute UNNAM3D class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -20, new_long = 65536 True 1
Set Attribute - class_name = WindowsForms10.RichEdit20W.app.0.141b42a_r14_ad1, index = -4, new_long = 1960976634 True 1
Set Attribute - class_name = WindowsForms10.RichEdit20W.app.0.141b42a_r14_ad1, index = -4, new_long = 84675830 True 1
Set Attribute - class_name = WindowsForms10.RichEdit20W.app.0.141b42a_r14_ad1, index = -12, new_long = 197100 False 1
Set Attribute Locked Files class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 1961605321 True 1
Set Attribute Locked Files class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 84677254 True 1
Set Attribute Locked Files class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -12, new_long = 197102 False 1
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -4, new_long = 2011243997 True 1
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -4, new_long = 84677294 True 1
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -12, new_long = 197054 False 1
Set Attribute CREATER: UNNAM3D class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 1961605321 True 1
Set Attribute CREATER: UNNAM3D class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 84677334 True 1
Set Attribute CREATER: UNNAM3D class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -12, new_long = 197048 False 1
Set Attribute Discord: UNNAM3D#6666 class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 1961605321 True 1
Set Attribute Discord: UNNAM3D#6666 class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 84677374 True 1
Set Attribute Discord: UNNAM3D#6666 class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -12, new_long = 197050 False 1
Set Attribute You will need to send an message to the below discord with a $50 amazon giftcard code. Then you will shortley get an message back with a password to unlock your files. class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 1961605321 True 1
Set Attribute You will need to send an message to the below discord with a $50 amazon giftcard code. Then you will shortley get an message back with a password to unlock your files. class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 84720526 True 1
Set Attribute You will need to send an message to the below discord with a $50 amazon giftcard code. Then you will shortley get an message back with a password to unlock your files. class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -12, new_long = 262582 False 1
Set Attribute All your personal files have been locked and you need to pay a ransom to get them back. You will have 24 hours to pay or the password will be deleted of our servers making it impossible to get your files back. class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 1961605321 True 1
Set Attribute All your personal files have been locked and you need to pay a ransom to get them back. You will have 24 hours to pay or the password will be deleted of our servers making it impossible to get your files back. class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 84720590 True 1
Set Attribute All your personal files have been locked and you need to pay a ransom to get them back. You will have 24 hours to pay or the password will be deleted of our servers making it impossible to get your files back. class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -12, new_long = 262580 False 1
Set Attribute How do i pay? class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 1961605321 True 1
Set Attribute How do i pay? class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 84720630 True 1
Set Attribute How do i pay? class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -12, new_long = 262578 False 1
Set Attribute What Happend? class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 1961605321 True 1
Set Attribute What Happend? class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 84720670 True 1
Set Attribute What Happend? class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -12, new_long = 459182 False 1
Set Attribute -YOUR FILES HAVE BEEN LOCKED- class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 1961605321 True 1
Set Attribute -YOUR FILES HAVE BEEN LOCKED- class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 84720710 True 1
Set Attribute -YOUR FILES HAVE BEEN LOCKED- class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -12, new_long = 458788 False 1
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -4, new_long = 2011243997 True 1
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -4, new_long = 84720750 True 1
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -12, new_long = 262588 False 1
Keyboard (1)
Operation Additional Information Success Count
Get Info type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 True 1
System (336)
Operation Additional Information Success Count
Create Desktop desktop_name = Hbchsbfgcd True 1
Switch Desktop desktop_name = Hbchsbfgcd True 1
Get Cursor x_out = 170, y_out = 368 True 4
Sleep duration = 100 milliseconds (0.100 seconds) True 67
Sleep duration = 3000 milliseconds (3.000 seconds) True 4
Sleep duration = 3000 milliseconds (3.000 seconds) True 1
Get Time type = Ticks, time = 10889088 True 249
Get Time type = System Time, time = 2019-04-02 12:04:09 (UTC) True 1
Get Time type = Ticks, time = 10894361 True 1
Get Info type = Operating System True 1
Get Info type = SYSTEM_MODULE_INFORMATION True 1
Get Info type = SYSTEM_PROCESS_INFORMATION True 5
Environment (18)
Operation Additional Information Success Count
Get Environment String name = UKKED False 18
Debug (4)
Operation Process Additional Information Success Count
Check for Presence c:\users\whuoxysd\appdata\local\temp\unnam3d.exe - True 1
Check for Presence c:\users\whuoxysd\appdata\local\temp\unnam3d.exe - True 1
Check for Presence c:\users\whuoxysd\appdata\local\temp\unnam3d.exe - False 1
Hide c:\users\whuoxysd\appdata\local\temp\unnam3d.exe - True 1
Process #3: cmd.exe
63 0
Information Value
ID #3
File Name c:\windows\syswow64\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /C cd C:\Users\WhuOXYsD\Desktop && C:\Users\WhuOXYsD\AppData\Local\Temp\\WinRAR.exe m -r -pMyPassword Desktop *
Initial Working Directory C:\Users\WhuOXYsD\Desktop\
Monitor Start Time: 00:00:45, Reason: Child Process
Unmonitor End Time: 00:01:08, Reason: Self Terminated
Monitor Duration 00:00:22
OS Process Information
Information Value
PID 0x8d4
Parent PID 0x948 (c:\users\whuoxysd\appdata\local\temp\unnam3d.exe)
Bitness 32-bit
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username EGLAFTB1N8YA\WhuOXYsD
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x908
Host Behavior
File (12)
Operation Filename Additional Information Success Count
Get Info C:\Users\WhuOXYsD\Desktop type = file_attributes True 4
Open STD_OUTPUT_HANDLE - True 5
Open STD_INPUT_HANDLE - True 3
Registry (17)
Operation Key Additional Information Success Count
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 0, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Process (1)
Operation Process Additional Information Success Count
Create C:\Users\WhuOXYsD\AppData\Local\Temp\WinRAR.exe os_pid = 0x340, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Module (8)
Operation Module Additional Information Success Count
Get Handle c:\windows\syswow64\cmd.exe base_address = 0x4a740000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x769a0000 True 2
Get Filename - process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadUILanguage, address_out = 0x769ca84f True 1
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileExW, address_out = 0x769d3b92 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x769b4a5d True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x769ca79d True 1
System (3)
Operation Additional Information Success Count
Get Time type = System Time, time = 2019-04-02 12:04:15 (UTC) True 1
Get Time type = Ticks, time = 10894501 True 1
Get Time type = Performance Ctr, time = 12153315597 True 1
Environment (20)
Operation Additional Information Success Count
Get Environment String - True 8
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Get Environment String name = PROMPT False 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Set Environment String name = PROMPT, value = $P$G True 1
Set Environment String name = =C:, value = C:\Users\WhuOXYsD\Desktop True 2
Set Environment String name = COPYCMD True 1
Set Environment String name = =ExitCode, value = 00000000 True 1
Set Environment String name = =ExitCodeAscii True 1
Process #4: cmd.exe
56 0
Information Value
ID #4
File Name c:\windows\syswow64\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /C cd C:\Users\WhuOXYsD\Documents && C:\Users\WhuOXYsD\AppData\Local\Temp\\WinRAR.exe m -r -pMyPassword Documents *
Initial Working Directory C:\Users\WhuOXYsD\Desktop\
Monitor Start Time: 00:00:45, Reason: Child Process
Unmonitor End Time: 00:05:23, Reason: Terminated by Timeout
Monitor Duration 00:04:38
OS Process Information
Information Value
PID 0x8dc
Parent PID 0x948 (c:\users\whuoxysd\appdata\local\temp\unnam3d.exe)
Bitness 32-bit
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username EGLAFTB1N8YA\WhuOXYsD
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x20C
Host Behavior
File (9)
Operation Filename Additional Information Success Count
Get Info C:\Users\WhuOXYsD\Desktop type = file_attributes True 2
Get Info C:\Users\WhuOXYsD\Documents type = file_attributes True 2
Open STD_OUTPUT_HANDLE - True 3
Open STD_INPUT_HANDLE - True 2
Registry (17)
Operation Key Additional Information Success Count
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 0, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Process (1)
Operation Process Additional Information Success Count
Create C:\Users\WhuOXYsD\AppData\Local\Temp\WinRAR.exe os_pid = 0xa20, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Module (8)
Operation Module Additional Information Success Count
Get Handle c:\windows\syswow64\cmd.exe base_address = 0x4a740000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x769a0000 True 2
Get Filename - process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadUILanguage, address_out = 0x769ca84f True 1
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileExW, address_out = 0x769d3b92 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x769b4a5d True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x769ca79d True 1
System (3)
Operation Additional Information Success Count
Get Time type = System Time, time = 2019-04-02 12:04:15 (UTC) True 1
Get Time type = Ticks, time = 10894454 True 1
Get Time type = Performance Ctr, time = 12149431321 True 1
Environment (16)
Operation Additional Information Success Count
Get Environment String - True 6
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Get Environment String name = PROMPT False 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Set Environment String name = PROMPT, value = $P$G True 1
Set Environment String name = =C:, value = C:\Users\WhuOXYsD\Desktop True 1
Set Environment String name = =C:, value = C:\Users\WhuOXYsD\Documents True 1
Set Environment String name = COPYCMD True 1
Process #5: cmd.exe
63 0
Information Value
ID #5
File Name c:\windows\syswow64\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /C cd C:\Users\WhuOXYsD\Pictures && C:\Users\WhuOXYsD\AppData\Local\Temp\\WinRAR.exe m -r -pMyPassword Pictures *
Initial Working Directory C:\Users\WhuOXYsD\Desktop\
Monitor Start Time: 00:00:45, Reason: Child Process
Unmonitor End Time: 00:01:08, Reason: Self Terminated
Monitor Duration 00:00:22
OS Process Information
Information Value
PID 0x244
Parent PID 0x948 (c:\users\whuoxysd\appdata\local\temp\unnam3d.exe)
Bitness 32-bit
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username EGLAFTB1N8YA\WhuOXYsD
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x950
Host Behavior
File (12)
Operation Filename Additional Information Success Count
Get Info C:\Users\WhuOXYsD\Desktop type = file_attributes True 2
Get Info C:\Users\WhuOXYsD\Pictures type = file_attributes True 2
Open STD_OUTPUT_HANDLE - True 5
Open STD_INPUT_HANDLE - True 3
Registry (17)
Operation Key Additional Information Success Count
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 0, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Process (1)
Operation Process Additional Information Success Count
Create C:\Users\WhuOXYsD\AppData\Local\Temp\WinRAR.exe os_pid = 0x6ac, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Module (8)
Operation Module Additional Information Success Count
Get Handle c:\windows\syswow64\cmd.exe base_address = 0x4a740000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x769a0000 True 2
Get Filename - process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadUILanguage, address_out = 0x769ca84f True 1
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileExW, address_out = 0x769d3b92 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x769b4a5d True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x769ca79d True 1
System (3)
Operation Additional Information Success Count
Get Time type = System Time, time = 2019-04-02 12:04:15 (UTC) True 1
Get Time type = Ticks, time = 10894532 True 1
Get Time type = Performance Ctr, time = 12156766839 True 1
Environment (20)
Operation Additional Information Success Count
Get Environment String - True 8
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Get Environment String name = PROMPT False 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Set Environment String name = PROMPT, value = $P$G True 1
Set Environment String name = =C:, value = C:\Users\WhuOXYsD\Desktop True 1
Set Environment String name = =C:, value = C:\Users\WhuOXYsD\Pictures True 1
Set Environment String name = COPYCMD True 1
Set Environment String name = =ExitCode, value = 00000000 True 1
Set Environment String name = =ExitCodeAscii True 1
Process #6: winrar.exe
1833 0
Information Value
ID #6
File Name c:\users\whuoxysd\appdata\local\temp\winrar.exe
Command Line C:\Users\WhuOXYsD\AppData\Local\Temp\\WinRAR.exe m -r -pMyPassword Desktop *
Initial Working Directory C:\Users\WhuOXYsD\Desktop\
Monitor Start Time: 00:00:46, Reason: Child Process
Unmonitor End Time: 00:01:08, Reason: Self Terminated
Monitor Duration 00:00:22
OS Process Information
Information Value
PID 0x340
Parent PID 0x8d4 (c:\windows\syswow64\cmd.exe)
Bitness 64-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username EGLAFTB1N8YA\WhuOXYsD
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x6A8, 0xA58, 0x6DC, 0x530, 0xAB8, 0xB84, 0xB7C, 0x9B0, 0xB8C, 0x9AC, 0xB28, 0x5E0, 0x1C4, 0x688, 0x238, 0xB94, 0x4AC, 0x720, 0x9B8, 0xBB4, 0xBAC, 0xBC0, 0xBB0, 0xB74, 0x9B4, 0xB70, 0x704, 0x5D0, 0xBE0, 0x374, 0x39C, 0xA48, 0xBE8, 0xBEC, 0xBE4, 0xBDC, 0xBD8, 0xBD4, 0x74C, 0xBD0, 0xBCC, 0xBC8, 0xBC4, 0xBF0, 0x6E4, 0xB9C, 0xBA0, 0x5B8, 0x634, 0xBF8, 0xB00, 0xB04, 0x97C, 0x98C, 0x9FC, 0xA0C, 0xA1C, 0xA2C, 0xA3C, 0xA54, 0xA64, 0xA74, 0xA84, 0xA94, 0xAA4, 0xAB4, 0xAC4, 0xAD4, 0xAE4
Dropped Files
Filename File Size Hash Values YARA Match
Desktop.rar 8.42 MB
MD5: f86ba5fef5fef6e7f3328faaa8aac027
SHA1: 9703bf05e525500ddc7680e0c6049eb2c8b28fa2
SHA256: 544bc424404caa14d14ed54e44213ece17bfd68128e93358e17fb52e30d19411
SSDeep: 196608:w8yCznar4brhLNAMf3uR0edxEjMLw60dQNI7hPr1xBG:wJCznarCZiMI5dGMAFlG
YARA Match: False
Host Behavior
COM (19)
Operation Class Interface Additional Information Success Count
Create 56FDF344-FD6D-11D0-958A-006097C9A090 EA1AFB91-9E28-4B86-90E9-9E9F8A5EEFAF cls_context = CLSCTX_INPROC_SERVER True 19
File (284)
Operation Filename Additional Information Success Count
Create C:\Users\WhuOXYsD\AppData\Local\Temp\winrar.lng desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create \\?\C:\Users\WhuOXYsD\AppData\Local\Temp\winrar.lng desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\version.dat desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\version.dat desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create Desktop.rar desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ False 1
Create \\?\C:\Users\WhuOXYsD\Desktop\Desktop.rar desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ False 1
Create Desktop.rar desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ False 1
Create \\?\C:\Users\WhuOXYsD\Desktop\Desktop.rar desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ False 1
Create Desktop.rar desired_access = GENERIC_WRITE, GENERIC_READ True 1
Create 0SoXJeVDMd8XB.wav desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create 4XGIZDiLaaAzBLi8uMJ.gif desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create 8ZCScAn2t4O2J7-d.doc desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create AVuWJQwE5di201z9 d.ots desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create CjID.mp3 desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create czSQaVnIQO 0LFtEP.flv desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create desktop.ini desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create dfxuFxjX5YwdPMIH\2A58ceH2t.png desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create dfxuFxjX5YwdPMIH\OsbsjTTafsX31mSiaRnW.ppt desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create dfxuFxjX5YwdPMIH\YEeHQp1lME uExplJtB3.flv desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create e-bHwq0LPy0uA9lpR0jp.jpg desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create f7MdNo-AKV0.mkv desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create Fj4kdfeguFEe8WDxBVP.png desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create FuvJMN.m4a desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create gblyrzexggw.exe desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create HAuM_g1AD_0J.mp4 desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create jGh255P.m4a desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create JhTtCfiuDFLeGwcL.bmp desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create L4T8mDg3vHms9Y.xls desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create LFfk9JORsG.avi desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create MKzdWyU3NziO.m4a desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create PWldfUkUS.mp3 desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create Qes6-o-.docx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create TYcyuRxH.mkv desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create w9CVHhfkQl0.mkv desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create wfNksu nJRG5\3rrOtsNWKjt8qLje.swf desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create wfNksu nJRG5\GeJdlc0asWB3ISPXdFJ8.csv desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create wfNksu nJRG5\qHh6uE8iAnd.xls desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create wfNksu nJRG5\RFLcwh3Vitv1c_T4nL.avi desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create wfNksu nJRG5\WIsnHaDYoZ0.ppt desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create wfNksu nJRG5\XTt3.swf desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create wfNksu nJRG5\_acNQOwErx 4yX.mp3 desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create xipMOvrpEcaMKsnrOoK.m4a desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Add Search Path - - True 1
Fn
Get Info STD_INPUT_HANDLE type = file_type False 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type False 1
Fn
Get Info STD_ERROR_HANDLE type = file_type False 1
Fn
Get Info C:\Users\WhuOXYsD\AppData\Local\Temp\WinRAR.ini type = file_attributes False 1
Fn
Get Info \\?\C:\Users\WhuOXYsD\AppData\Local\Temp\WinRAR.ini type = file_attributes False 1
Fn
Get Info C:\Users\WhuOXYsD\AppData\Roaming\WinRAR type = file_attributes True 7
Fn
Get Info C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\WinRAR.ini type = file_attributes False 1
Fn
Get Info \\?\C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\WinRAR.ini type = file_attributes False 1
Fn
Get Info C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\version.dat type = file_type True 1
Fn
Get Info C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\Settings.reg type = file_attributes False 1
Fn
Get Info \\?\C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\Settings.reg type = file_attributes False 1
Fn
Get Info C:\Users\WhuOXYsD\AppData\Local\Temp\Settings.reg type = file_attributes False 2
Fn
Get Info \\?\C:\Users\WhuOXYsD\AppData\Local\Temp\Settings.reg type = file_attributes False 2
Fn
Get Info Desktop type = file_attributes False 1
Fn
Get Info \\?\C:\Users\WhuOXYsD\Desktop\Desktop type = file_attributes False 1
Fn
Get Info Desktop.rar type = file_attributes False 3
Fn
Get Info \\?\C:\Users\WhuOXYsD\Desktop\Desktop.rar type = file_attributes False 3
Fn
Get Info Desktop.zip type = file_attributes False 1
Fn
Get Info \\?\C:\Users\WhuOXYsD\Desktop\Desktop.zip type = file_attributes False 1
Fn
Get Info C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\Themes type = file_attributes False 1
Fn
Get Info \\?\C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\Themes type = file_attributes False 1
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Read 0SoXJeVDMd8XB.wav size = 1048576, size_out = 53827 True 1
Fn
Data
Read 0SoXJeVDMd8XB.wav size = 994749, size_out = 0 True 1
Fn
Read 4XGIZDiLaaAzBLi8uMJ.gif size = 1048576, size_out = 34749 True 1
Fn
Data
Read 4XGIZDiLaaAzBLi8uMJ.gif size = 1013827, size_out = 0 True 1
Fn
Read 8ZCScAn2t4O2J7-d.doc size = 1048576, size_out = 6103 True 1
Fn
Data
Read 8ZCScAn2t4O2J7-d.doc size = 1042473, size_out = 0 True 1
Fn
Read AVuWJQwE5di201z9 d.ots size = 1048576, size_out = 56152 True 1
Fn
Data
Read AVuWJQwE5di201z9 d.ots size = 992424, size_out = 0 True 1
Fn
Read CjID.mp3 size = 1048576, size_out = 52912 True 1
Fn
Data
Read CjID.mp3 size = 995664, size_out = 0 True 1
Fn
Read czSQaVnIQO 0LFtEP.flv size = 1048576, size_out = 64574 True 1
Fn
Data
Read czSQaVnIQO 0LFtEP.flv size = 984002, size_out = 0 True 1
Fn
Read desktop.ini size = 1048576, size_out = 282 True 1
Fn
Data
Read desktop.ini size = 1048294, size_out = 0 True 1
Fn
Read dfxuFxjX5YwdPMIH\2A58ceH2t.png size = 1048576, size_out = 89167 True 1
Fn
Data
Read dfxuFxjX5YwdPMIH\2A58ceH2t.png size = 959409, size_out = 0 True 1
Fn
Read dfxuFxjX5YwdPMIH\OsbsjTTafsX31mSiaRnW.ppt size = 1048576, size_out = 58444 True 1
Fn
Data
Read dfxuFxjX5YwdPMIH\OsbsjTTafsX31mSiaRnW.ppt size = 990132, size_out = 0 True 1
Fn
Read dfxuFxjX5YwdPMIH\YEeHQp1lME uExplJtB3.flv size = 1048576, size_out = 36157 True 1
Fn
Data
Read dfxuFxjX5YwdPMIH\YEeHQp1lME uExplJtB3.flv size = 1012419, size_out = 0 True 1
Fn
Read e-bHwq0LPy0uA9lpR0jp.jpg size = 1048576, size_out = 70986 True 1
Fn
Data
Read e-bHwq0LPy0uA9lpR0jp.jpg size = 977590, size_out = 0 True 1
Fn
Read f7MdNo-AKV0.mkv size = 1048576, size_out = 47783 True 1
Fn
Data
Read f7MdNo-AKV0.mkv size = 1000793, size_out = 0 True 1
Fn
Read Fj4kdfeguFEe8WDxBVP.png size = 1048576, size_out = 23495 True 1
Fn
Data
Read Fj4kdfeguFEe8WDxBVP.png size = 1025081, size_out = 0 True 1
Fn
Read FuvJMN.m4a size = 1048576, size_out = 63964 True 1
Fn
Data
Read FuvJMN.m4a size = 984612, size_out = 0 True 1
Fn
Read gblyrzexggw.exe size = 1048576, size_out = 1048576 True 1
Fn
Data
Read gblyrzexggw.exe size = 3145728, size_out = 3145728 True 1
Fn
Read gblyrzexggw.exe size = 4194304, size_out = 3889152 True 1
Fn
Read gblyrzexggw.exe size = 4194304, size_out = 0 True 1
Fn
Read HAuM_g1AD_0J.mp4 size = 1048576, size_out = 44059 True 1
Fn
Data
Read HAuM_g1AD_0J.mp4 size = 1004517, size_out = 0 True 1
Fn
Read jGh255P.m4a size = 1048576, size_out = 42260 True 1
Fn
Data
Read jGh255P.m4a size = 1006316, size_out = 0 True 1
Fn
Read JhTtCfiuDFLeGwcL.bmp size = 1048576, size_out = 85856 True 1
Fn
Data
Read JhTtCfiuDFLeGwcL.bmp size = 962720, size_out = 0 True 1
Fn
Read L4T8mDg3vHms9Y.xls size = 1048576, size_out = 56779 True 1
Fn
Data
Read L4T8mDg3vHms9Y.xls size = 991797, size_out = 0 True 1
Fn
Read LFfk9JORsG.avi size = 1048576, size_out = 69289 True 1
Fn
Data
Read LFfk9JORsG.avi size = 979287, size_out = 0 True 1
Fn
Read MKzdWyU3NziO.m4a size = 1048576, size_out = 43928 True 1
Fn
Data
Read MKzdWyU3NziO.m4a size = 1004648, size_out = 0 True 1
Fn
Read PWldfUkUS.mp3 size = 1048576, size_out = 3930 True 1
Fn
Data
Read PWldfUkUS.mp3 size = 1044646, size_out = 0 True 1
Fn
Read Qes6-o-.docx size = 1048576, size_out = 100913 True 1
Fn
Data
Read Qes6-o-.docx size = 947663, size_out = 0 True 1
Fn
Read TYcyuRxH.mkv size = 1048576, size_out = 14806 True 1
Fn
Data
Read TYcyuRxH.mkv size = 1033770, size_out = 0 True 1
Fn
Read w9CVHhfkQl0.mkv size = 1048576, size_out = 91951 True 1
Fn
Data
Read w9CVHhfkQl0.mkv size = 956625, size_out = 0 True 1
Fn
Read wfNksu nJRG5\3rrOtsNWKjt8qLje.swf size = 1048576, size_out = 69590 True 1
Fn
Data
Read wfNksu nJRG5\3rrOtsNWKjt8qLje.swf size = 978986, size_out = 0 True 1
Fn
Read wfNksu nJRG5\GeJdlc0asWB3ISPXdFJ8.csv size = 1048576, size_out = 26584 True 1
Fn
Data
Read wfNksu nJRG5\GeJdlc0asWB3ISPXdFJ8.csv size = 1021992, size_out = 0 True 1
Fn
Read wfNksu nJRG5\qHh6uE8iAnd.xls size = 1048576, size_out = 79803 True 1
Fn
Data
Read wfNksu nJRG5\qHh6uE8iAnd.xls size = 968773, size_out = 0 True 1
Fn
Read wfNksu nJRG5\RFLcwh3Vitv1c_T4nL.avi size = 1048576, size_out = 86131 True 1
Fn
Data
Read wfNksu nJRG5\RFLcwh3Vitv1c_T4nL.avi size = 962445, size_out = 0 True 1
Fn
Read wfNksu nJRG5\WIsnHaDYoZ0.ppt size = 1048576, size_out = 27218 True 1
Fn
Data
Read wfNksu nJRG5\WIsnHaDYoZ0.ppt size = 1021358, size_out = 0 True 1
Fn
Read wfNksu nJRG5\XTt3.swf size = 1048576, size_out = 33177 True 1
Fn
Data
Read wfNksu nJRG5\XTt3.swf size = 1015399, size_out = 0 True 1
Fn
Read wfNksu nJRG5\_acNQOwErx 4yX.mp3 size = 1048576, size_out = 99959 True 1
Fn
Data
Read wfNksu nJRG5\_acNQOwErx 4yX.mp3 size = 948617, size_out = 0 True 1
Fn
Read xipMOvrpEcaMKsnrOoK.m4a size = 1048576, size_out = 67031 True 1
Fn
Data
Read xipMOvrpEcaMKsnrOoK.m4a size = 981545, size_out = 0 True 1
Fn
Write C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\version.dat size = 12 True 1
Fn
Data
Write Desktop.rar size = 8 True 2
Fn
Data
Write Desktop.rar size = 18 True 2
Fn
Data
Write Desktop.rar size = 53984 True 1
Fn
Data
Write Desktop.rar size = 101 True 1
Fn
Data
Write Desktop.rar size = 34880 True 1
Fn
Data
Write Desktop.rar size = 107 True 3
Fn
Data
Write Desktop.rar size = 6144 True 1
Fn
Data
Write Desktop.rar size = 102 True 2
Fn
Data
Write Desktop.rar size = 56288 True 1
Fn
Data
Write Desktop.rar size = 106 True 2
Fn
Data
Write Desktop.rar size = 53056 True 1
Fn
Data
Write Desktop.rar size = 92 True 1
Fn
Data
Write Desktop.rar size = 64704 True 1
Fn
Data
Write Desktop.rar size = 176 True 1
Fn
Data
Write Desktop.rar size = 93 True 1
Fn
Data
Write Desktop.rar size = 89376 True 1
Fn
Data
Write Desktop.rar size = 114 True 1
Fn
Data
Write Desktop.rar size = 58576 True 1
Fn
Data
Write Desktop.rar size = 125 True 2
Fn
Data
Write Desktop.rar size = 36304 True 1
Fn
Data
Write Desktop.rar size = 71168 True 1
Fn
Data
Write Desktop.rar size = 108 True 1
Fn
Data
Write Desktop.rar size = 47872 True 1
Fn
Data
Write Desktop.rar size = 99 True 2
Fn
Data
Write Desktop.rar size = 23584 True 1
Fn
Data
Write Desktop.rar size = 64096 True 1
Fn
Data
Write Desktop.rar size = 94 True 1
Fn
Data
Write Desktop.rar size = 262144 True 27
Fn
Data
Write Desktop.rar size = 40160 True 1
Fn
Data
Write Desktop.rar size = 103 True 1
Fn
Data
Write Desktop.rar size = 44160 True 1
Fn
Data
Write Desktop.rar size = 100 True 2
Fn
Data
Write Desktop.rar size = 42368 True 1
Fn
Data
Write Desktop.rar size = 95 True 2
Fn
Data
Write Desktop.rar size = 86048 True 1
Fn
Data
Write Desktop.rar size = 104 True 1
Fn
Data
Write Desktop.rar size = 56912 True 1
Fn
Data
Write Desktop.rar size = 69472 True 1
Fn
Data
Write Desktop.rar size = 98 True 1
Fn
Data
Write Desktop.rar size = 44032 True 1
Fn
Data
Write Desktop.rar size = 3984 True 1
Fn
Data
Write Desktop.rar size = 101136 True 1
Fn
Data
Write Desktop.rar size = 96 True 2
Fn
Data
Write Desktop.rar size = 14848 True 1
Fn
Data
Write Desktop.rar size = 92144 True 1
Fn
Data
Write Desktop.rar size = 69760 True 1
Fn
Data
Write Desktop.rar size = 117 True 1
Fn
Data
Write Desktop.rar size = 26672 True 1
Fn
Data
Write Desktop.rar size = 121 True 1
Fn
Data
Write Desktop.rar size = 79952 True 1
Fn
Data
Write Desktop.rar size = 112 True 2
Fn
Data
Write Desktop.rar size = 86352 True 1
Fn
Data
Write Desktop.rar size = 119 True 1
Fn
Data
Write Desktop.rar size = 27280 True 1
Fn
Data
Write Desktop.rar size = 33312 True 1
Fn
Data
Write Desktop.rar size = 105 True 1
Fn
Data
Write Desktop.rar size = 100224 True 1
Fn
Data
Write Desktop.rar size = 115 True 1
Fn
Data
Write Desktop.rar size = 67232 True 1
Fn
Data
Write Desktop.rar size = 47 True 1
Fn
Data
Write Desktop.rar size = 43 True 1
Fn
Data
Write Desktop.rar size = 19 True 1
Fn
Data
Write Desktop.rar size = 3613 True 1
Fn
Data
Delete Directory wfNksu nJRG5 - True 1
Fn
Delete Directory dfxuFxjX5YwdPMIH - True 1
Fn
Delete xipMOvrpEcaMKsnrOoK.m4a - True 1
Fn
Delete wfNksu nJRG5\_acNQOwErx 4yX.mp3 - True 1
Fn
Delete wfNksu nJRG5\XTt3.swf - True 1
Fn
Delete wfNksu nJRG5\WIsnHaDYoZ0.ppt - True 1
Fn
Delete wfNksu nJRG5\RFLcwh3Vitv1c_T4nL.avi - True 1
Fn
Delete wfNksu nJRG5\qHh6uE8iAnd.xls - True 1
Fn
Delete wfNksu nJRG5\GeJdlc0asWB3ISPXdFJ8.csv - True 1
Fn
Delete wfNksu nJRG5\3rrOtsNWKjt8qLje.swf - True 1
Fn
Delete w9CVHhfkQl0.mkv - True 1
Fn
Delete TYcyuRxH.mkv - True 1
Fn
Delete Qes6-o-.docx - True 1
Fn
Delete PWldfUkUS.mp3 - True 1
Fn
Delete MKzdWyU3NziO.m4a - True 1
Fn
Delete LFfk9JORsG.avi - True 1
Fn
Delete L4T8mDg3vHms9Y.xls - True 1
Fn
Delete JhTtCfiuDFLeGwcL.bmp - True 1
Fn
Delete jGh255P.m4a - True 1
Fn
Delete HAuM_g1AD_0J.mp4 - True 1
Fn
Delete gblyrzexggw.exe - True 1
Fn
Delete FuvJMN.m4a - True 1
Fn
Delete Fj4kdfeguFEe8WDxBVP.png - True 1
Fn
Delete f7MdNo-AKV0.mkv - True 1
Fn
Delete e-bHwq0LPy0uA9lpR0jp.jpg - True 1
Fn
Delete dfxuFxjX5YwdPMIH\YEeHQp1lME uExplJtB3.flv - True 1
Fn
Delete dfxuFxjX5YwdPMIH\OsbsjTTafsX31mSiaRnW.ppt - True 1
Fn
Delete dfxuFxjX5YwdPMIH\2A58ceH2t.png - True 1
Fn
Delete desktop.ini - True 1
Fn
Delete czSQaVnIQO 0LFtEP.flv - True 1
Fn
Delete CjID.mp3 - True 1
Fn
Delete AVuWJQwE5di201z9 d.ots - True 1
Fn
Delete 8ZCScAn2t4O2J7-d.doc - True 1
Fn
Delete 4XGIZDiLaaAzBLi8uMJ.gif - True 1
Fn
Delete 0SoXJeVDMd8XB.wav - True 1
Fn
Registry (245)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\Software\WinRAR\General - True 1
Fn
Create Key HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes - True 2
Fn
Create Key HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths - True 4
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\General - False 4
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Paths - False 7
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\WinRAR\Policy - False 4
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Policy - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\Software\WinRAR - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR - True 2
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\General - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Extraction - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\General - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 - True 81
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\5 - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Compression - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\FileList - False 8
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths - False 9
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnStates - False 5
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnStates - False 5
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Interface - True 2
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\General - True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR value_name = rarkey, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\General value_name = Priority, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR value_name = rarreg.key, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\General value_name = SMP, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Default, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 2
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ArcName, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = FileNames False 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ExclNames True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ExclNames, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = StoreNames True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = StoreNames, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = UseRAR, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = RAR5, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SFXModule, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SFX, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SFXIcon, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SFXLogo, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SFXElevate, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = CmtFile, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = CmtDataWide, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = CmtTextWide, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = CmtTextData, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = VolumeSize, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = VolSizeMod, data = 2, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = VolPause, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = OldVolNames, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = RecVolNumber, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Update, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Fresh, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SyncFiles, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Overwrite, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Move, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ArcRecBin, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ArcWipe, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = WipeIfPassword, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Solid, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Test, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = RecEnabled, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = RecSize, data = 4294967293, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Recovery, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = EraseDest, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = AddArcOnly, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ClearArc, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Lock, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Method, data = 3, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = DictSizeLZ, data = 4194304, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = DictSize, data = 33554432, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Name, data = Default Profile, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = PasswordData, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = EncryptHeaders, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ZipLegacyEncrypt, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = OpenShared, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ProcessOwners, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SaveStreams, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SaveSymLinks, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SaveHardLinks, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Background, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = WaitForOther, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Shutdown, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = GenerateArcName, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = VersionControl, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = BLAKE2, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = FileCopies, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = QuickOpen, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = GenerateMask, data = yyyymmddhhmmss, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = FileTimeMode, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = FileDays, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = FileHours, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = FileMinutes, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ArcTimeOriginal, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ArcTimeLatest, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = mtime, data = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ctime, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = atime, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = PathsAbs, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = PathsNone, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = PathsAbsDrive, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ImmExec, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SeparateArc, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SeparateArcDoubleExt, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SeparateArcSubfolders, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = EmailArcTo, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = PackDetails, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\WinRAR\Interface value_name = SystemProgressBar, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Interface value_name = TaskbarProgressBar, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\General value_name = Sound, data = 1, type = REG_NONE False 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\General value_name = VerInfo, size = 12, type = REG_BINARY True 1
Fn
Data
Write Value HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes value_name = ShellExtBMP, size = 2, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes value_name = ShellExtIcon, size = 2, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths value_name = name, data = 120, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths value_name = size, data = 80, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths value_name = type, data = 120, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths value_name = mtime, data = 100, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Module (51)
Operation Module Additional Information Success Count Logfile
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 2
Fn
Load api-ms-win-core-synch-l1-2-0 base_address = 0x7fef7a20000 True 2
Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 4
Fn
Load - base_address = 0x0 False 1
Fn
Load kernel32 base_address = 0x77ae0000 True 2
Fn
Load kernel32 base_address = 0x0 False 1
Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x0 False 2
Fn
Load C:\Users\WhuOXYsD\AppData\Local\Temp\rarlng.dll base_address = 0x0 False 1
Fn
Load C:\Windows\system32\riched20.dll base_address = 0x7fef7980000 True 1
Fn
Load C:\Windows\system32\Crypt32.dll base_address = 0x7fefdc00000 True 1
Fn
Load api-ms-win-appmodel-runtime-l1-1-1 base_address = 0x0 False 2
Fn
Load ext-ms-win-kernel32-package-current-l1-1-0 base_address = 0x0 False 2
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77ae0000 True 3
Fn
Get Handle c:\users\whuoxysd\appdata\local\temp\winrar.exe base_address = 0x13f160000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS True 1
Fn
Get Handle c:\users\whuoxysd\appdata\local\temp\winrar.exe base_address = 0x13f160000 True 2
Fn
Get Handle mscoree.dll - False 1
Fn
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\whuoxysd\appdata\local\temp\winrar.exe, file_name_orig = C:\Users\WhuOXYsD\AppData\Local\Temp\WinRAR.exe, size = 260 True 1
Fn
Get Filename - process_name = c:\users\whuoxysd\appdata\local\temp\winrar.exe, file_name_orig = C:\Users\WhuOXYsD\AppData\Local\Temp\WinRAR.exe, size = 2048 True 1
Fn
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\whuoxysd\appdata\local\temp\winrar.exe, file_name_orig = C:\Users\WhuOXYsD\AppData\Local\Temp\WinRAR.exe, size = 2048 True 1
Fn
Get Filename C:\Users\WhuOXYsD\AppData\Local\Temp\rarlng.dll process_name = c:\users\whuoxysd\appdata\local\temp\winrar.exe, file_name_orig = C:\Users\WhuOXYsD\AppData\Local\Temp\WinRAR.exe, size = 2048 True 4
Fn
Get Address c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll function = InitializeCriticalSectionEx, address_out = 0x0 False 2
Fn
Get Address c:\windows\system32\kernel32.dll function = FlsAlloc, address_out = 0x77af7190 True 2
Fn
Get Address c:\windows\system32\kernel32.dll function = FlsSetValue, address_out = 0x77afbd90 True 2
Fn
Get Address c:\windows\system32\kernel32.dll function = FlsGetValue, address_out = 0x77b03520 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LCMapStringEx, address_out = 0x77b2b710 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c384f0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SleepConditionVariableCS, address_out = 0x77b2b230 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WakeAllConditionVariable, address_out = 0x77c200b0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetDllDirectoryW, address_out = 0x77b2d8c0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x0 False 1
Fn
Get Address c:\windows\system32\crypt32.dll function = CryptProtectMemory, address_out = 0x7fefdc316f8 True 1
Fn
Get Address c:\windows\system32\crypt32.dll function = CryptUnprotectMemory, address_out = 0x7fefdc3171c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CompareStringOrdinal, address_out = 0x77afd720 True 1
Fn
Window (6)
Operation Window Name Additional Information Success Count Logfile
Create WinRAR class_name = WinRarWindow, wndproc_parameter = 0 True 1
Fn
Create - class_name = SysListView32, wndproc_parameter = 0 True 1
Fn
Create - class_name = tooltips_class32, wndproc_parameter = 0 True 1
Fn
Create - class_name = tooltips_class32, wndproc_parameter = 0 True 1
Fn
Find - class_name = WinRarWindow True 1
Fn
Find - class_name = WinRarWindow True 1
Fn
Keyboard (4)
Operation Additional Information Success Count Logfile
Get Info type = KB_CODEPAGE, result_out = 437 True 1
Fn
Read virtual_key_code = VK_SHIFT, result_out = 0 True 3
Fn
System (673)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-04-02 12:04:15 (UTC) True 1
Fn
Get Time type = Performance Ctr, time = 12514842502 True 1
Fn
Get Time type = Performance Ctr, time = 12518867803 True 1
Fn
Get Time type = System Time, time = 2019-04-02 12:04:16 (UTC) True 1
Fn
Get Time type = Local Time, time = 2019-04-02 16:04:16 (Local Time) True 1
Fn
Get Time type = Performance Ctr, time = 12872668189 True 1
Fn
Get Time type = Ticks, time = 10896420 True 4
Fn
Get Time type = System Time, time = 2019-04-02 12:04:17 (UTC) True 2
Fn
Get Time type = Performance Ctr, time = 12929900214 True 1
Fn
Get Time type = Performance Ctr, time = 12930018838 True 1
Fn
Get Time type = Ticks, time = 10896685 True 1
Fn
Get Time type = Ticks, time = 10899337 True 1
Fn
Get Time type = Performance Ctr, time = 13196364461 True 1
Fn
Get Time type = Ticks, time = 10899493 True 3
Fn
Get Time type = System Time, time = 2019-04-02 12:04:20 (UTC) True 4
Fn
Get Time type = Performance Ctr, time = 13211114475 True 1
Fn
Get Time type = Performance Ctr, time = 13212280596 True 1
Fn
Get Time type = Ticks, time = 10899509 True 2
Fn
Get Time type = Ticks, time = 10899883 True 1
Fn
Get Time type = Performance Ctr, time = 13437021817 True 1
Fn
Get Time type = Ticks, time = 10899945 True 3
Fn
Get Time type = Ticks, time = 10900195 True 10
Fn
Get Time type = Performance Ctr, time = 13462281104 True 1
Fn
Get Time type = Performance Ctr, time = 13462564984 True 1
Fn
Get Time type = Performance Ctr, time = 13463057023 True 1
Fn
Get Time type = Ticks, time = 10900211 True 20
Fn
Get Time type = Performance Ctr, time = 13463617651 True 1
Fn
Get Time type = Performance Ctr, time = 13463764445 True 1
Fn
Get Time type = Performance Ctr, time = 13463982241 True 1
Fn
Get Time type = Performance Ctr, time = 13464298504 True 1
Fn
Get Time type = Performance Ctr, time = 13464433258 True 1
Fn
Get Time type = Performance Ctr, time = 13464954266 True 1
Fn
Get Time type = Ticks, time = 10900226 True 10
Fn
Get Time type = System Time, time = 2019-04-02 12:04:21 (UTC) True 11
Fn
Get Time type = Performance Ctr, time = 13465574069 True 1
Fn
Get Time type = Performance Ctr, time = 13465788819 True 1
Fn
Get Time type = Performance Ctr, time = 13466220026 True 1
Fn
Get Time type = Ticks, time = 10900242 True 6
Fn
Get Time type = Performance Ctr, time = 13466826965 True 1
Fn
Get Time type = Performance Ctr, time = 13467043611 True 1
Fn
Get Time type = Ticks, time = 10900335 True 6
Fn
Get Time type = Performance Ctr, time = 13476522789 True 1
Fn
Get Time type = Performance Ctr, time = 13477230184 True 1
Fn
Get Time type = Ticks, time = 10900351 True 14
Fn
Get Time type = Performance Ctr, time = 13477532209 True 1
Fn
Get Time type = Performance Ctr, time = 13477595192 True 1
Fn
Get Time type = Performance Ctr, time = 13477884501 True 1
Fn
Get Time type = Performance Ctr, time = 13478029887 True 1
Fn
Get Time type = Ticks, time = 10900367 True 10
Fn
Get Time type = Performance Ctr, time = 13479366267 True 1
Fn
Get Time type = Performance Ctr, time = 13480099743 True 1
Fn
Get Time type = Performance Ctr, time = 13480418697 True 1
Fn
Get Time type = Ticks, time = 10900382 True 10
Fn
Get Time type = Performance Ctr, time = 13480904298 True 1
Fn
Get Time type = Performance Ctr, time = 13481491407 True 1
Fn
Get Time type = Performance Ctr, time = 13481696627 True 1
Fn
Get Time type = Ticks, time = 10900554 True 10
Fn
Get Time type = Performance Ctr, time = 13498080682 True 1
Fn
Get Time type = Performance Ctr, time = 13498843309 True 1
Fn
Get Time type = Performance Ctr, time = 13499093119 True 1
Fn
Get Time type = Ticks, time = 10900569 True 10
Fn
Get Time type = Performance Ctr, time = 13499735238 True 1
Fn
Get Time type = Performance Ctr, time = 13500545471 True 1
Fn
Get Time type = Performance Ctr, time = 13500792808 True 1
Fn
Get Time type = Ticks, time = 10900585 True 14
Fn
Get Time type = Performance Ctr, time = 13501208066 True 1
Fn
Get Time type = Performance Ctr, time = 13501718702 True 1
Fn
Get Time type = Performance Ctr, time = 13502069192 True 1
Fn
Get Time type = Performance Ctr, time = 13502328086 True 1
Fn
Get Time type = Ticks, time = 10900601 True 6
Fn
Get Time type = Performance Ctr, time = 13502759548 True 1
Fn
Get Time type = Performance Ctr, time = 13502922029 True 1
Fn
Get Time type = Ticks, time = 10900694 True 6
Fn
Get Time type = Performance Ctr, time = 13512273156 True 1
Fn
Get Time type = Performance Ctr, time = 13512885640 True 1
Fn
Get Time type = Ticks, time = 10900835 True 4
Fn
Get Time type = Performance Ctr, time = 13526812910 True 1
Fn
Get Time type = Ticks, time = 10902629 True 1
Fn
Get Time type = Performance Ctr, time = 28213577408 True 1
Fn
Get Time type = Ticks, time = 10902722 True 3
Fn
Get Time type = Ticks, time = 10903892 True 10
Fn
Get Time type = Performance Ctr, time = 59820875328 True 1
Fn
Get Time type = System Time, time = 2019-04-02 12:04:24 (UTC) True 6
Fn
Get Time type = Performance Ctr, time = 63320669952 True 1
Fn
Get Time type = Performance Ctr, time = 63321061989 True 1
Fn
Get Time type = Ticks, time = 10903908 True 14
Fn
Get Time type = Performance Ctr, time = 63321709259 True 1
Fn
Get Time type = Performance Ctr, time = 63322137687 True 1
Fn
Get Time type = Performance Ctr, time = 63322304853 True 1
Fn
Get Time type = Performance Ctr, time = 63322654258 True 1
Fn
Get Time type = Ticks, time = 10903923 True 6
Fn
Get Time type = Performance Ctr, time = 63323122692 True 1
Fn
Get Time type = Performance Ctr, time = 63323303990 True 1
Fn
Get Time type = Ticks, time = 10904126 True 4
Fn
Get Time type = Performance Ctr, time = 63346510474 True 1
Fn
Get Time type = Ticks, time = 10904142 True 10
Fn
Get Time type = Performance Ctr, time = 66846431859 True 1
Fn
Get Time type = Performance Ctr, time = 66846742333 True 1
Fn
Get Time type = Performance Ctr, time = 66847363333 True 1
Fn
Get Time type = Ticks, time = 10904157 True 6
Fn
Get Time type = Performance Ctr, time = 66848426144 True 1
Fn
Get Time type = Performance Ctr, time = 66848645547 True 1
Fn
Get Time type = Ticks, time = 10904173 True 10
Fn
Get Time type = Performance Ctr, time = 66849190387 True 1
Fn
Get Time type = Performance Ctr, time = 70348785924 True 1
Fn
Get Time type = Performance Ctr, time = 70349025917 True 1
Fn
Get Time type = Ticks, time = 10904407 True 16
Fn
Get Time type = Performance Ctr, time = 73873027853 True 1
Fn
Get Time type = System Time, time = 2019-04-02 12:04:25 (UTC) True 12
Fn
Get Time type = Performance Ctr, time = 73873693334 True 1
Fn
Get Time type = Performance Ctr, time = 73873840650 True 1
Fn
Get Time type = Performance Ctr, time = 73873957491 True 1
Fn
Get Time type = Performance Ctr, time = 73874316231 True 1
Fn
Get Time type = Ticks, time = 10904423 True 10
Fn
Get Time type = Performance Ctr, time = 73874503922 True 1
Fn
Get Time type = Performance Ctr, time = 73875276474 True 1
Fn
Get Time type = Performance Ctr, time = 73875796560 True 1
Fn
Get Time type = Ticks, time = 10904438 True 14
Fn
Get Time type = Performance Ctr, time = 73876176320 True 1
Fn
Get Time type = Performance Ctr, time = 73876377848 True 1
Fn
Get Time type = Performance Ctr, time = 73876655887 True 1
Fn
Get Time type = Performance Ctr, time = 73876798647 True 1
Fn
Get Time type = Ticks, time = 10904454 True 10
Fn
Get Time type = Performance Ctr, time = 73877505539 True 1
Fn
Get Time type = Performance Ctr, time = 77377216901 True 1
Fn
Get Time type = Performance Ctr, time = 77377515946 True 1
Fn
Get Time type = Ticks, time = 10904516 True 10
Fn
Get Time type = Performance Ctr, time = 80884153218 True 1
Fn
Get Time type = Performance Ctr, time = 80885107852 True 1
Fn
Get Time type = Performance Ctr, time = 80885327953 True 1
Fn
Get Time type = Ticks, time = 10904532 True 14
Fn
Get Time type = Performance Ctr, time = 80885671823 True 1
Fn
Get Time type = Performance Ctr, time = 80886086302 True 1
Fn
Get Time type = Performance Ctr, time = 80886245567 True 1
Fn
Get Time type = Performance Ctr, time = 80886835388 True 1
Fn
Get Time type = Ticks, time = 10904547 True 6
Fn
Get Time type = Performance Ctr, time = 84386496912 True 1
Fn
Get Time type = Performance Ctr, time = 84386775422 True 1
Fn
Get Time type = Ticks, time = 10904563 True 10
Fn
Get Time type = Performance Ctr, time = 84387678791 True 1
Fn
Get Time type = Performance Ctr, time = 84388168487 True 1
Fn
Get Time type = Performance Ctr, time = 84388441405 True 1
Fn
Get Time type = Ticks, time = 10904657 True 10
Fn
Get Time type = Performance Ctr, time = 84400037334 True 1
Fn
Get Time type = Performance Ctr, time = 84400523644 True 1
Fn
Get Time type = Performance Ctr, time = 84400712315 True 1
Fn
Get Time type = Ticks, time = 10904672 True 10
Fn
Get Time type = Performance Ctr, time = 84401042596 True 1
Fn
Get Time type = Performance Ctr, time = 84401507454 True 1
Fn
Get Time type = Performance Ctr, time = 84401802355 True 1
Fn
Get Time type = Ticks, time = 10904688 True 10
Fn
Get Time type = Performance Ctr, time = 84402663786 True 1
Fn
Get Time type = Performance Ctr, time = 87902321077 True 1
Fn
Get Time type = Performance Ctr, time = 87902649367 True 1
Fn
Get Time type = Ticks, time = 10904703 True 8
Fn
Get Time type = Performance Ctr, time = 91404761946 True 1
Fn
Get Time type = Ticks, time = 10906903 True 4
Fn
Get Time type = Performance Ctr, time = 91624477958 True 1
Fn
Get Time type = Ticks, time = 10907418 True 28
Fn
Get Time type = Performance Ctr, time = 95178123222 True 1
Fn
Get Time type = Performance Ctr, time = 95178534783 True 1
Fn
Get Time type = Performance Ctr, time = 95178728535 True 1
Fn
Get Time type = Performance Ctr, time = 95178897113 True 1
Fn
Get Time type = Performance Ctr, time = 95179033290 True 1
Fn
Get Time type = Performance Ctr, time = 95179171378 True 1
Fn
Get Time type = Performance Ctr, time = 95179323493 True 1
Fn
Get Time type = Ticks, time = 10907433 True 4
Fn
Get Time type = Performance Ctr, time = 95179485161 True 1
Fn
Get Time type = Ticks, time = 10907527 True 32
Fn
Get Time type = Performance Ctr, time = 95188972497 True 1
Fn
Get Time type = Performance Ctr, time = 95189137591 True 1
Fn
Get Time type = Performance Ctr, time = 95189424913 True 1
Fn
Get Time type = Performance Ctr, time = 95189590127 True 1
Fn
Get Time type = Performance Ctr, time = 95189744521 True 1
Fn
Get Time type = Performance Ctr, time = 95189896346 True 1
Fn
Get Time type = Performance Ctr, time = 95190048082 True 1
Fn
Get Time type = Performance Ctr, time = 95190198437 True 1
Fn
Get Time type = Ticks, time = 10907543 True 34
Fn
Get Time type = Performance Ctr, time = 95190371125 True 1
Fn
Get Time type = Performance Ctr, time = 95190632390 True 1
Fn
Get Time type = Performance Ctr, time = 95190834492 True 1
Fn
Get Time type = Performance Ctr, time = 95191087031 True 1
Fn
Get Time type = Performance Ctr, time = 95191240036 True 1
Fn
Get Time type = Performance Ctr, time = 95191394757 True 1
Fn
Get Time type = Performance Ctr, time = 95191549521 True 1
Fn
Get Time type = Performance Ctr, time = 95191700700 True 1
Fn
Get Time type = Performance Ctr, time = 95191943524 True 1
Fn
Get Time type = Ticks, time = 10907558 True 10
Fn
Get Time type = Performance Ctr, time = 95192163174 True 1
Fn
Get Time type = Performance Ctr, time = 95192302292 True 1
Fn
Get Time type = Ticks, time = 10907652 True 28
Fn
Get Time type = Performance Ctr, time = 95201510897 True 1
Fn
Get Time type = Performance Ctr, time = 95201750758 True 1
Fn
Get Time type = Performance Ctr, time = 95201960184 True 1
Fn
Get Time type = Performance Ctr, time = 95202120673 True 1
Fn
Get Time type = Performance Ctr, time = 95202299667 True 1
Fn
Get Time type = Performance Ctr, time = 95202478691 True 1
Fn
Get Time type = Performance Ctr, time = 95202658126 True 1
Fn
Get Time type = Ticks, time = 10907667 True 4
Fn
Get Time type = Performance Ctr, time = 95202819176 True 1
Fn
Get Time type = Performance Ctr, time = 95206347866 True 1
Fn
Get Time type = Performance Ctr, time = 95206372045 True 1
Fn
Get Info type = Operating System True 2
Fn
Get Info type = System Directory, result_out = C:\Windows\system32 True 2
Fn
Mutex (2)
Operation Additional Information Success Count
Create mutex_name = WinRAR_Busy True 1
Release mutex_name = WinRAR_Busy True 1
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Process #7: winrar.exe
Information Value
ID #7
File Name c:\users\whuoxysd\appdata\local\temp\winrar.exe
Command Line C:\Users\WhuOXYsD\AppData\Local\Temp\\WinRAR.exe m -r -pMyPassword Pictures *
Initial Working Directory C:\Users\WhuOXYsD\Pictures\
Monitor Start Time: 00:00:46, Reason: Child Process
Unmonitor End Time: 00:01:08, Reason: Self Terminated
Monitor Duration 00:00:22
OS Process Information
Information Value
PID 0x6ac
Parent PID 0x244 (c:\windows\syswow64\cmd.exe)
Bitness 64-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username EGLAFTB1N8YA\WhuOXYsD
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA10, 0xA40, 0x2C8, 0xA78, 0x760, 0xAF8, 0xAFC, 0xB48, 0x96C, 0x978, 0xBA8, 0xB90, 0x968, 0x970, 0x9D8, 0x808, 0x9D4, 0x9C8, 0x9CC, 0x9D0, 0x9C4, 0x810, 0x620, 0x9C0, 0x7DC, 0x854, 0x7FC, 0x784, 0x398, 0x53C, 0x90, 0x768, 0x848, 0x834, 0x7D8, 0x6F0, 0x84C, 0x788, 0x7B4, 0x7F8, 0x7AC, 0x68C, 0x4A4, 0x420, 0x4CC, 0x858, 0x8E4, 0xBF4, 0x64, 0x574, 0x814, 0x38C, 0x804, 0x92C, 0x88C, 0x910, 0x3B8, 0x820, 0x824, 0x90C, 0x818, 0x6C0, 0x2EC, 0x5C0, 0x638, 0xB40, 0xB3C, 0xB38, 0xB34
Dropped Files
Filename File Size Hash Values YARA Match Actions
Pictures.rar 9.10 MB MD5: 7bf2ee95ffc00b4496762468e4227d44
SHA1: f93457257e95c65a24ddc307132053c00c5a5b08
SHA256: 1e0611ee8df0cd446b1d7aa1c6719e4c42fddd6b51db155422cbe0c06b8e03b6
SSDeep: 196608:Oqc0UeJbHEOp0EV3pDYcBVrj7SzekHBhZk22Vp8QBvxWuH1e:MCJI+0gJYcPNCvkV8QOuQ
False
Host Behavior
COM (13)
Operation Class Interface Additional Information Success Count
Create 56FDF344-FD6D-11D0-958A-006097C9A090 EA1AFB91-9E28-4B86-90E9-9E9F8A5EEFAF cls_context = CLSCTX_INPROC_SERVER True 13
File (297)
Operation Filename Additional Information Success Count
Create C:\Users\WhuOXYsD\AppData\Local\Temp\winrar.lng desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create \\?\C:\Users\WhuOXYsD\AppData\Local\Temp\winrar.lng desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\version.dat desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create Pictures.rar desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ False 1
Create \\?\C:\Users\WhuOXYsD\Pictures\Pictures.rar desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ False 1
Create Pictures.rar desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ False 1
Create \\?\C:\Users\WhuOXYsD\Pictures\Pictures.rar desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ False 1
Create Pictures.rar desired_access = GENERIC_WRITE, GENERIC_READ True 1
Create 6so3uw\9Cnbfi2a\B5WGJFxuORhJIbLXl.jpg desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create 6so3uw\9Cnbfi2a\JzMMZnM0QB06bugb_OB.gif desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create 6so3uw\9Cnbfi2a\mwTl5gGRtX.png desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create 6so3uw\9Cnbfi2a\RIcQ1EmpXOwuZfKzm7T.bmp desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create 6so3uw\9Cnbfi2a\_J-TfTf8bux6i5ev.jpg desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create 6so3uw\c0kYrk2r.gif desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create 6so3uw\F6rd1F-UBg20OJcO.bmp desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create 6so3uw\kSdj3VO3TR7ki6gTEs.gif desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create atyP90aK6HDTB.png desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create desktop.ini desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create FF-GXA22K-J\23KKWJn4X.jpg desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create FF-GXA22K-J\FKAF idlRz23ptJ2k-O.bmp desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create FF-GXA22K-J\i--dke3Y4B2pF6twr.bmp desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create FF-GXA22K-J\qe4w BUBvbI.png desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create FF-GXA22K-J\TXT2nL.jpg desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create FF-GXA22K-J\y_NnvZ hOSogKdF.gif desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create HoZdmtHokVR3Wl.jpg desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create Itucwf.jpg desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create m6NzXvQi8lk.jpg desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create r8gP7fn6WcydRhKaYYc.png desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\0XRpWOZ7BIgaFl\AcSwmq12.png desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\0XRpWOZ7BIgaFl\FS9X-Jz92l3SkJz_uf.bmp desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\0XRpWOZ7BIgaFl\G StNxmi.gif desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\0XRpWOZ7BIgaFl\o7iZDtChRQGlm.png desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\aEAx1CrFMianQavi.jpg desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\Ni-WplZKUKZ.gif desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\UqtyoyIZxKksp3kD\dn2lN2aa\pQzU4fgJS_VJhSEBB.bmp desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\UqtyoyIZxKksp3kD\dn2lN2aa\PSQZiwIN8uJzzTdjOFX.jpg desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create ULcrruHeMH6lLDqYX5zP\u_fq38hVgFy.png desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create ULcrruHeMH6lLDqYX5zP\zTrGUpS5uq YgUIf.png desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create UrPVXySoY.jpg desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create xuzEq3zwZkPG\UhrjNpf0XOWEy -M.png desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Add Search Path - - True 1
Get Info STD_INPUT_HANDLE type = file_type False 1
Get Info STD_OUTPUT_HANDLE type = file_type False 1
Get Info STD_ERROR_HANDLE type = file_type False 1
Get Info C:\Users\WhuOXYsD\AppData\Local\Temp\WinRAR.ini type = file_attributes False 1
Get Info \\?\C:\Users\WhuOXYsD\AppData\Local\Temp\WinRAR.ini type = file_attributes False 1
Get Info C:\Users\WhuOXYsD\AppData\Roaming\WinRAR type = file_attributes True 7
Get Info C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\WinRAR.ini type = file_attributes False 1
Get Info \\?\C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\WinRAR.ini type = file_attributes False 1
Get Info C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\version.dat type = file_type True 1
Get Info C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\Settings.reg type = file_attributes False 1
Get Info \\?\C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\Settings.reg type = file_attributes False 1
Get Info C:\Users\WhuOXYsD\AppData\Local\Temp\Settings.reg type = file_attributes False 2
Get Info \\?\C:\Users\WhuOXYsD\AppData\Local\Temp\Settings.reg type = file_attributes False 2
Get Info Pictures type = file_attributes False 1
Get Info \\?\C:\Users\WhuOXYsD\Pictures\Pictures type = file_attributes False 1
Get Info Pictures.rar type = file_attributes False 3
Get Info \\?\C:\Users\WhuOXYsD\Pictures\Pictures.rar type = file_attributes False 3
Get Info Pictures.zip type = file_attributes False 1
Get Info \\?\C:\Users\WhuOXYsD\Pictures\Pictures.zip type = file_attributes False 1
Get Info C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\Themes type = file_attributes False 1
Get Info \\?\C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\Themes type = file_attributes False 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Read C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\version.dat size = 4096, size_out = 12 True 1
Read 6so3uw\9Cnbfi2a\B5WGJFxuORhJIbLXl.jpg size = 1048576, size_out = 62410 True 1
Read 6so3uw\9Cnbfi2a\B5WGJFxuORhJIbLXl.jpg size = 986166, size_out = 0 True 1
Read 6so3uw\9Cnbfi2a\JzMMZnM0QB06bugb_OB.gif size = 1048576, size_out = 101959 True 1
Read 6so3uw\9Cnbfi2a\JzMMZnM0QB06bugb_OB.gif size = 946617, size_out = 0 True 1
Read 6so3uw\9Cnbfi2a\mwTl5gGRtX.png size = 1048576, size_out = 41414 True 1
Read 6so3uw\9Cnbfi2a\mwTl5gGRtX.png size = 1007162, size_out = 0 True 1
Read 6so3uw\9Cnbfi2a\RIcQ1EmpXOwuZfKzm7T.bmp size = 1048576, size_out = 15905 True 1
Read 6so3uw\9Cnbfi2a\RIcQ1EmpXOwuZfKzm7T.bmp size = 1032671, size_out = 0 True 1
Read 6so3uw\9Cnbfi2a\_J-TfTf8bux6i5ev.jpg size = 1048576, size_out = 68802 True 1
Read 6so3uw\9Cnbfi2a\_J-TfTf8bux6i5ev.jpg size = 979774, size_out = 0 True 1
Read 6so3uw\c0kYrk2r.gif size = 1048576, size_out = 75686 True 1
Read 6so3uw\c0kYrk2r.gif size = 972890, size_out = 0 True 1
Read 6so3uw\F6rd1F-UBg20OJcO.bmp size = 1048576, size_out = 28024 True 1
Read 6so3uw\F6rd1F-UBg20OJcO.bmp size = 1020552, size_out = 0 True 1
Read 6so3uw\kSdj3VO3TR7ki6gTEs.gif size = 1048576, size_out = 75564 True 1
Read 6so3uw\kSdj3VO3TR7ki6gTEs.gif size = 973012, size_out = 0 True 1
Read atyP90aK6HDTB.png size = 1048576, size_out = 15791 True 1
Read atyP90aK6HDTB.png size = 1032785, size_out = 0 True 1
Read desktop.ini size = 1048576, size_out = 504 True 1
Read desktop.ini size = 1048072, size_out = 0 True 1
Read FF-GXA22K-J\23KKWJn4X.jpg size = 1048576, size_out = 14013 True 1
Read FF-GXA22K-J\23KKWJn4X.jpg size = 1034563, size_out = 0 True 1
Read FF-GXA22K-J\FKAF idlRz23ptJ2k-O.bmp size = 1048576, size_out = 61183 True 1
Read FF-GXA22K-J\FKAF idlRz23ptJ2k-O.bmp size = 987393, size_out = 0 True 1
Read FF-GXA22K-J\i--dke3Y4B2pF6twr.bmp size = 1048576, size_out = 48840 True 1
Read FF-GXA22K-J\i--dke3Y4B2pF6twr.bmp size = 999736, size_out = 0 True 1
Read FF-GXA22K-J\qe4w BUBvbI.png size = 1048576, size_out = 68481 True 1
Read FF-GXA22K-J\qe4w BUBvbI.png size = 980095, size_out = 0 True 1
Read FF-GXA22K-J\TXT2nL.jpg size = 1048576, size_out = 24661 True 1
Read FF-GXA22K-J\TXT2nL.jpg size = 1023915, size_out = 0 True 1
Read FF-GXA22K-J\y_NnvZ hOSogKdF.gif size = 1048576, size_out = 77540 True 1
Read FF-GXA22K-J\y_NnvZ hOSogKdF.gif size = 971036, size_out = 0 True 1
Read HoZdmtHokVR3Wl.jpg size = 1048576, size_out = 40987 True 1
Read HoZdmtHokVR3Wl.jpg size = 1007589, size_out = 0 True 1
Read Itucwf.jpg size = 1048576, size_out = 1048576 True 1
Read Itucwf.jpg size = 3145728, size_out = 2304558 True 1
Read Itucwf.jpg size = 4194304, size_out = 0 True 1
Read m6NzXvQi8lk.jpg size = 1048576, size_out = 80062 True 1
Read m6NzXvQi8lk.jpg size = 968514, size_out = 0 True 1
Read r8gP7fn6WcydRhKaYYc.png size = 1048576, size_out = 36515 True 1
Read r8gP7fn6WcydRhKaYYc.png size = 1012061, size_out = 0 True 1
Read ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\0XRpWOZ7BIgaFl\AcSwmq12.png size = 1048576, size_out = 61507 True 1
Read ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\0XRpWOZ7BIgaFl\AcSwmq12.png size = 987069, size_out = 0 True 1
Read ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\0XRpWOZ7BIgaFl\FS9X-Jz92l3SkJz_uf.bmp size = 1048576, size_out = 43065 True 1
Read ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\0XRpWOZ7BIgaFl\FS9X-Jz92l3SkJz_uf.bmp size = 1005511, size_out = 0 True 1
Read ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\0XRpWOZ7BIgaFl\G StNxmi.gif size = 1048576, size_out = 60425 True 1
Read ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\0XRpWOZ7BIgaFl\G StNxmi.gif size = 988151, size_out = 0 True 1
Read ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\0XRpWOZ7BIgaFl\o7iZDtChRQGlm.png size = 1048576, size_out = 75417 True 1
Read ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\0XRpWOZ7BIgaFl\o7iZDtChRQGlm.png size = 973159, size_out = 0 True 1
Read ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\aEAx1CrFMianQavi.jpg size = 1048576, size_out = 44093 True 1
Read ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\aEAx1CrFMianQavi.jpg size = 1004483, size_out = 0 True 1
Read ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\Ni-WplZKUKZ.gif size = 1048576, size_out = 88331 True 1
Read ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\Ni-WplZKUKZ.gif size = 960245, size_out = 0 True 1
Read ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\UqtyoyIZxKksp3kD\dn2lN2aa\pQzU4fgJS_VJhSEBB.bmp size = 1048576, size_out = 30691 True 1
Read ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\UqtyoyIZxKksp3kD\dn2lN2aa\pQzU4fgJS_VJhSEBB.bmp size = 1017885, size_out = 0 True 1
Read ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\UqtyoyIZxKksp3kD\dn2lN2aa\PSQZiwIN8uJzzTdjOFX.jpg size = 1048576, size_out = 48632 True 1
Read ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\UqtyoyIZxKksp3kD\dn2lN2aa\PSQZiwIN8uJzzTdjOFX.jpg size = 999944, size_out = 0 True 1
Read ULcrruHeMH6lLDqYX5zP\u_fq38hVgFy.png size = 1048576, size_out = 9525 True 1
Read ULcrruHeMH6lLDqYX5zP\u_fq38hVgFy.png size = 1039051, size_out = 0 True 1
Read ULcrruHeMH6lLDqYX5zP\zTrGUpS5uq YgUIf.png size = 1048576, size_out = 73694 True 1
Read ULcrruHeMH6lLDqYX5zP\zTrGUpS5uq YgUIf.png size = 974882, size_out = 0 True 1
Read UrPVXySoY.jpg size = 1048576, size_out = 1048576 True 1
Read UrPVXySoY.jpg size = 3145728, size_out = 3145728 True 1
Read UrPVXySoY.jpg size = 4194304, size_out = 643537 True 1
Read UrPVXySoY.jpg size = 4194304, size_out = 0 True 1
Read xuzEq3zwZkPG\UhrjNpf0XOWEy -M.png size = 1048576, size_out = 36059 True 1
Read xuzEq3zwZkPG\UhrjNpf0XOWEy -M.png size = 1012517, size_out = 0 True 1
Write Pictures.rar size = 8 True 2
Write Pictures.rar size = 18 True 2
Write Pictures.rar size = 62528 True 1
Write Pictures.rar size = 121 True 1
Write Pictures.rar size = 102208 True 1
Write Pictures.rar size = 123 True 2
Write Pictures.rar size = 41520 True 1
Write Pictures.rar size = 114 True 1
Write Pictures.rar size = 15936 True 1
Write Pictures.rar size = 68992 True 1
Write Pictures.rar size = 120 True 2
Write Pictures.rar size = 75840 True 1
Write Pictures.rar size = 103 True 1
Write Pictures.rar size = 28096 True 1
Write Pictures.rar size = 111 True 2
Write Pictures.rar size = 75728 True 1
Write Pictures.rar size = 113 True 1
Write Pictures.rar size = 15840 True 1
Write Pictures.rar size = 101 True 2
Write Pictures.rar size = 208 True 1
Write Pictures.rar size = 93 True 1
Write Pictures.rar size = 14048 True 1
Write Pictures.rar size = 109 True 1
Write Pictures.rar size = 61296 True 1
Write Pictures.rar size = 119 True 1
Write Pictures.rar size = 48928 True 1
Write Pictures.rar size = 117 True 2
Write Pictures.rar size = 68656 True 1
Write Pictures.rar size = 24752 True 1
Write Pictures.rar size = 106 True 1
Write Pictures.rar size = 77696 True 1
Write Pictures.rar size = 115 True 1
Write Pictures.rar size = 41088 True 1
Write Pictures.rar size = 102 True 1
Write Pictures.rar size = 262144 True 30
Write Pictures.rar size = 101344 True 1
Write Pictures.rar size = 98 True 1
Write Pictures.rar size = 80240 True 1
Write Pictures.rar size = 99 True 1
Write Pictures.rar size = 36640 True 1
Write Pictures.rar size = 107 True 1
Write Pictures.rar size = 61632 True 1
Write Pictures.rar size = 147 True 2
Write Pictures.rar size = 43152 True 1
Write Pictures.rar size = 157 True 1
Write Pictures.rar size = 60560 True 1
Write Pictures.rar size = 75568 True 1
Write Pictures.rar size = 152 True 1
Write Pictures.rar size = 44208 True 1
Write Pictures.rar size = 140 True 1
Write Pictures.rar size = 88560 True 1
Write Pictures.rar size = 135 True 1
Write Pictures.rar size = 30736 True 1
Write Pictures.rar size = 167 True 1
Write Pictures.rar size = 48736 True 1
Write Pictures.rar size = 169 True 1
Write Pictures.rar size = 9568 True 1
Write Pictures.rar size = 73856 True 1
Write Pictures.rar size = 125 True 1
Write Pictures.rar size = 56720 True 1
Write Pictures.rar size = 36192 True 1
Write Pictures.rar size = 91 True 1
Write Pictures.rar size = 80 True 1
Write Pictures.rar size = 82 True 1
Write Pictures.rar size = 46 True 1
Write Pictures.rar size = 65 True 1
Write Pictures.rar size = 49 True 1
Write Pictures.rar size = 37 True 1
Write Pictures.rar size = 42 True 1
Write Pictures.rar size = 51 True 1
Write Pictures.rar size = 43 True 1
Write Pictures.rar size = 19 True 1
Write Pictures.rar size = 4148 True 1
Delete Directory xuzEq3zwZkPG - True 1
Delete Directory ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\UqtyoyIZxKksp3kD\dn2lN2aa - True 1
Delete Directory ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\UqtyoyIZxKksp3kD - True 1
Delete Directory ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\0XRpWOZ7BIgaFl - True 1
Delete Directory ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl - True 1
Delete Directory ULcrruHeMH6lLDqYX5zP - True 1
Delete Directory FF-GXA22K-J - True 1
Delete Directory 6so3uw\9Cnbfi2a - True 1
Delete Directory 6so3uw - True 1
Delete Directory 4Vw2ygLPEu-Maci0qp - True 1
Delete xuzEq3zwZkPG\UhrjNpf0XOWEy -M.png - True 1
Delete UrPVXySoY.jpg - True 1
Delete ULcrruHeMH6lLDqYX5zP\zTrGUpS5uq YgUIf.png - True 1
Delete ULcrruHeMH6lLDqYX5zP\u_fq38hVgFy.png - True 1
Delete ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\UqtyoyIZxKksp3kD\dn2lN2aa\PSQZiwIN8uJzzTdjOFX.jpg - True 1
Delete ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\UqtyoyIZxKksp3kD\dn2lN2aa\pQzU4fgJS_VJhSEBB.bmp - True 1
Delete ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\Ni-WplZKUKZ.gif - True 1
Delete ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\aEAx1CrFMianQavi.jpg - True 1
Delete ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\0XRpWOZ7BIgaFl\o7iZDtChRQGlm.png - True 1
Delete ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\0XRpWOZ7BIgaFl\G StNxmi.gif - True 1
Delete ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\0XRpWOZ7BIgaFl\FS9X-Jz92l3SkJz_uf.bmp - True 1
Delete ULcrruHeMH6lLDqYX5zP\HNlFrbJUHSODl\0XRpWOZ7BIgaFl\AcSwmq12.png - True 1
Delete r8gP7fn6WcydRhKaYYc.png - True 1
Delete m6NzXvQi8lk.jpg - True 1
Delete Itucwf.jpg - True 1
Delete HoZdmtHokVR3Wl.jpg - True 1
Delete FF-GXA22K-J\y_NnvZ hOSogKdF.gif - True 1
Delete FF-GXA22K-J\TXT2nL.jpg - True 1
Delete FF-GXA22K-J\qe4w BUBvbI.png - True 1
Delete FF-GXA22K-J\i--dke3Y4B2pF6twr.bmp - True 1
Delete FF-GXA22K-J\FKAF idlRz23ptJ2k-O.bmp - True 1
Delete FF-GXA22K-J\23KKWJn4X.jpg - True 1
Delete desktop.ini - True 1
Delete atyP90aK6HDTB.png - True 1
Delete 6so3uw\kSdj3VO3TR7ki6gTEs.gif - True 1
Delete 6so3uw\F6rd1F-UBg20OJcO.bmp - True 1
Delete 6so3uw\c0kYrk2r.gif - True 1
Delete 6so3uw\9Cnbfi2a\_J-TfTf8bux6i5ev.jpg - True 1
Delete 6so3uw\9Cnbfi2a\RIcQ1EmpXOwuZfKzm7T.bmp - True 1
Delete 6so3uw\9Cnbfi2a\mwTl5gGRtX.png - True 1
Delete 6so3uw\9Cnbfi2a\JzMMZnM0QB06bugb_OB.gif - True 1
Delete 6so3uw\9Cnbfi2a\B5WGJFxuORhJIbLXl.jpg - True 1
Registry (1035)
»
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 - True 72
Fn
Create Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 - True 72
Fn
Create Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 - True 72
Fn
Create Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 - True 72
Fn
Create Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 - True 70
Fn
Create Key HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes - True 2
Fn
Create Key HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths - True 4
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\General - False 4
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Paths - False 7
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 - True 11
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\General - True 5
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 - True 9
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 - True 7
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 - True 5
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\Software\WinRAR\Policy - False 4
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Policy - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\Software\WinRAR - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR - True 2
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\General - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Extraction - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\General - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 - True 81
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\5 - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Compression - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\FileList - False 8
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths - False 9
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnStates - False 5
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnStates - False 5
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Interface - True 2
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\General - True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\General value_name = SMP, data = 1, type = REG_NONE False 4
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Name, data = Default Profile, type = REG_SZ True 4
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = Name, data = Create e-mail attachment, type = REG_SZ True 3
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = Name, data = Backup selected files, type = REG_SZ True 2
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = Name, data = Create 10 MB volumes, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\General value_name = VerInfo, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\WinRAR value_name = rarkey, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\General value_name = Priority, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR value_name = rarreg.key, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\General value_name = SMP, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Default, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 2
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ArcName, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = FileNames False 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ExclNames True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ExclNames, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = StoreNames True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = StoreNames, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = UseRAR, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = RAR5, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SFXModule, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SFX, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SFXIcon, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SFXLogo, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SFXElevate, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = CmtFile, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = CmtDataWide, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = CmtTextWide, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = CmtTextData, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = VolumeSize, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = VolSizeMod, data = 2, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = VolPause, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = OldVolNames, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = RecVolNumber, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Update, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Fresh, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SyncFiles, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Overwrite, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Move, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ArcRecBin, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ArcWipe, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = WipeIfPassword, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Solid, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Test, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = RecEnabled, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = RecSize, data = 4294967293, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Recovery, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = EraseDest, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = AddArcOnly, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ClearArc, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Lock, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Method, data = 3, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = DictSizeLZ, data = 4194304, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = DictSize, data = 33554432, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Name, data = Default Profile, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = PasswordData, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = EncryptHeaders, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ZipLegacyEncrypt, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = OpenShared, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ProcessOwners, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SaveStreams, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SaveSymLinks, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SaveHardLinks, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Background, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = WaitForOther, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Shutdown, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = GenerateArcName, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = VersionControl, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = BLAKE2, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = FileCopies, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = QuickOpen, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = GenerateMask, data = yyyymmddhhmmss, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = FileTimeMode, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = FileDays, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = FileHours, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = FileMinutes, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ArcTimeOriginal, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ArcTimeLatest, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = mtime, data = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ctime, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = atime, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = PathsAbs, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = PathsNone, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = PathsAbsDrive, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ImmExec, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SeparateArc, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SeparateArcDoubleExt, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SeparateArcSubfolders, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = EmailArcTo, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = PackDetails, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes value_name = ActivePath, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Interface value_name = SystemProgressBar, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\Interface value_name = TaskbarProgressBar, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\WinRAR\General value_name = Sound, data = 1, type = REG_NONE False 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Name, data = Default Profile, size = 32, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Default, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ImmExec, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ExclNames, size = 2, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = StoreNames, size = 2, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = UseRAR, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = RAR5, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SFXModule, size = 2, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SFXIcon, size = 2, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SFXLogo, size = 2, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SFXElevate, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = CmtFile, size = 2, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = CmtDataWide, size = 2, type = REG_BINARY True 1
Fn
Data
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = VolumeSize, data = 0, size = 4, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = VolSizeMod, data = 2, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = VolPause, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = OldVolNames, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = RecVolNumber, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Update, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Fresh, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SyncFiles, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Overwrite, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Move, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ArcRecBin, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ArcWipe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = WipeIfPassword, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Solid, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Test, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = RecEnabled, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = RecSize, data = 4294967293, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = EraseDest, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = AddArcOnly, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ClearArc, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Lock, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Method, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = DictSizeLZ, data = 4194304, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = DictSize, data = 33554432, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Background, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = WaitForOther, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Shutdown, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = PasswordData, size = 1, type = REG_BINARY True 1
Fn
Data
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = EncryptHeaders, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ZipLegacyEncrypt, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = OpenShared, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ProcessOwners, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SaveStreams, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SaveSymLinks, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SaveHardLinks, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = GenerateArcName, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = VersionControl, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = BLAKE2, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = FileCopies, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = QuickOpen, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = GenerateMask, data = yyyymmddhhmmss, size = 30, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = FileTimeMode, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = FileDays, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = FileHours, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = FileMinutes, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = FileTimeLimit, data = 0, size = 8, type = REG_QWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ArcTimeOriginal, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ArcTimeLatest, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = mtime, data = 4, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ctime, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = atime, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = PathsAbs, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = PathsNone, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = PathsAbsDrive, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SeparateArc, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SeparateArcDoubleExt, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SeparateArcSubfolders, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = EmailArcTo, size = 2, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = PackDetails, size = 192, type = REG_BINARY True 1
Fn
Data
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = Name, data = Create e-mail attachment, size = 50, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = Default, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = ImmExec, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = ExclNames, size = 2, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = StoreNames, size = 2, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = UseRAR, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = RAR5, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = SFXModule, size = 2, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = SFXIcon, size = 2, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = SFXLogo, size = 2, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = SFXElevate, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = CmtFile, size = 2, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = CmtDataWide, size = 2, type = REG_BINARY True 1
Fn
Data
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = VolumeSize, data = 0, size = 4, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = VolSizeMod, data = 2, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = VolPause, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = OldVolNames, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = RecVolNumber, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = Update, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = Fresh, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = SyncFiles, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = Overwrite, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = Move, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = ArcRecBin, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = ArcWipe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = WipeIfPassword, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = Solid, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = Test, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = RecEnabled, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = RecSize, data = 4294967293, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = EraseDest, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = AddArcOnly, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = ClearArc, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = Lock, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = Method, data = 5, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = DictSizeLZ, data = 33554432, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = DictSize, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = Background, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = WaitForOther, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = Shutdown, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = PasswordData, size = 1, type = REG_BINARY True 1
Fn
Data
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = EncryptHeaders, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = ZipLegacyEncrypt, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = OpenShared, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = ProcessOwners, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = SaveStreams, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = SaveSymLinks, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = SaveHardLinks, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = GenerateArcName, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = VersionControl, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = BLAKE2, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = FileCopies, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = QuickOpen, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = GenerateMask, data = yyyymmddhhmmss, size = 30, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = FileTimeMode, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = FileDays, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = FileHours, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = FileMinutes, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = FileTimeLimit, data = 0, size = 8, type = REG_QWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = ArcTimeOriginal, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = ArcTimeLatest, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = mtime, data = 4, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = ctime, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = atime, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = PathsAbs, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = PathsNone, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = PathsAbsDrive, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = SeparateArc, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = SeparateArcDoubleExt, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = SeparateArcSubfolders, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = EmailArcTo, size = 2, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = PackDetails, size = 192, type = REG_BINARY True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = Name, data = Backup selected files, size = 44, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = Default, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = ImmExec, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = ExclNames, size = 2, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = StoreNames, size = 2, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = UseRAR, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = RAR5, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = SFXModule, size = 2, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = SFXIcon, size = 2, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = SFXLogo, size = 2, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = SFXElevate, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = CmtFile, size = 2, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = CmtDataWide, size = 2, type = REG_BINARY True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = VolumeSize, data = 0, size = 4, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = VolSizeMod, data = 2, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = VolPause, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = OldVolNames, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = RecVolNumber, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = Update, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = Fresh, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = SyncFiles, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = Overwrite, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = Move, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = ArcRecBin, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = ArcWipe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = WipeIfPassword, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = Solid, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = Test, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = RecEnabled, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = RecSize, data = 4294967293, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = EraseDest, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = AddArcOnly, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = ClearArc, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = Lock, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = Method, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = DictSizeLZ, data = 33554432, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = DictSize, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = Background, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = WaitForOther, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = Shutdown, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = PasswordData, size = 1, type = REG_BINARY True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = EncryptHeaders, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = ZipLegacyEncrypt, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = OpenShared, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = ProcessOwners, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = SaveStreams, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = SaveSymLinks, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = SaveHardLinks, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = GenerateArcName, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = VersionControl, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = BLAKE2, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = FileCopies, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = QuickOpen, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = GenerateMask, data = yyyymmddhhmmss, size = 30, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = FileTimeMode, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = FileDays, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = FileHours, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = FileMinutes, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = FileTimeLimit, data = 0, size = 8, type = REG_QWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = ArcTimeOriginal, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = ArcTimeLatest, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = mtime, data = 4, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = ctime, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = atime, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = PathsAbs, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = PathsNone, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = PathsAbsDrive, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = SeparateArc, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = SeparateArcDoubleExt, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = SeparateArcSubfolders, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = EmailArcTo, size = 2, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = PackDetails, size = 192, type = REG_BINARY True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = Name, data = Create 10 MB volumes, size = 42, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = Default, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = ImmExec, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = ExclNames, size = 2, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = StoreNames, size = 2, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = UseRAR, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = RAR5, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = SFXModule, size = 2, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = SFXIcon, size = 2, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = SFXLogo, size = 2, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = SFXElevate, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = CmtFile, size = 2, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = CmtDataWide, size = 2, type = REG_BINARY True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = VolumeSize, data = 10485760, size = 18, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = VolSizeMod, data = 2, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = VolPause, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = OldVolNames, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = RecVolNumber, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = Update, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = Fresh, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = SyncFiles, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = Overwrite, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = Move, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = ArcRecBin, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = ArcWipe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = WipeIfPassword, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = Solid, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = Test, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = RecEnabled, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = RecSize, data = 4294967293, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = EraseDest, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = AddArcOnly, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = ClearArc, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = Lock, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = Method, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = DictSizeLZ, data = 33554432, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = DictSize, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = Background, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = WaitForOther, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = Shutdown, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = PasswordData, size = 1, type = REG_BINARY True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = EncryptHeaders, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = ZipLegacyEncrypt, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = OpenShared, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = ProcessOwners, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = SaveStreams, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = SaveSymLinks, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = SaveHardLinks, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = GenerateArcName, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = VersionControl, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = BLAKE2, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = FileCopies, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = QuickOpen, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = GenerateMask, data = yyyymmddhhmmss, size = 30, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = FileTimeMode, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = FileDays, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = FileHours, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = FileMinutes, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = FileTimeLimit, data = 0, size = 8, type = REG_QWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = ArcTimeOriginal, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = ArcTimeLatest, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = mtime, data = 4, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = ctime, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = atime, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = PathsAbs, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = PathsNone, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = PathsAbsDrive, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = SeparateArc, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = SeparateArcDoubleExt, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = SeparateArcSubfolders, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = EmailArcTo, size = 2, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = PackDetails, size = 192, type = REG_BINARY True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = Name, data = ZIP archive (low compression), size = 60, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = Default, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = ImmExec, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = ExclNames, size = 2, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = StoreNames, size = 2, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = UseRAR, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = RAR5, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = SFXModule, size = 2, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = SFXIcon, size = 2, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = SFXLogo, size = 2, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = SFXElevate, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = CmtFile, size = 2, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = CmtDataWide, size = 2, type = REG_BINARY True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = VolumeSize, data = 0, size = 4, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = VolSizeMod, data = 2, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = VolPause, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = OldVolNames, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = RecVolNumber, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = Update, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = Fresh, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = SyncFiles, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = Overwrite, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = Move, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = ArcRecBin, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = ArcWipe, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = WipeIfPassword, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = Solid, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = Test, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = RecEnabled, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = RecSize, data = 4294967293, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = EraseDest, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = AddArcOnly, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = ClearArc, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = Lock, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = Method, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = Background, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = WaitForOther, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = Shutdown, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = PasswordData, size = 1, type = REG_BINARY True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = EncryptHeaders, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = ZipLegacyEncrypt, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = OpenShared, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = ProcessOwners, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = SaveStreams, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = SaveSymLinks, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = SaveHardLinks, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = GenerateArcName, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = VersionControl, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = BLAKE2, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = FileCopies, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = QuickOpen, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = GenerateMask, data = yyyymmddhhmmss, size = 30, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = FileTimeMode, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = FileDays, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = FileHours, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = FileMinutes, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = FileTimeLimit, data = 0, size = 8, type = REG_QWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = ArcTimeOriginal, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = ArcTimeLatest, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = mtime, data = 4, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = ctime, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = atime, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = PathsAbs, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = PathsNone, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = PathsAbsDrive, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = SeparateArc, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = SeparateArcDoubleExt, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = SeparateArcSubfolders, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = EmailArcTo, size = 2, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = PackDetails, size = 192, type = REG_BINARY True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes value_name = ShellExtBMP, size = 2, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes value_name = ShellExtIcon, size = 2, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths value_name = name, data = 120, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths value_name = size, data = 80, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths value_name = type, data = 120, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths value_name = mtime, data = 100, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Delete Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ArcName False 1
Fn
Delete Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = FileNames False 1
Fn
Delete Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SFX False 1
Fn
Delete Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = ArcName False 1
Fn
Delete Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = FileNames False 1
Fn
Delete Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 value_name = SFX False 1
Fn
Delete Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = ArcName False 1
Fn
Delete Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = FileNames False 1
Fn
Delete Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 value_name = SFX False 1
Fn
Delete Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = ArcName False 1
Fn
Delete Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = FileNames False 1
Fn
Delete Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 value_name = SFX False 1
Fn
Delete Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = ArcName False 1
Fn
Delete Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = FileNames False 1
Fn
Delete Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 value_name = SFX False 1
Fn
Module (51)
Operation Module Additional Information Success Count Logfile
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 2
Fn
Load api-ms-win-core-synch-l1-2-0 base_address = 0x7fef7a20000 True 2
Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 4
Fn
Load - base_address = 0x0 False 1
Fn
Load kernel32 base_address = 0x77ae0000 True 2
Fn
Load kernel32 base_address = 0x0 False 1
Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x0 False 2
Fn
Load C:\Users\WhuOXYsD\AppData\Local\Temp\rarlng.dll base_address = 0x0 False 1
Fn
Load C:\Windows\system32\riched20.dll base_address = 0x7fef7980000 True 1
Fn
Load C:\Windows\system32\Crypt32.dll base_address = 0x7fefdc00000 True 1
Fn
Load api-ms-win-appmodel-runtime-l1-1-1 base_address = 0x0 False 2
Fn
Load ext-ms-win-kernel32-package-current-l1-1-0 base_address = 0x0 False 2
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77ae0000 True 3
Fn
Get Handle c:\users\whuoxysd\appdata\local\temp\winrar.exe base_address = 0x13f160000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS True 1
Fn
Get Handle c:\users\whuoxysd\appdata\local\temp\winrar.exe base_address = 0x13f160000 True 2
Fn
Get Handle mscoree.dll - False 1
Fn
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\whuoxysd\appdata\local\temp\winrar.exe, file_name_orig = C:\Users\WhuOXYsD\AppData\Local\Temp\WinRAR.exe, size = 260 True 1
Fn
Get Filename - process_name = c:\users\whuoxysd\appdata\local\temp\winrar.exe, file_name_orig = C:\Users\WhuOXYsD\AppData\Local\Temp\WinRAR.exe, size = 2048 True 1
Fn
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\whuoxysd\appdata\local\temp\winrar.exe, file_name_orig = C:\Users\WhuOXYsD\AppData\Local\Temp\WinRAR.exe, size = 2048 True 1
Fn
Get Filename C:\Users\WhuOXYsD\AppData\Local\Temp\rarlng.dll process_name = c:\users\whuoxysd\appdata\local\temp\winrar.exe, file_name_orig = C:\Users\WhuOXYsD\AppData\Local\Temp\WinRAR.exe, size = 2048 True 4
Fn
Get Address c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll function = InitializeCriticalSectionEx, address_out = 0x0 False 2
Fn
Get Address c:\windows\system32\kernel32.dll function = FlsAlloc, address_out = 0x77af7190 True 2
Fn
Get Address c:\windows\system32\kernel32.dll function = FlsSetValue, address_out = 0x77afbd90 True 2
Fn
Get Address c:\windows\system32\kernel32.dll function = FlsGetValue, address_out = 0x77b03520 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LCMapStringEx, address_out = 0x77b2b710 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c384f0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SleepConditionVariableCS, address_out = 0x77b2b230 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WakeAllConditionVariable, address_out = 0x77c200b0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetDllDirectoryW, address_out = 0x77b2d8c0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x0 False 1
Fn
Get Address c:\windows\system32\crypt32.dll function = CryptProtectMemory, address_out = 0x7fefdc316f8 True 1
Fn
Get Address c:\windows\system32\crypt32.dll function = CryptUnprotectMemory, address_out = 0x7fefdc3171c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CompareStringOrdinal, address_out = 0x77afd720 True 1
Fn
Window (6)
Operation Window Name Additional Information Success Count Logfile
Create WinRAR class_name = WinRarWindow, wndproc_parameter = 0 True 1
Fn
Create - class_name = SysListView32, wndproc_parameter = 0 True 1
Fn
Create - class_name = tooltips_class32, wndproc_parameter = 0 True 1
Fn
Create - class_name = tooltips_class32, wndproc_parameter = 0 True 1
Fn
Find - class_name = WinRarWindow True 1
Fn
Find - class_name = WinRarWindow True 1
Fn
Keyboard (4)
Operation Additional Information Success Count Logfile
Get Info type = KB_CODEPAGE, result_out = 437 True 1
Fn
Read virtual_key_code = VK_SHIFT, result_out = 0 True 3
Fn
System (710)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-04-02 12:04:15 (UTC) True 1
Fn
Get Time type = Performance Ctr, time = 12515963894 True 1
Fn
Get Time type = Performance Ctr, time = 12517499009 True 1
Fn
Get Time type = System Time, time = 2019-04-02 12:04:16 (UTC) True 1
Fn
Get Time type = Local Time, time = 2019-04-02 16:04:16 (Local Time) True 1
Fn
Get Time type = Performance Ctr, time = 12897491989 True 1
Fn
Get Time type = Ticks, time = 10896607 True 1
Fn
Get Time type = Ticks, time = 10896623 True 3
Fn
Get Time type = System Time, time = 2019-04-02 12:04:17 (UTC) True 2
Fn
Get Time type = Performance Ctr, time = 12933977074 True 1
Fn
Get Time type = Performance Ctr, time = 12934092874 True 1
Fn
Get Time type = Ticks, time = 10896716 True 1
Fn
Get Time type = Ticks, time = 10899290 True 1
Fn
Get Time type = Performance Ctr, time = 13190782205 True 1
Fn
Get Time type = Ticks, time = 10899587 True 3
Fn
Get Time type = System Time, time = 2019-04-02 12:04:20 (UTC) True 1
Fn
Get Time type = Performance Ctr, time = 13353084064 True 1
Fn
Get Time type = Performance Ctr, time = 13354239960 True 1
Fn
Get Time type = Ticks, time = 10899602 True 2
Fn
Get Time type = Ticks, time = 10900070 True 1
Fn
Get Time type = Performance Ctr, time = 13450986294 True 1
Fn
Get Time type = Ticks, time = 10900086 True 3
Fn
Get Time type = Ticks, time = 10900289 True 6
Fn
Get Time type = System Time, time = 2019-04-02 12:04:21 (UTC) True 17
Fn
Get Time type = Performance Ctr, time = 13471727887 True 1
Fn
Get Time type = Performance Ctr, time = 13472062958 True 1
Fn
Get Time type = Ticks, time = 10900460 True 10
Fn
Get Time type = Performance Ctr, time = 13488563282 True 1
Fn
Get Time type = Performance Ctr, time = 13489526397 True 1
Fn
Get Time type = Performance Ctr, time = 13489884732 True 1
Fn
Get Time type = Ticks, time = 10900476 True 16
Fn
Get Time type = Performance Ctr, time = 13490287251 True 1
Fn
Get Time type = Performance Ctr, time = 13490814485 True 1
Fn
Get Time type = Performance Ctr, time = 13490974789 True 1
Fn
Get Time type = Performance Ctr, time = 13491189373 True 1
Fn
Get Time type = Performance Ctr, time = 13491503359 True 1
Fn
Get Time type = Ticks, time = 10900491 True 10
Fn
Get Time type = Performance Ctr, time = 13491677517 True 1
Fn
Get Time type = Performance Ctr, time = 13492361614 True 1
Fn
Get Time type = Performance Ctr, time = 13492979637 True 1
Fn
Get Time type = Ticks, time = 10900601 True 4
Fn
Get Time type = Performance Ctr, time = 13503560604 True 1
Fn
Get Time type = Ticks, time = 10900616 True 14
Fn
Get Time type = Performance Ctr, time = 13504295588 True 1
Fn
Get Time type = Performance Ctr, time = 13504981215 True 1
Fn
Get Time type = Performance Ctr, time = 13505230115 True 1
Fn
Get Time type = Performance Ctr, time = 13505517486 True 1
Fn
Get Time type = Ticks, time = 10900632 True 10
Fn
Get Time type = Performance Ctr, time = 13506205071 True 1
Fn
Get Time type = Performance Ctr, time = 13506378872 True 1
Fn
Get Time type = Performance Ctr, time = 13506978744 True 1
Fn
Get Time type = Ticks, time = 10900647 True 16
Fn
Get Time type = Performance Ctr, time = 13507612220 True 1
Fn
Get Time type = Performance Ctr, time = 13507845509 True 1
Fn
Get Time type = Performance Ctr, time = 13508082835 True 1
Fn
Get Time type = Performance Ctr, time = 13508417689 True 1
Fn
Get Time type = Performance Ctr, time = 13508536871 True 1
Fn
Get Time type = Ticks, time = 10900741 True 20
Fn
Get Time type = Performance Ctr, time = 13516604803 True 1
Fn
Get Time type = Performance Ctr, time = 13517074611 True 1
Fn
Get Time type = Performance Ctr, time = 13517182774 True 1
Fn
Get Time type = Performance Ctr, time = 13517412939 True 1
Fn
Get Time type = Performance Ctr, time = 13517718140 True 1
Fn
Get Time type = Performance Ctr, time = 13517867360 True 1
Fn
Get Time type = Ticks, time = 10900757 True 10
Fn
Get Time type = Performance Ctr, time = 13518476602 True 1
Fn
Get Time type = Performance Ctr, time = 13519095110 True 1
Fn
Get Time type = Performance Ctr, time = 13519305006 True 1
Fn
Get Time type = Ticks, time = 10900772 True 14
Fn
Get Time type = Performance Ctr, time = 13519718992 True 1
Fn
Get Time type = Performance Ctr, time = 13520210731 True 1
Fn
Get Time type = Performance Ctr, time = 13520415049 True 1
Fn
Get Time type = Performance Ctr, time = 13520974722 True 1
Fn
Get Time type = Ticks, time = 10900788 True 6
Fn
Get Time type = Performance Ctr, time = 13521574891 True 1
Fn
Get Time type = Performance Ctr, time = 13521800600 True 1
Fn
Get Time type = Ticks, time = 10900991 True 10
Fn
Get Time type = Performance Ctr, time = 13541916073 True 1
Fn
Get Time type = Performance Ctr, time = 13542576144 True 1
Fn
Get Time type = Performance Ctr, time = 13542822635 True 1
Fn
Get Time type = Ticks, time = 10901006 True 10
Fn
Get Time type = Performance Ctr, time = 13543531793 True 1
Fn
Get Time type = Performance Ctr, time = 13544125045 True 1
Fn
Get Time type = Performance Ctr, time = 13544384109 True 1
Fn
Get Time type = Ticks, time = 10901022 True 4
Fn
Get Time type = Performance Ctr, time = 13544761538 True 1
Fn
Get Time type = Ticks, time = 10901115 True 2
Fn
Get Time type = Performance Ctr, time = 13554903890 True 1
Fn
Get Time type = Ticks, time = 10901162 True 4
Fn
Get Time type = Performance Ctr, time = 13559623456 True 1
Fn
Get Time type = Ticks, time = 10904267 True 1
Fn
Get Time type = Performance Ctr, time = 13873902504 True 1
Fn
Get Time type = Ticks, time = 10904313 True 5
Fn
Get Time type = System Time, time = 2019-04-02 12:04:25 (UTC) True 13
Fn
Get Time type = Performance Ctr, time = 13875137465 True 1
Fn
Get Time type = Ticks, time = 10904329 True 10
Fn
Get Time type = Performance Ctr, time = 13875600106 True 1
Fn
Get Time type = Performance Ctr, time = 13876302166 True 1
Fn
Get Time type = Performance Ctr, time = 13876811224 True 1
Fn
Get Time type = Ticks, time = 10904345 True 14
Fn
Get Time type = Performance Ctr, time = 13877109142 True 1
Fn
Get Time type = Performance Ctr, time = 13877441946 True 1
Fn
Get Time type = Performance Ctr, time = 13877871495 True 1
Fn
Get Time type = Performance Ctr, time = 13878051397 True 1
Fn
Get Time type = Ticks, time = 10904454 True 1
Fn
Get Time type = Performance Ctr, time = 13903632655 True 1
Fn
Get Time type = Ticks, time = 10904610 True 5
Fn
Get Time type = Performance Ctr, time = 13904688347 True 1
Fn
Get Time type = Ticks, time = 10904625 True 18
Fn
Get Time type = Performance Ctr, time = 13905005137 True 1
Fn
Get Time type = Performance Ctr, time = 13905391554 True 1
Fn
Get Time type = Performance Ctr, time = 13905860002 True 1
Fn
Get Time type = Performance Ctr, time = 13906032831 True 1
Fn
Get Time type = Performance Ctr, time = 13906478368 True 1
Fn
Get Time type = Ticks, time = 10904641 True 12
Fn
Get Time type = Performance Ctr, time = 13906949251 True 1
Fn
Get Time type = Performance Ctr, time = 13907171906 True 1
Fn
Get Time type = Performance Ctr, time = 13907738609 True 1
Fn
Get Time type = Performance Ctr, time = 13908208135 True 1
Fn
Get Time type = Ticks, time = 10904657 True 4
Fn
Get Time type = Performance Ctr, time = 13908451904 True 1
Fn
Get Time type = Ticks, time = 10904766 True 10
Fn
Get Time type = Performance Ctr, time = 13919196610 True 1
Fn
Get Time type = Performance Ctr, time = 13919808273 True 1
Fn
Get Time type = Performance Ctr, time = 13920081079 True 1
Fn
Get Time type = Ticks, time = 10904781 True 14
Fn
Get Time type = Performance Ctr, time = 13920864311 True 1
Fn
Get Time type = Performance Ctr, time = 13921386762 True 1
Fn
Get Time type = Performance Ctr, time = 13921693295 True 1
Fn
Get Time type = Performance Ctr, time = 13921981844 True 1
Fn
Get Time type = Ticks, time = 10904797 True 16
Fn
Get Time type = Performance Ctr, time = 13922408281 True 1
Fn
Get Time type = Performance Ctr, time = 13922559500 True 1
Fn
Get Time type = Performance Ctr, time = 13922938749 True 1
Fn
Get Time type = Performance Ctr, time = 13923350467 True 1
Fn
Get Time type = Performance Ctr, time = 13923507125 True 1
Fn
Get Time type = Ticks, time = 10904813 True 10
Fn
Get Time type = Performance Ctr, time = 13923729003 True 1
Fn
Get Time type = Performance Ctr, time = 13924120282 True 1
Fn
Get Time type = Performance Ctr, time = 13924252589 True 1
Fn
Get Time type = Ticks, time = 10904891 True 6
Fn
Get Time type = Performance Ctr, time = 13932054929 True 1
Fn
Get Time type = Performance Ctr, time = 13932579592 True 1
Fn
Get Time type = Ticks, time = 10905031 True 4
Fn
Get Time type = Performance Ctr, time = 13946325660 True 1
Fn
Get Time type = Ticks, time = 10905905 True 4
Fn
Get Time type = Performance Ctr, time = 14034243149 True 1
Fn
Get Time type = Ticks, time = 10906045 True 4
Fn
Get Time type = Performance Ctr, time = 14048288949 True 1
Fn
Get Time type = Ticks, time = 10906061 True 11
Fn
Get Time type = System Time, time = 2019-04-02 12:04:26 (UTC) True 1
Fn
Get Time type = Performance Ctr, time = 14048774663 True 1
Fn
Get Time type = Performance Ctr, time = 14049337892 True 1
Fn
Get Time type = Performance Ctr, time = 14049703644 True 1
Fn
Get Time type = Ticks, time = 10906076 True 19
Fn
Get Time type = Ticks, time = 10907511 True 4
Fn
Get Time type = Performance Ctr, time = 14197035879 True 1
Fn
Get Time type = Ticks, time = 10908104 True 33
Fn
Get Time type = Performance Ctr, time = 14259284560 True 1
Fn
Get Time type = Performance Ctr, time = 14259531027 True 1
Fn
Get Time type = Performance Ctr, time = 14259709393 True 1
Fn
Get Time type = Performance Ctr, time = 14259870067 True 1
Fn
Get Time type = Performance Ctr, time = 14260031852 True 1
Fn
Get Time type = Performance Ctr, time = 14260194185 True 1
Fn
Get Time type = Performance Ctr, time = 14260355610 True 1
Fn
Get Time type = Performance Ctr, time = 14260510973 True 1
Fn
Get Time type = Ticks, time = 10908120 True 27
Fn
Get Time type = Performance Ctr, time = 14260730967 True 1
Fn
Get Time type = Performance Ctr, time = 14260897223 True 1
Fn
Get Time type = Performance Ctr, time = 14261079924 True 1
Fn
Get Time type = Performance Ctr, time = 14261241662 True 1
Fn
Get Time type = Performance Ctr, time = 14261448858 True 1
Fn
Get Time type = Performance Ctr, time = 14261610758 True 1
Fn
Get Time type = Performance Ctr, time = 14261770767 True 1
Fn
Get Time type = Ticks, time = 10908167 True 4
Fn
Get Time type = Performance Ctr, time = 14266187641 True 1
Fn
Get Time type = Ticks, time = 10908213 True 4
Fn
Get Time type = Performance Ctr, time = 14271275180 True 1
Fn
Get Time type = Ticks, time = 10908260 True 28
Fn
Get Time type = Performance Ctr, time = 14274917272 True 1
Fn
Get Time type = Performance Ctr, time = 14275086818 True 1
Fn
Get Time type = Performance Ctr, time = 14275254291 True 1
Fn
Get Time type = Performance Ctr, time = 14275419225 True 1
Fn
Get Time type = Performance Ctr, time = 14275579313 True 1
Fn
Get Time type = Performance Ctr, time = 14275917467 True 1
Fn
Get Time type = Performance Ctr, time = 14276084776 True 1
Fn
Get Time type = Ticks, time = 10908276 True 16
Fn
Get Time type = Performance Ctr, time = 14276441160 True 1
Fn
Get Time type = Performance Ctr, time = 14276608894 True 1
Fn
Get Time type = Performance Ctr, time = 14276773280 True 1
Fn
Get Time type = Performance Ctr, time = 14276934834 True 1
Fn
Get Time type = Ticks, time = 10908323 True 28
Fn
Get Time type = Performance Ctr, time = 14281143490 True 1
Fn
Get Time type = Performance Ctr, time = 14281310595 True 1
Fn
Get Time type = Performance Ctr, time = 14281508045 True 1
Fn
Get Time type = Performance Ctr, time = 14281668608 True 1
Fn
Get Time type = Performance Ctr, time = 14281976511 True 1
Fn
Get Time type = Performance Ctr, time = 14282152613 True 1
Fn
Get Time type = Performance Ctr, time = 14282315654 True 1
Fn
Get Time type = Ticks, time = 10908338 True 16
Fn
Get Time type = Performance Ctr, time = 14282572515 True 1
Fn
Get Time type = Performance Ctr, time = 14282739711 True 1
Fn
Get Time type = Performance Ctr, time = 14282918907 True 1
Fn
Get Time type = Performance Ctr, time = 14283082602 True 1
Fn
Get Time type = Ticks, time = 10908432 True 4
Fn
Get Time type = Performance Ctr, time = 14292076079 True 1
Fn
Get Time type = Ticks, time = 10908447 True 8
Fn
Get Time type = Performance Ctr, time = 14294452886 True 1
Fn
Get Time type = Performance Ctr, time = 14294601433 True 1
Fn
Get Time type = Performance Ctr, time = 14296014441 True 1
Fn
Get Time type = Performance Ctr, time = 14296047047 True 1
Fn
Get Info type = Operating System True 2
Fn
Get Info type = System Directory, result_out = C:\Windows\system32 True 2
Fn
Mutex (2)
Operation Additional Information Success Count Logfile
Create mutex_name = WinRAR_Busy True 1
Fn
Release mutex_name = WinRAR_Busy False 1
Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Fn
Process #8: winrar.exe
2822 0
Information Value
ID #8
File Name c:\users\whuoxysd\appdata\local\temp\winrar.exe
Command Line C:\Users\WhuOXYsD\AppData\Local\Temp\\WinRAR.exe m -r -pMyPassword Documents *
Initial Working Directory C:\Users\WhuOXYsD\Documents\
Monitor Start Time: 00:00:46, Reason: Child Process
Unmonitor End Time: 00:05:23, Reason: Terminated by Timeout
Monitor Duration 00:04:37
OS Process Information
Information Value
PID 0xa20
Parent PID 0x8dc (c:\windows\syswow64\cmd.exe)
Bitness 64-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username EGLAFTB1N8YA\WhuOXYsD
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA30, 0xA68, 0x6E0, 0xA88, 0xAA8, 0x918, 0x6A4, 0x8EC, 0x174, 0x8C0, 0x240, 0x8C4, 0x2A8, 0x7A4, 0x78C, 0x780, 0x764, 0x93C, 0xB60, 0xB50, 0xB54, 0xB58, 0xB5C, 0xB64, 0xB68, 0x80C, 0x3C4, 0x7F4, 0xB4C, 0x360, 0x8F0, 0x8FC, 0x914, 0x904, 0x8D8, 0x94C, 0xC4, 0x8BC, 0x8E0, 0x944, 0x11C, 0x880, 0x15C, 0x3D0, 0x5A4, 0x540, 0x534, 0x9DC, 0x9EC, 0x9F0, 0xB0, 0x7BC, 0x210, 0x864, 0x870, 0x844, 0xB84, 0xB7C, 0x9B0, 0xB8C, 0x9AC, 0xB28, 0x5E0, 0x1C4, 0x688, 0x238, 0xB94, 0x4AC, 0x9B8
Dropped Files
Filename File Size Hash Values YARA Match Actions
C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\version.dat 0.01 KB MD5: 732cf0fc10856b7caadb3f8522ef6947, SHA1: a1debb2f8cbcd9420ff06d9127b72dd3df24daa8, SHA256: f8cfc5341886e9e8b6f76e276172fd81c26b5869397ccf14787fd8d6f1d4c5fa, SSDeep: 3:8i:h YARA Match: False
Documents.rar 0.02 KB MD5: d28c293e10139d5d8f6e4592aeaffc1b, SHA1: 3b575420ceea4203152041be00dc80519d1532b5, SHA256: 61126de1b795b976f3ac878f48e88fa77a87d7308ba57c7642b9e1068403a496, SSDeep: 3:: YARA Match: False
Modified Files
Filename File Size Hash Values YARA Match Actions
C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\version.dat 0.01 KB MD5: 732cf0fc10856b7caadb3f8522ef6947, SHA1: a1debb2f8cbcd9420ff06d9127b72dd3df24daa8, SHA256: f8cfc5341886e9e8b6f76e276172fd81c26b5869397ccf14787fd8d6f1d4c5fa, SSDeep: 3:8i:h YARA Match: False
Host Behavior
COM (8)
Operation Class Interface Additional Information Success Count Logfile
Create 56FDF344-FD6D-11D0-958A-006097C9A090 EA1AFB91-9E28-4B86-90E9-9E9F8A5EEFAF cls_context = CLSCTX_INPROC_SERVER True 8
Fn
File (556)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\WhuOXYsD\AppData\Local\Temp\winrar.lng desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Fn
Create \\?\C:\Users\WhuOXYsD\AppData\Local\Temp\winrar.lng desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Fn
Create C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\version.dat desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\version.dat desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create Documents.rar desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ False 1
Fn
Create \\?\C:\Users\WhuOXYsD\Documents\Documents.rar desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ False 1
Fn
Create Documents.rar desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ False 1
Fn
Create \\?\C:\Users\WhuOXYsD\Documents\Documents.rar desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ False 1
Fn
Create Documents.rar desired_access = GENERIC_WRITE, GENERIC_READ True 1
Fn
Create -Rh7mA95EzQMCjv.pptx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create 0eTc aT.pptx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create 0WMsLhv.docx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create 0XuPmKuUcJqUgUNn.pptx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create 19uvJahSx.pptx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create 1dt_j0rkw.xlsx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create 3gZT0e1Jc7KRhrNwc8F.xlsx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create 6_vMe3CazzKO.docx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create 9klODxiFKz0-WlOc t7.xlsx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create AE1NPe45_G.xlsx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create atEaVS6T.pptx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create AtQu0 xTj.docx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create aZCuN2.pptx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create buu1yiRA_xVu8tVc\hLAWY-nuLL.pptx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C8sP.docx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create Da5qX9dUi.xlsx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create desktop.ini desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create dPdybr639pwn.odp desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create e8 DbP8IuWCbGEcy.docx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create F-YPFV_qYj4bfRfXw9yB.docx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create f7H1LR6Kr4.xlsx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create F_g z.xlsx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create G8MmJscBgVAAB6EEG8d0.docx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create GIwIhnYq\01ty5ZVjiFX.xlsx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create GIwIhnYq\4aTOLAatL.rtf desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create GIwIhnYq\gJxsA3QDXPNzu_.pps desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create HaxwmHj 0CtV7r4.docx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create IdJZzMH4BMOKYzj.docx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create Jrdm wCY_KpB5kAazb.docx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create jWTOiGMc8-CGVj37-J.xlsx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create K3zCHl_.xlsx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create kSD3eNYHYfeDhhgpl4.pptx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create KZD3FfQJWWhay.docx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create L4AvX7khKXUu5.docx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create LUsVMCA2kX5.xlsx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create M-At.docx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create M53FxPpcT\-GriIsafw.csv desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create M53FxPpcT\1ue2Dui.csv desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create M53FxPpcT\FCaj7Z UR1.ots desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create M53FxPpcT\oGJkVukoMxIO6MpIrH.xls desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create M53FxPpcT\s4EDs60 8.csv desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create mevC_E6.docx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create N-1n4D-yiI1zNCjze.pptx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create N5ZN.pptx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create N8uU1e.xlsx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create oAWd.pptx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create OhMb-UaJPoxHiI.pptx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create ohVGFnet7R0TYcogm.pptx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create OKr5u -WV3PR.xlsx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create Outlook Files\asdfasdf@rrrrv.com.pst desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create payrmo-.docx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create Pkijc OVe1YF8QnT.xlsx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create PonYvH9js.docx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create PQcpfPJA3.pptx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create qdf-_fT\JqbhJrWJOhGgC.doc desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create qdf-_fT\nwePxLPwZrM _B2.ppt desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create QVNqG4sHjJKiemivuPP.docx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create rONkvDPUqOyiM9A qv.xlsx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create Rr-L433.pptx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create s6aMY83d27.xlsx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create slFg55xQ.pptx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create sZysAGTn.xlsx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create s_UnG.docx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create t8SaG24LSbJT7XFl.pptx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create TM7LU.pptx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create wIOu8U.xlsx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create wnB9v0ottRO9k3_.pptx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create WPnyp7euOOTod.docx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create XRS5ksD\8quW\2d1Kv.xlsx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create XRS5ksD\8quW\bwEoB.ods desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create XRS5ksD\8quW\DmJHZllsIDAO 6.csv desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create XRS5ksD\8quW\geTVB4WtFHycydi mP.pptx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create XRS5ksD\8quW\hoT7s0jqF34TpSdFkEG.ppt desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create XRS5ksD\BZEpulzPesbCLsb0\0L7s8edhd_6mnq.ppt desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create XRS5ksD\BZEpulzPesbCLsb0\2t61b\jBnkdFwHfylWaZ6YaRt.ods desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create XRS5ksD\BZEpulzPesbCLsb0\4bPCYUxUkyRXz1a.odt desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create XRS5ksD\BZEpulzPesbCLsb0\4fPI cdQ5b.csv desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create XRS5ksD\BZEpulzPesbCLsb0\Cyhav4m7LPhUY.odt desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create XRS5ksD\BZEpulzPesbCLsb0\Ey3s.xlsx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create XRS5ksD\BZEpulzPesbCLsb0\T4drjs69aH-eO2f3M.xlsx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create XRS5ksD\jRXwpLVqeVbMwn-9J\8BCPb3BzgmrIOA5.csv desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create XRS5ksD\jRXwpLVqeVbMwn-9J\O0Hib.csv desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create XRS5ksD\jRXwpLVqeVbMwn-9J\VpyteSPe2.ppt desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create XRS5ksD\NnHAm7cjtqLnMEvQK_S.xlsx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create XRS5ksD\tiCKnWYQXORSFs05KwkK\2J0TC8BES4f8Vy_7 a7O.csv desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create XRS5ksD\tiCKnWYQXORSFs05KwkK\fcVw7y.csv desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create XRS5ksD\tiCKnWYQXORSFs05KwkK\MoqtBms5meoe1w.rtf desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create XRS5ksD\tiCKnWYQXORSFs05KwkK\PHjFMjnQ02ATkGOZl.pps desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create XRS5ksD\tiCKnWYQXORSFs05KwkK\PJuyGmzhd Ku-a_pm.pps desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create XRS5ksD\tiCKnWYQXORSFs05KwkK\SwMu.rtf desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create xwucnZa1H0T.xlsx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create YR5cgi5pBZBxCXpLKz.docx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create yudTBCftS3KtXZdN.pptx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create zbK0RkNWW_QYl4NDka.xlsx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create ZHKgPcRuClqfpQx70d.xlsx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create zqdJ P9hDbwBTPl.pptx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create Zrs5Ud.odt desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create Directory C:\Users\WhuOXYsD\AppData\Roaming\WinRAR - True 1
Fn
Add Search Path - - True 1
Fn
Get Info STD_INPUT_HANDLE type = file_type False 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type False 1
Fn
Get Info STD_ERROR_HANDLE type = file_type False 1
Fn
Get Info C:\Users\WhuOXYsD\AppData\Local\Temp\WinRAR.ini type = file_attributes False 1
Fn
Get Info \\?\C:\Users\WhuOXYsD\AppData\Local\Temp\WinRAR.ini type = file_attributes False 1
Fn
Get Info C:\Users\WhuOXYsD\AppData\Roaming\WinRAR type = file_attributes False 3
Fn
Get Info \\?\C:\Users\WhuOXYsD\AppData\Roaming\WinRAR type = file_attributes False 3
Fn
Get Info C:\Users\WhuOXYsD\AppData\Roaming\WinRAR type = file_attributes True 5
Fn
Get Info C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\version.dat type = file_type True 2
Fn
Get Info C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\Settings.reg type = file_attributes False 1
Fn
Get Info \\?\C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\Settings.reg type = file_attributes False 1
Fn
Get Info C:\Users\WhuOXYsD\AppData\Local\Temp\Settings.reg type = file_attributes False 2
Fn
Get Info \\?\C:\Users\WhuOXYsD\AppData\Local\Temp\Settings.reg type = file_attributes False 2
Fn
Get Info Documents type = file_attributes False 1
Fn
Get Info \\?\C:\Users\WhuOXYsD\Documents\Documents type = file_attributes False 1
Fn
Get Info Documents.rar type = file_attributes False 3
Fn
Get Info \\?\C:\Users\WhuOXYsD\Documents\Documents.rar type = file_attributes False 3
Fn
Get Info Documents.zip type = file_attributes False 1
Fn
Get Info \\?\C:\Users\WhuOXYsD\Documents\Documents.zip type = file_attributes False 1
Fn
Get Info C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\Themes type = file_attributes False 1
Fn
Get Info \\?\C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\Themes type = file_attributes False 1
Fn
Get Info My Music type = file_attributes True 1
Fn
Get Info My Pictures type = file_attributes True 1
Fn
Get Info My Videos type = file_attributes True 1
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Read C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\version.dat size = 4096, size_out = 0 True 1
Fn
Read -Rh7mA95EzQMCjv.pptx size = 1048576, size_out = 41644 True 1
Fn
Data
Read -Rh7mA95EzQMCjv.pptx size = 1006932, size_out = 0 True 1
Fn
Read 0eTc aT.pptx size = 1048576, size_out = 101467 True 1
Fn
Data
Read 0eTc aT.pptx size = 947109, size_out = 0 True 1
Fn
Read 0WMsLhv.docx size = 1048576, size_out = 56780 True 1
Fn
Data
Read 0WMsLhv.docx size = 991796, size_out = 0 True 1
Fn
Read 0XuPmKuUcJqUgUNn.pptx size = 1048576, size_out = 60489 True 1
Fn
Data
Read 0XuPmKuUcJqUgUNn.pptx size = 988087, size_out = 0 True 1
Fn
Read 19uvJahSx.pptx size = 1048576, size_out = 12168 True 1
Fn
Data
Read 19uvJahSx.pptx size = 1036408, size_out = 0 True 1
Fn
Read 1dt_j0rkw.xlsx size = 1048576, size_out = 63284 True 1
Fn
Data
Read 1dt_j0rkw.xlsx size = 985292, size_out = 0 True 1
Fn
Read 3gZT0e1Jc7KRhrNwc8F.xlsx size = 1048576, size_out = 6200 True 1
Fn
Data
Read 3gZT0e1Jc7KRhrNwc8F.xlsx size = 1042376, size_out = 0 True 1
Fn
Read 6_vMe3CazzKO.docx size = 1048576, size_out = 6089 True 1
Fn
Data
Read 6_vMe3CazzKO.docx size = 1042487, size_out = 0 True 1
Fn
Read 9klODxiFKz0-WlOc t7.xlsx size = 1048576, size_out = 7995 True 1
Fn
Data
Read 9klODxiFKz0-WlOc t7.xlsx size = 1040581, size_out = 0 True 1
Fn
Read AE1NPe45_G.xlsx size = 1048576, size_out = 82290 True 1
Fn
Data
Read AE1NPe45_G.xlsx size = 966286, size_out = 0 True 1
Fn
Read atEaVS6T.pptx size = 1048576, size_out = 85875 True 1
Fn
Data
Read atEaVS6T.pptx size = 962701, size_out = 0 True 1
Fn
Read AtQu0 xTj.docx size = 1048576, size_out = 12259 True 1
Fn
Data
Read AtQu0 xTj.docx size = 1036317, size_out = 0 True 1
Fn
Read aZCuN2.pptx size = 1048576, size_out = 22211 True 1
Fn
Data
Read aZCuN2.pptx size = 1026365, size_out = 0 True 1
Fn
Read buu1yiRA_xVu8tVc\hLAWY-nuLL.pptx size = 1048576, size_out = 74760 True 1
Fn
Data
Read buu1yiRA_xVu8tVc\hLAWY-nuLL.pptx size = 973816, size_out = 0 True 1
Fn
Read C8sP.docx size = 1048576, size_out = 15090 True 1
Fn
Data
Read C8sP.docx size = 1033486, size_out = 0 True 1
Fn
Read Da5qX9dUi.xlsx size = 1048576, size_out = 87246 True 1
Fn
Data
Read Da5qX9dUi.xlsx size = 961330, size_out = 0 True 1
Fn
Read desktop.ini size = 1048576, size_out = 402 True 1
Fn
Data
Read desktop.ini size = 1048174, size_out = 0 True 1
Fn
Read dPdybr639pwn.odp size = 1048576, size_out = 24431 True 1
Fn
Data
Read dPdybr639pwn.odp size = 1024145, size_out = 0 True 1
Fn
Read e8 DbP8IuWCbGEcy.docx size = 1048576, size_out = 74690 True 1
Fn
Data
Read e8 DbP8IuWCbGEcy.docx size = 973886, size_out = 0 True 1
Fn
Read F-YPFV_qYj4bfRfXw9yB.docx size = 1048576, size_out = 61040 True 1
Fn
Data
Read F-YPFV_qYj4bfRfXw9yB.docx size = 987536, size_out = 0 True 1
Fn
Read f7H1LR6Kr4.xlsx size = 1048576, size_out = 93702 True 1
Fn
Data
Read f7H1LR6Kr4.xlsx size = 954874, size_out = 0 True 1
Fn
Read F_g z.xlsx size = 1048576, size_out = 40566 True 1
Fn
Data
Read F_g z.xlsx size = 1008010, size_out = 0 True 1
Fn
Read G8MmJscBgVAAB6EEG8d0.docx size = 1048576, size_out = 22507 True 1
Fn
Data
Read G8MmJscBgVAAB6EEG8d0.docx size = 1026069, size_out = 0 True 1
Fn
Read GIwIhnYq\01ty5ZVjiFX.xlsx size = 1048576, size_out = 59162 True 1
Fn
Data
Read GIwIhnYq\01ty5ZVjiFX.xlsx size = 989414, size_out = 0 True 1
Fn
Read GIwIhnYq\4aTOLAatL.rtf size = 1048576, size_out = 100922 True 1
Fn
Data
Read GIwIhnYq\4aTOLAatL.rtf size = 947654, size_out = 0 True 1
Fn
Read GIwIhnYq\gJxsA3QDXPNzu_.pps size = 1048576, size_out = 71757 True 1
Fn
Data
Read GIwIhnYq\gJxsA3QDXPNzu_.pps size = 976819, size_out = 0 True 1
Fn
Read HaxwmHj 0CtV7r4.docx size = 1048576, size_out = 33859 True 1
Fn
Data
Read HaxwmHj 0CtV7r4.docx size = 1014717, size_out = 0 True 1
Fn
Read IdJZzMH4BMOKYzj.docx size = 1048576, size_out = 75909 True 1
Fn
Data
Read IdJZzMH4BMOKYzj.docx size = 972667, size_out = 0 True 1
Fn
Read Jrdm wCY_KpB5kAazb.docx size = 1048576, size_out = 86062 True 1
Fn
Data
Read Jrdm wCY_KpB5kAazb.docx size = 962514, size_out = 0 True 1
Fn
Read jWTOiGMc8-CGVj37-J.xlsx size = 1048576, size_out = 41390 True 1
Fn
Data
Read jWTOiGMc8-CGVj37-J.xlsx size = 1007186, size_out = 0 True 1
Fn
Read K3zCHl_.xlsx size = 1048576, size_out = 31343 True 1
Fn
Data
Read K3zCHl_.xlsx size = 1017233, size_out = 0 True 1
Fn
Read kSD3eNYHYfeDhhgpl4.pptx size = 1048576, size_out = 84090 True 1
Fn
Data
Read kSD3eNYHYfeDhhgpl4.pptx size = 964486, size_out = 0 True 1
Fn
Read KZD3FfQJWWhay.docx size = 1048576, size_out = 72483 True 1
Fn
Data
Read KZD3FfQJWWhay.docx size = 976093, size_out = 0 True 1
Fn
Read L4AvX7khKXUu5.docx size = 1048576, size_out = 34956 True 1
Fn
Data
Read L4AvX7khKXUu5.docx size = 1013620, size_out = 0 True 1
Fn
Read LUsVMCA2kX5.xlsx size = 1048576, size_out = 21639 True 1
Fn
Data
Read LUsVMCA2kX5.xlsx size = 1026937, size_out = 0 True 1
Fn
Read M-At.docx size = 1048576, size_out = 82118 True 1
Fn
Data
Read M-At.docx size = 966458, size_out = 0 True 1
Fn
Read M53FxPpcT\-GriIsafw.csv size = 1048576, size_out = 82993 True 1
Fn
Data
Read M53FxPpcT\-GriIsafw.csv size = 965583, size_out = 0 True 1
Fn
Read M53FxPpcT\1ue2Dui.csv size = 1048576, size_out = 50145 True 1
Fn
Data
Read M53FxPpcT\1ue2Dui.csv size = 998431, size_out = 0 True 1
Fn
Read M53FxPpcT\FCaj7Z UR1.ots size = 1048576, size_out = 20944 True 1
Fn
Data
Read M53FxPpcT\FCaj7Z UR1.ots size = 1027632, size_out = 0 True 1
Fn
Read M53FxPpcT\oGJkVukoMxIO6MpIrH.xls size = 1048576, size_out = 63479 True 1
Fn
Data
Read M53FxPpcT\oGJkVukoMxIO6MpIrH.xls size = 985097, size_out = 0 True 1
Fn
Read M53FxPpcT\s4EDs60 8.csv size = 1048576, size_out = 45623 True 1
Fn
Data
Read M53FxPpcT\s4EDs60 8.csv size = 1002953, size_out = 0 True 1
Fn
Read mevC_E6.docx size = 1048576, size_out = 31620 True 1
Fn
Data
Read mevC_E6.docx size = 1016956, size_out = 0 True 1
Fn
Read N-1n4D-yiI1zNCjze.pptx size = 1048576, size_out = 38855 True 1
Fn
Data
Read N-1n4D-yiI1zNCjze.pptx size = 1009721, size_out = 0 True 1
Fn
Read N5ZN.pptx size = 1048576, size_out = 76712 True 1
Fn
Data
Read N5ZN.pptx size = 971864, size_out = 0 True 1
Fn
Read N8uU1e.xlsx size = 1048576, size_out = 27261 True 1
Fn
Data
Read N8uU1e.xlsx size = 1021315, size_out = 0 True 1
Fn
Read oAWd.pptx size = 1048576, size_out = 18793 True 1
Fn
Data
Read oAWd.pptx size = 1029783, size_out = 0 True 1
Fn
Read OhMb-UaJPoxHiI.pptx size = 1048576, size_out = 92069 True 1
Fn
Data
Read OhMb-UaJPoxHiI.pptx size = 956507, size_out = 0 True 1
Fn
Read ohVGFnet7R0TYcogm.pptx size = 1048576, size_out = 97550 True 1
Fn
Data
Read ohVGFnet7R0TYcogm.pptx size = 951026, size_out = 0 True 1
Fn
Read OKr5u -WV3PR.xlsx size = 1048576, size_out = 50281 True 1
Fn
Data
Read OKr5u -WV3PR.xlsx size = 998295, size_out = 0 True 1
Fn
Read Outlook Files\asdfasdf@rrrrv.com.pst size = 1048576, size_out = 271360 True 1
Fn
Data
Read Outlook Files\asdfasdf@rrrrv.com.pst size = 777216, size_out = 0 True 1
Fn
Read payrmo-.docx size = 1048576, size_out = 92833 True 1
Fn
Data
Read payrmo-.docx size = 955743, size_out = 0 True 1
Fn
Read Pkijc OVe1YF8QnT.xlsx size = 1048576, size_out = 31557 True 1
Fn
Data
Read Pkijc OVe1YF8QnT.xlsx size = 1017019, size_out = 0 True 1
Fn
Read PonYvH9js.docx size = 1048576, size_out = 51427 True 1
Fn
Data
Read PonYvH9js.docx size = 997149, size_out = 0 True 1
Fn
Read PQcpfPJA3.pptx size = 1048576, size_out = 72083 True 1
Fn
Data
Read PQcpfPJA3.pptx size = 976493, size_out = 0 True 1
Fn
Read qdf-_fT\JqbhJrWJOhGgC.doc size = 1048576, size_out = 52269 True 1
Fn
Data
Read qdf-_fT\JqbhJrWJOhGgC.doc size = 996307, size_out = 0 True 1
Fn
Read qdf-_fT\nwePxLPwZrM _B2.ppt size = 1048576, size_out = 13950 True 1
Fn
Data
Read qdf-_fT\nwePxLPwZrM _B2.ppt size = 1034626, size_out = 0 True 1
Fn
Read QVNqG4sHjJKiemivuPP.docx size = 1048576, size_out = 10002 True 1
Fn
Data
Read QVNqG4sHjJKiemivuPP.docx size = 1038574, size_out = 0 True 1
Fn
Read rONkvDPUqOyiM9A qv.xlsx size = 1048576, size_out = 24035 True 1
Fn
Data
Read rONkvDPUqOyiM9A qv.xlsx size = 1024541, size_out = 0 True 1
Fn
Read Rr-L433.pptx size = 1048576, size_out = 21302 True 1
Fn
Data
Read Rr-L433.pptx size = 1027274, size_out = 0 True 1
Fn
Read s6aMY83d27.xlsx size = 1048576, size_out = 37457 True 1
Fn
Data
Read s6aMY83d27.xlsx size = 1011119, size_out = 0 True 1
Fn
Read slFg55xQ.pptx size = 1048576, size_out = 36820 True 1
Fn
Data
Read slFg55xQ.pptx size = 1011756, size_out = 0 True 1
Fn
Read sZysAGTn.xlsx size = 1048576, size_out = 69178 True 1
Fn
Data
Read sZysAGTn.xlsx size = 979398, size_out = 0 True 1
Fn
Read s_UnG.docx size = 1048576, size_out = 97615 True 1
Fn
Data
Read s_UnG.docx size = 950961, size_out = 0 True 1
Fn
Read t8SaG24LSbJT7XFl.pptx size = 1048576, size_out = 41745 True 1
Fn
Data
Read t8SaG24LSbJT7XFl.pptx size = 1006831, size_out = 0 True 1
Fn
Read TM7LU.pptx size = 1048576, size_out = 26870 True 1
Fn
Data
Read TM7LU.pptx size = 1021706, size_out = 0 True 1
Fn
Read wIOu8U.xlsx size = 1048576, size_out = 89705 True 1
Fn
Data
Read wIOu8U.xlsx size = 958871, size_out = 0 True 1
Fn
Read wnB9v0ottRO9k3_.pptx size = 1048576, size_out = 22187 True 1
Fn
Data
Read wnB9v0ottRO9k3_.pptx size = 1026389, size_out = 0 True 1
Fn
Read WPnyp7euOOTod.docx size = 1048576, size_out = 65181 True 1
Fn
Data
Read WPnyp7euOOTod.docx size = 983395, size_out = 0 True 1
Fn
Read XRS5ksD\8quW\2d1Kv.xlsx size = 1048576, size_out = 28190 True 1
Fn
Data
Read XRS5ksD\8quW\2d1Kv.xlsx size = 1020386, size_out = 0 True 1
Fn
Read XRS5ksD\8quW\bwEoB.ods size = 1048576, size_out = 59852 True 1
Fn
Data
Read XRS5ksD\8quW\bwEoB.ods size = 988724, size_out = 0 True 1
Fn
Read XRS5ksD\8quW\DmJHZllsIDAO 6.csv size = 1048576, size_out = 85902 True 1
Fn
Data
Read XRS5ksD\8quW\DmJHZllsIDAO 6.csv size = 962674, size_out = 0 True 1
Fn
Read XRS5ksD\8quW\geTVB4WtFHycydi mP.pptx size = 1048576, size_out = 42780 True 1
Fn
Data
Read XRS5ksD\8quW\geTVB4WtFHycydi mP.pptx size = 1005796, size_out = 0 True 1
Fn
Read XRS5ksD\8quW\hoT7s0jqF34TpSdFkEG.ppt size = 1048576, size_out = 57236 True 1
Fn
Data
Read XRS5ksD\8quW\hoT7s0jqF34TpSdFkEG.ppt size = 991340, size_out = 0 True 1
Fn
Read XRS5ksD\BZEpulzPesbCLsb0\0L7s8edhd_6mnq.ppt size = 1048576, size_out = 22786 True 1
Fn
Data
Read XRS5ksD\BZEpulzPesbCLsb0\0L7s8edhd_6mnq.ppt size = 1025790, size_out = 0 True 1
Fn
Read XRS5ksD\BZEpulzPesbCLsb0\2t61b\jBnkdFwHfylWaZ6YaRt.ods size = 1048576, size_out = 9091 True 1
Fn
Data
Read XRS5ksD\BZEpulzPesbCLsb0\2t61b\jBnkdFwHfylWaZ6YaRt.ods size = 1039485, size_out = 0 True 1
Fn
Read XRS5ksD\BZEpulzPesbCLsb0\4bPCYUxUkyRXz1a.odt size = 1048576, size_out = 20186 True 1
Fn
Data
Read XRS5ksD\BZEpulzPesbCLsb0\4bPCYUxUkyRXz1a.odt size = 1028390, size_out = 0 True 1
Fn
Read XRS5ksD\BZEpulzPesbCLsb0\4fPI cdQ5b.csv size = 1048576, size_out = 19755 True 1
Fn
Data
Read XRS5ksD\BZEpulzPesbCLsb0\4fPI cdQ5b.csv size = 1028821, size_out = 0 True 1
Fn
Read XRS5ksD\BZEpulzPesbCLsb0\Cyhav4m7LPhUY.odt size = 1048576, size_out = 41644 True 1
Fn
Data
Read XRS5ksD\BZEpulzPesbCLsb0\Cyhav4m7LPhUY.odt size = 1006932, size_out = 0 True 1
Fn
Read XRS5ksD\BZEpulzPesbCLsb0\Ey3s.xlsx size = 1048576, size_out = 68563 True 1
Fn
Data
Read XRS5ksD\BZEpulzPesbCLsb0\Ey3s.xlsx size = 980013, size_out = 0 True 1
Fn
Read XRS5ksD\BZEpulzPesbCLsb0\T4drjs69aH-eO2f3M.xlsx size = 1048576, size_out = 39415 True 1
Fn
Data
Read XRS5ksD\BZEpulzPesbCLsb0\T4drjs69aH-eO2f3M.xlsx size = 1009161, size_out = 0 True 1
Fn
Read XRS5ksD\jRXwpLVqeVbMwn-9J\8BCPb3BzgmrIOA5.csv size = 1048576, size_out = 46788 True 1
Fn
Data
Read XRS5ksD\jRXwpLVqeVbMwn-9J\8BCPb3BzgmrIOA5.csv size = 1001788, size_out = 0 True 1
Fn
Read XRS5ksD\jRXwpLVqeVbMwn-9J\O0Hib.csv size = 1048576, size_out = 13175 True 1
Fn
Data
Read XRS5ksD\jRXwpLVqeVbMwn-9J\O0Hib.csv size = 1035401, size_out = 0 True 1
Fn
Read XRS5ksD\jRXwpLVqeVbMwn-9J\VpyteSPe2.ppt size = 1048576, size_out = 70838 True 1
Fn
Data
Read XRS5ksD\jRXwpLVqeVbMwn-9J\VpyteSPe2.ppt size = 977738, size_out = 0 True 1
Fn
Read XRS5ksD\NnHAm7cjtqLnMEvQK_S.xlsx size = 1048576, size_out = 58584 True 1
Fn
Data
Read XRS5ksD\NnHAm7cjtqLnMEvQK_S.xlsx size = 989992, size_out = 0 True 1
Fn
Read XRS5ksD\tiCKnWYQXORSFs05KwkK\2J0TC8BES4f8Vy_7 a7O.csv size = 1048576, size_out = 28370 True 1
Fn
Data
Read XRS5ksD\tiCKnWYQXORSFs05KwkK\2J0TC8BES4f8Vy_7 a7O.csv size = 1020206, size_out = 0 True 1
Fn
Read XRS5ksD\tiCKnWYQXORSFs05KwkK\fcVw7y.csv size = 1048576, size_out = 44653 True 1
Fn
Data
Read XRS5ksD\tiCKnWYQXORSFs05KwkK\fcVw7y.csv size = 1003923, size_out = 0 True 1
Fn
Read XRS5ksD\tiCKnWYQXORSFs05KwkK\MoqtBms5meoe1w.rtf size = 1048576, size_out = 87467 True 1
Fn
Data
Read XRS5ksD\tiCKnWYQXORSFs05KwkK\MoqtBms5meoe1w.rtf size = 961109, size_out = 0 True 1
Fn
Read XRS5ksD\tiCKnWYQXORSFs05KwkK\PHjFMjnQ02ATkGOZl.pps size = 1048576, size_out = 51720 True 1
Fn
Data
Read XRS5ksD\tiCKnWYQXORSFs05KwkK\PHjFMjnQ02ATkGOZl.pps size = 996856, size_out = 0 True 1
Fn
Read XRS5ksD\tiCKnWYQXORSFs05KwkK\PJuyGmzhd Ku-a_pm.pps size = 1048576, size_out = 31476 True 1
Fn
Data
Read XRS5ksD\tiCKnWYQXORSFs05KwkK\PJuyGmzhd Ku-a_pm.pps size = 1017100, size_out = 0 True 1
Fn
Read XRS5ksD\tiCKnWYQXORSFs05KwkK\SwMu.rtf size = 1048576, size_out = 66068 True 1
Fn
Data
Read XRS5ksD\tiCKnWYQXORSFs05KwkK\SwMu.rtf size = 982508, size_out = 0 True 1
Fn
Read xwucnZa1H0T.xlsx size = 1048576, size_out = 75962 True 1
Fn
Data
Read xwucnZa1H0T.xlsx size = 972614, size_out = 0 True 1
Fn
Read YR5cgi5pBZBxCXpLKz.docx size = 1048576, size_out = 23128 True 1
Fn
Data
Read YR5cgi5pBZBxCXpLKz.docx size = 1025448, size_out = 0 True 1
Fn
Read yudTBCftS3KtXZdN.pptx size = 1048576, size_out = 39831 True 1
Fn
Data
Read yudTBCftS3KtXZdN.pptx size = 1008745, size_out = 0 True 1
Fn
Read zbK0RkNWW_QYl4NDka.xlsx size = 1048576, size_out = 30157 True 1
Fn
Data
Read zbK0RkNWW_QYl4NDka.xlsx size = 1018419, size_out = 0 True 1
Fn
Read ZHKgPcRuClqfpQx70d.xlsx size = 1048576, size_out = 30953 True 1
Fn
Data
Read ZHKgPcRuClqfpQx70d.xlsx size = 1017623, size_out = 0 True 1
Fn
Read zqdJ P9hDbwBTPl.pptx size = 1048576, size_out = 15336 True 1
Fn
Data
Read zqdJ P9hDbwBTPl.pptx size = 1033240, size_out = 0 True 1
Fn
Read Zrs5Ud.odt size = 1048576, size_out = 49620 True 1
Fn
Data
Read Zrs5Ud.odt size = 998956, size_out = 0 True 1
Fn
Write C:\Users\WhuOXYsD\AppData\Roaming\WinRAR\version.dat size = 12 True 1
Fn
Data
Write Documents.rar size = 8 True 1
Fn
Data
Write Documents.rar size = 17 True 1
Fn
Data
Write Documents.rar size = 41744 True 1
Fn
Data
Write Documents.rar size = 104 True 5
Fn
Data
Write Documents.rar size = 101696 True 1
Fn
Data
Write Documents.rar size = 96 True 6
Fn
Data
Write Documents.rar size = 56928 True 1
Fn
Data
Write Documents.rar size = 60608 True 1
Fn
Data
Write Documents.rar size = 105 True 6
Fn
Data
Write Documents.rar size = 12208 True 1
Fn
Data
Write Documents.rar size = 98 True 6
Fn
Data
Write Documents.rar size = 63408 True 1
Fn
Data
Write Documents.rar size = 6240 True 1
Fn
Data
Write Documents.rar size = 106 True 5
Fn
Data
Write Documents.rar size = 6144 True 1
Fn
Data
Write Documents.rar size = 99 True 4
Fn
Data
Write Documents.rar size = 8048 True 1
Fn
Data
Write Documents.rar size = 108 True 3
Fn
Data
Write Documents.rar size = 82496 True 1
Fn
Data
Write Documents.rar size = 86080 True 1
Fn
Data
Write Documents.rar size = 97 True 3
Fn
Data
Write Documents.rar size = 12304 True 1
Fn
Data
Write Documents.rar size = 22304 True 1
Fn
Data
Write Documents.rar size = 95 True 3
Fn
Data
Write Documents.rar size = 74928 True 1
Fn
Data
Write Documents.rar size = 116 True 3
Fn
Data
Write Documents.rar size = 15120 True 1
Fn
Data
Write Documents.rar size = 93 True 5
Fn
Data
Write Documents.rar size = 87440 True 1
Fn
Data
Write Documents.rar size = 192 True 1
Fn
Data
Write Documents.rar size = 24512 True 1
Fn
Data
Write Documents.rar size = 100 True 3
Fn
Data
Write Documents.rar size = 74864 True 1
Fn
Data
Write Documents.rar size = 61168 True 1
Fn
Data
Write Documents.rar size = 109 True 4
Fn
Data
Write Documents.rar size = 93888 True 1
Fn
Data
Write Documents.rar size = 40688 True 1
Fn
Data
Write Documents.rar size = 94 True 4
Fn
Data
Write Documents.rar size = 22592 True 1
Fn
Data
Write Documents.rar size = 59296 True 1
Fn
Data
Write Documents.rar size = 85408 True 1
Fn
Data
Write Documents.rar size = 71904 True 1
Fn
Data
Write Documents.rar size = 111 True 2
Fn
Data
Write Documents.rar size = 33984 True 1
Fn
Data
Write Documents.rar size = 76064 True 1
Fn
Data
Write Documents.rar size = 86272 True 1
Fn
Data
Write Documents.rar size = 107 True 10
Fn
Data
Write Documents.rar size = 41504 True 1
Fn
Data
Write Documents.rar size = 31408 True 1
Fn
Data
Write Documents.rar size = 84304 True 1
Fn
Data
Write Documents.rar size = 72656 True 1
Fn
Data
Write Documents.rar size = 102 True 3
Fn
Data
Write Documents.rar size = 35072 True 1
Fn
Data
Write Documents.rar size = 21728 True 1
Fn
Data
Write Documents.rar size = 82320 True 1
Fn
Data
Write Documents.rar size = 83200 True 1
Fn
Data
Write Documents.rar size = 50288 True 1
Fn
Data
Write Documents.rar size = 21056 True 1
Fn
Data
Write Documents.rar size = 63584 True 1
Fn
Data
Write Documents.rar size = 45712 True 1
Fn
Data
Write Documents.rar size = 31680 True 1
Fn
Data
Write Documents.rar size = 38976 True 1
Fn
Data
Write Documents.rar size = 76880 True 1
Fn
Data
Write Documents.rar size = 27328 True 1
Fn
Data
Write Documents.rar size = 18896 True 1
Fn
Data
Write Documents.rar size = 92272 True 1
Fn
Data
Write Documents.rar size = 103 True 1
Fn
Data
Write Documents.rar size = 97728 True 1
Fn
Data
Write Documents.rar size = 50432 True 1
Fn
Data
Write Documents.rar size = 101 True 1
Fn
Data
Write Documents.rar size = 11792 True 1
Fn
Data
Write Documents.rar size = 121 True 2
Fn
Data
Write Documents.rar size = 93024 True 1
Fn
Data
Write Documents.rar size = 31632 True 1
Fn
Data
Write Documents.rar size = 51568 True 1
Fn
Data
Write Documents.rar size = 72256 True 1
Fn
Data
Write Documents.rar size = 52416 True 1
Fn
Data
Write Documents.rar size = 13968 True 1
Fn
Data
Write Documents.rar size = 10048 True 1
Fn
Data
Write Documents.rar size = 24112 True 1
Fn
Data
Write Documents.rar size = 21392 True 1
Fn
Data
Write Documents.rar size = 37568 True 1
Fn
Data
Write Documents.rar size = 36944 True 1
Fn
Data
Write Documents.rar size = 69360 True 1
Fn
Data
Write Documents.rar size = 97808 True 1
Fn
Data
Write Documents.rar size = 41840 True 1
Fn
Data
Write Documents.rar size = 26944 True 1
Fn
Data
Write Documents.rar size = 89888 True 1
Fn
Data
Write Documents.rar size = 22256 True 1
Fn
Data
Write Documents.rar size = 65296 True 1
Fn
Data
Write Documents.rar size = 28256 True 1
Fn
Data
Write Documents.rar size = 59984 True 1
Fn
Data
Write Documents.rar size = 86144 True 1
Fn
Data
Write Documents.rar size = 115 True 1
Fn
Data
Write Documents.rar size = 42880 True 1
Fn
Data
Write Documents.rar size = 120 True 2
Fn
Data
Write Documents.rar size = 57360 True 1
Fn
Data
Write Documents.rar size = 22848 True 1
Fn
Data
Write Documents.rar size = 127 True 1
Fn
Data
Write Documents.rar size = 9152 True 1
Fn
Data
Write Documents.rar size = 139 True 1
Fn
Data
Write Documents.rar size = 20288 True 1
Fn
Data
Write Documents.rar size = 128 True 1
Fn
Data
Write Documents.rar size = 19840 True 1
Fn
Data
Write Documents.rar size = 123 True 3
Fn
Data
Write Documents.rar size = 41760 True 1
Fn
Data
Write Documents.rar size = 126 True 1
Fn
Data
Write Documents.rar size = 68752 True 1
Fn
Data
Write Documents.rar size = 118 True 1
Fn
Data
Write Documents.rar size = 39520 True 1
Fn
Data
Write Documents.rar size = 131 True 2
Fn
Data
Write Documents.rar size = 46880 True 1
Fn
Data
Write Documents.rar size = 129 True 1
Fn
Data
Write Documents.rar size = 13216 True 1
Fn
Data
Write Documents.rar size = 119 True 1
Fn
Data
Write Documents.rar size = 71008 True 1
Fn
Data
Write Documents.rar size = 58720 True 1
Fn
Data
Write Documents.rar size = 28448 True 1
Fn
Data
Write Documents.rar size = 138 True 1
Fn
Data
Write Documents.rar size = 44752 True 1
Fn
Data
Write Documents.rar size = 74064 True 1
Fn
Data
Write Documents.rar size = 51856 True 1
Fn
Data
Write Documents.rar size = 135 True 2
Fn
Data
Write Documents.rar size = 31520 True 1
Fn
Data
Write Documents.rar size = 55920 True 1
Fn
Data
Write Documents.rar size = 76128 True 1
Fn
Data
Write Documents.rar size = 23216 True 1
Fn
Data
Write Documents.rar size = 39952 True 1
Fn
Data
Write Documents.rar size = 30224 True 1
Fn
Data
Write Documents.rar size = 31024 True 1
Fn
Data
Write Documents.rar size = 15376 True 1
Fn
Data
Write Documents.rar size = 49792 True 1
Fn
Data
Write Documents.rar size = 61 True 1
Fn
Data
Write Documents.rar size = 43 True 2
Fn
Data
Write Documents.rar size = 55 True 1
Fn
Data
Write Documents.rar size = 56 True 1
Fn
Data
Write Documents.rar size = 59 True 1
Fn
Data
Write Documents.rar size = 47 True 1
Fn
Data
Write Documents.rar size = 39 True 1
Fn
Data
Write Documents.rar size = 40 True 2
Fn
Data
Write Documents.rar size = 41 True 1
Fn
Data
Write Documents.rar size = 44 True 1
Fn
Data
Write Documents.rar size = 38 True 2
Fn
Data
Registry (235)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes - True 2
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\General - False 3
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Paths - False 7
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\General - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\WinRAR\Policy - False 4
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR\Policy - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\Software\WinRAR - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\WinRAR - True 2
Open Key HKEY_CURRENT_USER\Software\WinRAR\General - True 1
Open Key HKEY_CURRENT_USER\Software\WinRAR\Extraction - False 1
Open Key HKEY_CURRENT_USER\Software\WinRAR\General - True 1
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 - True 81
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\1 - True 1
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\2 - True 1
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\3 - True 1
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\4 - True 1
Open Key HKEY_CURRENT_USER\Software\WinRAR\Profiles\5 - False 1
Open Key HKEY_CURRENT_USER\Software\WinRAR\Compression - False 1
Open Key HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes - True 1
Open Key HKEY_CURRENT_USER\Software\WinRAR\FileList - False 8
Open Key HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths - False 9
Open Key HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnStates - False 5
Open Key HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnStates - False 5
Open Key HKEY_CURRENT_USER\Software\WinRAR\Interface - True 2
Read Value HKEY_CURRENT_USER\Software\WinRAR\General value_name = VerInfo, type = REG_BINARY True 1 (Data)
Read Value HKEY_CURRENT_USER\Software\WinRAR value_name = rarkey, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\General value_name = Priority, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\WinRAR value_name = rarreg.key, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\General value_name = SMP, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Default, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 2
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ArcName, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = FileNames False 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ExclNames True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ExclNames, type = REG_SZ True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = StoreNames True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = StoreNames, type = REG_SZ True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = UseRAR, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = RAR5, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SFXModule, type = REG_SZ True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SFX, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SFXIcon, type = REG_SZ True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SFXLogo, type = REG_SZ True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SFXElevate, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = CmtFile, type = REG_SZ True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = CmtDataWide, type = REG_BINARY True 1 (Data)
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = CmtTextWide, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = CmtTextData, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = VolumeSize, data = 0, type = REG_SZ True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = VolSizeMod, data = 2, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = VolPause, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = OldVolNames, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = RecVolNumber, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Update, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Fresh, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SyncFiles, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Overwrite, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Move, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ArcRecBin, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ArcWipe, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = WipeIfPassword, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Solid, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Test, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = RecEnabled, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = RecSize, data = 4294967293, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Recovery, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = EraseDest, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = AddArcOnly, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ClearArc, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Lock, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Method, data = 3, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = DictSizeLZ, data = 4194304, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = DictSize, data = 33554432, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Name, data = Default Profile, type = REG_SZ True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = PasswordData, type = REG_BINARY True 1 (Data)
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = EncryptHeaders, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ZipLegacyEncrypt, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = OpenShared, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ProcessOwners, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SaveStreams, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SaveSymLinks, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SaveHardLinks, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Background, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = WaitForOther, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = Shutdown, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = GenerateArcName, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = VersionControl, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = BLAKE2, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = FileCopies, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = QuickOpen, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = GenerateMask, data = yyyymmddhhmmss, type = REG_SZ True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = FileTimeMode, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = FileDays, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = FileHours, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = FileMinutes, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ArcTimeOriginal, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ArcTimeLatest, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = mtime, data = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ctime, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = atime, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = PathsAbs, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = PathsNone, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = PathsAbsDrive, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = ImmExec, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SeparateArc, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SeparateArcDoubleExt, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = SeparateArcSubfolders, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = EmailArcTo, type = REG_SZ True 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Profiles\0 value_name = PackDetails, type = REG_BINARY True 1 (Data)
Read Value HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes value_name = ActivePath, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Interface value_name = SystemProgressBar, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\WinRAR\Interface value_name = TaskbarProgressBar, data = 1, type = REG_NONE False 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes value_name = ShellExtBMP, size = 2, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes value_name = ShellExtIcon, size = 2, type = REG_SZ True 1
Module (44)
Operation Module Additional Information Success Count
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 2
Load api-ms-win-core-synch-l1-2-0 base_address = 0x7fef7a20000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 4
Load - base_address = 0x0 False 1
Load kernel32 base_address = 0x77ae0000 True 2
Load kernel32 base_address = 0x0 False 1
Load api-ms-win-core-localization-l1-2-1 base_address = 0x0 False 2
Load C:\Users\WhuOXYsD\AppData\Local\Temp\rarlng.dll base_address = 0x0 False 1
Load C:\Windows\system32\riched20.dll base_address = 0x7fef7980000 True 1
Load C:\Windows\system32\Crypt32.dll base_address = 0x7fefdc00000 True 1
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77ae0000 True 3
Get Handle c:\users\whuoxysd\appdata\local\temp\winrar.exe base_address = 0x13f160000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS True 1
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\whuoxysd\appdata\local\temp\winrar.exe, file_name_orig = C:\Users\WhuOXYsD\AppData\Local\Temp\WinRAR.exe, size = 260 True 1
Get Filename - process_name = c:\users\whuoxysd\appdata\local\temp\winrar.exe, file_name_orig = C:\Users\WhuOXYsD\AppData\Local\Temp\WinRAR.exe, size = 2048 True 1
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\whuoxysd\appdata\local\temp\winrar.exe, file_name_orig = C:\Users\WhuOXYsD\AppData\Local\Temp\WinRAR.exe, size = 2048 True 1
Get Filename C:\Users\WhuOXYsD\AppData\Local\Temp\rarlng.dll process_name = c:\users\whuoxysd\appdata\local\temp\winrar.exe, file_name_orig = C:\Users\WhuOXYsD\AppData\Local\Temp\WinRAR.exe, size = 2048 True 4
Get Address c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll function = InitializeCriticalSectionEx, address_out = 0x0 False 2
Get Address c:\windows\system32\kernel32.dll function = FlsAlloc, address_out = 0x77af7190 True 2
Get Address c:\windows\system32\kernel32.dll function = FlsSetValue, address_out = 0x77afbd90 True 2
Get Address c:\windows\system32\kernel32.dll function = FlsGetValue, address_out = 0x77b03520 True 1
Get Address c:\windows\system32\kernel32.dll function = LCMapStringEx, address_out = 0x77b2b710 True 1
Get Address c:\windows\system32\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c384f0 True 1
Get Address c:\windows\system32\kernel32.dll function = SleepConditionVariableCS, address_out = 0x77b2b230 True 1
Get Address c:\windows\system32\kernel32.dll function = WakeAllConditionVariable, address_out = 0x77c200b0 True 1
Get Address c:\windows\system32\kernel32.dll function = SetDllDirectoryW, address_out = 0x77b2d8c0 True 1
Get Address c:\windows\system32\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x0 False 1
Get Address c:\windows\system32\crypt32.dll function = CryptProtectMemory, address_out = 0x7fefdc316f8 True 1
Get Address c:\windows\system32\crypt32.dll function = CryptUnprotectMemory, address_out = 0x7fefdc3171c True 1
Get Address c:\windows\system32\kernel32.dll function = CompareStringOrdinal, address_out = 0x77afd720 True 1
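The Module table shows the archiver executing out of C:\Users\WhuOXYsD\AppData\Local\Temp\WinRAR.exe and attempting (unsuccessfully) to load rarlng.dll from that same directory, which is the detail a triage analyst would key on: a legitimately installed archiver does not run from a user's Temp folder. The following Python is an added example, not part of the VMRay report, that parses rows in the report's Module-table format and flags any module executing from or loaded from a per-user Temp directory. The sample rows are copied from the table above; the function names and the Temp-path heuristic are this example's own assumptions.

```python
import re
from typing import Dict, List

# Rows copied from the report's Module table (space-separated, as rendered on the page).
SAMPLE_ROWS = """\
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 2
Load kernel32 base_address = 0x77ae0000 True 2
Load C:\\Users\\WhuOXYsD\\AppData\\Local\\Temp\\rarlng.dll base_address = 0x0 False 1
Load C:\\Windows\\system32\\riched20.dll base_address = 0x7fef7980000 True 1
Load C:\\Windows\\system32\\Crypt32.dll base_address = 0x7fefdc00000 True 1
Get Handle c:\\users\\whuoxysd\\appdata\\local\\temp\\winrar.exe base_address = 0x13f160000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS True 1
"""

# One table row: Operation, Module (a single token), Additional Information, Success, Count.
ROW_RE = re.compile(
    r"^(?P<op>Load|Get Handle|Get Address|Get Filename)\s+"
    r"(?P<module>\S+)\s+"
    r"(?P<info>.*?)\s+"
    r"(?P<success>True|False)\s+(?P<count>\d+)$"
)
BASE_RE = re.compile(r"base_address = (0x[0-9a-fA-F]+)")

# Heuristic (this example's assumption): a path under a per-user Temp directory is
# user-writable and is not where an installed archiver or its DLLs should live.
USER_TEMP_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)


def parse_module_rows(text: str) -> List[Dict[str, object]]:
    """Parse Module-table rows into dicts; lines that do not match the row shape are skipped."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        base = BASE_RE.search(m["info"])
        rows.append({
            "op": m["op"],
            "module": m["module"],
            "info": m["info"],
            "success": m["success"] == "True",
            "count": int(m["count"]),
            # base_address 0x0 in the report means the load/lookup did not succeed
            "base_address": int(base.group(1), 16) if base else None,
        })
    return rows


def find_user_temp_modules(rows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flag modules executing from, or loaded (or attempted) from, a user Temp directory."""
    findings: List[Dict[str, object]] = []
    for r in rows:
        if not USER_TEMP_RE.search(str(r["module"])):
            continue
        if r["op"] == "Get Handle" and "GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS" in str(r["info"]):
            # GetModuleHandleEx from an address inside the image: the process's own executable
            kind = "image_executing_from_user_temp"
        elif r["op"] == "Load":
            kind = "dll_load_from_user_temp" + ("" if r["success"] else "_failed")
        else:
            kind = "module_reference_in_user_temp"
        findings.append({"kind": kind, "module": r["module"], "success": r["success"]})
    return findings


if __name__ == "__main__":
    for finding in find_user_temp_modules(parse_module_rows(SAMPLE_ROWS)):
        print(finding)
```

On the sample rows this yields two findings: the failed load of rarlng.dll from Temp and the process image itself executing from Temp. The failed load is reported as well as the successful ones because a DLL name that an archiver resolves relative to a user-writable directory is worth knowing about even when nothing was there to load this time.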
Window (5)
Operation Window Name Additional Information Success Count
Create WinRAR class_name = WinRarWindow, wndproc_parameter = 0 True 1
Create - class_name = SysListView32, wndproc_parameter = 0 True 1
Create - class_name = tooltips_class32, wndproc_parameter = 0 True 1
Create - class_name = tooltips_class32, wndproc_parameter = 0 True 1
Find - class_name = WinRarWindow False 1
Keyboard (2)
Operation Additional Information Success Count
Get Info type = KB_CODEPAGE, result_out = 437 True 1
Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
System (1410)
Operation Additional Information Success Count
Get Time type = System Time, time = 2019-04-02 12:04:15 (UTC) True 1
Get Time type = Performance Ctr, time = 12512136863 True 1
Get Time type = Performance Ctr, time = 12519857643 True 1
Get Time type = System Time, time = 2019-04-02 12:04:16 (UTC) True 1
Get Time type = Local Time, time = 2019-04-02 16:04:16 (Local Time) True 1
Get Time type = Performance Ctr, time = 12901208574 True 1
Get Time type = Ticks, time = 10896545 True 2
Get Time type = Ticks, time = 10896560 True 5
Get Time type = Ticks, time = 10896638 True 1
Get Time type = System Time, time = 2019-04-02 12:04:17 (UTC) True 2
Get Time type = Performance Ctr, time = 12927458107 True 1
Get Time type = Performance Ctr, time = 12927583358 True 1
Get Time type = Ticks, time = 10896654 True 1
Get Time type = Ticks, time = 10908432 True 1
Get Time type = Performance Ctr, time = 14293281261 True 1
Get Time type = Ticks, time = 10908447 True 1
Get Time type = System Time, time = 2019-04-02 12:04:29 (UTC) True 44
Get Time type = Performance Ctr, time = 14300498529 True 1
Get Time type = Ticks, time = 10908525 True 4
Get Time type = Performance Ctr, time = 14301568710 True 1
Get Time type = Ticks, time = 10908603 True 1
Get Time type = Performance Ctr, time = 14310599580 True 1
Get Time type = Ticks, time = 10908619 True 3
Get Time type = Ticks, time = 10908666 True 6
Get Time type = Performance Ctr, time = 14316067883 True 1
Get Time type = Performance Ctr, time = 14316335233 True 1
Get Time type = Ticks, time = 10908697 True 6
Get Time type = Performance Ctr, time = 14318681311 True 1
Get Time type = Performance Ctr, time = 14319638275 True 1
Get Time type = Ticks, time = 10908713 True 14
Get Time type = Performance Ctr, time = 14320079653 True 1
Get Time type = Performance Ctr, time = 14320563578 True 1
Get Time type = Performance Ctr, time = 14321184827 True 1
Get Time type = Performance Ctr, time = 14321421374 True 1
Get Time type = Ticks, time = 10908728 True 14
Get Time type = Performance Ctr, time = 14321972592 True 1
Get Time type = Performance Ctr, time = 14322609535 True 1
Get Time type = Performance Ctr, time = 14322828928 True 1
Get Time type = Performance Ctr, time = 14323005459 True 1
Get Time type = Ticks, time = 10908744 True 10
Get Time type = Performance Ctr, time = 14323429322 True 1
Get Time type = Performance Ctr, time = 14323568552 True 1
Get Time type = Performance Ctr, time = 14324513009 True 1
Get Time type = Ticks, time = 10908759 True 20
Get Time type = Performance Ctr, time = 14325008851 True 1
Get Time type = Performance Ctr, time = 14325238312 True 1
Get Time type = Performance Ctr, time = 14325384927 True 1
Get Time type = Performance Ctr, time = 14325763207 True 1
Get Time type = Performance Ctr, time = 14325867911 True 1
Get Time type = Performance Ctr, time = 14326007329 True 1
Get Time type = Ticks, time = 10908775 True 20
Get Time type = Performance Ctr, time = 14326312529 True 1
Get Time type = Performance Ctr, time = 14326410782 True 1
Get Time type = Performance Ctr, time = 14326561931 True 1
Get Time type = Performance Ctr, time = 14326811152 True 1
Get Time type = Performance Ctr, time = 14326951642 True 1
Get Time type = Performance Ctr, time = 14327623325 True 1
Get Time type = Ticks, time = 10908791 True 10
Get Time type = Performance Ctr, time = 14328186110 True 1
Get Time type = Performance Ctr, time = 14328515181 True 1
Get Time type = Performance Ctr, time = 14329205879 True 1
Get Time type = Ticks, time = 10908806 True 12
Get Time type = Performance Ctr, time = 14329806706 True 1
Get Time type = Performance Ctr, time = 14330108118 True 1
Get Time type = Performance Ctr, time = 14330322194 True 1
Get Time type = Performance Ctr, time = 14330707197 True 1
Get Time type = Ticks, time = 10908822 True 18
Get Time type = Performance Ctr, time = 14330852620 True 1
Get Time type = Performance Ctr, time = 14331111320 True 1
Get Time type = Performance Ctr, time = 14331451727 True 1
Get Time type = Performance Ctr, time = 14331610043 True 1
Get Time type = Performance Ctr, time = 14332238584 True 1
Get Time type = Ticks, time = 10908837 True 12
Get Time type = Performance Ctr, time = 14332823256 True 1
Get Time type = Performance Ctr, time = 14333320549 True 1
Get Time type = Performance Ctr, time = 14333522208 True 1
Get Time type = Performance Ctr, time = 14333793610 True 1
Get Time type = Ticks, time = 10908853 True 12
Get Time type = Performance Ctr, time = 14333998416 True 1
Get Time type = Performance Ctr, time = 14334716478 True 1
Get Time type = Performance Ctr, time = 14335194500 True 1
Get Time type = Performance Ctr, time = 14335493837 True 1
Get Time type = Ticks, time = 10908869 True 22
Get Time type = Performance Ctr, time = 14335648009 True 1
Get Time type = Performance Ctr, time = 14336039658 True 1
Get Time type = Performance Ctr, time = 14336140208 True 1
Get Time type = Performance Ctr, time = 14336402372 True 1
Get Time type = Performance Ctr, time = 14336755340 True 1
Get Time type = Performance Ctr, time = 14336918258 True 1
Get Time type = Ticks, time = 10908884 True 11
Get Time type = Performance Ctr, time = 14337531799 True 1
Get Time type = Performance Ctr, time = 14338027335 True 1
Get Time type = Performance Ctr, time = 14338310728 True 1
Get Time type = Performance Ctr, time = 14338863003 True 1
Get Time type = Ticks, time = 10908900 True 9
Get Time type = Performance Ctr, time = 14339367552 True 1
Get Time type = Performance Ctr, time = 14339633629 True 1
Get Time type = Ticks, time = 10908915 True 11
Get Time type = Performance Ctr, time = 14340398389 True 1
Get Time type = Performance Ctr, time = 14340904122 True 1
Get Time type = Performance Ctr, time = 14341251916 True 1
Get Time type = Performance Ctr, time = 14341784608 True 1
Get Time type = Ticks, time = 10908931 True 13
Get Time type = Performance Ctr, time = 14342331899 True 1
Get Time type = Performance Ctr, time = 14342507676 True 1
Get Time type = Performance Ctr, time = 14342753010 True 1
Get Time type = Ticks, time = 10908947 True 12
Get Time type = Performance Ctr, time = 14343409518 True 1
Get Time type = Performance Ctr, time = 14343562588 True 1
Get Time type = Performance Ctr, time = 14344038731 True 1
Get Time type = Performance Ctr, time = 14344801174 True 1
Get Time type = Ticks, time = 10908962 True 9
Get Time type = Performance Ctr, time = 14345092208 True 1
Get Time type = Performance Ctr, time = 14345949860 True 1
Get Time type = Ticks, time = 10908978 True 9
Get Time type = Performance Ctr, time = 14346517970 True 1
Get Time type = Performance Ctr, time = 14346921669 True 1
Get Time type = Performance Ctr, time = 14347922753 True 1
Get Time type = Ticks, time = 10908993 True 12
Get Time type = Performance Ctr, time = 14348457753 True 1
Get Time type = Performance Ctr, time = 14348734451 True 1
Get Time type = Performance Ctr, time = 14349049955 True 1
Get Time type = Performance Ctr, time = 14349439063 True 1
Get Time type = Ticks, time = 10909009 True 11
Get Time type = Performance Ctr, time = 14349633996 True 1
Get Time type = Performance Ctr, time = 14350254329 True 1
Get Time type = Performance Ctr, time = 14350748276 True 1
Get Time type = Performance Ctr, time = 14351151130 True 1
Get Time type = Ticks, time = 10909025 True 9
Get Time type = Performance Ctr, time = 14351875738 True 1
Get Time type = Performance Ctr, time = 14352358362 True 1
Get Time type = Ticks, time = 10909040 True 15
Get Time type = Performance Ctr, time = 14352796106 True 1
Get Time type = Performance Ctr, time = 14353229153 True 1
Get Time type = Performance Ctr, time = 14353630916 True 1
Get Time type = Performance Ctr, time = 14353810243 True 1
Get Time type = Performance Ctr, time = 14354393245 True 1
Get Time type = Ticks, time = 10909056 True 9
Get Time type = Performance Ctr, time = 14354916932 True 1
Get Time type = Performance Ctr, time = 14355125992 True 1
Get Time type = Ticks, time = 10909071 True 14
Get Time type = Performance Ctr, time = 14355850379 True 1
Get Time type = Performance Ctr, time = 14356399911 True 1
Get Time type = Performance Ctr, time = 14356723355 True 1
Get Time type = Performance Ctr, time = 14357314587 True 1
Get Time type = Ticks, time = 10909087 True 6
Get Time type = Performance Ctr, time = 14357835393 True 1
Get Time type = Performance Ctr, time = 14358288190 True 1
Get Time type = Ticks, time = 10909103 True 20
Get Time type = Performance Ctr, time = 14359069542 True 1
Get Time type = Performance Ctr, time = 14359481313 True 1
Get Time type = Performance Ctr, time = 14359645449 True 1
Get Time type = Performance Ctr, time = 14359879626 True 1
Get Time type = Performance Ctr, time = 14360223914 True 1
Get Time type = Performance Ctr, time = 14360385126 True 1
Get Time type = Ticks, time = 10909118 True 6
Get Time type = Performance Ctr, time = 14361070378 True 1
Get Time type = Performance Ctr, time = 14361904546 True 1
Get Time type = Ticks, time = 10909134 True 9
Get Time type = Performance Ctr, time = 14362288350 True 1
Get Time type = Performance Ctr, time = 14363151967 True 1
Get Time type = Ticks, time = 10909149 True 11
Get Time type = Performance Ctr, time = 14363686749 True 1
Get Time type = Performance Ctr, time = 14364004512 True 1
Get Time type = Performance Ctr, time = 14364574864 True 1
Get Time type = Performance Ctr, time = 14365019038 True 1
Get Time type = Ticks, time = 10909165 True 14
Get Time type = Performance Ctr, time = 14365630037 True 1
Get Time type = Performance Ctr, time = 14365874690 True 1
Get Time type = Performance Ctr, time = 14366253309 True 1
Get Time type = Performance Ctr, time = 14366419678 True 1
Get Time type = Ticks, time = 10909181 True 14
Get Time type = Performance Ctr, time = 14366999869 True 1
Get Time type = Performance Ctr, time = 14367460509 True 1
Get Time type = Performance Ctr, time = 14367704930 True 1
Get Time type = Performance Ctr, time = 14368087488 True 1
Get Time type = Ticks, time = 10909196 True 10
Get Time type = Performance Ctr, time = 14368823880 True 1
Get Time type = Performance Ctr, time = 14369013033 True 1
Get Time type = Performance Ctr, time = 14369543199 True 1
Get Time type = Ticks, time = 10909212 True 16
Get Time type = Performance Ctr, time = 14369938975 True 1
Get Time type = Performance Ctr, time = 14370107026 True 1
Get Time type = Performance Ctr, time = 14370452631 True 1
Get Time type = Performance Ctr, time = 14370837413 True 1
Get Time type = Performance Ctr, time = 14371030845 True 1
Get Time type = Ticks, time = 10909227 True 14
Get Time type = Performance Ctr, time = 14371737775 True 1
Get Time type = System Time, time = 2019-04-02 12:04:30 (UTC) True 53
Get Time type = Performance Ctr, time = 14372202558 True 1
Get Time type = Performance Ctr, time = 14372474913 True 1
Get Time type = Performance Ctr, time = 14372766487 True 1
Get Time type = Ticks, time = 10909243 True 16
Get Time type = Performance Ctr, time = 14373362487 True 1
Get Time type = Performance Ctr, time = 14373513046 True 1
Get Time type = Performance Ctr, time = 14373728089 True 1
Get Time type = Performance Ctr, time = 14374064460 True 1
Get Time type = Performance Ctr, time = 14374224613 True 1
Get Time type = Ticks, time = 10909259 True 10
Get Time type = Performance Ctr, time = 14374966542 True 1
Get Time type = Performance Ctr, time = 14375492286 True 1
Get Time type = Performance Ctr, time = 14375852489 True 1
Get Time type = Ticks, time = 10909274 True 6
Get Time type = Performance Ctr, time = 14376699179 True 1
Get Time type = Performance Ctr, time = 14377382459 True 1
Get Time type = Ticks, time = 10909290 True 10
Get Time type = Performance Ctr, time = 14377800452 True 1
Get Time type = Performance Ctr, time = 14378235610 True 1
Get Time type = Performance Ctr, time = 14378761865 True 1
Get Time type = Ticks, time = 10909305 True 4
Get Time type = Performance Ctr, time = 14379980806 True 1
Get Time type = Ticks, time = 10909321 True 6
Get Time type = Performance Ctr, time = 14381872893 True 1
Get Time type = Performance Ctr, time = 14382167972 True 1
Get Time type = Ticks, time = 10909337 True 4
Get Time type = Performance Ctr, time = 14382445512 True 1
Get Time type = Ticks, time = 10909352 True 6
Get Time type = Performance Ctr, time = 14383421309 True 1
Get Time type = Performance Ctr, time = 14383998436 True 1
Get Time type = Ticks, time = 10909368 True 14
Get Time type = Performance Ctr, time = 14384484044 True 1
Get Time type = Performance Ctr, time = 14384848412 True 1
Get Time type = Performance Ctr, time = 14385980169 True 1
Get Time type = Performance Ctr, time = 14386254534 True 1
Get Time type = Ticks, time = 10909383 True 14
Get Time type = Performance Ctr, time = 14386775259 True 1
Get Time type = Performance Ctr, time = 14387266037 True 1
Get Time type = Performance Ctr, time = 14387492443 True 1
Get Time type = Performance Ctr, time = 14388142316 True 1
Get Time type = Ticks, time = 10909399 True 2
Get Time type = Performance Ctr, time = 14390029013 True 1
Get Time type = Ticks, time = 10909415 True 10
Get Time type = Performance Ctr, time = 14390527683 True 1
Get Time type = Performance Ctr, time = 14391017234 True 1
Get Time type = Performance Ctr, time = 14391583399 True 1
Get Time type = Ticks, time = 10909430 True 24
Get Time type = Performance Ctr, time = 14391827387 True 1
Get Time type = Performance Ctr, time = 14392060716 True 1
Get Time type = Performance Ctr, time = 14392355330 True 1
Get Time type = Performance Ctr, time = 14392494836 True 1
Get Time type = Performance Ctr, time = 14392698352 True 1
Get Time type = Performance Ctr, time = 14392962989 True 1
Get Time type = Performance Ctr, time = 14393103501 True 1
Get Time type = Ticks, time = 10909446 True 14
Get Time type = Performance Ctr, time = 14393393687 True 1
Get Time type = Performance Ctr, time = 14393857860 True 1
Get Time type = Performance Ctr, time = 14394442671 True 1
Get Time type = Performance Ctr, time = 14394744656 True 1
Get Time type = Ticks, time = 10909461 True 12
Get Time type = Performance Ctr, time = 14395730715 True 1
Get Time type = Performance Ctr, time = 14395929607 True 1
Get Time type = Performance Ctr, time = 14396287249 True 1
Get Time type = Performance Ctr, time = 14396735380 True 1
Get Time type = Ticks, time = 10909477 True 14
Get Time type = Performance Ctr, time = 14396937388 True 1
Get Time type = Performance Ctr, time = 14397290740 True 1
Get Time type = Performance Ctr, time = 14397714315 True 1
Get Time type = Performance Ctr, time = 14397916261 True 1
Get Time type = Ticks, time = 10909493 True 10
Get Time type = Performance Ctr, time = 14399012292 True 1
Get Time type = Performance Ctr, time = 14399555539 True 1
Get Time type = Performance Ctr, time = 14400028047 True 1
Get Time type = Ticks, time = 10909508 True 6
Get Time type = Performance Ctr, time = 14400931663 True 1
Get Time type = Performance Ctr, time = 14402022031 True 1
Get Time type = Ticks, time = 10909524 True 14
Get Time type = Performance Ctr, time = 14402460060 True 1
Get Time type = Performance Ctr, time = 14402905405 True 1
Get Time type = Performance Ctr, time = 14403577388 True 1
Get Time type = Performance Ctr, time = 14403798569 True 1
Get Time type = Ticks, time = 10909539 True 10
Get Time type = Performance Ctr, time = 14404112338 True 1
Get Time type = Performance Ctr, time = 14404737301 True 1
Get Time type = Performance Ctr, time = 14404934024 True 1
Get Time type = Ticks, time = 10909555 True 14
Get Time type = Performance Ctr, time = 14405724578 True 1
Get Time type = Performance Ctr, time = 14406256401 True 1
Get Time type = Performance Ctr, time = 14406618597 True 1
Get Time type = Performance Ctr, time = 14406894660 True 1
Get Time type = Ticks, time = 10909571 True 12
Get Time type = Performance Ctr, time = 14407429887 True 1
Get Time type = Performance Ctr, time = 14407590674 True 1
Get Time type = Performance Ctr, time = 14408285303 True 1
Get Time type = Performance Ctr, time = 14408816940 True 1
Get Time type = Ticks, time = 10909586 True 14
Get Time type = Performance Ctr, time = 14409092131 True 1
Get Time type = Performance Ctr, time = 14409391012 True 1
Get Time type = Performance Ctr, time = 14409755690 True 1
Get Time type = Performance Ctr, time = 14409935360 True 1
Get Time type = Ticks, time = 10909602 True 14
Get Time type = Performance Ctr, time = 14410487922 True 1
Get Time type = Performance Ctr, time = 14410964765 True 1
Get Time type = Performance Ctr, time = 14411240000 True 1
Get Time type = Performance Ctr, time = 14411972305 True 1
Get Time type = Ticks, time = 10909617 True 11
Get Time type = Performance Ctr, time = 14412483634 True 1
Get Time type = Performance Ctr, time = 14413102871 True 1
Get Time type = Performance Ctr, time = 14413537196 True 1
Get Time type = Ticks, time = 10909633 True 15
Get Time type = Performance Ctr, time = 14413970756 True 1
Get Time type = Performance Ctr, time = 14414174789 True 1
Get Time type = Performance Ctr, time = 14414667817 True 1
Get Time type = Performance Ctr, time = 14415182972 True 1
Get Time type = Performance Ctr, time = 14415422321 True 1
Get Time type = Ticks, time = 10909649 True 20
Get Time type = Performance Ctr, time = 14415665318 True 1
Get Time type = Performance Ctr, time = 14416145970 True 1
Get Time type = Performance Ctr, time = 14416287630 True 1
Get Time type = Performance Ctr, time = 14416459251 True 1
Get Time type = Performance Ctr, time = 14416743006 True 1
Get Time type = Performance Ctr, time = 14416860468 True 1
Get Time type = Ticks, time = 10909664 True 26
Get Time type = Performance Ctr, time = 14417116890 True 1
Get Time type = Performance Ctr, time = 14417471387 True 1
Get Time type = Performance Ctr, time = 14418025991 True 1
Get Time type = Performance Ctr, time = 14418314769 True 1
Get Time type = Performance Ctr, time = 14418664767 True 1
Get Time type = Performance Ctr, time = 14418824326 True 1
Get Time type = Performance Ctr, time = 14419225174 True 1
Get Time type = Performance Ctr, time = 14419675202 True 1
Get Time type = Ticks, time = 10909680 True 14
Get Time type = Performance Ctr, time = 14419927745 True 1
Get Time type = Performance Ctr, time = 14420500253 True 1
Get Time type = Performance Ctr, time = 14420948523 True 1
Get Time type = Performance Ctr, time = 14421203639 True 1
Get Time type = Ticks, time = 10909695 True 11
Get Time type = Performance Ctr, time = 14421580814 True 1
Get Time type = Performance Ctr, time = 14421971854 True 1
Get Time type = Performance Ctr, time = 14422152410 True 1
Get Time type = Performance Ctr, time = 14423039366 True 1
Get Time type = Ticks, time = 10909711 True 13
Get Time type = Performance Ctr, time = 14423593843 True 1
Get Time type = Performance Ctr, time = 14423802584 True 1
Get Time type = Performance Ctr, time = 14424124922 True 1
Get Time type = Ticks, time = 10909727 True 12
Get Time type = Performance Ctr, time = 14424635960 True 1
Fn
Get Time type = Performance Ctr, time = 14424775684 True 1
Fn
Get Time type = Performance Ctr, time = 14425365808 True 1
Fn
Get Time type = Performance Ctr, time = 14425851971 True 1
Fn
Get Time type = Ticks, time = 10909742 True 14
Fn
Get Time type = Performance Ctr, time = 14426160725 True 1
Fn
Get Time type = Performance Ctr, time = 14426780928 True 1
Fn
Get Time type = Performance Ctr, time = 14427235399 True 1
Fn
Get Time type = Performance Ctr, time = 14427479868 True 1
Fn
Get Time type = Ticks, time = 10909758 True 16
Fn
Get Time type = Performance Ctr, time = 14427765698 True 1
Fn
Get Time type = Performance Ctr, time = 14428131575 True 1
Fn
Get Time type = Performance Ctr, time = 14428314385 True 1
Fn
Get Time type = Performance Ctr, time = 14428689933 True 1
Fn
Get Time type = Performance Ctr, time = 14429123259 True 1
Fn
Get Time type = Ticks, time = 10909773 True 8
Fn
Get Time type = Performance Ctr, time = 14429368627 True 1
Fn
Get Time type = Performance Ctr, time = 14430145798 True 1
Fn
Get Time type = Ticks, time = 10909789 True 12
Fn
Get Time type = Performance Ctr, time = 14431022188 True 1
Fn
Get Time type = Performance Ctr, time = 14431355056 True 1
Fn
Get Time type = Performance Ctr, time = 14431813432 True 1
Fn
Get Time type = Performance Ctr, time = 14432307719 True 1
Fn
Get Time type = Ticks, time = 10909805 True 4
Fn
Get Time type = Performance Ctr, time = 14432514319 True 1
Fn
Get Time type = Ticks, time = 10909867 True 4
Fn
Get Time type = Performance Ctr, time = 14439976311 True 1
Fn
Get Time type = Ticks, time = 10909883 True 6
Fn
Get Time type = Performance Ctr, time = 14440661809 True 1
Fn
Get Time type = Performance Ctr, time = 14441077800 True 1
Fn
Get Time type = Ticks, time = 10909898 True 4
Fn
Get Time type = Performance Ctr, time = 14442731780 True 1
Fn
Get Time type = Ticks, time = 10909914 True 10
Fn
Get Time type = Performance Ctr, time = 14443649106 True 1
Fn
Get Time type = Performance Ctr, time = 14443946333 True 1
Fn
Get Time type = Performance Ctr, time = 14444668081 True 1
Fn
Get Time type = Ticks, time = 10909929 True 12
Fn
Get Time type = Performance Ctr, time = 14445350766 True 1
Fn
Get Time type = Performance Ctr, time = 14445632024 True 1
Fn
Get Time type = Performance Ctr, time = 14445878619 True 1
Fn
Get Time type = Performance Ctr, time = 14446237189 True 1
Fn
Get Time type = Ticks, time = 10909945 True 14
Fn
Get Time type = Performance Ctr, time = 14446406130 True 1
Fn
Get Time type = Performance Ctr, time = 14447005123 True 1
Fn
Get Time type = Performance Ctr, time = 14447429518 True 1
Fn
Get Time type = Performance Ctr, time = 14447641341 True 1
Fn
Get Time type = Ticks, time = 10909961 True 14
Fn
Get Time type = Performance Ctr, time = 14447947889 True 1
Fn
Get Time type = Performance Ctr, time = 14448322105 True 1
Fn
Get Time type = Performance Ctr, time = 14448478588 True 1
Fn
Get Time type = Performance Ctr, time = 14449192181 True 1
Fn
Get Time type = Ticks, time = 10909976 True 20
Fn
Get Time type = Performance Ctr, time = 14449577172 True 1
Fn
Get Time type = Performance Ctr, time = 14449737180 True 1
Fn
Get Time type = Performance Ctr, time = 14449934204 True 1
Fn
Get Time type = Performance Ctr, time = 14450198497 True 1
Fn
Get Time type = Performance Ctr, time = 14450340620 True 1
Fn
Get Time type = Performance Ctr, time = 14450749006 True 1
Fn
Get Time type = Ticks, time = 10909992 True 15
Fn
Get Time type = Ticks, time = 10910007 True 13
Fn
Get Info type = Operating System True 2
Fn
Get Info type = System Directory, result_out = C:\Windows\system32 True 2
Fn
Mutex (1)
Operation Additional Information Success Count Logfile
Create mutex_name = WinRAR_Busy True 1
Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Fn
Process #9: unnam3d.exe
Information Value
ID #9
File Name c:\users\whuoxysd\appdata\local\temp\unnam3d.exe
Command Line "C:\Users\WhuOXYsD\AppData\Local\Temp\UNNAM3D.EXE"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:55, Reason: Autostart
Unmonitor End Time: 00:05:23, Reason: Terminated by Timeout
Monitor Duration 00:03:28
OS Process Information
Information Value
PID 0x730
Parent PID 0x6bc (c:\windows\explorer.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level Medium
Username EGLAFTB1N8YA\WhuOXYsD
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x734
0x7F4
0x7F8
0x7FC
0x4EC
0x4F4
0x580
0x6C8
0x6D8
0x728
Hook Information
Type Installer Target Size Information Actions
Code agiledotnetrt.dll:+0xfc2e6 ntdll.dll:DbgBreakPoint+0x0 1 bytes -
Code agiledotnetrt.dll:+0x4b698 clrjit.dll:sxsJitStartup+0x1e3bd 4 bytes -
Host Behavior
File (11)
Operation Filename Additional Information Success Count Logfile
Create C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll desired_access = FILE_READ_DATA, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Users\WhuOXYsD\AppData\Local\Temp\88044b52-bb1c-4d13-820b-fd46b551698e\ type = file_attributes True 2
Fn
Get Info C:\Users\WhuOXYsD\AppData\Local\Temp\88044b52-bb1c-4d13-820b-fd46b551698e\AgileDotNetRT.dll type = file_attributes True 2
Fn
Get Info C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll type = size, size_out = 0 True 1
Fn
Get Info C:\Windows\system32\RichEd20.DLL type = file_attributes True 1
Fn
Get Info C:\Users\WhuOXYsD\AppData\Local\Temp\UNNAM3D.EXE.config type = file_attributes False 1
Fn
Get Info C:\Users\WhuOXYsD\AppData\Local\Temp\UNNAM3D.EXE type = file_attributes True 1
Fn
Get Info C:\Users\WhuOXYsD\AppData\Local\Temp\Wallpaper.png type = file_attributes True 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll size = 510104, size_out = 510104 True 1
Fn
Registry (10)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Hardware\description\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 value_name = DriverDesc, data = 83 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Hardware\description\System value_name = SystemBiosVersion, data = 76 True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Hardware\description\System value_name = VideoBiosVersion, data = 76 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework value_name = DbgJITDebugLaunchSetting, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework value_name = DbgManagedDebugger, type = REG_NONE False 1
Fn
Module (156)
Operation Module Additional Information Success Count Logfile
Load C:\Users\WhuOXYsD\AppData\Local\Temp\88044b52-bb1c-4d13-820b-fd46b551698e\AgileDotNetRT.dll base_address = 0x713b0000 True 2
Fn
Load user32.dll base_address = 0x75c60000 True 1
Fn
Load advapi32.dll base_address = 0x74f30000 True 1
Fn
Load ntdll.dll base_address = 0x76fc0000 True 1
Fn
Load shell32.dll base_address = 0x75f70000 True 1
Fn
Load shlwapi.dll base_address = 0x75c00000 True 1
Fn
Load clrjit.dll base_address = 0x741f0000 True 1
Fn
Load comctl32.dll base_address = 0x737b0000 True 1
Fn
Load comctl32.dll base_address = 0x73000000 True 1
Fn
Load RichEd20.DLL base_address = 0x72f80000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75900000 True 2
Fn
Get Handle c:\windows\syswow64\crypt32.dll base_address = 0x75710000 True 1
Fn
Get Handle c:\windows\syswow64\psapi.dll base_address = 0x75100000 True 1
Fn
Get Handle c:\windows\syswow64\version.dll base_address = 0x74ad0000 True 1
Fn
Get Handle c:\windows\syswow64\user32.dll base_address = 0x75c60000 True 2
Fn
Get Handle comctl32.dll base_address = 0x0 False 2
Fn
Get Handle c:\users\whuoxysd\appdata\local\temp\unnam3d.exe base_address = 0x290000 True 21
Fn
Get Handle c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll base_address = 0x737b0000 True 77
Fn
Get Handle c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll base_address = 0x73000000 True 22
Fn
Get Filename C:\Users\WhuOXYsD\AppData\Local\Temp\88044b52-bb1c-4d13-820b-fd46b551698e\AgileDotNetRT.dll process_name = c:\users\whuoxysd\appdata\local\temp\unnam3d.exe, file_name_orig = C:\Users\WhuOXYsD\AppData\Local\Temp\88044b52-bb1c-4d13-820b-fd46b551698e\AgileDotNetRT.dll, size = 260 True 1
Fn
Get Filename c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll process_name = c:\users\whuoxysd\appdata\local\temp\unnam3d.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll, size = 260 True 1
Fn
Get Filename RichEd20.DLL process_name = c:\users\whuoxysd\appdata\local\temp\unnam3d.exe, file_name_orig = C:\Windows\system32\RichEd20.DLL, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x759111a9 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = IsUserAnAdmin, address_out = 0x75fc44f5 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySystemInformation, address_out = 0x76fdfda0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlAllocateHeap, address_out = 0x76fee026 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlLeaveCriticalSection, address_out = 0x76fe2270 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlEnterCriticalSection, address_out = 0x76fe22b0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitializeCriticalSection, address_out = 0x76ff2c42 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlReAllocateHeap, address_out = 0x77001f6e True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlSizeHeap, address_out = 0x76ff3002 True 1
Fn
Get Address c:\users\whuoxysd\appdata\local\temp\88044b52-bb1c-4d13-820b-fd46b551698e\agiledotnetrt.dll function = _Initialize, address_out = 0x713c142e True 2
Fn
Get Address c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll function = getJit, address_out = 0x7423f70e True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x76ff25dd True 1
Fn
User (1)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Window (61)
Operation Window Name Additional Information Success Count Logfile
Create - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Fn
Create .NET-BroadcastEventWindow.4.0.0.0.141b42a.0 class_name = .NET-BroadcastEventWindow.4.0.0.0.141b42a.0, wndproc_parameter = 0 True 1
Fn
Create TimerNativeWindow class_name = WindowsForms10.Window.0.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Fn
Create UNNAM3D class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Fn
Create - class_name = WindowsForms10.Window.0.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Fn
Create - class_name = WindowsForms10.RichEdit20W.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Fn
Create Locked Files class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Fn
Create - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Fn
Create CREATER: UNNAM3D class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Fn
Create Discord: UNNAM3D#6666 class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Fn
Create You will need to send an message to the below discord with a $50 amazon giftcard code. Then you will shortley get an message back with a password to unlock your files. class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Fn
Create All your personal files have been locked and you need to pay a ransom to get them back. You will have 24 hours to pay or the password will be deleted of our servers making it impossible to get your files back. class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Fn
Create How do i pay? class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Fn
Create What Happend? class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Fn
Create -YOUR FILES HAVE BEEN LOCKED- class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Fn
Create - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, wndproc_parameter = 0 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -4, new_long = 1996432861 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -4, new_long = 85788894 True 1
Fn
Set Attribute TimerNativeWindow class_name = WindowsForms10.Window.0.app.0.141b42a_r14_ad1, index = -4, new_long = 1996432861 True 1
Fn
Set Attribute TimerNativeWindow class_name = WindowsForms10.Window.0.app.0.141b42a_r14_ad1, index = -4, new_long = 85789094 True 1
Fn
Set Attribute UNNAM3D class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -4, new_long = 1996432861 True 1
Fn
Set Attribute UNNAM3D class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -4, new_long = 85789822 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.0.app.0.141b42a_r14_ad1, index = -4, new_long = 1996432861 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.0.app.0.141b42a_r14_ad1, index = -4, new_long = 85789862 True 1
Fn
Set Attribute UNNAM3D class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -8, new_long = 65888 False 1
Fn
Set Attribute UNNAM3D class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -8, new_long = 65888 True 1
Fn
Set Attribute UNNAM3D class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -16, new_long = 33619968 True 1
Fn
Set Attribute UNNAM3D class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -20, new_long = 65536 True 1
Fn
Set Attribute - class_name = WindowsForms10.RichEdit20W.app.0.141b42a_r14_ad1, index = -4, new_long = 1928863994 True 1
Fn
Set Attribute - class_name = WindowsForms10.RichEdit20W.app.0.141b42a_r14_ad1, index = -4, new_long = 85789942 True 1
Fn
Set Attribute - class_name = WindowsForms10.RichEdit20W.app.0.141b42a_r14_ad1, index = -12, new_long = 65894 False 1
Fn
Set Attribute Locked Files class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 1929492681 True 1
Fn
Set Attribute Locked Files class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 85791366 True 1
Fn
Set Attribute Locked Files class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -12, new_long = 65896 False 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -4, new_long = 1996432861 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -4, new_long = 85791406 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -12, new_long = 65898 False 1
Fn
Set Attribute CREATER: UNNAM3D class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 1929492681 True 1
Fn
Set Attribute CREATER: UNNAM3D class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 85791446 True 1
Fn
Set Attribute CREATER: UNNAM3D class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -12, new_long = 65900 False 1
Fn
Set Attribute Discord: UNNAM3D#6666 class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 1929492681 True 1
Fn
Set Attribute Discord: UNNAM3D#6666 class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 85791486 True 1
Fn
Set Attribute Discord: UNNAM3D#6666 class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -12, new_long = 65902 False 1
Fn
Set Attribute You will need to send an message to the below discord with a $50 amazon giftcard code. Then you will shortley get an message back with a password to unlock your files. class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 1929492681 True 1
Fn
Set Attribute You will need to send an message to the below discord with a $50 amazon giftcard code. Then you will shortley get an message back with a password to unlock your files. class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 85834638 True 1
Fn
Set Attribute You will need to send an message to the below discord with a $50 amazon giftcard code. Then you will shortley get an message back with a password to unlock your files. class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -12, new_long = 65904 False 1
Fn
Set Attribute All your personal files have been locked and you need to pay a ransom to get them back. You will have 24 hours to pay or the password will be deleted of our servers making it impossible to get your files back. class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 1929492681 True 1
Fn
Set Attribute All your personal files have been locked and you need to pay a ransom to get them back. You will have 24 hours to pay or the password will be deleted of our servers making it impossible to get your files back. class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 85834702 True 1
Fn
Set Attribute All your personal files have been locked and you need to pay a ransom to get them back. You will have 24 hours to pay or the password will be deleted of our servers making it impossible to get your files back. class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -12, new_long = 65906 False 1
Fn
Set Attribute How do i pay? class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 1929492681 True 1
Fn
Set Attribute How do i pay? class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 85834742 True 1
Fn
Set Attribute How do i pay? class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -12, new_long = 65908 False 1
Fn
Set Attribute What Happend? class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 1929492681 True 1
Fn
Set Attribute What Happend? class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 85834782 True 1
Fn
Set Attribute What Happend? class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -12, new_long = 65910 False 1
Fn
Set Attribute -YOUR FILES HAVE BEEN LOCKED- class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 1929492681 True 1
Fn
Set Attribute -YOUR FILES HAVE BEEN LOCKED- class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -4, new_long = 85834822 True 1
Fn
Set Attribute -YOUR FILES HAVE BEEN LOCKED- class_name = WindowsForms10.STATIC.app.0.141b42a_r14_ad1, index = -12, new_long = 65912 False 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -4, new_long = 1996432861 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -4, new_long = 85834862 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = -12, new_long = 65914 False 1
Fn
Keyboard (146)
Operation Additional Information Success Count Logfile
Get Info type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 True 2
Fn
Read virtual_key_code = VK_RBUTTON, result_out = 0 True 29
Fn
Read virtual_key_code = VK_MBUTTON, result_out = 0 True 29
Fn
Read virtual_key_code = VK_XBUTTON1, result_out = 0 True 29
Fn
Read virtual_key_code = VK_XBUTTON2, result_out = 0 True 29
Fn
Read virtual_key_code = VK_LBUTTON, result_out = 0 True 28
Fn
System (10877)
Operation Additional Information Success Count Logfile
Get Cursor x_out = 1232, y_out = 631 True 4
Fn
Sleep duration = 100 milliseconds (0.100 seconds) True 10524
Fn
Sleep duration = 2000 milliseconds (2.000 seconds) True 1
Fn
Get Time type = Ticks, time = 21028 True 135
Fn
Get Time type = Ticks, time = 21044 True 114
Fn
Get Time type = System Time, time = 2019-04-02 08:05:44 (UTC) True 1
Fn
Get Time type = Ticks, time = 28532 True 1
Fn
Get Info type = Operating System True 1
Fn
Get Info type = SYSTEM_MODULE_INFORMATION True 1
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 95
Fn
Environment (13)
Operation Additional Information Success Count Logfile
Get Environment String name = UKKED False 13
Fn
Debug (4)
Operation Process Additional Information Success Count Logfile
Check for Presence c:\users\whuoxysd\appdata\local\temp\unnam3d.exe - True 1
Fn
Check for Presence c:\users\whuoxysd\appdata\local\temp\unnam3d.exe - True 1
Fn
Check for Presence c:\users\whuoxysd\appdata\local\temp\unnam3d.exe - False 1
Fn
Hide c:\users\whuoxysd\appdata\local\temp\unnam3d.exe - True 1
Fn